An IT Managerís Guide to Provisioning and Identity Management
by Michael Burling - European Director for Thor Technologies - Thursday, 4 August 2005.
Thankfully there are software tools available to assist with provisioning. They allow companies to keep track of all assets that are issued to staff. This includes physical assets such as cars and computers, entitlements such as club memberships and discounted canteen rates, and access to internal and third-party computer systems. Thus when an employee leaves the company or changes his or her job, it is easy to discover which assets should be denied, recalled, disabled or returned. All of this helps with audit compliance, of course, and also saves money. After all, why buy a new copy of Microsoft Office for an incoming employee when there are four licenses available that were previously used by staff in another department but which are now no longer required.

Thereís no point in continuing to pay for a Bloomberg or Reuters subscription for someone who previously worked in the investments office but has now moved sideways into a marketing role. An automated provisioning system can spot this change of role and automatically alert the person who manages the subscriptions.

When someone leaves the company, provisioning software means that all of their computer accounts can be shut down in a single action. This is especially important in the case of a dismissal, where leaving a single electronic door open can put the company at risk from the proverbial disgruntled employee. Plus, there is a clear list of tangible items available so that the employee and the employer know which items need to be returned.

Automated provisioning management systems can be especially useful where temporary staff, or those on relatively short contracts, are employed. Itís convenient merely to create all-powerful network usernames of, say, temp1 to temp20 and allocate them to temporary staff as required. Such a practice is commonplace but is highly dangerous because it becomes impossible to pin down unauthorised access to a specific person. It is also inadvisable to grant users permissions to systems that they have no need to access, even if you are confident that theyíll probably never discover those systems. Even if the temps donít know about them, other long-standing staff will. With an automated provisioning system, the company simply defines a set of temporary job functions and the system can then create (and, just as importantly, revoke) usernames with the correct set of privileges when required.

Identity Management

Provisioning systems often include identity management capabilities. This allows control and organization of what can be a major problem area for a lot of companies, namely the management of access rights and passwords across multiple systems. When security auditors ask a companyís IT management for a list of all key computing resources and details of which staff have access to which resources, it is often impossible to produce a definitive list because the information is spread across the internal access control lists of many different servers running a multitude of operating systems. A corporate inability to accurately list the components of someoneís electronic identity makes auditing difficult and will hinder investigations if a system is hacked.

Identity Management software allows companies to define roles which correspond to job functions, and then by assigning staff to one or more roles their access rights to multiple systems can be easily granted, revoked or changed with ease. By providing the ability to report on usersí access rights, and to cross-reference these via customized reports, identity management software can alert companies to potentially dangerous or even illegal situations before they arise. For example, an employee who has access to the procurement system for placing orders should be prevented from subsequently being granted access to the system which issues payments to suppliers, in order to prevent fraud caused by an employee setting up a bogus company. Identity Management software can warn against such cases, even if access to the second system is granted many years after the first.

Identity Management solutions also generally have facilities to allow users to automatically request password resets, thus freeing the help desk staff from the expensive and time-consuming tasks of dealing with users who have forgotten their passwords.

Spotlight

Bash Shellshock bug: More attacks, more patches

Posted on 29 September 2014.  |  As vendors scramble to issue patches for the GNU Bash Shellshock bug and companies rush to implement them, attackers around the world are probing systems for the hole it opens.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Sep 30th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //