Keeping employees and former employees in their proper network place
When a new employee joins a company, a network login name and password are issued along with the employee manual and benefits guide on the first day at work. In all but the smallest companies, that login carries restrictions on the privileges available to the user, restrictions that, in many cases, are soon stretched to cover far too much of the network.
The first stretch comes when the employee's duties grow to include new applications or data sets. The user's network identity now includes privileges on additional servers, network segments and applications. The new territory is added to the employee's network identity and, in most companies, it is never given back.
Granting employee requests for wireless networking adds yet more privileges, these carrying the right to log into the network (and the accumulated servers and applications) from virtually anywhere. When the employee takes another position in the company, more permissions are added, and before long the single employee login has permissions second only to the head of network security. It's not that the employee is using all these permissions; the odds are good that the employee is blissfully unaware of all the access that exists.
The danger may surface when the employee, who has never had a malicious thought in her life, leaves the company. A month later, bored on a Sunday night, she tries her old dial-in connection and finds that her login is still active. Fueled by curiosity, she discovers that she still has access to scores of other servers and databases around the company. A bad situation becomes worse if the employee left the company under less than ideal circumstances.
The most damaging case, though, is when that login is found by someone outside the company, someone looking for a way into the network. When an attacker finds a network login with broad access to the network and its resources, the golden keys to the kingdom have been handed over, and the keys unlock every door in the kingdom. It's the recipe for a network security disaster, though one that can be prevented by implementing the right process for managing network users and their identities.
Implementing the process that ends identity creep involves three major areas: process development; personnel training and reinforcement; and product deployment. Put another way, these areas are the process, people and technology behind effective security and identity management.
It's important to begin with a process that recognizes the way information on personnel flows through the organization. In most companies, that means human resources and IT will have to talk to one another on a regular basis. It also means a procedure for reviewing the network access requirements of each position, and for making sure that each employee has the network and system access they need for their current job, not for past positions they've held in the company. Finally, it means a procedure for terminating all network and system access when an employee leaves the company: every dial-in, wireless, server and application account, not just the primary network login.
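As an added example, not code from the author or from any product, the following Python sketch models that process end to end. It takes a constructed HR feed and a constructed directory export, reports the entitlements an active employee still carries beyond the baseline for their current position, lists every account that must be disabled for an employee HR marks as terminated, and flags directory entries that have no HR record at all, which is the former-employee-with-a-live-login situation described earlier. The role baselines, user names, account names and entitlement labels are all hypothetical.

```python
"""Added illustration of the review-and-terminate process described above.

Everything here is constructed: the role baselines, the HR feed and the
directory export are hypothetical, not data from the author or any product.
"""
from dataclasses import dataclass

# Hypothetical per-position baselines: the access a job actually needs.
ROLE_BASELINE = {
    "accounts-payable": {"erp:ap", "fileshare:finance", "vpn"},
    "sales-ops": {"crm:full", "fileshare:sales", "vpn", "wifi"},
}


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str     # current position, as HR records it
    status: str   # "active" or "terminated"


@dataclass(frozen=True)
class DirectoryEntry:
    user: str
    entitlements: frozenset  # every privilege the login currently carries
    accounts: frozenset      # every login the person owns, not just the primary


def excess_entitlements(entry, role):
    """Privileges carried over from past positions (the 'creep')."""
    return set(entry.entitlements) - ROLE_BASELINE.get(role, set())


def review(hr_feed, directory):
    """Compare the directory export against the HR feed; one action per user.

    ("revoke", extras)    -> active employee holding more than the role needs
    ("disable", accounts) -> HR says terminated: close every account they own
    ("orphan", accounts)  -> no HR record at all: a leaver nobody offboarded
    Users whose access matches their role baseline need no action.
    """
    hr = {rec.user: rec for rec in hr_feed}
    actions = {}
    for entry in directory:
        rec = hr.get(entry.user)
        if rec is None:
            actions[entry.user] = ("orphan", set(entry.accounts))
        elif rec.status == "terminated":
            actions[entry.user] = ("disable", set(entry.accounts))
        else:
            extras = excess_entitlements(entry, rec.role)
            if extras:
                actions[entry.user] = ("revoke", extras)
    return actions


# Constructed sample data (hypothetical users and systems).
HR_FEED = [
    HrRecord("alice", "sales-ops", "active"),          # transferred from AP
    HrRecord("bob", "accounts-payable", "terminated"),
    HrRecord("dave", "sales-ops", "active"),
]
DIRECTORY = [
    DirectoryEntry("alice",
                   frozenset({"erp:ap", "fileshare:finance", "vpn",
                              "crm:full", "fileshare:sales", "wifi", "dialin"}),
                   frozenset({"alice", "alice-dialin", "alice-wifi"})),
    DirectoryEntry("bob",
                   frozenset({"erp:ap", "fileshare:finance", "vpn"}),
                   frozenset({"bob", "bob-dialin", "erp-bob"})),
    DirectoryEntry("carol",                 # left last year; no HR record
                   frozenset({"vpn", "dialin", "db:customers"}),
                   frozenset({"carol", "carol-dialin"})),
    DirectoryEntry("dave",
                   frozenset(ROLE_BASELINE["sales-ops"]),
                   frozenset({"dave", "dave-wifi"})),
]

if __name__ == "__main__":
    for user, (action, targets) in sorted(review(HR_FEED, DIRECTORY).items()):
        print(f"{user:6} {action:8} {sorted(targets)}")
```

Run as a script it prints one line per user needing action: alice loses the accounts-payable and dial-in privileges she no longer needs, every one of bob's accounts (including the dial-in and application logins) is slated for disabling, carol's live accounts are flagged as orphans, and dave, whose access matches his role, does not appear. In a real deployment the HR feed and directory export would come from the HR system and the identity store respectively, and the "actions" would drive the provisioning tooling rather than a print loop.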
Training people begins with impressing on them that management takes network security seriously. When line managers, human resources staff and IT team members all understand that modifying network permissions is a routine part of any job transfer or employee termination, the enterprise will have taken major steps toward plugging a significant security hole.
Companies often fixate on which products to choose to help ensure security, but there are many good products on the market that can help once a set of policies and procedures has been developed. The key is to develop solid procedures, make sure the products you choose will support full implementation of those policies and procedures, then train every affected staff member in the proper use of the technology to follow through on the procedural directives.
When you’ve done this, the network will be far more secure, and "The Case of the Creeping Identity" can be safely filed under "Solved."
Michelle Drolet is CEO of Conqwest Inc., a 10-year IT security policy and assessment services firm based in Holliston, Mass. Write her at [email protected]