Enterprise user de-provisioning best practices: How to efficiently revoke access

Misplaced or stagnant employee access can be dangerous; Randall Gamby details user provisioning best practices for setting up a system to combat this risk.

Our organization is trying to figure out a way to effectively de-provision user accounts when employees or other authorized users leave the organization. We currently rely on HR to communicate this info to the MIS team, which then sends word to other system administrators. However, this system often fails. Without investing in new technology, is there a better solution out there for us?

The enterprise user de-provisioning process is the ugly stepbrother to an organization’s user access provisioning process.  Everyone’s more than willing to follow the proper procedures and can generally be found standing over the provisioning administrator’s desk when they need access to an IT resource they needed yesterday.  But when it comes to removing access due to a changing job role or someone leaving the organization, IT is notified to revoke access whenever department authorities get around to it.  This translates, in many cases, to access never being removed. 

So how do enterprises ensure system administrators and provisioning systems get notified in a timely manner when it’s necessary to remove someone’s access? As mentioned, HR isn’t the best source of record and they aren’t always timely with their notifications.  This lag in user access provisioning generally isn’t intentional, but has to do with HR’s service-level agreements (SLAs) with the organization.  HR normally has an SLA of adjusting personnel records one day before the payroll is processed.  If the company pays its employees on a bi-weekly period, a person exiting the organization on the day after the payroll is processed may not have his or her change processed for 12 days.  In the meantime, the person’s network access and accounts would remain active.

The best way of de-provisioning users in a timely manner requires a three-pronged approach. The first thing that must be done, and generally the hardest to accomplish, is to raise the flag by focusing attention on the problem and making executive management aware of the risks posed by having “orphaned” accounts within the organization’s business systems. Within today’s Internet business model, it’s easy to research and document the high costs to organizations through data loss and reputation and monetary costs when they have been sloppy in managing user access.  Informing the organization’s management will help to gain recognition and compliance for whatever solutions are proposed, as it’s the duty of IT security departments to inform executives of the potential risks facing an organization.

Upon buy-in from the decision makers, the next step is to implement a separate de-provisioning notification process outside of the HR environment.  This generally involves creating an internal “de-provisioning” website where managers can easily -- emphasis on easily -- access and report on user job changes and exits.  The tools to create the site, logic, and workflows for executing user changes are built into all modern provisioning systems and require no additional licensing or software costs. 

Finally, the last step is to ensure user managers notify the provisioning team in a timely manner.  This is where the value of Step 1 and Step 2 comes in.  As part of the briefing process for executive management, the IT group should request that compliance with this key process be formally communicated from the top down.  Not only should management stress the value of this action, but the IT group should also make a commitment to periodically report to department managers the statistical tracking numbers of current employees so IT can gauge the level of compliance with this process.  This is an effective method to ensure that middle and lower management cooperate.  During this process, IT should also provide training to the organization’s managers on how to access and use the site in Step 2. This allows a balance to exist between the process of compliance and the advantage of making it easy to report on changes.  If the site is user-friendly and requires a minimal amount of time to report changes, managers will generally be willing to incorporate this task into their daily routines.
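As an added illustration (not part of the original answer) of the periodic compliance report in Step 3, the script below takes manager-filed exit reports and account status and measures how long each account outlived its owner, which accounts are orphaned, and how promptly each department reports; it also reproduces the worst-case HR-driven lag from the bi-weekly payroll scenario above. All user, department and date values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class ExitRecord:
    user: str
    department: str
    last_day: date               # user's last working day
    reported_on: date            # date the manager filed the exit on the de-provisioning site
    disabled_on: Optional[date]  # date IT disabled the account; None if still active

# Constructed sample records (hypothetical users and departments, not real data).
TODAY = date(2012, 1, 31)
SAMPLE = [
    ExitRecord("alice", "Finance", date(2012, 1, 10), date(2012, 1, 10), date(2012, 1, 11)),
    ExitRecord("bob",   "Finance", date(2012, 1, 12), date(2012, 1, 20), None),
    ExitRecord("carol", "Sales",   date(2012, 1, 20), date(2012, 1, 20), date(2012, 1, 20)),
    ExitRecord("dave",  "Sales",   date(2012, 1, 30), date(2012, 1, 31), None),
]

def worst_case_hr_lag(pay_period_days=14, hr_sla_days=1):
    """Days an account can stay active if HR is the only trigger: the user exits the day
    after payroll and HR updates records hr_sla_days before the next run."""
    return pay_period_days - 1 - hr_sla_days   # bi-weekly case from the answer: 12

def lag_days(rec, today=TODAY):
    """Days the account stayed active after the user's last day (still counting if active)."""
    end = rec.disabled_on or today
    return max(0, (end - rec.last_day).days)

def orphaned_accounts(records, today=TODAY, grace_days=1):
    """Accounts still enabled more than grace_days after the last day: the orphaned accounts."""
    return [r.user for r in records
            if r.disabled_on is None and (today - r.last_day).days > grace_days]

def reporting_compliance(records, sla_days=1):
    """Per department, fraction of exits the manager reported within sla_days of the last day."""
    met, total = {}, {}
    for r in records:
        total[r.department] = total.get(r.department, 0) + 1
        if (r.reported_on - r.last_day).days <= sla_days:
            met[r.department] = met.get(r.department, 0) + 1
    return {d: met.get(d, 0) / total[d] for d in total}

if __name__ == "__main__":
    print("worst-case HR-driven lag:", worst_case_hr_lag(), "days")
    for r in SAMPLE:
        print(f"{r.user:6} {r.department:8} active {lag_days(r):2d} days past exit")
    print("orphaned:", orphaned_accounts(SAMPLE))
    print("reporting compliance:", reporting_compliance(SAMPLE))
```

The per-department compliance figures are the numbers IT would circulate back to managers; the orphaned list is what the de-provisioning team acts on first.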

The disclaimer to this response is that not all people like to follow the rules, but with good communication among an organization’s managers and enforcement, this problem can be greatly reduced, if not completely eliminated.

This was last published in January 2012
