An IT Manager’s Guide to Provisioning and Identity Management
Provisioning is the job of ensuring that, at all times during their career with an employer, staff have all of the necessary access privileges, equipment and other IT resources that they need in order to do their job. Managing this accurately and efficiently within budget and on time can be extremely difficult. Thankfully, software solutions are available which can help greatly.
Companies often like to describe their employees as the organisation’s greatest asset. But many companies fail to realize just how much of an asset their staff really are, because they fail to adequately control the property that is entrusted to employees. Property which, all too often, gets lost or misappropriated during the employee’s time with the company and which is frequently not accounted for when the staff member leaves the company or changes jobs.
Picture the all-too-common scene. You appoint a new marketing manager. He’ll need a password for the central network and for external internet access through the firewall. He’ll also need a VPN password to access the system from home, and permissions for various internal databases, external subscription-based research sites and up-to-date stock price systems, and the main intranet. He’ll need a laptop and a desktop PC, and a collection of software. He’ll probably be entitled to a car too, and possibly membership of the corporate gym or sports club. Then there’s his PDA and mobile phone, USB memory stick, and perhaps a calling card so he can use foreign payphones to call home. Not to mention a key to his office and perhaps another for the front door of the building, and the code number for the alarm.
Arranging all of these items is known as provisioning. Getting everything in place for a new staff member is difficult enough, but even trickier is keeping track of those assets once they have been granted, and revoking when someone leaves the company or changes their role. Which is why many companies simply don’t bother, and therefore rarely find out that an asset is being misused or is simply lost until it’s too late.
Types of Misuse
Misuse of corporate assets takes many forms. All are irritating, some are merely inconvenient, yet a few can be seriously dangerous to the survival of the company or its reputation.
Among those in the merely inconvenient class might be a former employee entering his previous place of work at lunch time and obtaining cheap food because someone forgot to relieve him of his card when he left the job. A more dangerous action might be someone who obtains access to his previous employer’s computer system because the personnel department neglected to realize that he had 2 different accounts and only one of them was disabled upon his resignation. Or perhaps an employee who, on leaving, handed back his keys to the front door of the building but failed to remind the company that he also had a key to the warehouse round the corner.
Stories of employees being able to gain access to the computer systems of previous employers are rife, and access still being possible after many months is not uncommon. In one case that I’m aware of, an account still hadn’t been disabled after six years. In the case of someone who leaves a job only to take up a similar position with a competitor, it’s hard to imagine a more damaging scenario.
Thankfully there are software tools available to assist with provisioning. They allow companies to keep track of all assets that are issued to staff. This includes physical assets such as cars and computers, entitlements such as club memberships and discounted canteen rates, and access to internal and third-party computer systems. Thus when an employee leaves the company or changes his or her job, it is easy to discover which assets should be denied, recalled, disabled or returned. All of this helps with audit compliance, of course, and also saves money. After all, why buy a new copy of Microsoft Office for an incoming employee when there are four licenses available that were previously used by staff in another department but which are now no longer required.
There’s no point in continuing to pay for a Bloomberg or Reuters subscription for someone who previously worked in the investments office but has now moved sideways into a marketing role. An automated provisioning system can spot this change of role and automatically alert the person who manages the subscriptions.
When someone leaves the company, provisioning software means that all of their computer accounts can be shut down in a single action. This is especially important in the case of a dismissal, where leaving a single electronic door open can put the company at risk from the proverbial disgruntled employee. Plus, there is a clear list of tangible items available so that the employee and the employer know which items need to be returned.
Automated provisioning management systems can be especially useful where temporary staff, or those on relatively short contracts, are employed. It’s convenient merely to create all-powerful network usernames of, say, temp1 to temp20 and allocate them to temporary staff as required. Such a practice is commonplace but is highly dangerous because it becomes impossible to pin down unauthorised access to a specific person. It is also inadvisable to grant users permissions to systems that they have no need to access, even if you are confident that they’ll probably never discover those systems. Even if the temps don’t know about them, other long-standing staff will. With an automated provisioning system, the company simply defines a set of temporary job functions and the system can then create (and, just as importantly, revoke) usernames with the correct set of privileges when required.
Provisioning systems often include identity management capabilities. This allows control and organization of what can be a major problem area for a lot of companies, namely the management of access rights and passwords across multiple systems. When security auditors ask a company’s IT management for a list of all key computing resources and details of which staff have access to which resources, it is often impossible to produce a definitive list because the information is spread across the internal access control lists of many different servers running a multitude of operating systems. A corporate inability to accurately list the components of someone’s electronic identity makes auditing difficult and will hinder investigations if a system is hacked.
Identity Management software allows companies to define roles which correspond to job functions, and then by assigning staff to one or more roles their access rights to multiple systems can be easily granted, revoked or changed with ease. By providing the ability to report on users’ access rights, and to cross-reference these via customized reports, identity management software can alert companies to potentially dangerous or even illegal situations before they arise. For example, an employee who has access to the procurement system for placing orders should be prevented from subsequently being granted access to the system which issues payments to suppliers, in order to prevent fraud caused by an employee setting up a bogus company. Identity Management software can warn against such cases, even if access to the second system is granted many years after the first.
Identity Management solutions also generally have facilities to allow users to automatically request password resets, thus freeing the help desk staff from the expensive and time-consuming tasks of dealing with users who have forgotten their passwords.
Top Tips for managing Joiners, Leavers and Movers
1. Some joiners request access to internal systems before their official start date, in order that they can start introducing themselves by email. This is inadvisable, as the employee probably won’t have signed all his contracts yet and thus will not be governed by the company’s IT Conditions of Use or Acceptable Use Policies.
2. If key clients and external partners are given access to your company’s network, ensure that each registered user has a unique username so that their actions can be tracked and logged. If such a user changes employer or job function, consider whether their access is still relevant. For example, their new employer might be a competitor of one of your company’s external divisions.
3. If an employee changes roles within the company, examine the systems to which they have access and consider how this needs changing. Promoting an employee doesn’t necessarily mean that they still require access to all of the systems they were previously entitled to use.
4. Always ensure that access to key systems is closed as soon as an employee leaves at the end of their notice period. Use of identity management tool will help ensure that all access privileges assigned to the employee have been revoked.
5. When an employee leaves, make sure that all company assets have been returned. Use of automated provisioning software can make this onerous task far less painful than it otherwise might be.
6. Check that former staff are no longer on any internal email lists. This is especially important if their mail was forwarded to an external account, as they may be able to continue reading it even if their access to the corporate email system has been revoked.
7. If dismissing an employee, withdraw their access to key systems immediately before, or during, the dismissal.
8. Don’t destroy usage records when staff leave. Their abuses of the system might not come to light until some months after they have departed so it’s important to hang onto the evidence.
9. Audit your systems to ensure that no accounts belonging to former staff are still active. If you find any, check the last login date and investigate any which raise concerns.
10. Change intruder alarm and numeric-pad lock combinations regularly, and especially when someone who knows the numbers leaves or is dismissed.
Provisioning is one of the latest enterprise IT buzzwords, although it describes a process which has been going on for decades. The multitude of systems, applications and information now required by employees, and the need to offer a range of perks to staff in order to attract or retain them, means that provisioning is now more complex than it ever has been. And with staff now requiring access to so many internal and external computer systems, all of which might require separate usernames, passwords and access privileges, identity management (i.e., keeping track of who has access to what) is far from straightforward. The provisioning and identity management burden placed upon IT managers and personnel departments can, thankfully, be eased considerably through the use of automated software systems.