They say that breaking up is hard to do.
You grow together, share secrets, and open up to each other. Maybe you even give them a key to your place. But then the relationship ends and all you want is a clean break.
Unfortunately, it doesn’t always work out that way.
Sometimes your ex may hold on to a spare key that you didn’t know they had and will let themselves into your place now and again. Maybe even helping themselves to some of your stuff.
This can be an unsettling and downright dangerous situation for anyone in their personal lives.
Organizations can face similar risks when employees are separated but still retain access to some of their resources. They can even cause significant damage to their former employer if they are not completely offboarded from their access.
We saw a recent example of this in the conviction of a woman who deleted 21 GB of data from a New York Credit Union after she was fired. According to the court documents, the organization had requested that their IT team remove her access, but there was a lag in actually getting her locked out.
The former part time employee was able to use her credentials to log in and access data ranging from mortgage applications to board meeting notes, deleting the files and causing an estimated $10k in damages.
This case highlights the need to get offboarding right in particular, and to take a better approach to Joiner-Mover-Leaver (JML) lifecycle management more generally.
The Trouble with Partial Offboarding
The amount of resources that employees have access to has ballooned in recent years with the transition to the cloud.
In 2019, the average mid-size organization was reported to be using 137 SaaS apps. This does not account for all of the IaaS (think AWS, Azure, GCP) or data that they may have accessible in the cloud. This number nearly doubles to 288 for enterprises.
Access to all of these cloud services has to be managed carefully, granting just enough access for folks to do their jobs but not more than that or they run the risk of unnecessarily widening their threat surface.
While the Joiner and Mover stages are important so that folks have what they need, the Leavers pose the most risk to the organization’s security. A salty Leaver has the most incentive to do harm, so their offboarding requires the most care.
When the offboarding process is not carried out completely and the former employee retains some of their access, then we refer to this as partial offboarding.
Ideally, organizations are using an IDP such as Okta, Azure AD, or Ping that connects all of their employees’ accounts and can simply cut off that access in one fell swoop.
In reality though, this process is often challenged by a number of factors.
- Lack of Visibility and Controls
Organizations generally lack visibility into who has access to which assets. It’s hard to block access if you don’t know what folks have in the first place, and this only gets harder as the number of identities and assets climbs.
This is a particularly thorny issue when it comes to externally shared assets. Simply cutting off their access through your IDP is not really an option here because your team does not control accounts outside of your organization.
- Multiple Systems Means Multiple Controls
A common mistake is that the IT team will disable a person’s Azure AD or Google account for their email and file sharing, but then forget to cut off access through the IDP.
An even worse case scenario is when the organization has allowed unfederated access to some of their assets so they don’t even have the control that their Okta could give them.
- No Tracking of Permission Usage
Understanding if and how permissions are being used is a key part of securing your assets.
The Principle of Least Privilege tells us that a person should only be given the access they need to do their job. But far too often employees are given access that they never use.
If they’re not using it, then they should lose it.
Managing these permissions means tracking usage and using that intelligence to make informed decisions. The problem is that most organizations are not tracking their usage, leaving them with considerable blindspots.
Another important reason to track permission usage is for identifying when an account that has been dormant becomes active again. Let’s say that you have a dormant account that all of a sudden starts accessing assets. That should be a red flag that something nefarious might be afoot as the credentials may be compromised by a hacker or being used by a former employee.
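One way to turn that red flag into a check, as an added example that is not code from the original post: a small detector run over constructed login records (the log format, user names, dates and the 60-day dormancy threshold are all assumptions) that flags an account logging in after a long gap of inactivity, or any login by a user on the leavers list.

```python
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format): "<ISO timestamp> <user> <event>".
SAMPLE_LOG = """\
2023-01-03T09:12:00 alice login_success
2023-01-04T08:55:00 bob login_success
2023-01-05T09:01:00 alice login_success
2023-02-10T09:07:00 alice login_success
2023-03-20T22:41:00 bob login_success
2023-03-21T09:00:00 alice login_success
2023-03-22T03:15:00 carol login_success
"""

# Assumed policy: an account unused for longer than this is considered dormant.
DORMANT_AFTER = timedelta(days=60)


def parse_log(text):
    """Parse the sample format into (timestamp, user, event), oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return sorted(events)


def find_reactivations(text, leavers=(), dormant_after=DORMANT_AFTER):
    """Return (user, timestamp, reason) for logins worth a closer look:
    a successful login after a dormancy gap, or any login by a known leaver.
    A user's very first login cannot be judged dormant and is not flagged."""
    last_seen = {}
    alerts = []
    for ts, user, event in parse_log(text):
        if event != "login_success":
            continue
        if user in leavers:
            alerts.append((user, ts, "login by offboarded user"))
        elif user in last_seen and ts - last_seen[user] > dormant_after:
            gap = (ts - last_seen[user]).days
            alerts.append((user, ts, f"dormant account active again after {gap} days"))
        last_seen[user] = ts
    return alerts


if __name__ == "__main__":
    for user, ts, reason in find_reactivations(SAMPLE_LOG, leavers={"carol"}):
        print(f"{ts.isoformat()} {user}: {reason}")
```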
3 Tips for Cutting Ties
Ensuring that your exes get out and stay out means following a few best practices.
- Don’t Use Local Accounts
Keep your control centralized. Avoid a situation where you have to manage multiple account controls and risk missing one later when acting quickly counts.
The best way to deal with this is to manage all of your accounts through your IDP.
- Use Tools to Detect and Control External Shares
Ensuring that external parties, often contractors or partners, no longer retain access can be a painstaking process of going file by file in a shared drive if you do not have the right tools available to you.
Utilize tools that understand who has access to your assets and can flag items that are shared externally. Mapping and analyzing this data will help you to limit cases of excessive privilege and narrow your threat surface.
- Automate Your JML Lifecycle
The breakdown in the credit union case appears to have come from the IT team not acting fast enough to revoke access to their assets. Managing your JML Lifecycle is too unwieldy to handle manually, and breakdowns in communication can have devastating effects on your business.
Your access provisioning system should be tied in with your HR management tools to expedite the transfer of critical information such as a person leaving the company. We want to avoid messages like these getting lost in someone’s email.
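The reconciliation that such an HR tie-in makes possible, as an added example that is not the post's or any vendor's code: given the last working day from the HR system and an inventory of accounts pulled from each system (both constructed here, with assumed employee ids, system names and dates), it lists every account still active after its owner left, and marks the local, non-federated ones that the IDP cannot cut off by itself.

```python
from datetime import date

# Constructed HR leaver records (assumed): employee id -> last working day.
HR_LEAVERS = {
    "e101": date(2023, 3, 1),
    "e102": date(2023, 3, 10),
}

# Constructed account inventory (assumed): (employee id, system, account, status),
# as it would be gathered from the IDP and from each system that keeps its own accounts.
ACCOUNTS = [
    ("e101", "okta", "dana@example.com", "deprovisioned"),
    ("e101", "github-local", "dana-ops", "active"),
    ("e101", "aws-iam-user", "dana-deploy", "active"),
    ("e102", "okta", "eli@example.com", "active"),
    ("e103", "okta", "fay@example.com", "active"),  # current employee, not a leaver
]

# Assumed: only these systems are federated, so only these are cut off by the IDP.
FEDERATED_SYSTEMS = {"okta"}


def partial_offboarding(hr_leavers, accounts, today, federated=FEDERATED_SYSTEMS):
    """Return the accounts that remain active after the owner's last working day,
    i.e. the evidence of partial offboarding, most overdue first."""
    findings = []
    for emp, system, account, status in accounts:
        leave_date = hr_leavers.get(emp)
        if leave_date is None or status != "active" or today <= leave_date:
            continue
        findings.append({
            "employee": emp,
            "system": system,
            "account": account,
            "days_overdue": (today - leave_date).days,
            # Local accounts need a separate control; the IDP cannot disable them.
            "needs_manual_revoke": system not in federated,
        })
    return sorted(findings, key=lambda f: (-f["days_overdue"], f["system"]))


if __name__ == "__main__":
    for f in partial_offboarding(HR_LEAVERS, ACCOUNTS, date(2023, 3, 15)):
        print(f)
```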
Change the Locks and Make Them Leave Their Key
Ending a relationship, whether it’s with an ex or a former employee, is done best when it’s done quickly and cleanly.
Dragging out the process for revoking access only leaves the window open for them to cause damage, so it is better to close it as soon as possible and let everyone move on.