Why Your Data Consultancy Might Be One Password Away from Disaster, and 7 Ways To Fix It

“By failing to prepare, you are preparing to fail.” – Benjamin Franklin

A common complaint we hear from data consultancies is that they hate keeping track of their clients’ credentials. It’s not uncommon for a small consultancy to hold 30 to 50 sets of credentials for different applications (10 clients at 3 to 5 credentials each). Larger consultancies will have even more.

This presents a significant security risk for consultancies. At the annoying end of the risk spectrum, it’s too easy to log into the wrong account for a given client and change something you shouldn’t. Turning off a sync for Client A when you meant to turn it off for Client B isn’t a huge deal. At the other end of the spectrum, though, you run the risk of ending your business and your customers’ businesses.

Data consultancies are unusual in holding access to the critical and private data of many companies at once. Just imagine someone stealing those credentials and using them to reach the production database of one of your clients. Or an intern leaving with a list of 1,000 names of customers of one of your clients.

As a data consultant, you can reach some of your clients’ most sensitive systems, so you must protect that access by preparing for failure before it happens.

Here are seven tips you should never forget.

1. Different passwords for everything

This is old advice, but password reuse still happens more than you think. The rule is very clear: use a different password for everything, and we mean everything. Make sure:

  • users created for you inside clients’ systems have unique passwords
  • your password manager vaults are secured with unique passwords
  • all of your employees use unique passwords for your own internal systems

Never reuse a password, even when it’s for logins of the same client.

How do you do that? Don’t just add “client_x” to the end of a common password. Randomly generate a password for each application by using a password manager.
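As an added example (this is not code from the original post or from any password manager), here is a short Python script that does both halves of this tip: it generates passwords from the OS random source the way a password manager does, and it scans a list of (title, password) pairs for exact reuse and for the “common password plus client_x” near-reuse that tip 1 warns about. The sample vault is constructed for illustration and the list-of-tuples format is an assumption, not 1Password’s export format.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes a typical password-manager generator draws from:
# 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return a password drawn uniformly from `alphabet` using the OS CSPRNG.

    `secrets` is used rather than `random`: `random` is seeded from
    predictable state and is not suitable for credentials.
    """
    if length < 16:
        raise ValueError("use at least 16 characters for service logins")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def common_prefix_len(a: str, b: str) -> int:
    """Length of the shared leading run of characters of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def find_reuse(vault, min_shared: int = 8) -> dict:
    """Flag exact duplicates and near-duplicates in a (title, password) list.

    Near-duplicates share a prefix of `min_shared` or more characters, the
    "Summer2023!-client_x" pattern. Two randomly generated passwords share
    8 leading characters with probability 94**-8, so this does not false-alarm
    on properly generated entries.
    """
    exact, near = [], []
    for (t1, p1), (t2, p2) in combinations(vault, 2):
        if p1 == p2:
            exact.append((t1, t2))
        elif common_prefix_len(p1, p2) >= min_shared:
            near.append((t1, t2))
    return {"exact": exact, "near": near}


# Constructed sample vault for illustration (not a real export).
SAMPLE_VAULT = [
    ("Client A / Snowflake", "Summer2023!-clienta"),
    ("Client B / Snowflake", "Summer2023!-clientb"),
    ("Client B / Fivetran", "Summer2023!-clientb"),
    ("Client C / Postgres", generate_password()),
]

if __name__ == "__main__":
    print(generate_password(), f"({entropy_bits(24):.0f} bits)")
    print(find_reuse(SAMPLE_VAULT))
```

Run against the sample vault, the scan reports one exact duplicate (the two Client B entries) and two near-duplicates (Client A’s password against each Client B entry); the generated Client C entry is never flagged.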

2. Use a password manager

Password managers are essential for securing sensitive login information. We internally use and recommend 1Password for this. 1Password allows you to define vaults for each client, enables easy generation of random, complex passwords, allows for safe and easy sharing of credentials when needed, makes two-factor authentication easy, and much more.

For consultancies, extensive sharing capabilities are essential. You want to share credentials with your team, sometimes with an external contractor, and with your clients, and to control and revoke that access. Don’t go for a password manager without that.

3. Organize credentials clearly by client

When doing any work for a particular client, you want to be clear about which credentials you need. If you’re using a password manager and you type “Fivetran” or “Snowflake,” you shouldn’t have 50 different options come up.

When I type in “WordPress” for my personal WordPress login credentials, I get 5 options, some outdated and some for another project. That isn’t very pleasant, but it is okay for me personally. However, if you’re working on multiple projects and have numerous people accessing your password vault, this is a recipe for disaster (one I should personally resolve, I know).

The best way to go about it is to organize credentials by client in whatever container your password manager offers (Vaults in 1Password), not by prefixing every entry name with “client_x”. Sheets or folders work if you’re old fashioned; plain files or CSV exports also work, but we don’t recommend them.

4. Regularly review application access

I remember logging into a physical database server to add a new role for a new employee on my team. Lo and behold, what I found wasn’t a pretty sight; I discovered two roles from employees who left two years ago!

I was embarrassed, deleted them on the fly, and discussed it with the team, only to learn this happens all the time.

For data consultancies, you’re inevitably managing more than a handful of applications that require access; there will always be bloat – users who don’t work with you anymore, users who don’t need access, and sometimes even whole systems you don’t need anymore.

We propose a ritual:

  • Every quarter, go through each application you have access to on behalf of your client and review who has access and at what level.
  • Ask your employees to do the same; let them go through the list of applications they have access to (an easy way to find them: search for “login” in your email)
  • For each system, document any irregularities (departed staff, unused accounts, unneeded systems) and address them immediately
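As an added example (not code from the original post), here is the shape the quarterly review can take once you have pulled the user list out of each system: a Python script that compares every account against the current staff roster and the last login each system reports, then groups everything that should be removed by system so it can be raised with that client’s admin in a single request. The roster, review date and account list are constructed inputs; the field names are assumptions, since every platform exposes its user list differently.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    system: str               # e.g. "Client A / Snowflake"
    username: str             # login inside the client's system
    owner: str                # consultancy staff member the account belongs to
    last_login: Optional[date]  # None means the account never logged in


# Constructed review inputs for illustration.
CURRENT_STAFF = {"alice", "bob"}
REVIEW_DATE = date(2024, 4, 1)

ACCOUNTS = [
    Account("Client A / Snowflake", "alice_consult", "alice", date(2024, 3, 28)),
    Account("Client A / Snowflake", "carol_consult", "carol", date(2022, 2, 10)),  # left 2 years ago
    Account("Client A / Fivetran", "bob_consult", "bob", date(2023, 11, 1)),       # dormant
    Account("Client B / Postgres", "svc_etl", "bob", None),                        # never used
    Account("Client B / Postgres", "dave_consult", "dave", date(2024, 3, 30)),     # not on roster
]


def review_access(accounts, staff, today, dormant_after=timedelta(days=90)):
    """Classify every account as ok, orphaned, dormant or never_used.

    orphaned   - owner no longer on the roster: revoke immediately
    dormant    - no login within `dormant_after`: confirm the need or revoke
    never_used - provisioned but never logged in: usually safe to revoke
    """
    findings = {"ok": [], "orphaned": [], "dormant": [], "never_used": []}
    for acct in accounts:
        if acct.owner not in staff:
            findings["orphaned"].append(acct)
        elif acct.last_login is None:
            findings["never_used"].append(acct)
        elif today - acct.last_login > dormant_after:
            findings["dormant"].append(acct)
        else:
            findings["ok"].append(acct)
    return findings


def revocation_list(findings):
    """Group every account that should be removed by system, with the reason."""
    by_system = {}
    for bucket in ("orphaned", "dormant", "never_used"):
        for acct in findings[bucket]:
            by_system.setdefault(acct.system, []).append((acct.username, bucket))
    return by_system


if __name__ == "__main__":
    results = review_access(ACCOUNTS, CURRENT_STAFF, REVIEW_DATE)
    for system, entries in revocation_list(results).items():
        print(system)
        for username, reason in entries:
            print(f"  remove {username} ({reason})")
```

On the sample data this leaves only alice’s Snowflake account as “ok”: carol’s and dave’s accounts are orphaned, bob’s Fivetran login has been dormant for 152 days, and the `svc_etl` Postgres user was created but never used. The 90-day dormancy threshold is a starting point, not a standard; pick one that matches how often you actually do work for each client.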

5. Have a clearly defined pattern for Access Control

For any system you use regularly, you should become familiar with the roles within the system and the access scopes available to each role. For every person onboarded to a system, there should be a clear understanding of why they need access and what they need access to. This should be documented in the Client Agreement.

Role-based access control (RBAC) is offered by most software solutions: users are given specific roles, each granting access to a defined part of the platform. This is an excellent model to follow. Attribute-based access control (ABAC), where access depends on attributes of the user, the resource and the request, also exists. ABAC is less common today, but more platforms now support both, or a blend of the two, which gives administrators a lot of control and confidence in their systems.

Whichever method is used, the overall idea is simple: don’t ask for admin roles just because it’s easier, and follow a least-privilege model that gives people access to what they need and nothing more.
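As an added example (not code from the original post or from any particular platform), here is how the “minimum role that covers the documented need” decision can be made and audited in Python. The role catalogue is a hypothetical one for an imaginary data platform; real products define their own roles and scopes, so the first step in practice is to read those. The grants, needs and reasons are constructed, and stand in for what the Client Agreement should record.

```python
from dataclasses import dataclass

# Hypothetical role catalogue (assumption: not any real product's roles).
ROLE_SCOPES = {
    "viewer": {"read:dashboards"},
    "analyst": {"read:dashboards", "read:tables", "run:queries"},
    "engineer": {"read:dashboards", "read:tables", "run:queries",
                 "write:tables", "manage:pipelines"},
    "admin": {"read:dashboards", "read:tables", "run:queries", "write:tables",
              "manage:pipelines", "manage:users", "manage:billing"},
}


@dataclass
class Grant:
    person: str
    system: str
    role: str      # role actually assigned in the client's system
    needs: set     # scopes the person needs, from the Client Agreement
    reason: str    # why they need them, also from the Client Agreement


def minimal_role(needs, catalogue=ROLE_SCOPES):
    """Return the role with the fewest scopes that still covers `needs`,
    or None when no single role does (ask the client for a custom role
    rather than falling back to admin)."""
    candidates = [r for r, scopes in catalogue.items() if needs <= scopes]
    if not candidates:
        return None
    return min(candidates, key=lambda r: len(catalogue[r]))


def audit(grants, catalogue=ROLE_SCOPES):
    """Flag undocumented, over-privileged and under-privileged grants.

    Each finding is (person, system, code, detail)."""
    findings = []
    for g in grants:
        if not g.reason.strip():
            findings.append((g.person, g.system, "no_reason", ""))
        role_scopes = catalogue[g.role]
        if not g.needs <= role_scopes:
            findings.append((g.person, g.system, "under_privileged",
                             sorted(g.needs - role_scopes)))
            continue
        best = minimal_role(g.needs, catalogue)  # always exists here
        if len(catalogue[best]) < len(role_scopes):
            findings.append((g.person, g.system, "over_privileged",
                             f"{best} suffices; excess {sorted(role_scopes - g.needs)}"))
    return findings


# Constructed sample grants for illustration.
SAMPLE_GRANTS = [
    Grant("alice", "Client A / warehouse", "admin",
          {"read:tables", "run:queries"}, "build reporting models"),
    Grant("bob", "Client A / pipelines", "engineer",
          {"manage:pipelines", "read:tables"}, ""),
    Grant("carol", "Client B / warehouse", "viewer",
          {"run:queries"}, "ad-hoc analysis"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS):
        print(finding)
```

On the sample grants, alice holds admin when analyst covers everything she needs, bob’s engineer role is the right size but has no documented reason, and carol’s viewer role cannot actually do her job (an under-privileged grant tends to turn into a quiet request for admin later, so it belongs in the same review).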

6. Document how you hand off systems & offboarding

As a consultancy, you’re an outsider. There’s no way around it.

Sooner or later, you’ll need to leave your client’s systems. Making that process smooth requires good documentation of how handoffs and offboarding work in general.

Know not only how to deliver the goods to your client but also how to make sure every access you were granted is revoked.

It can be as simple as a line inside the Client Agreement like this:

“After completion of the work, Client will be required to remove access to the following accounts.”

Make sure your client actually follows up on this. It’s for your benefit as well as theirs: an account nobody at the consultancy uses anymore is still a credential that can be stolen.

7. Consider an all-in-one system

Stringing together multiple tools to accomplish a task presents coordination challenges and increases the risk of mistakes. By minimizing the number of systems you use that have access to sensitive data, you decrease the security risk of your business and your clients.

Each additional tool for a client does not add a linear amount of risk. Every tool is a new set of credentials for every person, plus integration points with each tool already in place, so the number of connections between tools grows roughly with the square of the number of tools, and every connection is another stored credential or configuration that can go wrong. That complexity is a time cost and possibly a money cost, so choose wisely.

Consolidation is a valuable idea. Whether you use a tool like Arch or Databricks doesn’t matter as long as you reduce the number of access points.

Conclusion

Effective client credential management is crucial for data consultancies to mitigate security risks and protect their clients’ sensitive data. By using a different password for every application, keeping them in a password manager, organizing credentials by client, regularly reviewing application access, following a least-privilege access model, documenting handoffs and offboarding, and consolidating tools where possible, consultancies can achieve a much higher level of security.

Are there any regular security practices you perform that we didn’t mention? Let us know!