A lot of business owners are implementing automation to strengthen their company’s security and improve the overall efficiency of IT processes. It’s fair enough that they primarily think about their current employees. But forgetting about the users who have left can be a big mistake. It can lead to massive security holes and literally cost you millions of dollars.
What Is User Deprovisioning
The deprovisioning process is a set of actions that need to be executed before a user leaves the company and becomes an ex-employee. These are the typical steps that need to be executed:
- all personal assets need to be secured and archived;
- all accounts in all connected systems need to be disabled;
- any active licenses need to be revoked;
- all access rights need to be taken away.
Deprovisioning your users properly is very important because it protects your company, including its operations and security-sensitive data. We all know that ex-employees are sometimes not the happiest people and might have some harsh feelings for your company. Therefore, you don’t want to give them any sort of access to your systems. Nor do you want somebody else to gain access to your ex-employee’s account.
What Can You Do with It
The first thing you need to do is to extensively document the process and constantly update the documentation. If a new system that has its own user accounts or access rights is added to the environment, make sure that deleting them is on the deprovisioning list of actions.
You also need to ensure that everybody who executes the process always has access to the latest version of the list and has sufficient permissions to execute all the operations.
What can possibly go wrong?
If deprovisioning is done manually, there is a high chance of human error. It’s enough for somebody to miss a single step during offboarding to leave a security hole in your IT environment. And the main problem with such a hole is that it’s very hard to notice until it’s too late.
You might think that something like that is highly unlikely to happen in the real world, but the numbers tell a different story. According to the industry study published in 2016, a whopping 42% of people report that they have some sort of access to their previous workplace’s IT systems.
One of the most prominent and best-remembered cases of improper user deprovisioning was back in 2014, when Sony Entertainment was hacked. After some investigation, it was revealed that the hack exploited access that had been left to a dissatisfied ex-employee. As we know, the consequences were not pleasant at all. The damage was evaluated to be around $100 million! All that because the user deprovisioning procedures weren’t done properly.
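A missed offboarding step like the ones described above can be caught by checking every connected system for the departed user's remaining access. The following is an added example, not part of the original article or any Softerra product: it checks the four deprovisioning steps listed earlier and also flags systems missing from the documented checklist. The record layout, system names and users are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    system: str                      # connected system holding the account
    user: str
    enabled: bool
    licenses: list = field(default_factory=list)
    access_rights: list = field(default_factory=list)
    assets_archived: bool = True

def audit_offboarding(leavers, accounts, checklist_systems):
    """Return sorted (user, system, problem) findings for departed users."""
    gone = {u.lower() for u in leavers}   # systems differ in username case
    findings = []
    # A system with accounts that is not on the documented checklist
    # will be skipped at every offboarding, so report it once.
    for system in {a.system for a in accounts} - set(checklist_systems):
        findings.append(("*", system, "system missing from checklist"))
    for a in accounts:
        user = a.user.lower()
        if user not in gone:
            continue
        if a.enabled:
            findings.append((user, a.system, "account still enabled"))
        for lic in a.licenses:
            findings.append((user, a.system, f"license not revoked: {lic}"))
        for right in a.access_rights:
            findings.append((user, a.system, f"access right not removed: {right}"))
        if not a.assets_archived:
            findings.append((user, a.system, "personal assets not archived"))
    return sorted(findings)

# Constructed sample data: names and systems are illustrative only.
CHECKLIST = ["directory", "mail", "crm"]
LEAVERS = ["jdoe", "asmith"]
ACCOUNTS = [
    Account("directory", "jdoe", False),
    Account("mail", "jdoe", False, licenses=["mail-standard"]),
    Account("crm", "JDoe", True, access_rights=["sales-reports"]),
    Account("directory", "asmith", False),
    Account("wiki", "asmith", True, ["wiki-seat"], ["editors"], False),
    Account("directory", "bnguyen", True, access_rights=["staff"]),  # current employee
]

if __name__ == "__main__":
    for user, system, problem in audit_offboarding(LEAVERS, ACCOUNTS, CHECKLIST):
        print(f"{user:8} {system:10} {problem}")
```

Run on a schedule against real exports from each system, an empty result means every leaver was fully deprovisioned everywhere the checklist covers.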
How to protect yourself
To minimize the potential risks, it’s important to include deprovisioning in your automation processes. This has three main benefits.
One. All deprovisioning actions will be executed properly every time the procedure is launched. Automation makes it a one-step action for anybody who’s in charge of the execution. This means that you don’t have to worry about missed steps or any other mistakes that can occur along the way.
Two. Automation means that if you have different deprovisioning scenarios for different types of users, you can just add them once to the workflow and never bother about it anymore. Machines don’t really care about how complex your set of tasks is.
Three. Automated offboarding means that all operations happen instantly. Sometimes timing is very important. For example, if an angry ex-employee wants to copy some info that he or she has access to, it’s important to limit this access at the exact moment when the decision is made.
The toolset that can be used to implement the automation can vary a lot, depending on factors like the size of your company, the rate of user flow, the complexity of your procedures, etc. It can range from home-grown PowerShell scripts to complex third-party solutions, like the one we at Softerra provide with Adaxes.
Automating user deprovisioning is a very important aspect of securing your company’s data as well as improving the overall efficiency of IT processes. Avoiding the human factor significantly reduces the risks of basic attacks, which are also the most common ones.
Irrespective of the tools that you use, the benefits of automating user offboarding will eventually pay off. Investing in security and efficiency always does.
Written by: Anton Pozdnyakov, CMO at Softerra.
Softerra provides Adaxes, a comprehensive management and automation solution for Active Directory, Exchange and Office 365. It helps enterprises to increase IT security, reduce workload on IT staff and enforce data standards.