Deleting user accounts: How to manage users during a layoff

When budgets get cut across the enterprise, it's likely that employees will get cut, too. So what's the best way to handle a large number of user account modifications or deletions? IAM expert David Griffeth offers a step-by-step process for deleting and disabling accounts promptly and securely.

In lean economic times, many companies are forced to restructure their staffing model to align with the drop in demand for their goods or services. This often means laying off large numbers of people, generally on a date predetermined by upper management. To help information security and IT administration professionals navigate the tumultuous environment created during downsizing, this article lays out the basics of managing large numbers of system account removals.

Challenges of deleting user accounts
For many in information security and IT administration, there is little or no notice of an impending staff reduction. This poses two distinct challenges for those responsible for user account governance. The first is identifying all the accounts across disparate systems associated with the pruned staff. The second is disabling or deleting these accounts within a short time frame, sometimes a matter of hours.

Tackling these issues successfully requires a risk-based approach. As a rule, target high-risk systems with large user populations first, such as those with confidential customer data or monetary movement capabilities; low-risk systems such as an internal phone book with few accounts should be last.

Processes for deleting user accounts
To begin the process, identify the accounts to be deleted. If the company has a product like SailPoint Technologies Inc.'s IdentityIQ or Eurekify's Sage, it's way ahead of the game. These identity-governance tools help administrators associate accounts with end users on various systems and manage them according to a policy. These applications can assist in generating lists of accounts targeted for removal on each system. Some even send tickets for deletions to system administrators and feeds to automated provisioning/deprovisioning products. With these tools the first challenge is solved.

In the absence of an identity-governance application or process, administrators should start by querying each system for accounts to be removed. This work can be time consuming, depending on the number of systems. To speed up the process, prepare scripts ahead of time that automatically compare a list of all newly terminated employees to the accounts on a given system, matching on a stable identifier such as an employee ID or e-mail address rather than a display name, which may be spelled differently from system to system.

Once all of the targeted accounts on all of the relevant systems have been identified, the next step is deleting or disabling the accounts. Look to the company's established policies to determine whether the accounts should be disabled or deleted. Deletion is ideal, but there are several valid reasons why a company may need to retain the accounts. These reasons include a need for the business to access emails and continuity of audit trails. The established processes should be adhered to as closely as possible. Don't try to reinvent the wheel while flying down the highway. In cases where deletion isn't an option, the passwords for the accounts should be changed to be random and highly complex, and then the accounts should be disabled.

If the company has an automated provisioning product, such as IBM Tivoli's Identity Manager or Oracle Corp.'s Identity Manager, these applications can be leveraged to disable or delete accounts by default policy. It may be as simple as letting the normal process take its course, with the HR feed triggering a series of events based on employment status, workflows and deprovisioning policies.

If the company doesn't have an automated provisioning product, or if it has one but it isn't hooked into all systems, scripts should be written. These scripts should be fed the list of targeted accounts generated in step one. They should also be tested in lower environments (development and QA), and run in a dry-run mode that only reports what would change before they are pointed at production; it's unwise to interrupt the production environment any more than it's being interrupted by downsizing.
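The two steps above (build the target list per system, then disable or delete in risk order) as an added, runnable example. This is not the article's own code: the HR feed rows, the three systems, their account exports, the risk tiers and policy actions, and the connector methods (list_accounts, disable, delete) are all constructed for illustration. A real connector would wrap LDAP, a database or a vendor API behind the same three methods.

```python
"""Layoff deprovisioning: reconcile an HR termination feed with each system's
account export (step one), then disable or delete the matches in risk order
(step two), dry-running first. Added example: the HR rows, accounts, system
names and connector methods are constructed and are not the article's code."""
import secrets
import string
from dataclasses import dataclass, field

# Constructed HR feed, one row per employee as an HR system would export it.
HR_FEED = [
    {"employee_id": "10042", "email": "Jane.Doe@example.com", "status": "terminated"},
    {"employee_id": "10077", "email": "bob.lee@example.com", "status": "terminated"},
    {"employee_id": "10091", "email": "ann.kim@example.com", "status": "active"},
]

@dataclass
class Account:
    name: str
    owner_id: str = ""              # employee id, if the system records one
    email: str = ""                 # owner e-mail, if the system records one
    disabled: bool = False
    password: str = "Winter2008!"   # constructed placeholder for the current credential

@dataclass
class InMemorySystem:
    """Stand-in connector; a real one wraps LDAP, a database or a vendor API."""
    name: str
    risk: int                       # 1 = highest risk, processed first
    action: str                     # "disable" or "delete", per company policy
    accounts: dict = field(default_factory=dict)
    def list_accounts(self):
        return list(self.accounts.values())
    def disable(self, name, new_password):
        acct = self.accounts[name]
        acct.password, acct.disabled = new_password, True
    def delete(self, name):
        del self.accounts[name]

def terminated_keys(hr_feed):
    """Employee ids and lower-cased e-mails of everyone flagged terminated."""
    gone = [r for r in hr_feed if r["status"].strip().lower() == "terminated"]
    ids = {r["employee_id"].strip() for r in gone} - {""}
    emails = {r["email"].strip().lower() for r in gone} - {""}  # "" would match ownerless service accounts
    return ids, emails

def build_target_list(hr_feed, systems, hold=frozenset()):
    """Step one: [(system, sorted account names)], highest-risk system first.
    hold = {(system name, account name)} pairs needing a manual decision; skipped."""
    ids, emails = terminated_keys(hr_feed)
    targets = []
    for system in sorted(systems, key=lambda s: s.risk):
        names = sorted(
            a.name for a in system.list_accounts()
            if (a.owner_id.strip() in ids or a.email.strip().lower() in emails)
            and (system.name, a.name) not in hold)
        targets.append((system, names))
    return targets

def random_password(length=32):
    """Random password guaranteed to contain every character class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def deprovision(targets, dry_run=True):
    """Step two: apply each system's policy action and return an audit log.
    "disable" randomises the password first so the old credential is dead."""
    log = []
    for system, names in targets:
        for name in names:
            if not dry_run:
                if system.action == "delete":
                    system.delete(name)
                else:
                    system.disable(name, random_password())
            log.append((system.name, name, system.action, "dry-run" if dry_run else "applied"))
    return log

def build_demo_systems():
    """Constructed account exports from three systems of differing risk."""
    core = InMemorySystem("core-banking", 1, "disable", {
        "jdoe": Account("jdoe", owner_id="10042"),
        "blee": Account("blee", owner_id="10077"),
        "akim": Account("akim", owner_id="10091"),
        "svc_batch": Account("svc_batch")})          # service account, no owner
    mail = InMemorySystem("mail", 2, "disable", {
        "jane.doe": Account("jane.doe", email="jane.doe@example.com"),
        "bob.lee": Account("bob.lee", email="bob.lee@example.com"),
        "ann.kim": Account("ann.kim", email="ann.kim@example.com")})
    phonebook = InMemorySystem("phonebook", 3, "delete", {
        "jane.doe@example.com": Account("jane.doe@example.com", email="Jane.Doe@Example.com"),
        "ann.kim@example.com": Account("ann.kim@example.com", email="ann.kim@example.com")})
    return [phonebook, mail, core]   # unsorted on purpose; build_target_list orders by risk

if __name__ == "__main__":
    targets = build_target_list(HR_FEED, build_demo_systems(), hold={("mail", "jane.doe")})
    for entry in deprovision(targets, dry_run=True):   # review before the real run
        print(entry)
```

Two details carry the article's caveats. The empty-string keys are discarded so that a service account with no recorded owner can never be swept up by an HR row with a blank field, and the hold set is how the "accounts that should have been retained" case (a mailbox the business still needs to read) is kept out of the run for a manual decision rather than silently deleted. The audit log returned by deprovision is what you review in dry-run mode before flipping dry_run to False.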

Having scripts created and approved in advance would be a huge advantage, allowing for proper development and testing -- elemental components of the process that are often sacrificed to expedience in a rush scenario.

Best practices for deleting user accounts
Whatever the company's termination process is, it is imperative to remain in close alignment with HR. Generally speaking, information security and IT administration are not in the business of determining how accounts are to be treated outside of standard policy. The security team should not be in charge of determining what accounts are deleted or when the accounts should be disabled or deleted if that time is outside the standard process. For example, if the automated product deletes accounts at 5:00 a.m. based on an HR feed, does the security team have the authorization to kick that same process off in an ad hoc fashion at noon? Policies on termination should be well-established and published. Adhere to these without exception unless there are other instructions in writing from an appropriate source. The process should be as objective and impartial as possible.

One of the biggest pain points in a layoff scenario is deleting accounts that should have been retained. Try to have a fallback plan for these cases, such as a process to have the accounts restored. Also, ensure that the help desk is aware of who is an active employee and who isn't; don't give a disgruntled employee the chance to call in and have his or her account unlocked and reset.

If your company is one of many enterprises facing economic challenges that may lead to staff reduction in the coming months, bear in mind that the process should be similar regardless of numbers. If the tools and processes are not in place to deal with large numbers of employee terminations, now is the time to start building scripts to discover accounts and disable or delete them, and make sure that HR is fully aware of the process.

About the author:
David Griffeth is the Vice President of Business Line Integration and Reporting at RBS Citizens Bank, a financial institution that is one of the 10 largest commercial banking companies in the United States ranked by assets and deposits. As part of his responsibilities, David manages the Enterprise Identity and Access Management group and is charged with supporting the bank's growth model while maintaining compliance with several regulatory bodies. Prior to his current position, David consulted on major information risk management projects with large companies such as Fidelity Investments and CIGNA. David earned a bachelor's degree in computer science from Framingham State College and holds several certifications including CISSP and CISA.

This was last published in December 2008
