Provisioning is the task of ensuring that, at all times during their career with a given employer, members of staff enjoy the necessary access privileges, equipment and other IT resources they need in order to fulfil their role. Managing that process both accurately and efficiently – not to mention within budget and on time – can be extremely difficult. Thankfully, as Michael Burling explains, software solutions are now available to assist the dedicated in-house professional.

Company BOSSES often like to describe their employees as the organisation’s greatest asset. However, those same bosses often neglect to control the property entrusted to those employees: property which, all too often, is lost or misappropriated during an employee’s time with the firm, and which is frequently unaccounted for when that employee leaves or changes jobs internally.

Picture the all-too-common scene. You appoint a new marketing manager. He or she will require a password for the central network, and for external Internet access through the firewall. He or she will also need a Virtual Private Network (VPN) password to access the system from home, as well as permissions for various internal databases, external subscription-based research sites and up-to-date stock price systems. Oh yes, let’s not forget access to the main Intranet, either.

The marketing manager will probably be entitled to a company car, and possibly membership of the corporate gym and the sports club. Then there’s an obvious requirement for a PDA and a mobile phone, a USB memory stick and perhaps a ‘calling card’ such that the individual in question can use foreign payphones to call the UK while abroad on business. And what about a key to the office? Perhaps another for the main doors of the building? Then there’s the code number for the alarms just in case weekend working is required. The list is almost endless...

Arranging for all of these items is known as provisioning. Putting everything in place for a new member of staff is difficult enough, but even trickier is keeping track of those assets once they have been granted, and revoking them when someone leaves the company or changes their role. That is the very reason why so many companies simply do not bother, and thus rarely find out that an asset is being misused or has been lost until it is far too late.

Corporate asset misuse

The misuse of corporate assets takes many forms. All are irritating, some are merely inconvenient, yet a few can be seriously dangerous to the reputation of the company and even compromise its survival.

Among those misuses in the ‘merely inconvenient’ class might be a former employee entering his or her previous place of work at lunchtime and obtaining cheap food because someone neglected to relieve them of their privilege card when they left their job. A more dangerous case is someone who retains access to their previous employer’s computer system because the Personnel Department failed to realise that the individual concerned held two different accounts, and only one of them was disabled on resignation.

Then there is the employee who, on leaving, handed back the keys to the front door of the building but failed to remind the company that they also possessed a key to the warehouse located just around the corner.

Stories of ex-employees being able to gain access to the computer systems of previous employers are rife, while access still being possible after many months post-resignation is common. In one instance that was brought to my attention, an account still hadn’t been disabled after six years!

In the case of someone who leaves a job only to take up a similar position with a competitor, it’s hard to imagine a more damaging scenario.

Turning to software solutions

Thankfully, there are now software tools available to assist security and IT managers with the task of provisioning. They allow companies to keep track of all assets that are issued to staff. This includes physical assets – cars and computers, etc – entitlements like club memberships and discounted staff restaurant rates and any access to internal and third party computer systems. Thus when an employee leaves the company or changes his or her job, it is easy to discover which assets should be denied, recalled, disabled or returned.

All of this helps with audit compliance, of course, and also saves money. After all, why buy a new copy of Microsoft Office for an incoming employee when there are four licences available that were previously used by staff in another department but which are now no longer required?


There’s no point in continuing to pay for a Bloomberg or Reuters subscription for someone who previously worked in the investments office but has now moved sideways into a marketing role. An automated provisioning system can spot this change of role and automatically alert the person who manages the subscriptions.

When someone leaves the company, provisioning software means that all of their computer accounts may be shut down in a single action. This is particularly important in the case of a dismissal, where leaving a single electronic door open can place the company at serious risk from the proverbial disgruntled employee. There is a clear list of tangible items available so that the employee and the employer know what needs to be returned.

Automated provisioning management systems can be particularly useful where temporary staff – or those on relatively short-term contracts – are employed. It’s convenient merely to create a batch of generic, highly privileged network usernames of, say, Temp1 to Temp20 and then allocate them to temporary staff as required. Such a practice is commonplace, but it’s also highly dangerous: because the accounts are shared, it becomes almost impossible to pin down unauthorised access to a specific person, and the passwords are known to everyone who has ever used them.

It is also inadvisable to grant users permissions for systems they have no need to access, even if you are confident that they’ll probably never discover those systems. Even if the temps do not know about them, other long-standing members of staff will. With an automated provisioning system, the company simply defines a set of temporary job functions and the system can then create (and, just as importantly, revoke) individual usernames with the correct set of privileges when required.

Identity management issues

Provisioning systems often include identity management capabilities. This allows control and organisation of what can be a major problem area for a good many companies – namely the management of access rights and passwords across multiple systems.

When security auditors ask a company’s IT manager for a list of all key computing resources, and details of which staff have access to which resources, it is often impossible to produce a definitive list because the information is spread across the internal access control lists of many different servers running a multitude of operating systems. A corporate inability to accurately list the components of someone’s electronic identity makes auditing difficult, and will hinder investigations if a system is hacked.

Identity management software allows companies to define roles which correspond to job functions. By assigning staff to one or more roles, their access rights across multiple systems can be granted, revoked or changed in a single step. Because the software can report on users’ access rights and cross-reference them in customised reports, it can also alert companies to potentially dangerous (or even illegal) combinations of privileges before they arise.

Consider this example. An employee who has been granted access to the procurement system for raising purchase orders should be prevented from subsequently being granted access to the system which issues payments to suppliers. Holding both would let that person set up a bogus supplier, raise orders against it and then approve the payments, with no second pair of eyes involved; keeping the two entitlements apart (segregation of duties) removes that opportunity. The software warns against such combinations at the moment the second grant is requested, even if that is many years after the first.
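The role model and the segregation-of-duties check described in the last two paragraphs, as an added illustration that is not part of the original article and not any real product’s code. The role names, systems, rule name and user names are assumed for the example. The point is that users hold roles rather than raw permissions, that the toxic combination is tested at every grant however late it comes, and that the same data yields the auditor’s who-has-what list:

```python
from datetime import date

# Constructed example data (not from the article): each role maps to the
# entitlements it confers on named systems.
ROLE_ENTITLEMENTS = {
    "marketing-manager": {"intranet", "vpn", "crm", "research-portal"},
    "procurement-buyer": {"intranet", "procurement"},
    "accounts-payable": {"intranet", "supplier-payments"},
}

# Segregation-of-duties rules: sets of entitlements no single person may
# hold at the same time. The order-and-pay rule is the article's example;
# the rule name itself is assumed.
SOD_RULES = {
    "order-and-pay": frozenset({"procurement", "supplier-payments"}),
}


class SoDViolation(Exception):
    """Raised when a role assignment would create a toxic combination."""


def entitlements_for(roles):
    """Union of the entitlements conferred by every role held."""
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS[role]
    return ents


def sod_violations(entitlements):
    """Names of SoD rules whose full entitlement set is held."""
    return sorted(name for name, rule in SOD_RULES.items() if rule <= entitlements)


class IdentityStore:
    """Minimal role-based identity store: users hold roles, not permissions."""

    def __init__(self):
        self.roles = {}      # username -> set of role names
        self.history = []    # (date, username, action, role) audit trail

    def assign_role(self, username, role, when):
        proposed = self.roles.get(username, set()) | {role}
        violated = sod_violations(entitlements_for(proposed))
        if violated:
            # Refuse the grant however long after the first role it comes.
            raise SoDViolation(f"{username}: {role} would violate {violated}")
        self.roles[username] = proposed
        self.history.append((when, username, "assign", role))

    def revoke_role(self, username, role, when):
        self.roles.get(username, set()).discard(role)
        self.history.append((when, username, "revoke", role))

    def entitlements(self, username):
        return entitlements_for(self.roles.get(username, set()))

    def access_matrix(self):
        """Auditor's view: system -> sorted list of users with access."""
        matrix = {}
        for user in self.roles:
            for ent in self.entitlements(user):
                matrix.setdefault(ent, []).append(user)
        return {sys: sorted(users) for sys, users in sorted(matrix.items())}


def demo():
    """Buyer is granted in 2001; the conflicting payments role is refused
    five years later; a sideways move to marketing swaps the roles."""
    store = IdentityStore()
    store.assign_role("jsmith", "procurement-buyer", date(2001, 4, 2))
    store.assign_role("akhan", "accounts-payable", date(2001, 4, 2))
    try:
        store.assign_role("jsmith", "accounts-payable", date(2006, 9, 1))
        blocked = False
    except SoDViolation:
        blocked = True
    store.revoke_role("jsmith", "procurement-buyer", date(2007, 1, 8))
    store.assign_role("jsmith", "marketing-manager", date(2007, 1, 8))
    return blocked, store.entitlements("jsmith"), store.access_matrix()


if __name__ == "__main__":
    print(demo())
```

The check lives in `assign_role`, so it cannot be bypassed by granting the second role through a different screen or years later; the `history` list is the evidence an auditor would ask for, and `access_matrix` is the definitive who-has-what list the next section says companies often cannot produce.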

Generally speaking, identity management solutions also offer self-service password resets, freeing the Help Desk staff from the expensive and time-consuming task of dealing with users who have forgotten their password.

Joiners, Leavers and Movers

Some joiners request access to internal systems before their official start date in order that they can begin to introduce themselves via e-mail. This is inadvisable, as the employee will probably not have signed all of his or her contracts and thus will not yet be governed by the company’s IT Conditions of Use or Acceptable Use Policies.


If key clients and external partners are given access to your company’s network, ensure that each registered user has a unique username so that their actions may be tracked and logged. If such a user changes employer or job function, consider whether or not their access rights are still relevant. For example, their new employer might be a competitor of one of your company’s divisions.

If an employee changes roles within the company, examine the systems to which they have access and consider how this might need changing. Promoting an employee doesn’t necessarily mean that they still require access to all of the internal systems they were previously entitled to use.

Always ensure that access to key systems is closed as soon as an employee leaves at the end of their notice period. The use of an identity management tool will help to ensure that all access privileges assigned to the employee have been revoked. When an employee leaves, make sure that all company assets have been returned. Again, the use of automated provisioning software can make this onerous task far less painful than it otherwise might be.

Check that former members of staff are no longer on any internal e-mail listings. This is particularly important if their mail was forwarded to an external account, as they may be able to continue reading it even if their access to the corporate e-mail system has been revoked. If dismissing an employee, withdraw their access to key systems immediately either before – or during – the dismissal meeting.

Don’t make the mistake of destroying usage records when a member of staff leaves. Their abuses of the system may not come to light until some time after they have departed, so it’s vitally important you hang on to the evidence.

In addition, audit your systems to ensure that no accounts belonging to former members of staff remain active. If you find any, check the last log-in date and investigate any which raise concerns.
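An added example, not from the original article, of the leaver checks in the last few paragraphs. It cross-references a constructed HR leaver list against account records exported from several systems and flags accounts still enabled for leavers (including the overlooked second account from the earlier anecdote), logins after the leaving date, shared accounts that cannot be tied to a person, dormant accounts by last log-in date, and mail forwarded to external addresses; it also shows the one-action disable for a leaver. All names, dates and domains are made up, and the 90-day dormancy threshold is an assumption:

```python
from datetime import date

# Constructed sample records (not real data): what an HR feed and several
# system account exports might look like once pulled together.
HR_LEAVERS = {"E1001": date(2005, 3, 31)}   # employee id -> last day of notice
INTERNAL_DOMAINS = {"example.com"}          # assumed corporate mail domain

ACCOUNTS = [
    # system, username, owning employee id (None = shared/unknown), enabled, last login
    {"system": "network", "username": "jsmith",  "owner": "E1001", "enabled": False, "last_login": date(2005, 3, 30)},
    {"system": "vpn",     "username": "jsmith2", "owner": "E1001", "enabled": True,  "last_login": date(2005, 6, 2)},
    {"system": "network", "username": "temp7",   "owner": None,    "enabled": True,  "last_login": date(2005, 6, 10)},
    {"system": "crm",     "username": "akhan",   "owner": "E1002", "enabled": True,  "last_login": date(2004, 11, 1)},
    {"system": "network", "username": "akhan",   "owner": "E1002", "enabled": True,  "last_login": date(2005, 6, 12)},
]
MAIL_FORWARDS = {
    "jsmith": "j.smith@example.net",   # forward to an external mailbox
    "akhan": "akhan@example.com",      # internal, fine
}


def audit_accounts(accounts, leavers, forwards, today, dormant_days=90):
    """Return findings as (severity, check, system, username, detail) tuples."""
    findings = []
    for a in accounts:
        owner, key = a["owner"], (a["system"], a["username"])
        if owner is None:
            findings.append(("medium", "shared-or-unattributed", *key,
                             "cannot tie activity to a person"))
            continue
        if owner in leavers:
            left = leavers[owner]
            if a["enabled"]:
                findings.append(("high", "leaver-still-enabled", *key,
                                 f"{owner} left {left}"))
            if a["last_login"] and a["last_login"] > left:
                findings.append(("high", "login-after-leaving", *key,
                                 f"last login {a['last_login']} after {left}"))
        elif a["enabled"] and a["last_login"] and (today - a["last_login"]).days > dormant_days:
            findings.append(("low", "dormant", *key,
                             f"no login for {(today - a['last_login']).days} days"))
    # Forwarding rules outlive account revocation, so check them separately.
    for user, dest in forwards.items():
        domain = dest.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            findings.append(("high", "external-forward", "email", user, dest))
    return findings


def disable_all(accounts, owner):
    """Leaver action: disable every account tied to one employee at once."""
    touched = []
    for a in accounts:
        if a["owner"] == owner and a["enabled"]:
            a["enabled"] = False
            touched.append((a["system"], a["username"]))
    return touched


def run_demo(today=date(2005, 7, 1)):
    """Audit the constructed records as of an assumed audit date."""
    return audit_accounts(ACCOUNTS, HR_LEAVERS, MAIL_FORWARDS, today)


if __name__ == "__main__":
    for finding in run_demo():
        print(*finding)
    print("disabled:", disable_all(ACCOUNTS, "E1001"))
```

Note that the disabled `jsmith` network account produces no finding while the second `jsmith2` VPN account does: linking every account to an employee identifier, rather than matching on username, is what catches the case the article describes. Account records are never deleted here, only disabled, so the usage history remains available should a problem come to light later.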

Do not forget to change intruder alarm and numeric-pad lock combinations on a regular basis, and in particular when someone who knows the numbers either leaves the company or is dismissed.

Far from straightforward

Provisioning is one of the latest so-called enterprise IT buzz phrases, although it actually describes a process that has been occurring for decades. The multiplicity of systems, applications and information sources required by employees in the workplace – coupled with the need to offer a range of perks to staff in order to attract or retain them – means that provisioning is now more complex than at any time in the past.

With staff requiring access to so many internal and external computer systems, all of which might require separate usernames, passwords and access privileges, identity management – i.e. keeping track of who has access to what – is far from straightforward.

The provisioning and identity management burden placed upon IT and security managers as well as Personnel Departments can – thankfully – now be eased through the use of dedicated software management systems.