Best Practices: Delegation—Securing Cygna Auditor

QUICK TIP: Interested in setting up delegation but do not know where to start?

This article will be handy if you are already familiar with the delegation concept and looking for best practices or case studies you can adopt to your company needs.

As a recap, here is a quick overview of the delegation concept. To ensure data security and integrity, Cygna Auditor restricts access to its functionality and enables you to grant granular permissions to entire sources or features; both allow and deny permissions can be granted. For general instructions on how to delegate access in Cygna Auditor, refer to Delegation.

As you install Cygna Auditor, you may notice that only the user who installed Cygna Auditor can operate the web-console. It's time to start implementing your delegation model. There is no universal rule or a general industry guideline for delegating access permissions but here is a list of ideas that can help you figure out how to set up delegation model for your organization and tailor it to your specific needs. The key is to find the right balance between security concerns and addressing user tasks.

In this article:

Identifying Users and Responsibilities

Keeping Global Administrators Number to a Minimum

Granting Permissions on Source

Giving the Smallest Piece of Data Needed

Keeping Delegated Permissions Accountable

Setting up a Revision Schedule

Identifying Users and Responsibilities

Planning ahead is always a good idea. Before taking any actions, identity who will use Cygna Auditor. You can start by creating a list of job positions where employees may be interested in audit data. For example, system administrators, security officers, internal auditors, helpdesk personnel, response team members.

As you analyze your organization structure and job responsibilities, make sure the people you have in mind are authorized to see audit data. Try to identify activity patterns and situations when employees will use the product. Do they need access to collected audit data 24/7? Or is a weekly report enough? Do they administer the system or just review data?

ClosedShow me example

Takeaway: A clear understanding of user tasks is a key to establishing a delegation model that will be secure and efficient at the same time.

Keeping Global Administrators Number to a Minimum

At some point, you might find Cygna Auditor to be overly restrictive—by default a single user, a global administrator, is solely responsible for operating the product while others are denied access. Though it seems to be an easy solution, do not fall into temptation of adding as many global administrators as many users will use the product. Global administrators are granted the most extended permissions in Cygna Auditor, so keeping the number of global administrators to a minimum is a good idea.

You might be wondering how many global administrators is enough to keep the product secure and ensure its operability. Basically, two or three will be enough. In most cases, the best candidates are system administrators who take care of the Cygna Auditor server, have advanced permissions in your corporate environment, and are capable of maintenance works.

Takeaway: Keep the minimum number of global administrators required to ensure the Cygna Auditor server operability. Should more people have access to Cygna Auditor configuration and audit data, delegate control granularly, on the source or feature level.

Granting Permissions on Source

If you work in a larger company that has administrators or helpdesk personnel taking care of a certain system, it may make sense to assign permissions on the source level. In this case, you increase overall security while allowing the maximum flexibility for your co-workers within their responsibility domain.

ClosedShow me example

Takeaway: To reduce the number of global administrators, delegate control on the audit source level.

Giving the Smallest Piece of Data Needed

To strengthen security within your organization, you can further extend the delegation model by setting granular permissions as low as on the product feature level. You can grant allow and deny permissions on each feature individually: configuration, search, reports, activity widgets, and alerts.

From a security point of view, the less is always better. Carefully review Cygna Auditor users' job responsibilities and break them down to tasks, and then map these tasks to product features. Basically, Cygna Auditor should not provide employees with more information than they could get otherwise. For example, in most organizations regular users cannot modify Active Directory groups or manage shared folder permissions, thus they should not review reports related to your Active Directory structure and file servers.

Based on industry recommendations, grant access to audit configuration only to those employees who are generally in charge of this piece IT infrastructure. Grant permissions to access audit data to employees that are entitled to see it (security officers, auditors, etc.)

ClosedShow me example

Takeaway: Once you have a clear understanding of what Cygna Auditor features your users need to accomplish their tasks, grant permissions accordingly.

Keeping Delegated Permissions Accountable

Instead of granting access to individual users, create dedicated groups in Active Directory and delegate control to these groups. It's easier to manage user groups, since you can track changes to group membership with Cygna Auditor search and reports.

ClosedShow me example

Takeway: Define delegation guidelines and apply them to user groups. Let the new users inherit group permissions instead of explicitly setting them.

Setting up a Revision Schedule

Keeping up to date with our organization's needs is essential. Periodically check your delegation model and adopt it to changes. For example, you can schedule a monthly revision, review current delegations and reassign permissions according to the current workflow and organization's structure.

ClosedShow me example

Takeaway: The delegation model is not created once and for all. As your organization keeps evolving, adopt the delegation model to changes.