Easy Employee Off Boarding – Forget Password Changes
Anirban Banerjee
Employees are the core of any enterprise. It is also a reality, however, that employees come and employees go; the Gallup article “The Truth About Turnover” is an interesting read on the subject. I would like to discuss what happens when an employee decides to move on to the next opportunity. Does panic set in? Who is in charge of the offboarding? Is there a process? What do other companies do when employees leave? Many questions spring to mind, and teams including IT, Security, HR and Finance have to get involved and work as a solid, cohesive unit in order to make the transition happen.
It is inevitable. Engineers, IT staff, sales leads, HR managers and PR admins will all move on at some point. It is interesting to look at the average tenure in the San Francisco tech industry: at the hot startups it is 1.5 to 2 years.
When you receive an email from a member of the team announcing that they want to move on, there are various things that need to be considered. Here are two examples.
1. Does the person have access to privileged accounts? – Most organizations do not realize it, but the number of privileged and administrative accounts can be anywhere from 30% to 100% of the employee count. Why is it this high? Because most companies run servers, each of which has administrative and root accounts, and on top of that SaaS and web applications come with their own administrative and privileged accounts. You might think that there are only 20 people in your IT team and that they control most of the servers, but what companies end up discovering is that the marketing team uses a SaaS service and has five administrative accounts of its own on it. Shadow IT like this plays a big role in the explosion of the number of privileged accounts inside any company. You need an easy way to find out whether the person has been given access to any privileged accounts, what they have been doing with that access, and whether it can be delegated, among other questions.
2. Does the person have any existing projects that will be affected? – In most cases the person leaving the organization will have been involved in more than one project. You need to look up in your project tracking system which areas this person has been involved in and which projects they are currently contributing to. One easy way to handle this is to visit your ticket or request tracking portal, search for the individual, and look at the open tickets assigned to them and their due dates. This gives you a good idea of how critical the work assigned to them is.
Let The Off Boarding Begin
The offboarding process (OBP) in most companies causes panic attacks and sweat dripping from the foreheads of the compliance and GRC folks. Often you will find that employees who moved on months ago still have the access they had while employed. This happens because in most enterprises the OBP is not fully automated and does not cover the full privilege surface. In a lot of organizations the OBP is largely manual: an employee announces they are leaving, and this is followed by emails to the various business unit heads and to IT asking them to disconnect access for the person in question. The obvious problems with this approach are that access is never all cut off at the same time, and that nobody even knows about all the access a person may have.
In a lot of cases companies think that changing the passwords of an employee who is leaving is good enough. That is a false sense of security. Changing passwords is just the first step: a password reset does nothing about SSH keys, API tokens and sessions that have already been issued, which keep working until they are revoked separately. You also need to deregister and block the devices associated with the person, update their group memberships in AD, redirect their email to an escrow mailbox, and take care of a number of other things. Anyone who claims that changing the passwords on a terminated employee's accounts is the be-all and end-all of the OBP is quite simply delusional.
What you need to aim for is a controlled OBP. This OBP should have the following hallmarks:
- Allows you to identify quickly what the employee has access to and with what privileges.
- Allows you to cut off access to *all* apps and servers within minutes, not days or months.
- Allows you to record and log the entire process for compliance reasons.
- Allows you to hand over responsibilities and shared service accounts to new hires or replacements.
- Allows you to identify the projects the person is involved in, how important their contribution is, and what deadlines they have to hit before they leave.
- Allows you to schedule the OBP for a date in the future, so that all of the above actions are carried out on that date.
There are some obvious challenges that companies need to overcome in building a good, stable OBP. They range from gathering data from fragmented data stores (multiple AD domains, LDAP directories and more) into one single repository where sense can be made of it, to the data not having the granularity needed to tell whether the privileges a person holds are administrative or user level. In addition, you will need to find out who the various business unit heads are and how to reach them to make sure the OBP is actually carried out.
PAM – An Automated Pain Killer for OBP
Most next-generation Privileged Access Management (PAM) solutions come not only with the ability to manage who has which rights on which application or server, but also with complete visibility into who is doing what, what access and rights they hold, and how sensitive each access grant is. PAM solutions continuously sync with the various AD and LDAP stores and pick up any changes made there. As an example, to kick off your OBP you may only need to go to your AD store and pull the person out of their Organizational Unit (OU). The PAM solution picks this up and cuts off the user's access to all the servers and apps it brokers. This can be supplemented with automated password resets, SSH key rotation and more. Note that this covers only the access the PAM solution knows about; SaaS accounts that were never enrolled (the shadow IT from earlier) still have to be found and revoked separately.
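The inventory-then-revoke workflow described above, as an added example that is not code from the original post or from any PAM product. It is a Python script that assembles a departing user's privilege surface from constructed exports of three fragmented stores (an AD group-membership export, SaaS admin rosters and per-host authorized_keys files), decides SSH key ownership by fingerprint rather than by the free-text comment, produces an ordered and loggable revocation plan that can be scheduled for a future date, and strips the user's keys from an authorized_keys file. The users, hosts, groups, roles and keys, and the choice of which groups and roles count as privileged, are all constructed assumptions for the example; a real run would replace the inline exports with reads from the directories and hosts.

```python
import base64, csv, hashlib, io, re, struct
from datetime import date

# ---- Constructed sample exports (not real data) ---------------------------
def ed25519_blob(raw: bytes) -> str:
    """Base64 OpenSSH public-key blob for 32 constructed key bytes
    (wire format: string "ssh-ed25519", string key)."""
    return base64.b64encode(struct.pack(">I", 11) + b"ssh-ed25519"
                            + struct.pack(">I", 32) + raw).decode()

ALICE_KEY, ALICE_OLD_KEY, BOB_KEY = (ed25519_blob(bytes([i]) * 32) for i in (1, 2, 3))
AD_EXPORT = "sAMAccountName,memberOf\nalice,Domain Users\nalice,Domain Admins\n" \
            "alice,Sales-Reports\nbob,Domain Users\n"
SAAS_ROSTER = {  # shadow IT: admin roles handed out outside the IT team
    "marketing-crm": [{"email": "alice@example.com", "role": "admin"},
                      {"email": "bob@example.com", "role": "member"}],
    "ci-service": [{"email": "alice@example.com", "role": "owner"}],
}
# Per-host authorized_keys. The comment is free text: "deploy@ci" on web01
# is really alice's old key, so ownership must be decided by fingerprint.
AUTHORIZED_KEYS = {
    "db01": f"ssh-ed25519 {ALICE_KEY} alice@laptop\nssh-ed25519 {BOB_KEY} bob@laptop\n",
    "web01": "# deploy keys\n"
             f'command="/usr/bin/deploy",no-pty ssh-ed25519 {ALICE_OLD_KEY} deploy@ci\n',
}
DIRECTORY_KEYS = {"alice": [ALICE_KEY, ALICE_OLD_KEY], "bob": [BOB_KEY]}  # e.g. sshPublicKey attribute
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}  # assumed policy
PRIVILEGED_ROLES = {"admin", "owner"}

KEY_LINE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"[^"]*")+)\s+)?'  # optional options; quoted values may hold spaces
    r'(?P<type>(?:sk-)?(?:ssh|ecdsa)-[\w.@-]+)\s+'
    r'(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$')

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (options, keytype, blob, comment) per key line; skip blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable authorized_keys line: {line!r}")
        yield m["opts"] or "", m["type"], m["blob"], m["comment"] or ""

def privilege_surface(user: str, email: str) -> list:
    """Every grant the user holds across the fragmented stores, flagged privileged or not."""
    grants = []
    for row in csv.DictReader(io.StringIO(AD_EXPORT)):
        if row["sAMAccountName"] == user:
            grants.append({"source": "ad", "target": row["memberOf"],
                           "privileged": row["memberOf"] in PRIVILEGED_GROUPS})
    for app, members in SAAS_ROSTER.items():
        for m in members:
            if m["email"] == email:
                grants.append({"source": "saas:" + app, "target": m["role"],
                               "privileged": m["role"] in PRIVILEGED_ROLES})
    known = {fingerprint(k) for k in DIRECTORY_KEYS.get(user, [])}
    for host, content in AUTHORIZED_KEYS.items():
        for _opts, _type, blob, comment in parse_authorized_keys(content):
            fp = fingerprint(blob)
            if fp in known:  # shell access to a server counts as privileged here
                grants.append({"source": "ssh:" + host, "target": fp,
                               "privileged": True, "comment": comment})
    return grants

def revocation_plan(user: str, email: str, effective: str, today: str) -> dict:
    """Ordered, loggable plan: privileged grants first, account-level steps last.
    Dates are ISO strings; a future effective date yields a scheduled plan."""
    grants = sorted(privilege_surface(user, email), key=lambda g: not g["privileged"])
    actions = []
    for g in grants:
        kind, _, where = g["source"].partition(":")
        if kind == "ad":
            actions.append(f"remove {user} from AD group '{g['target']}'")
        elif kind == "saas":
            actions.append(f"revoke role '{g['target']}' on {where} for {email}")
        else:
            actions.append(f"delete key {g['target']} from {where}:authorized_keys")
    actions += [f"disable AD account {user} and reset its password",
                f"forward mail for {email} to the escrow mailbox"]
    scheduled = date.fromisoformat(effective) > date.fromisoformat(today)
    return {"user": user, "effective": effective, "status": "scheduled" if scheduled else "execute",
            "privileged_grants": sum(g["privileged"] for g in grants), "actions": actions}

def strip_keys(content: str, revoked: set) -> str:
    """authorized_keys content with every entry whose fingerprint is in `revoked` removed;
    comment lines, blank lines and other users' keys are preserved verbatim."""
    kept = [line for line in content.splitlines()
            if not ((m := KEY_LINE.match(line.strip())) and fingerprint(m["blob"]) in revoked)]
    return "\n".join(kept) + ("\n" if content.endswith("\n") else "")
```

Calling revocation_plan("alice", "alice@example.com", "2024-01-05", "2024-01-01") yields a scheduled plan with nine actions, the Domain Admins removal first; the same call with an effective date that is not in the future yields status execute. Matching by fingerprint is the important detail: the web01 key labelled deploy@ci is alice's old key and would be missed by a grep for her name, which is exactly the kind of leftover access the post warns about.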