
Three Considerations for Effective De-Provisioning

Provisioning is a continual hot topic when it comes to Identity and Access Management projects.  It is arguably one of the most visible business drivers that IT facilitates – getting people the access they need to do their jobs.

However, provisioning has an often-overlooked younger sibling called de-provisioning (the revocation of access). And the thing is, if ignored or neglected, de-provisioning can cause some serious problems in your organization. Limiting privileged user access and protecting your business-critical data can help you prevent a security breach or publicity nightmare. The following are three things to consider when approaching de-provisioning:

  • Automate De-Provisioning. It is critical to revoke access as soon as an employee no longer requires access to that information to perform their job. Relying on humans to do this only results in delays, errors or neglect, because most IT staff are stretched to their limit with other business-critical projects or fighting emergency situations. We’ve heard time and time again that they don’t have the time to sit and meticulously comb through a user’s access to determine if it’s relevant, and as a result, they are finding that automating de-provisioning is saving them many headaches. Additionally, it’s saving them from having to perform forensics down the road when a security breach happens due to unauthorized use of critical data.
  • Capture an audit trail and securely store it. When a security event occurs, the first thing folks want to know is what information the person in question had access to and how they used that access. As you implement processes for de-provisioning, make sure to capture audit logs that clearly show when a user was granted access to information and when that access was revoked. Also, you want to capture who approved, granted or revoked that access. This will simplify the process of performing forensics after a security event and also streamline the process of producing reports for auditors, who also love to ask the question, “show me what this terminated employee had access to over the last 60 days.”
  • De-Provisioning isn’t just for folks who leave the company. De-provisioning is the act of revoking access. As users’ roles change and evolve in an organization, they can gradually begin to “stock-pile” access over the course of their career that is unnecessary for their current role. Sure – removing access when a user leaves a company is critical, but it’s just as critical to control the access that your current employees have as well.

Granting and revoking access can be a time-consuming and error-prone activity if a process is not in place. It’s critical to understand how your business works and how employees’ roles develop over time so that you can align your provisioning and de-provisioning processes to most effectively secure your critical data while still maintaining and supporting business continuity.
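As an added illustration (not part of the original post), the sketch below shows how the audit trail described in the second consideration can answer the auditor's 60-day question and expose access that was never revoked. The record layout, user names, entitlement names and function names are all assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not from the original post):
# (timestamp, action, user, entitlement, actor who approved or performed it)
EVENTS = [
    ("2010-01-10T08:00", "grant",  "jdoe",   "legacy-ftp",    "mgr.jones"),
    ("2010-02-15T08:00", "revoke", "jdoe",   "legacy-ftp",    "it.ops"),
    ("2010-03-01T09:00", "grant",  "jdoe",   "finance-share", "mgr.smith"),
    ("2010-04-01T08:00", "grant",  "asmith", "crm-admin",     "mgr.smith"),
    ("2010-05-20T10:00", "grant",  "jdoe",   "crm-admin",     "mgr.smith"),
    ("2010-06-01T17:30", "revoke", "jdoe",   "finance-share", "it.ops"),
]

def access_in_window(events, user, as_of, days=60):
    """Entitlements `user` held at any point in the `days` before `as_of`.

    Returns (entitlement, granted_at, granted_by, revoked_at, revoked_by)
    tuples; revoked_at is None when access was still open at `as_of`.
    """
    start = as_of - timedelta(days=days)
    open_grants = {}  # entitlement -> (granted_at, granted_by)
    held = []
    # ISO-8601 timestamps in one format sort chronologically as strings.
    for ts, action, who, ent, actor in sorted(events):
        when = datetime.fromisoformat(ts)
        if who != user or when > as_of:
            continue
        if action == "grant":
            open_grants.setdefault(ent, (when, actor))  # keep earliest open grant
        elif action == "revoke" and ent in open_grants:
            granted_at, granted_by = open_grants.pop(ent)
            if when >= start:  # access interval overlaps the audit window
                held.append((ent, granted_at, granted_by, when, actor))
    for ent, (granted_at, granted_by) in open_grants.items():
        held.append((ent, granted_at, granted_by, None, None))
    return sorted(held, key=lambda r: (r[0], r[1]))

def unrevoked(events, user, as_of):
    """Entitlements never revoked as of `as_of`: the de-provisioning gap."""
    return [r[0] for r in access_in_window(events, user, as_of) if r[3] is None]

if __name__ == "__main__":
    for row in access_in_window(EVENTS, "jdoe", datetime(2010, 7, 14)):
        print(row)
    print("still open:", unrevoked(EVENTS, "jdoe", datetime(2010, 7, 14)))
```

The same `unrevoked` check, run against current employees rather than leavers, lists the accumulated access described in the third consideration.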


Posted Jul 14 2010, 03:35 PM by Erin Avery

Comments

All Things Admin wrote Change is good, except when it isn’t
on Sep 2, 2010 2:28 PM

The last two years have been a wild and crazy ride for most companies. Mergers, acquisitions, layoffs
