In any organization, there are numerous users, including employees, managers, and clients. All these users need to have appropriate access to resources on the network, so they can do their jobs effectively. They cannot be held back by needing to request access each time they need something. On the same note, organizations need to protect private or personal data, sensitive resources, and vital security information—both from internal threats and from cyberhackers.
This process should be managed by appropriate user provisioning.
Provisioning is the process of making information technology (IT) systems available to users. Depending on your organization’s needs, provisioning can be defined at the network, server, application, and user level. We will be focusing on user provisioning (or automated user provisioning) below.
User Provisioning and Deprovisioning Process
User Provisioning (or user account provisioning) is the process of granting privileges and permissions to users or groups based on their role. It involves the creation, modification, and deletion of user accounts and permissions. These identity management actions take place whenever information in a personnel system is added or changed. The aim is to protect security in the enterprise while allowing users access to everything they need to do their jobs.
On the other hand, User Deprovisioning is the process of revoking privileges and access rights of a user or a group to ensure they no longer have access to company resources.
Main Kinds of User Provisioning
There are four main kinds of user provisioning. See the image below:
Let’s talk about Automated Provisioning!
In this process, every account is added in the same manner through a centralized management application interface. This streamlines the process of adding and managing user credentials and gives administrators the most accurate way to track who has access to specific applications and data sources. Although the provisioning and identity management processes are the same for everyone, the extent and type of provisioning vary greatly among different user types (e.g., patients, clinicians, customers, and partners).
Why does it matter, and why is not enabling it a security risk?
When an employee leaves the organization, all their accounts and access should be immediately removed, for security reasons. Having former employees with access to the system is a big security risk.
Automated provisioning makes the manual processes of onboarding and offboarding users automatic. In organizations both big and small, automated user provisioning frees up IT and HR to work on more strategic tasks, prevents gaps in security by minimizing the impact of human error, and provides better user experiences.
How do Automated User Provisioning and Deprovisioning make companies more secure?
The risk of costly security breaches for companies that fail to provision and deprovision properly or quickly is huge: the average cost of a data breach is $3.86 million per breach in the U.S., and breached companies often underperform the market for years following a major breach.
Automated user provisioning helps keep your company secure by ensuring employees have access only to the apps they need. Automated user deprovisioning helps keep your company secure by ensuring that whenever an employee leaves, their access is automatically removed for all connected applications. In addition, all existing user sessions are removed to reduce security risk.
From the diaries of our SME
When Microsoft first released Forefront Identity Manager (FIM), they described an alarming statistic:
On average, every new user needs to be added to 16 directories upon hire; upon fire, the average user is only taken out of 9 directories.
If the above statistic is true, then the average user is still floating around in 7 directories after leaving a company (assuming they mean directories and databases). To be fair, these might be completely benign data repositories like Active Directory, the badge system, payroll, or who knows what; or, chances are, they could be important.
One of our IAM specialists said, “I just know that I want ex-users completely deprovisioned to the point they cannot do anything on my network. I can’t imagine that MSFT meant they were inactive users on those directories because our own Active Directory research shows something else alarming. It takes an average of 9 days for organizations to deprovision a user from Active Directory after termination.” He told us, “9 days of access, what could a bad guy do with that? Steal all your CRM data? Book a flight to Paraguay? Steal source code? Plant a virus? Prank call customers from within your phone system? This is a big deal.”
The obvious answer is to create an automated provisioning and deprovisioning process.
GroupID Synchronize allows you to create bi-directional provisioning and deprovisioning jobs with almost any database or directory as a source or destination. GroupID does not use a meta-directory, instead writing directly to the source DB/directory.
Find the authoritative source (usually HR) and go from there. Once you identify all the systems where a user needs to have accounts, simply provision them using GroupID. During their hopefully long and productive career, use GroupID to synchronize changes in their identity (department, shoe size, title, etc.). Once they are terminated, use the reverse of the provisioning jobs and deprovision them from the destinations. You can even daisy chain these jobs to be sure that all data is passed along (for example, HR doesn’t have an email address until provisioned in Active Directory/Exchange).
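The joiner/mover/leaver flow just described, as an added example written for this article (not GroupID's own logic): HR is the authoritative source, each destination is diffed against it, terminated users are removed in the reverse direction, and the mail address minted by the AD step is chained back into HR before the badge system is provisioned. The HR, AD and badge-system records and the mail-address format are constructed assumptions.

```python
# Constructed sample data: HR is authoritative; AD and the badge system are destinations.
# u100 is a new hire, u101 changed department, u102 was terminated but still has accounts.
HR = {"u100": {"name": "ada", "dept": "Eng", "status": "active"},
      "u101": {"name": "grace", "dept": "Ops", "status": "active"},
      "u102": {"name": "linus", "dept": "Eng", "status": "terminated"}}
AD = {"u101": {"name": "grace", "dept": "Sales", "mail": "grace@example.test"},
      "u102": {"name": "linus", "dept": "Eng", "mail": "linus@example.test"}}
BADGE = {"u102": {"name": "linus"}, "u999": {"name": "ghost"}}  # u999 has no HR record at all

def plan(source, dest, attrs):
    """Diff one destination against the authoritative source and return the actions needed."""
    actions = []
    for uid, rec in source.items():
        want = {a: rec[a] for a in attrs}
        if rec["status"] != "active":            # leaver: the reverse of the provisioning job
            if uid in dest:
                actions.append(("delete", uid))
        elif uid not in dest:                    # joiner: create with the attributes HR owns
            actions.append(("create", uid, want))
        else:                                    # mover: push only the attributes that changed
            diff = {a: v for a, v in want.items() if dest[uid].get(a) != v}
            if diff:
                actions.append(("modify", uid, diff))
    actions += [("delete", uid) for uid in dest if uid not in source]  # orphans: no HR record
    return actions

def apply(dest, actions, mail_domain=None):
    """Apply a plan in place; a destination that mints mail (AD/Exchange) returns {uid: mail}."""
    minted = {}
    for act in actions:
        if act[0] == "delete":
            dest.pop(act[1], None)
        elif act[0] == "create":
            dest[act[1]] = dict(act[2])
            if mail_domain:                      # assumed mail format: <name>@<domain>
                dest[act[1]]["mail"] = f"{act[2]['name']}@{mail_domain}"
                minted[act[1]] = dest[act[1]]["mail"]
        else:
            dest[act[1]].update(act[2])
    return minted

def run_chain(hr, ad, badge):
    """One joiner/mover/leaver run: HR -> AD -> HR (mail written back) -> badge system."""
    ad_plan = plan(hr, ad, ["name", "dept"])
    for uid, mail in apply(ad, ad_plan, mail_domain="example.test").items():
        hr[uid]["mail"] = mail                   # daisy chain: HR has no mail until AD mints it
    badge_plan = plan(hr, badge, ["name"])
    apply(badge, badge_plan)
    return {a[1] for a in ad_plan + badge_plan if a[0] == "delete"}  # uids deprovisioned anywhere
```

A second run of `plan` against the same data returns no actions, which is the property a scheduled sync job relies on.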
What comes next?
To streamline the process of user provisioning and deprovisioning, companies need to have an automatic user provisioning tool. These tools help companies remove difficulties and streamline the management of user accounts and permissions.
With an automated tool, employee credentials, existing user sessions, and connected applications of employees who have left the company are disabled automatically without IT staff getting involved.
Once you have implemented the user provisioning solution in the organization, make sure you monitor it on a monthly, quarterly, or yearly basis. Track the number of user provisioning requests handled, the time required to address such requests, internal audit findings, and user experience level to improve the process continually.
Protect your information assets from unauthorized access!
No business can thrive at 58% productivity every time a user changes or starts a position. Think about internal and external turnover in your environment, and consider how your business would prosper if it recovered that lost 42% of productivity simply by managing permissions and completing the user provisioning process.
If you fear that there might be ex-users sitting in 7 directories on your network, sign up for a free trial of GroupID today and don’t take 9 days to do it!
Learn more about how to securely manage your Active Directory and Azure security groups and avoid costly mistakes.