Tech Insight: Securely Adding New Users -- And Subtracting Old Ones

How can enterprises quickly provision new users with secure access and "off-board" users who should no longer be on the system? Here are some tips.

When it comes to security administration, few tasks have remained as consistently painful over the years as provisioning new users, deactivating ("off-boarding") old users, and access rights management. It has always been a struggle for IT organizations to ensure that all user accounts are managed and disabled in a timely manner. And with the adoption of distributed "cloud" and software-as-a-service offerings, user management is becoming harder, not easier.

Organizations typically approach user rights in one of two ways: role-based access, which gives every member of a team the same rights; or user-based access, in which access is granted based on the individual user’s specific needs.

For IT administrators, role-based access makes initial setup easy by providing a template. User-based provisioning allows for more flexible access rights, but it is more complex and time-consuming for IT to manage. To get the best of both worlds, start with a template that meets the majority of user needs -- and then add extra rights as needed.

Over time, there will be "access creep" -- you'll need to remove privileges as users change job functions or complete projects, or as your internal standards change. Automated reporting and auditing of user rights to detect deltas from the standard template -- or from previously approved exceptions -- will help you to monitor privileges and escalate problems only, thus saving time on auditing while helping you to identify potential risks more quickly.
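The template-delta audit described above, as an added example (not code from the article or from TiVo). It assumes a constructed directory snapshot with a role per account, a set of role templates, and approved exceptions that carry an expiry date, and it reports only the deltas that need escalation:

```python
from datetime import date

# Constructed sample data, not from the article: role templates, approved
# exceptions (with the date the approval lapses) and the groups each
# account actually holds today.
ROLE_TEMPLATES = {
    "engineer": {"vpn", "git", "jira"},
    "finance": {"vpn", "erp", "payroll"},
}

APPROVED_EXCEPTIONS = {            # (user, group) -> approval expiry
    ("alice", "prod-db-admin"): date(2015, 1, 31),
    ("bob", "payroll"): date(2014, 9, 30),   # lapsed: project finished
}

ACTUAL_ACCESS = {                  # user -> (role, groups held)
    "alice": ("engineer", {"vpn", "git", "jira", "prod-db-admin"}),
    "bob": ("engineer", {"vpn", "git", "payroll"}),
    "carol": ("finance", {"vpn", "erp", "payroll"}),
}

AUDIT_DATE = date(2014, 10, 24)    # constructed "today" for the run


def audit_access(actual, templates, exceptions, today):
    """Return only the deltas worth escalating: groups beyond the role
    template that no unexpired exception covers, and template groups
    the account is missing. Accounts that match are not reported."""
    findings = {}
    for user, (role, groups) in actual.items():
        template = templates[role]
        unapproved = set()
        for group in groups - template:
            expiry = exceptions.get((user, group))
            if expiry is None or expiry < today:
                unapproved.add(group)
        missing = template - groups
        if unapproved or missing:
            findings[user] = {"unapproved": sorted(unapproved),
                              "missing": sorted(missing)}
    return findings


if __name__ == "__main__":
    for user, delta in audit_access(ACTUAL_ACCESS, ROLE_TEMPLATES,
                                    APPROVED_EXCEPTIONS, AUDIT_DATE).items():
        print(f"{user}: {delta}")
```

In the sample run only bob is escalated: his payroll exception lapsed at the end of September, and he is also missing a template group, which usually means someone provisioned him by hand rather than from the template.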

For the security team, deprovisioning exited users is just as important as adding new users. There have been many cases of security breaches that occurred because a disgruntled former user retained access to company systems and used it to act on a grudge. Timely deprovisioning is what makes sure such attacks can't happen.

Here where I work at TiVo, we’ve standardized on central authentication systems, allowing IT to disable an account in a single place and effectively revoke all access across the company. Well, more or less. Now that we’re implementing SaaS services that aren’t managed through a central account management system, we’ve returned to the days of the Wild West of user management. Vendors such as Okta and Symplified aim to solve this problem with their commercial solutions, but enterprises are still struggling to set strategy and implement a solution.

The problem of user management can also be compounded if your enterprise does a lot of outsourcing. Often, outsourced personnel aren’t processed through the same methods as direct employees. While we can use the payroll system to track and provision employees, outsourced staff might come to us via a vendor with an overarching purchase order, or a staffing agency that charges per staffer on a consolidated bill. IT organizations struggle to keep track of these accounts, ensure managers submit off-boarding forms, and disable access in a timely manner.

Simplification and automation always make life better. Review your processes to understand where the provisioning issues are. If the organization is struggling with assigning rights, then create templates or implement user management tools. On the other hand, if IT isn’t informed of user exits, you might need to implement an expiration date for all non-full-time users aligned with the purchase order, statement of work, or contract. While it's true that some users in that environment might leave prior to the contract expiration date, this approach limits risk by providing a backstop -- and helps you gauge how long the risk could exist.

In all cases, seek to automate the task of time entry reporting and user access, and instruct managers to confirm that user accounts are still valid. Use feedback from managers and inactive accounts to determine which users should be disabled or off-boarded completely. While this can be time-consuming, it's a useful exercise, even if you do it only on a one-time or limited basis. It will provide insight into how bad the problem truly is, where to start, and which departments have the most risk.
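The contract-expiration backstop and the inactive-account review from the two paragraphs above, as one added example (not code from the article or from TiVo). It assumes a constructed directory export in which non-employee accounts carry the end date of the purchase order or contract they came in under, and every account carries its last login and the date a manager last confirmed it:

```python
from datetime import date

# Constructed directory export, not from the article. Non-employees carry
# the end date of the purchase order or contract they came in under;
# every record carries the last login and the date the manager last
# confirmed the account is still needed.
ACCOUNTS = [
    {"user": "dana", "type": "employee", "contract_end": None,
     "last_login": date(2014, 10, 20), "manager_confirmed": date(2014, 10, 1)},
    {"user": "eve", "type": "contractor", "contract_end": date(2014, 9, 30),
     "last_login": date(2014, 10, 22), "manager_confirmed": date(2014, 7, 1)},
    {"user": "frank", "type": "contractor", "contract_end": date(2014, 12, 31),
     "last_login": date(2014, 6, 1), "manager_confirmed": date(2014, 9, 15)},
    {"user": "grace", "type": "employee", "contract_end": None,
     "last_login": date(2014, 10, 23), "manager_confirmed": date(2014, 4, 1)},
]

REVIEW_DATE = date(2014, 10, 24)   # constructed "today" for the run


def offboarding_review(accounts, today, inactive_days=90, confirm_days=180):
    """Classify every account. 'disable' when the contract or PO behind a
    non-employee account has ended (the expiration backstop) or when nobody
    has logged in for inactive_days; 'confirm' when the manager's last
    attestation is older than confirm_days; otherwise 'ok'. Returns
    user -> (action, reason)."""
    result = {}
    for acct in accounts:
        end = acct["contract_end"]
        idle = (today - acct["last_login"]).days
        since_confirm = (today - acct["manager_confirmed"]).days
        if end is not None and end < today:
            result[acct["user"]] = ("disable", f"contract ended {end}")
        elif idle > inactive_days:
            result[acct["user"]] = ("disable", f"no login for {idle} days")
        elif since_confirm > confirm_days:
            result[acct["user"]] = ("confirm",
                                    f"manager attestation {since_confirm} days old")
        else:
            result[acct["user"]] = ("ok", "")
    return result


if __name__ == "__main__":
    for user, (action, reason) in offboarding_review(ACCOUNTS, REVIEW_DATE).items():
        print(f"{user:6} {action:8} {reason}")
```

Note that eve is still logging in three weeks after her contract ended; that is exactly the gap the backstop exists to close, and the report surfaces it even though no off-boarding form was ever filed.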

Once your organization understands where the risks are and how processes can be improved, then purchasing identity management solutions, restructuring provisioning processes, implementing automation, and addressing employee failures becomes possible. Custom automation -- integrated with off-boarding forms or audits of group membership -- can help you improve the process when budgets are tight or manual effort would be too time-consuming.

Use your imagination. Reinvent processes, and find what works for your organization. If the process is already failing, then try something new. As painful as it continues to be, provisioning users is a critical part of your organization's overall security strategy.
