EXPERT RESPONSE
By any and all means possible, remove every trace of a terminated user from the system. Though it may be a headache to remove access from a user in multiple groups, it has to be done. In fact, the more groups a user is in, the greater the danger that his or her "ghosts" can come back and haunt your system maliciously.
Terminated users who still have access are just as likely to penetrate enterprise systems as current employees. Former employees who retain access are considered by the information security industry to be insiders, making them part of any insider threat.
Besides blocking a terminated user for simple security reasons, removing these users is required for compliance with regulations, such as Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). Both of these regulations require regular auditing of access controls and reporting of active accounts. It makes regulatory sense to monitor and remove terminated users from all groups.
You need an identity management system that not only provisions accounts, but also audits and removes stale accounts. When shopping around for such a system, make sure it can automate provisioning and provide auditing and reporting of active and inactive accounts. These systems should automatically flag an account that hasn't been active for a set time period, such as 30 days.
There are a number of tools on the market that can easily erase ex-employee IDs, provision new ones and change access levels. The Identity Management Suite from BMC Software Inc. has a tool called BMC User Administration and Provisioning, formerly called CONTROL-SA. The tool automates provisioning of accounts for as many (or as few) groups as a user needs access to. It also provides complete auditing and reporting capabilities for both compliance purposes and for use internally by your information security team. It also automatically removes expired users, preventing terminated employees from accessing your systems -- no matter how many groups they were in. Another product, PowerPassword from Symark Software International, offers similar access management controls but is strictly for Unix- and Linux-based systems. PowerPassword also provides logging and auditing features required for compliance.
For more information on termination procedures see Chapter 6 of my book, The Little Black of Computer Security. The chapter Managing Human Resources is excerpted on SearchSecurity.com.
For more information:
In this Identity and Access Management Security School lesson, see which IAM tools can satisfy compliance demands.
Learn how to prevent unauthorized
access by securing your server.
|
