11/18/2011
04:32 PM
Tech Insight: Securely Adding New Users -- And Subtracting Old Ones

How can enterprises quickly provision new users with secure access and "off-board" users who should no longer be on the system? Here are some tips.

When it comes to security administration, few tasks have remained as consistently painful over the years as provisioning new users, deactivating ("off-boarding") departed users, and managing access rights. It has always been a struggle for IT organizations to ensure that every user account is managed, and disabled, in a timely manner. And with the adoption of distributed "cloud" and software-as-a-service offerings, user management is becoming harder, not easier: each service that keeps its own user list is one more place an account can be forgotten.

Organizations typically approach user rights in one of two ways: role-based access, which gives every member of a team the same rights; or user-based access, in which access is granted based on the individual user’s specific needs.

For IT administrators, role-based access makes initial setup easy by providing a template. User-based provisioning allows for more flexible access rights, but it is more complex and time-consuming for IT to manage. To get the best of both worlds, start with a template that meets the majority of user needs -- and then add extra rights as needed.

Over time, there will be "access creep" -- you'll need to remove privileges as users change job functions or complete projects, or as your internal standards change. Automated reporting and auditing of user rights to detect deltas from the standard template -- or from previously approved exceptions -- will help you to monitor privileges and escalate problems only, thus saving time on auditing while helping you to identify potential risks more quickly.
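The delta report described above, as an added example (not code from the article or from TiVo): every user is compared against the template for their role plus any approved exception that has not yet expired, and only deviations are emitted. The role names, group names, users and expiry dates are constructed sample data.

```python
"""Access-creep audit: compare each user's actual group membership with the
role template for their job function plus any currently approved exceptions,
and report only the deltas. All roles, users and groups below are constructed
sample data, not any real directory's."""
from dataclasses import dataclass
from datetime import date

# Role templates: the baseline rights every member of a role receives.
ROLE_TEMPLATES = {
    "engineer": {"vpn", "git", "jira", "wiki"},
    "finance": {"vpn", "erp", "expense"},
    "support": {"vpn", "ticketing", "wiki"},
}

# Approved exceptions: (user, group) -> date the approval expires. An
# exception past its expiry no longer justifies holding the extra right.
APPROVED_EXCEPTIONS = {
    ("alice", "prod-ssh"): date(2012, 6, 30),
    ("carol", "erp"): date(2011, 10, 31),  # lapsed before the audit date
}


@dataclass
class Finding:
    user: str
    role: str
    excess: set   # rights beyond template + valid exceptions
    missing: set  # template rights the user does not hold
    lapsed: set   # subset of excess that was once approved, but the approval expired


def audit(users, memberships, as_of):
    """users: {user: role}; memberships: {user: set of groups actually held}.
    Returns Findings only for users whose rights deviate from their template,
    so a clean directory produces an empty report."""
    findings = []
    for user, role in sorted(users.items()):
        template = ROLE_TEMPLATES[role]
        actual = memberships.get(user, set())
        valid_exc, lapsed_exc = set(), set()
        for (exc_user, group), expiry in APPROVED_EXCEPTIONS.items():
            if exc_user == user:
                (valid_exc if expiry >= as_of else lapsed_exc).add(group)
        excess = actual - template - valid_exc
        missing = template - actual
        if excess or missing:
            findings.append(Finding(user, role, excess, missing, excess & lapsed_exc))
    return findings


def run_sample():
    """Constructed directory snapshot as of the article's date."""
    users = {"alice": "engineer", "bob": "finance",
             "carol": "support", "dave": "engineer"}
    memberships = {
        "alice": {"vpn", "git", "jira", "wiki", "prod-ssh"},  # covered by a valid exception
        "bob": {"vpn", "erp", "expense", "git"},              # git is unexplained creep
        "carol": {"vpn", "ticketing", "wiki", "erp"},         # erp approval has lapsed
        "dave": {"vpn", "git"},                               # under-provisioned
    }
    return audit(users, memberships, as_of=date(2011, 11, 18))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user} ({f.role}): excess={sorted(f.excess)} "
              f"lapsed={sorted(f.lapsed)} missing={sorted(f.missing)}")
```

Two design points matter in practice. Exceptions carry an expiry, so a right that was legitimately granted for a project is flagged again once the project should be over, which is exactly the creep the paragraph describes. And the report is silent for users who match their template, so the audit can run on every directory sync and only escalate real deviations. Accounts that appear in the directory but have no role assigned are a separate signal (an owner-less account) and are better fed to the off-boarding process than to this template check.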

For the security team, deprovisioning departed users is just as important as adding new ones. There have been many cases of security breaches in which a disgruntled former user still had working credentials and used them against the company. An account that outlives its owner's employment is an open door, and timely deprovisioning is the control that closes it.

Here where I work at TiVo, we’ve standardized on central authentication systems, allowing IT to disable an account in a single place and effectively revoke all access across the company. Well, more or less. Now that we’re implementing SaaS services that aren’t managed through a central account management system, we’ve returned to the days of the Wild West of user management. Vendors such as Okta and Symplified aim to solve this problem with their commercial solutions, but enterprises are still struggling to set strategy and implement a solution.

The problem of user management can also be compounded if your enterprise does a lot of outsourcing. Often, outsourced personnel aren’t processed through the same methods as direct employees. While we can use the payroll system to track and provision employees, outsourced staff might come to us via a vendor with an overarching purchase order, or a staffing agency that charges per staffer on a consolidated bill. IT organizations struggle to keep track of these accounts, ensure managers submit off-boarding forms, and disable access in a timely manner.

Simplification and automation always make life better. Review your processes to understand where the provisioning issues are. If the organization is struggling with assigning rights, then create templates or implement user management tools. On the other hand, if IT isn’t informed of user exits, you might need to implement an expiration date for all non-full-time users aligned with the purchase order, statement of work, or contract. While it's true that some users in that environment might leave prior to the contract expiration date, this approach limits risk by providing a backstop -- and helps you gauge how long the risk could exist.

In all cases, seek to automate the reporting that ties user access to time entries and other activity, and instruct managers to confirm that the accounts reporting to them are still valid. Use manager feedback and inactive-account reports to determine which users should be disabled or off-boarded completely. While this can be time-consuming, it's a useful exercise even if you do it only on a one-time or limited basis. It will provide insight into how bad the problem truly is, where to start, and which departments carry the most risk.
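The backstop and review logic from the preceding paragraphs, as an added example (not code from the article or from TiVo). Employees are checked against the payroll list, contractors against the purchase-order or contract end date, and every account against an inactivity limit and a manager attestation period; the result is a disable/review decision per account and a per-manager count of where the risk concentrates. The accounts, dates, payroll list and the 45-day and 90-day thresholds are constructed assumptions for the example.

```python
"""Off-boarding backstop audit. For each account decide whether it must be
disabled (the backstop fired) or merely escalated to its manager for review.
Accounts, dates, thresholds and the payroll list are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=45)    # no login for this long -> ask the manager
ATTESTATION_PERIOD = timedelta(days=90)  # managers must reconfirm each account this often


@dataclass
class Account:
    user: str
    kind: str                 # "employee" (tracked by payroll) or "contractor" (tracked by PO/SOW)
    manager: str
    last_login: Optional[date]
    contract_end: Optional[date] = None  # PO, SOW or contract end date; contractors only
    attested_on: Optional[date] = None   # last time the manager confirmed the account is valid


def decide(acct, active_payroll, today):
    """Return (action, reason). Hard stops (disable) take precedence over
    signals that only justify a review."""
    if acct.kind == "employee" and acct.user not in active_payroll:
        return "disable", "not on active payroll"
    if acct.kind == "contractor":
        if acct.contract_end is None:
            return "review", "contractor account has no contract end date (no backstop)"
        if acct.contract_end < today:
            return "disable", f"contract ended {acct.contract_end.isoformat()}"
    if acct.last_login is None or today - acct.last_login > INACTIVITY_LIMIT:
        return "review", "inactive"
    if acct.attested_on is None or today - acct.attested_on > ATTESTATION_PERIOD:
        return "review", "manager attestation overdue"
    return "ok", ""


def audit(accounts, active_payroll, today):
    return {a.user: decide(a, active_payroll, today) for a in accounts}


def risk_by_manager(accounts, decisions):
    """Count accounts needing action per manager, to show where the problem concentrates."""
    counts = {}
    for a in accounts:
        if decisions[a.user][0] != "ok":
            counts[a.manager] = counts.get(a.manager, 0) + 1
    return counts


def run_sample():
    today = date(2011, 11, 18)
    active_payroll = {"alice", "dave"}  # bob has left but still holds an account
    accounts = [
        Account("alice", "employee", "mgr-eng", date(2011, 11, 17), attested_on=date(2011, 10, 1)),
        Account("bob", "employee", "mgr-fin", date(2011, 11, 16), attested_on=date(2011, 10, 1)),
        Account("carol", "contractor", "mgr-eng", date(2011, 11, 10),
                contract_end=date(2011, 10, 31), attested_on=date(2011, 11, 1)),
        Account("dave", "employee", "mgr-fin", date(2011, 9, 1), attested_on=date(2011, 11, 1)),
        Account("erin", "contractor", "mgr-eng", date(2011, 11, 15),
                contract_end=date(2012, 3, 31)),
        Account("frank", "contractor", "mgr-fin", None,
                contract_end=date(2012, 1, 31), attested_on=date(2011, 11, 1)),
    ]
    decisions = audit(accounts, active_payroll, today)
    return decisions, risk_by_manager(accounts, decisions)


if __name__ == "__main__":
    decisions, risk = run_sample()
    for user, (action, reason) in decisions.items():
        print(f"{user:6} {action:8} {reason}")
    print("accounts needing action per manager:", risk)
```

Note that bob and carol are both still logging in, so an inactivity check alone would never have caught them; it is the payroll cross-check and the contract-end backstop that flag them. Conversely, erin and frank are within contract but have no current manager confirmation or have never logged in, which is the "does anyone still need this?" question the paragraph says to put to managers.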

Once your organization understands where the risks are and how processes can be improved, purchasing identity management solutions, restructuring provisioning processes, implementing automation, and addressing the points where people fail to follow the process all become possible. Custom automation -- integrated with off-boarding forms or audits of group membership -- can help you improve the process when budgets are tight or manual effort would be too time-consuming.

Use your imagination. Reinvent processes, and find what works for your organization. If the process is already failing, then try something new. As painful as it continues to be, provisioning users is a critical part of your organization's overall security strategy.
