Core Blog

Identity and Access Management - Problems with provisioning and deprovisioning

Written by Lucy Wright | Jun 5, 2018 8:41:01 AM

One of the major changes that customers face when adopting cloud solutions and platforms is how much more critical provisioning, and especially deprovisioning, of user access becomes.

BC – Before cloud

In the old world of on-premise infrastructure, all platforms were safely hidden away in the walled garden, protected from the outside world by the organisation's security perimeter. If a user wasn't instantly deprovisioned when they left, or no longer needed access to a system, the risk was low.

If the user was still an employee and simply didn't need access to the system any more, the risk was limited, balanced by the trust that the employee would be sensible and would not actually attempt to access the system, or would not even realise they still had access. People leaving the organisation would be stripped of their access to the building, or of the devices that gave them access, so even if their account was still live they couldn't reach any systems once they had left. In theory, at least.

Deprovisioning, therefore, became a non-critical task and was often accomplished, at least initially, by default rather than by design. When their IT teams were in the heat of battle, many organisations would de-prioritise deprovisioning and pick up anyone that had fallen through the cracks at a periodic review and clean-up of old accounts. This was convenient, because typically both provisioning and deprovisioning are labour-intensive processes requiring IT admins to go into several line-of-business systems to activate or close down the employee's account. If they happened to be interrupted while doing this, there is a significant risk that things might be missed and deprovisioning would never be completed in full. And in the on-premise world, that was kind of acceptable: not strictly adhering to policy, but unlikely to cause significant issues…

Risks with poor deprovisioning

Except that even then, it did. A study in 2004 by Camelot Network Security found that, across the companies they surveyed, 43 per cent of data breaches were traced back to ex-employee accounts. A more recent study of ex-employees completed by Accenture found that 10 per cent admitted to illegally accessing a former employer's data. If 10 per cent admitted it, the true number of offenders is probably higher.

Most organisations know that their data is a valuable commodity: it's the fuel of their business. It's not only valuable to you but also to your competitors, and it's a currency that may be exploited by people who are looking to move on in their careers. So, protecting it is unquestionably in the interest of the business. With the changes in data protection legislation, GDPR in particular, the stakes get even higher.

It’s different in the cloud

Then we get to cloud. In the cloud model, user access isn’t protected in the walled garden of your on-premise infrastructure. Instead, it is outside of your core network in a multi-tenanted datacentre. In the world of the modern workplace, we encourage employees to be connected at all times and in all locations. This can mean that users are enabled to access your data on a multitude of devices - some that you supplied, but maybe on their own devices too.

Rightly or wrongly, in order to ensure a frictionless user experience the default security and access requirements are often fairly minimal, perhaps limited to a username and password to gain access. For organisations new to the cloud this is probably its one real negative: if you carry on with your previous practices around identity, this is where you open up your risk of a breach.

The basic cloud security model relies on the customer's IT administration function controlling access by making sure accounts and access are immediately deprovisioned when they are no longer required. On the surface this is not a big ask, but in reality we are all trying to do more with fewer people, and for years and years we have conditioned IT staff to understand that deprovisioning is not a priority task. Even if we can successfully re-educate them, how do we build in the focus time to make sure they are able to do this consistently and completely every time an employee changes role or leaves the business?

That’s a problem.

Thankfully, it's a problem a good IDAM platform like Aurora can solve.

Aurora from Core – the solution

Aurora can automate the provisioning and deprovisioning of user accounts, taking this whole issue off the plate of the IT admin teams. By linking with your HR systems and using role-based profiles, Aurora can automatically set up the user's access to your main cloud platforms when a new HR record is created, and deprovision it when the HR system is updated as part of the leaver process. It will even allocate the correct licences from your pool as part of the process. Because the workflow is automated, there is no risk of someone getting part way through an account closure only to be called away to deal with another priority and never finish the process.

Even without HR system integration, IT admin can make one change to the employee’s identity record in Aurora. The system will then take care of the rest of the workflow, drastically reducing the resource time required to set up or revoke access.
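The two paragraphs above describe HR-driven, role-based joiner/mover/leaver automation: HR records plus a role profile define the access a person should have, and the platform brings the cloud systems into line with that. The following is an added illustration of that idea in Python, written for this page; it is not Aurora's code, and the role profiles, system names, licence SKUs and HR records in it are constructed for the example. The point it makes is the one the paragraph makes: if access is computed as a diff between desired state (HR) and actual state (the cloud platforms), an interrupted run is harmless, because the next run simply recomputes whatever is still outstanding.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical role profiles: which systems and which licence SKU a role is entitled to.
ROLE_PROFILES = {
    "sales":    {"systems": {"crm", "mail"},         "licence": "E3"},
    "engineer": {"systems": {"repo", "mail", "ci"},  "licence": "E5"},
}


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    role: str
    status: str  # "active" or "leaver" (constructed statuses for the example)


@dataclass
class CloudState:
    """Actual state of the cloud platforms (what an admin would otherwise check by hand)."""
    accounts: dict[str, set[str]] = field(default_factory=dict)  # system -> employee_ids with an account
    licences: dict[str, str] = field(default_factory=dict)       # employee_id -> assigned SKU
    licence_pool: dict[str, int] = field(default_factory=dict)   # SKU -> unassigned licences left


# Constructed sample data: alice stays in sales, bob is a joiner, carol is a leaver.
HR_RECORDS = [
    HrRecord("alice", "sales", "active"),
    HrRecord("bob", "engineer", "active"),
    HrRecord("carol", "sales", "leaver"),
]


def initial_state() -> CloudState:
    """Cloud state before the run: carol still has everything, bob has nothing yet."""
    return CloudState(
        accounts={"crm": {"alice", "carol"}, "mail": {"alice", "carol"}},
        licences={"alice": "E3", "carol": "E3"},
        licence_pool={"E5": 1, "E3": 0},
    )


def desired_state(hr_records: list[HrRecord]) -> dict[str, tuple[set[str], str]]:
    """Desired access per employee, derived only from HR status and role profile."""
    desired = {}
    for rec in hr_records:
        if rec.status == "active":
            profile = ROLE_PROFILES[rec.role]
            desired[rec.employee_id] = (set(profile["systems"]), profile["licence"])
    return desired


def plan(hr_records: list[HrRecord], state: CloudState) -> list[tuple[str, str, str]]:
    """Diff desired state against actual state and return the actions needed.

    This is a pure function of (HR, cloud state), so re-running it after an
    interrupted apply() yields exactly the actions that are still missing.
    """
    desired = desired_state(hr_records)
    all_systems = set(state.accounts) | {s for systems, _ in desired.values() for s in systems}
    current_users = set(state.licences) | {u for users in state.accounts.values() for u in users}
    actions = []
    for uid in sorted(current_users | set(desired)):
        want_systems, want_lic = desired.get(uid, (set(), None))
        for system in sorted(all_systems):
            has = uid in state.accounts.get(system, set())
            if system in want_systems and not has:
                actions.append(("provision", uid, system))
            elif system not in want_systems and has:
                actions.append(("deprovision", uid, system))
        have_lic = state.licences.get(uid)
        if want_lic != have_lic:
            if have_lic:  # release first so a mover's old SKU goes back to the pool
                actions.append(("release_licence", uid, have_lic))
            if want_lic:
                actions.append(("assign_licence", uid, want_lic))
    return actions


def apply(actions: list[tuple[str, str, str]], state: CloudState) -> CloudState:
    """Apply actions to the cloud state; each action is idempotent on its own."""
    for kind, uid, target in actions:
        if kind == "provision":
            state.accounts.setdefault(target, set()).add(uid)
        elif kind == "deprovision":
            state.accounts.get(target, set()).discard(uid)
        elif kind == "release_licence":
            state.licences.pop(uid, None)
            state.licence_pool[target] = state.licence_pool.get(target, 0) + 1
        elif kind == "assign_licence":
            if state.licence_pool.get(target, 0) <= 0:
                raise RuntimeError(f"no {target} licences left in pool for {uid}")
            state.licence_pool[target] -= 1
            state.licences[uid] = target
    return state


def orphaned_accounts(hr_records: list[HrRecord], state: CloudState) -> list[tuple[str, str]]:
    """Audit check: accounts in any system that no active HR record stands behind."""
    active = {r.employee_id for r in hr_records if r.status == "active"}
    return sorted((system, uid) for system, users in state.accounts.items()
                  for uid in users if uid not in active)


if __name__ == "__main__":
    state = initial_state()
    print("orphans before:", orphaned_accounts(HR_RECORDS, state))
    for action in plan(HR_RECORDS, state):
        print(action)
    apply(plan(HR_RECORDS, state), state)
    print("orphans after:", orphaned_accounts(HR_RECORDS, state), "remaining:", plan(HR_RECORDS, state))
```

The `orphaned_accounts` check is the periodic review the article describes, turned into a query that can run every time rather than once a quarter; in a real deployment the two inputs would come from the HR connector and from each platform's user-listing API rather than from the constructed dictionaries here.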

As a further benefit, Aurora can be configured to use modern authentication methods to provide Single Sign-On access to the appropriate cloud platforms. This is a great experience for the user and aids productivity, but it also means the user never holds a password that would let them sign in to the cloud platform directly. So, even if the deprovisioning process had not yet been completed, say while an employee is working through their notice period, there is a much more limited risk of them being able to exfiltrate your data onto a private device before they depart. Provided the cloud platform is configured to accept federated sign-in only, they cannot bypass your IDAM solution, so you retain complete control and visibility of their activity and can respond accordingly.

Protecting your business data is the critical outcome of this, but the benefits to an organisation from a GDPR perspective are also significant. Aurora reduces the risk of unauthorised access to data in cloud services and provides an audit trail of each user's permissions and activity, so that you can see what they had access to and when it was revoked.

The resource/time/cost savings of automating the provisioning, licensing and deprovisioning activities alone are often enough justification for the business case of an IDAM solution like Aurora. Roll in the reduced risk of fines from a data breach in the world of GDPR and the solution moves from a “nice to have” to a “must have” for any organisation adopting the cloud.

If you want to find out what Aurora can do for your business, please don’t hesitate to get in touch with us.