
How should termination procedures address a user's multiple roles?

In this SearchSecurity.com Q&A, expert Joel Dubin explains how the right access management tools can eliminate all traces of a terminated employee.

Regarding access management policy, it is my belief that at the time of employee termination, locking the user ID and changing the "valid to" date to the current date is sufficient. However, some think we should include the additional step of changing the "valid to" date of every role attached to the user ID, which for most of them is in the double digits, since they do not use composite roles. Please kindly address the question of whether or not this additional step is needed, and whether this would be considered an industry standard or not.
Yes, take the additional step. By any and all means possible, remove every trace of a terminated user from the system: expire the user ID and every role attached to it. Though it may be a headache to remove access from a user in multiple groups, it has to be done. In fact, the more groups a user is in, the greater the danger that his or her "ghosts" can come back and haunt your system maliciously.

Terminated users who still have access are just as likely to penetrate enterprise systems as current employees. Former employees who retain access are considered by the information security industry to be insiders, making them part of any insider threat.

Besides blocking a terminated user for simple security reasons, removing these users is required for compliance with regulations, such as Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). Both of these regulations require regular auditing of access controls and reporting of active accounts. It makes regulatory sense to monitor and remove terminated users from all groups.

You need an identity management system that not only provisions accounts, but also audits and removes stale accounts. When shopping around for such a system, make sure it can automate provisioning and provide auditing and reporting of active and inactive accounts. These systems should automatically flag an account that hasn't been active for a set time period, such as 30 days.

There are a number of tools on the market that can easily erase ex-employee IDs, provision new ones and change access levels. The Identity Management Suite from BMC Software Inc. has a tool called BMC User Administration and Provisioning, formerly called CONTROL-SA. The tool automates provisioning of accounts for as many (or as few) groups as a user needs access to. It also provides complete auditing and reporting capabilities for both compliance purposes and for use internally by your information security team. It also automatically removes expired users, preventing terminated employees from accessing your systems -- no matter how many groups they were in. Another product, PowerPassword from Symark Software International, offers similar access management controls but is strictly for Unix- and Linux-based systems. PowerPassword also provides logging and auditing features required for compliance.

For more information on termination procedures see Chapter 6 of my book, The Little Black Book of Computer Security. The chapter, "Managing Human Resources," is excerpted on SearchSecurity.com.
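To make the difference between the two procedures in the question concrete, here is an added example (not code from the original answer or from any product named above) in Python. It models a directory in which the user ID and each role assignment carry their own "valid to" date, compares the minimal termination (lock the ID, expire the user record) with the full one (also expire every role), and adds the audit checks the answer calls for: a report of role assignments that outlive a locked or expired ID, and the 30-day stale-account check. Everything is constructed for the example: the user and role names (the Z_ prefix is just a conventional custom-role naming style), the dates, and the assumption that "valid to" is exclusive, so an object is usable only while today is before its valid_to date.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class RoleAssignment:
    role: str
    valid_to: date          # assignment's own expiry, independent of the user record


@dataclass
class UserAccount:
    user_id: str
    valid_to: date
    locked: bool = False
    last_logon: Optional[date] = None
    roles: List[RoleAssignment] = field(default_factory=list)


def effective_roles(account: UserAccount, today: date) -> List[str]:
    """Roles usable today: ID unlocked and unexpired, and the assignment itself unexpired."""
    if account.locked or not today < account.valid_to:
        return []
    return sorted(r.role for r in account.roles if today < r.valid_to)


def minimal_termination(account: UserAccount, today: date) -> UserAccount:
    """The procedure from the question: lock the ID and expire the user record only."""
    account.locked = True
    account.valid_to = today
    return account


def full_termination(account: UserAccount, today: date) -> UserAccount:
    """The answer's advice: the minimal steps plus expiring every role assignment."""
    minimal_termination(account, today)
    for r in account.roles:
        r.valid_to = min(r.valid_to, today)
    return account


def ghost_roles(account: UserAccount, today: date) -> List[str]:
    """Audit: role assignments that outlive a locked or expired ID.
    These are the 'ghosts' that come back as soon as the ID is usable again."""
    if not account.locked and today < account.valid_to:
        return []
    return sorted(r.role for r in account.roles if today < r.valid_to)


def reactivate(account: UserAccount, today: date, new_valid_to: date) -> UserAccount:
    """Unlock and extend an ID (rehire, or a mistaken helpdesk reset).
    Nothing here touches the roles, so whatever they still grant is live again."""
    account.locked = False
    account.valid_to = new_valid_to
    return account


def stale_accounts(accounts: List[UserAccount], today: date, max_idle_days: int = 30) -> List[str]:
    """Audit: active IDs with no logon in the last max_idle_days (the answer's 30-day flag)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a.user_id for a in accounts
                  if not a.locked and today < a.valid_to
                  and (a.last_logon is None or a.last_logon < cutoff))


def build_directory(today: date) -> List[UserAccount]:
    """Constructed sample directory for the example; not real data."""
    far = today + timedelta(days=365)
    alice = UserAccount("ALICE", far, last_logon=today - timedelta(days=2), roles=[
        RoleAssignment("Z_AP_INVOICE_POST", far),
        RoleAssignment("Z_GL_DISPLAY", far),
        RoleAssignment("Z_HR_SALARY_CHANGE", far)])
    bob = UserAccount("BOB", far, last_logon=today - timedelta(days=2), roles=[
        RoleAssignment("Z_AP_INVOICE_POST", far),
        RoleAssignment("Z_GL_DISPLAY", far)])
    carol = UserAccount("CAROL", far, last_logon=today - timedelta(days=45), roles=[
        RoleAssignment("Z_GL_DISPLAY", far)])
    return [alice, bob, carol]


def demo(today: date = date(2007, 4, 2)) -> Dict[str, List[str]]:
    """Terminate ALICE the minimal way and BOB the full way, audit, then
    reactivate both 30 days later to show which roles come back."""
    alice, bob, carol = build_directory(today)
    minimal_termination(alice, today)
    full_termination(bob, today)
    result = {
        "ghosts_after_minimal": ghost_roles(alice, today),
        "ghosts_after_full": ghost_roles(bob, today),
        "stale": stale_accounts([alice, bob, carol], today),
    }
    later = today + timedelta(days=30)
    reactivate(alice, later, later + timedelta(days=365))
    reactivate(bob, later, later + timedelta(days=365))
    result["alice_roles_after_reactivation"] = effective_roles(alice, later)
    result["bob_roles_after_reactivation"] = effective_roles(bob, later)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the day of termination both IDs are blocked, so the two procedures look identical to a login test. The ghost_roles audit is what separates them: ALICE's three roles are still valid for a year and return in full the moment her ID is reactivated, while BOB has nothing left to come back. Running that audit (and the stale_accounts check) on a schedule is the reporting an identity management system should give you; the role expiry is the step that makes the report come back empty.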

This was last published in April 2007.