11/18/2011 04:32 PM
Tech Insight: Securely Adding New Users -- And Subtracting Old Ones

How can enterprises quickly provision new users with secure access and "off-board" users who should no longer be on the system? Here are some tips.

When it comes to security administration, few tasks have remained as consistently painful over the years as provisioning new users, deactivating ("off-boarding") old users, and managing access rights. It has always been a struggle for IT organizations to ensure that all user accounts are managed and disabled in a timely manner. And with the adoption of distributed "cloud" and software-as-a-service offerings, user management is becoming harder, not easier.

Organizations typically approach user rights in one of two ways: role-based access, which gives every member of a team the same rights; or user-based access, in which access is granted based on the individual user’s specific needs.

For IT administrators, role-based access makes initial setup easy by providing a template. User-based provisioning allows for more flexible access rights, but it is more complex and time-consuming for IT to manage. To get the best of both worlds, start with a template that meets the majority of user needs -- and then add extra rights as needed.

Over time, there will be "access creep" -- you'll need to remove privileges as users change job functions or complete projects, or as your internal standards change. Automated reporting and auditing of user rights to detect deltas from the standard template -- or from previously approved exceptions -- will help you to monitor privileges and escalate problems only, thus saving time on auditing while helping you to identify potential risks more quickly.

For the security team, deprovisioning exited users is just as important as adding new users. There have been many cases of security breaches that occurred because a disgruntled user retained access to company systems and decided to take out his anger. It's important to make sure that such attacks can't happen.

Here where I work at TiVo, we’ve standardized on central authentication systems, allowing IT to disable an account in a single place and effectively revoke all access across the company. Well, more or less. Now that we’re implementing SaaS services that aren’t managed through a central account management system, we’ve returned to the days of the Wild West of user management. Vendors such as Okta and Symplified aim to solve this problem with their commercial solutions, but enterprises are still struggling to set strategy and implement a solution.

The problem of user management can also be compounded if your enterprise does a lot of outsourcing. Often, outsourced personnel aren’t processed through the same methods as direct employees. While we can use the payroll system to track and provision employees, outsourced staff might come to us via a vendor with an overarching purchase order, or a staffing agency that charges per staffer on a consolidated bill. IT organizations struggle to keep track of these accounts, ensure managers submit off-boarding forms, and disable access in a timely manner.

Simplification and automation always make life better. Review your processes to understand where the provisioning issues are. If the organization is struggling with assigning rights, then create templates or implement user management tools. On the other hand, if IT isn’t informed of user exits, you might need to implement an expiration date for all non-full-time users aligned with the purchase order, statement of work, or contract. While it's true that some users in that environment might leave prior to the contract expiration date, this approach limits risk by providing a backstop -- and helps you gauge how long the risk could exist.

In all cases, seek to automate the task of time entry reporting and user access, and instruct managers to confirm that user accounts are still valid. Use feedback from managers and inactive accounts to determine which users should be disabled or off-boarded completely. While this can be time-consuming, it's a useful exercise, even if you do it only on a one-time or limited basis. It will provide insight into how bad the problem truly is, where to start, and which departments have the most risk.

Once your organization understands where the risks are and how processes can be improved, then purchasing identity management solutions, restructuring provisioning processes, implementing automation, and addressing employee failures becomes possible. Custom automation -- integrated with off-boarding forms or audits of group membership -- can help you improve the process when budgets are tight or manual effort would be too time-consuming.
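The custom automation described above can be sketched in a few lines: compare each account's actual group membership against its role template plus any approved exceptions (the delta report from earlier), apply the contract-expiration backstop for non-full-time users, and flag inactive accounts for the manager review. This is an added example, not code from the article or from TiVo; the role templates, group names, users, dates and the 60-day inactivity threshold are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample inputs (not from the article): role templates, approved
# per-user exceptions, a directory export of actual group membership, and
# last-login plus contract-end data from HR or the staffing purchase order.
ROLE_TEMPLATES = {
    "engineer": {"vpn", "git", "build-servers"},
    "finance": {"vpn", "erp", "payroll-reports"},
}
APPROVED_EXCEPTIONS = {"bob": {"erp"}}  # ticket-backed extra rights
USERS = {
    # name: (role, actual groups, last login, contract end or None for staff)
    "alice": ("engineer", {"vpn", "git", "build-servers", "payroll-reports"},
              date(2011, 11, 10), None),
    "bob": ("engineer", {"vpn", "git", "build-servers", "erp"},
            date(2011, 11, 12), None),
    "carol": ("finance", {"vpn", "erp"}, date(2011, 8, 1), None),
    "dave": ("engineer", {"vpn", "git"}, date(2011, 11, 15), date(2011, 10, 31)),
}

def audit(users, templates, exceptions, today, inactive_days=60):
    """Return (user, finding, detail) tuples worth escalating to a manager."""
    findings = []
    for name, (role, groups, last_login, contract_end) in users.items():
        # Rights beyond the role template and the user's approved exceptions
        # are access creep; fewer rights than the template are not a risk.
        allowed = templates[role] | exceptions.get(name, set())
        extra = groups - allowed
        if extra:
            findings.append((name, "access creep", sorted(extra)))
        # Contract/PO backstop: non-employees past their end date are flagged
        # even if no off-boarding form was ever submitted.
        if contract_end is not None and contract_end < today:
            findings.append((name, "contract expired", contract_end.isoformat()))
        # Inactive accounts feed the off-boarding review.
        if today - last_login > timedelta(days=inactive_days):
            findings.append((name, "inactive", last_login.isoformat()))
    return findings

def run_sample_audit(today_iso="2011-11-18"):
    """Run the audit over the constructed data as of the given date."""
    return audit(USERS, ROLE_TEMPLATES, APPROVED_EXCEPTIONS,
                 date.fromisoformat(today_iso))

if __name__ == "__main__":
    for user, finding, detail in run_sample_audit():
        print(f"{user:8} {finding:18} {detail}")
```

In practice the three inputs would come from the directory, the ticketing system that records approved exceptions, and the HR or purchase-order data, so the report only escalates deviations rather than every account.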

Use your imagination. Reinvent processes, and find what works for your organization. If the process is already failing, then try something new. As painful as it continues to be, provisioning users is a critical part of your organization's overall security strategy.
