As we move more into the cloud we are noticing an issue that may become a problem in the future.
I know how big companies do it, but we are at a disadvantage with commit. We can't control access by asset.
We keep accounts, passwords, etc. on file for customers. When they need a "password" reset or just need to know what it is, we give it to them. What happens when someone asks for a password to a resource they shouldn't have? How is our staff to know who has access to what?
An easy fix = if we could password- or pop-up-protect assets.
Let's say Julie calls from Acme Construction. Her boss needs his email set up on his phone. They need the login info for their hosting account. If Julie had her PIN, our support staff could easily know she's authorized and reset the password or whatever.
Two things could work:
1) A pop-up that said [Sensitive Info | Account challenge] that informs our staff to authenticate the person before giving out any information would work. We don't need it for the entire account, just specific assets.
2) For certain assets my staff would have to put in a PIN that the customer should have. Before they entered the PIN they could only see the asset name. We could set the PIN requirement for staff depending on their level, access, etc.
------------------
When we were smaller I knew the boss and knew Julie. I could just give it to them. As I add staff, everyone doesn't know every customer like I do.
The bigger we get, the more likely I see an issue happening where someone gives out information they shouldn't.
I know we can tell everyone never to give out passwords unless we know they are supposed to have it, but that seems error prone. If my support staff had to enter a PIN to get access themselves, then the customer has to have it, or the request has to get escalated up to a supervisor who has more access.
Thoughts?
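The per-asset PIN challenge the post describes, modelled as an added example in Python (this is not code from the original post or from any hosting or documentation product; the class, function and field names, the staff levels and the sample customer data are all constructed for illustration). It shows the parts a practitioner would want the feature to have beyond the pop-up itself: the customer's PIN is stored hashed rather than in clear text, staff see only the asset name until the right PIN is presented, repeated wrong PINs lock the asset, and a supervisor's escalation bypass is recorded in an audit log with a reason instead of silently skipping the check.

```python
"""Added example: asset-level PIN challenge for a support desk (constructed)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000          # assumption: a modest work factor for a 4-8 digit PIN
MAX_FAILED = 3                   # assumption: lock the asset after three wrong PINs
STAFF_LEVELS = {"support": 1, "supervisor": 2}   # constructed role levels


class RevealDenied(Exception):
    """Raised when the credential must not be shown to this staff member."""


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked asset table does not leak the customers' PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Asset:
    name: str                    # visible to all staff (e.g. "Acme hosting login")
    secret: str                  # the credential that may be handed out
    pin_hash: Optional[bytes]    # None means this asset carries no challenge
    pin_salt: bytes
    failed_attempts: int = 0


class AssetVault:
    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}
        self.audit: List[dict] = []

    def add_asset(self, asset_id: str, name: str, secret: str, pin: Optional[str] = None) -> None:
        salt = secrets.token_bytes(16)
        self.assets[asset_id] = Asset(name, secret, hash_pin(pin, salt) if pin else None, salt)

    def list_assets(self) -> Dict[str, str]:
        # Staff browsing the account see names only, never the secrets.
        return {aid: a.name for aid, a in self.assets.items()}

    def _log(self, asset_id: str, staff: str, outcome: str, reason: str = "") -> None:
        self.audit.append({"asset": asset_id, "staff": staff, "outcome": outcome, "reason": reason})

    def reveal(self, asset_id: str, staff: str, level: str,
               pin: Optional[str] = None, override_reason: Optional[str] = None) -> str:
        asset = self.assets[asset_id]
        if asset.pin_hash is None:                       # unchallenged asset: plain reveal
            self._log(asset_id, staff, "revealed-no-challenge")
            return asset.secret
        if override_reason and STAFF_LEVELS.get(level, 0) >= STAFF_LEVELS["supervisor"]:
            # Escalation path: a supervisor may bypass the PIN, but only with a recorded reason.
            self._log(asset_id, staff, "revealed-override", override_reason)
            return asset.secret
        if asset.failed_attempts >= MAX_FAILED:
            self._log(asset_id, staff, "denied-locked")
            raise RevealDenied("asset locked after repeated wrong PINs; escalate to a supervisor")
        if pin is None or not hmac.compare_digest(hash_pin(pin, asset.pin_salt), asset.pin_hash):
            asset.failed_attempts += 1
            self._log(asset_id, staff, "denied-wrong-pin")
            raise RevealDenied("customer PIN required before this credential can be given out")
        asset.failed_attempts = 0                         # correct PIN resets the counter
        self._log(asset_id, staff, "revealed-pin")
        return asset.secret


def build_demo_vault() -> AssetVault:
    # Constructed sample data for the scenario in the post.
    vault = AssetVault()
    vault.add_asset("acme-hosting", "Acme hosting login", "hosting-secret", pin="4821")
    vault.add_asset("acme-wifi", "Acme guest Wi-Fi", "guest-wifi-password")   # no challenge
    return vault


if __name__ == "__main__":
    v = build_demo_vault()
    print(v.list_assets())                                # names only
    print(v.reveal("acme-hosting", "support-bob", "support", pin="4821"))
```

Two design points worth keeping if this is built into a real tool: the PIN is compared with `hmac.compare_digest` against a salted hash, so neither a database dump nor a timing side channel gives the PIN away, and the supervisor override does not remove the control, it only moves the decision to someone with more context and leaves a log entry that can be reviewed later.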