In some ways, there is no greater threat to security than a temp employee. At first glance, the previous statement might not make much sense. After all, the temp has comparatively the least amount of privileges, and they have those privileges for only a short period of time.
In reality, however, the accounts created for temp employees are typically the most forgotten, potentially exposing your organization to unwanted access by users who, by definition, have little or no loyalty to the organization. Without the proper tools and procedures, former temp employees who should no longer have access may take advantage of the access granted, making them an insider threat.
During a temp’s time at your organization, there are three points or events at which security concerns come into play:
- Hiring them: One of the challenges with some temp positions is the ambiguity that comes with defining exactly what privileges temps need to get their specific job done. So, you do what most IT departments do: add them as members of the seemingly appropriate groups, without knowing exactly what permissions those groups have and what the security repercussions therein would be.
- Making them full-time: There are times when temps turn out to be such amazing employees that they are made full-time and given additional or different responsibilities. This creates the need for new access and new permissions — all via added memberships to groups. What typically also happens is that there is no review of their original group memberships, nor are the temps removed from any groups no longer relevant to their new full-time position. Such a situation simply compounds the same problem.
- Terminating them: While you might think that this should definitely help security, it may not put you in any better position. Unless you have a “pink slip” process where accounts are de-provisioned when someone is terminated, it’s likely that you have accounts in AD that haven’t been disabled, that are still members of groups they shouldn’t be, and that still have access to critical data and applications within the organization.
The underlying problem here stems from a lack of group management, exacerbated by the undefined nature of the “needed access” that temp employees require.
So, what are you supposed to do to ensure that temp employees don’t remain a security risk?
There are three basic steps that you should consider to create a more secure environment for all employees — temps, contractors, and full-timers alike:
- Identify the underlying risk that exists in your groups. Know what you have and understand just how good or bad the management of your groups really is.
- Begin to manage groups appropriately. It takes just a few basic steps to put your security back on track.
- Implement a true group management lifecycle. This is a bit more involved, but if you’re serious about security (and you should be), you’ll recognize two important conditions:
- The insecure nature of your groups as they exist today
- The necessity of implementing a real security strategy that involves the most common way of providing access: groups
It’s important to remember that people with high-profile positions are not the only people who need to have their security put under scrutiny. In reality, anyone given access via groups — especially when IT has no idea what rights have been granted — needs to be under the security microscope.