Twitter has been in the news lately. It has a new chief executive who is tinkering with his newest obsession, floating ideas about a subscription service, having high-profile users pay for verified accounts, and a whole lot of other changes that media outlets have flocked to cover. Alongside the sink-carrying and the tweetstorms, there have also been cutbacks in staffing, with large swaths of people let go as the company charts a new course toward profitability. Of particular note was a report earlier this week that nearly 80% of contract workers were cut. This is unfortunately part of the big tech landscape, as many tech giants are laying off lots of people with varying levels of notice.
In this case, these contract workers found out they were terminated over the weekend when they lost access to communication channels and other in-house systems. While there is now some finger pointing about the circumstances of this sudden cut in staff, it serves as a sad reminder of the importance of properly provisioning and deprovisioning access for all identities. Beyond the unfortunate reality that people are now unemployed, there is a matter of security and compliance. Organizations have been burned before by ex-employees feeling scorned, justifiably or not, and using their insider access after an incident to wreak havoc, exfiltrate data, and more.
Provisioning and deprovisioning access based on roles
When thinking of policies for deprovisioning access, it typically starts with roles. Roles could be assigned based on titles like sales representative, finance manager, programmer, IT systems administrator, and more. They could also be used to give users the same access rights to business systems based on their employment status, such as employee or third-party contractor. In organizations with lots of different people in different roles, assigning and removing access rights manually becomes increasingly complex, which leads to errors. Common errors include under-provisioning someone, leading to lost productivity, or over-permissioning access so that when it is no longer needed (such as when the person leaves the organization) it presents a security risk. Instituting role-based access control (RBAC) is a good way for organizations to meet compliance and improve security while removing much of the manual lift needed to provision access one by one.
The best practice for implementing RBAC is to use an IGA solution to provision and deprovision access automatically whenever events throughout the identity lifecycle occur. This could be someone joining an organization, moving roles, or leaving the organization altogether. These processes are initiated whenever someone is entered into an authoritative source, like an HR system, whenever their identity data is changed (for example, when they change job titles), or when they are marked inactive in the system. These events trigger the IGA solution to determine which policies should be added to or removed from someone’s identity; the result is then ready, where applicable, for review by the manager, who can also add or remove access according to the person’s job function and responsibilities. Access rights are then automatically provisioned or deprovisioned depending on the event in question.
Creating a process for deprovisioning
When working to offboard workers, creating a standard process for deprovisioning is critical to avoid security risks and maintain compliance with regulatory or audit requirements. By default, within an IGA solution, third-party contractors are onboarded with a defined start date and a clearly defined end date on which their contract is set to expire. This ensures that security and risk managers do not need to remember to remove the access of temporary workers on the exact date their contracts expire. They can also easily extend access rights if needed. For the entire workforce, setting a policy that deprovisions access when an identity record is no longer delivered by the source system can help reduce risk and uncertainty. This type of event happens if the data record of an identity is deleted, or when a record is marked as ‘not active.’ No matter the scenario, whenever an identity is terminated, all correlated accounts are disabled, access is revoked, and a transfer-of-ownership process begins to make sure that there are no productivity gaps. I have written previously about orphan accounts and why they present such a risk for all organizations. IGA helps in this deprovisioning process by identifying which accounts of deprovisioned users need to be reassigned or deleted.
The most common triggers for removing access are when:
- Someone removes their own direct access, either as part of a certification campaign or self-identifying that they no longer need access to a business resource
- A manager removes access for one of their direct reports
- A system or application owner removes access that someone has to the system or application they own
- Previously granted access rights reach a preset expiration date, such as when a third-party worker’s contract expires
- A data or domain administrator decides to remove anyone’s direct access
In practice, the process looks like this:
- The ‘valid to’ date or value in the identity record of the HR system or the IGA solution is reached, or the identity record missing from the source data triggers the process in the IGA solution
- Identity status is set to ‘terminated’
- The identity is terminated, all associated accounts are disabled, and access is revoked
- The transfer ownership process is triggered by the IGA system to ensure that all resources previously owned by the terminated identity are re-allocated
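To make the role-based lifecycle described earlier and the four-step deprovisioning process above concrete, here is a small added example that is not part of this post or of any Omada product. It is a toy lifecycle engine: it derives joiner, mover and leaver events by comparing an authoritative HR feed against the identity directory (a record that is inactive, past its ‘valid to’ date, or no longer delivered by the source is a leaver), sets entitlements from a role table, and on a leaver runs terminate, disable accounts, revoke access and transfer ownership to the manager. All role names, identities, accounts and dates are constructed for illustration.

```python
"""Toy identity-lifecycle engine (constructed example, not product code).
Derives join/move/leave events from an HR feed, applies role-based access,
and runs the deprovisioning steps on leavers."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed RBAC table: role -> entitlements that role grants
ROLE_ENTITLEMENTS = {
    "sales_rep": {"crm:read", "crm:write"},
    "finance_manager": {"erp:ledger", "erp:approve"},
    "contractor_dev": {"git:read", "ci:run"},
}

@dataclass
class Identity:
    identity_id: str
    role: str
    status: str = "active"                          # active | terminated
    accounts: dict = field(default_factory=dict)    # account -> enabled?
    entitlements: set = field(default_factory=set)
    owned_resources: set = field(default_factory=set)
    manager_id: Optional[str] = None

@dataclass
class HrRecord:
    identity_id: str
    role: str
    active: bool
    valid_to: Optional[date]        # None = open-ended; contractors get an end date
    manager_id: Optional[str] = None

def lifecycle_events(hr_feed, directory, today):
    """Compare the authoritative source with the directory; return
    (event, identity_id, record) tuples for join, move and leave."""
    feed = {r.identity_id: r for r in hr_feed}
    events = []
    for rid, rec in feed.items():
        expired = rec.valid_to is not None and rec.valid_to <= today
        if rid not in directory:
            if rec.active and not expired:
                events.append(("join", rid, rec))
            continue
        ident = directory[rid]
        if ident.status == "terminated":
            continue
        if not rec.active or expired:               # marked inactive or 'valid to' reached
            events.append(("leave", rid, rec))
        elif rec.role != ident.role:
            events.append(("move", rid, rec))
    for rid, ident in directory.items():            # record no longer delivered by HR
        if rid not in feed and ident.status != "terminated":
            events.append(("leave", rid, None))
    return events

def apply_role(ident, role):
    """Entitlements become exactly what the role grants, so a mover loses stale access."""
    ident.role = role
    ident.entitlements = set(ROLE_ENTITLEMENTS.get(role, set()))

def deprovision(ident, directory):
    """Terminate the identity, disable every correlated account, revoke all
    access, and transfer owned resources to the manager (or flag them as orphaned)."""
    ident.status = "terminated"
    for acct in ident.accounts:
        ident.accounts[acct] = False
    ident.entitlements.clear()
    new_owner = directory.get(ident.manager_id) if ident.manager_id else None
    transferred = set(ident.owned_resources)
    if new_owner is not None and new_owner.status == "active":
        new_owner.owned_resources |= transferred
        ident.owned_resources.clear()
        return ("transferred", new_owner.identity_id, transferred)
    return ("orphaned", None, transferred)          # needs manual reassignment

def run_cycle(hr_feed, directory, today):
    """Apply every lifecycle event and return an audit trail of what was done."""
    audit = []
    for event, rid, rec in lifecycle_events(hr_feed, directory, today):
        if event == "join":
            ident = Identity(rid, rec.role, accounts={"ad": True}, manager_id=rec.manager_id)
            apply_role(ident, rec.role)
            directory[rid] = ident
            audit.append((rid, "joined", sorted(ident.entitlements)))
        elif event == "move":
            apply_role(directory[rid], rec.role)
            audit.append((rid, "moved", sorted(directory[rid].entitlements)))
        else:
            audit.append((rid, "terminated", deprovision(directory[rid], directory)))
    return audit

def demo():
    """Constructed scenario: an expired contractor, a record HR stopped delivering, a new joiner."""
    today = date(2022, 11, 14)
    directory = {
        "mgr1": Identity("mgr1", "finance_manager", accounts={"ad": True},
                         entitlements=set(ROLE_ENTITLEMENTS["finance_manager"])),
        "c42": Identity("c42", "contractor_dev", accounts={"ad": True, "git": True},
                        entitlements=set(ROLE_ENTITLEMENTS["contractor_dev"]),
                        owned_resources={"repo:billing-svc"}, manager_id="mgr1"),
        "e7": Identity("e7", "sales_rep", accounts={"ad": True},
                       entitlements=set(ROLE_ENTITLEMENTS["sales_rep"]), manager_id="mgr1"),
    }
    hr_feed = [
        HrRecord("mgr1", "finance_manager", True, None),
        HrRecord("c42", "contractor_dev", True, date(2022, 11, 12), "mgr1"),  # contract expired
        # e7 is no longer delivered by the HR system -> leaver
        HrRecord("n9", "sales_rep", True, None, "mgr1"),                     # new joiner
    ]
    return run_cycle(hr_feed, directory, today), directory
```

Running `demo()` terminates the expired contractor and the identity whose HR record disappeared, disables all of their accounts, empties their entitlements, hands the contractor’s repository to the manager, and provisions the joiner with exactly the sales role’s entitlements. The design choice worth noting is that a mover’s entitlements are replaced rather than appended, which is what keeps role changes from accumulating the over-permissioning the post warns about; the ‘orphaned’ branch is where an IGA tool would surface resources that still need an owner.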
Omada has developed an identity governance framework based on 20+ years of experience that standardizes key processes every organization should implement as part of their IGA programs. Omada IdentityPROCESS+ defines several ways that customers can implement deprovisioning policies and processes to ensure that whenever the unfortunate reality of workforce turnover happens, access can be quickly deprovisioned without any lags in productivity.