It is time for user provisioning to shine. For too long, IT departments have isolated account provisioning, making it a standalone process, ignoring how destructive a provisioning mistake can be. But user provisioning, the very act of providing the workforce with network access, is absolutely fundamental to an organization’s security and risk posture.
There is a plethora of scenarios in which poor provisioning can result in upsetting, and massively expensive, data leaks. The best defense against such disasters is to fully understand the significance of provisioning and to prepare for the worst. And the worst can be costly. Last year, Kaiser Permanente was fined $250,000 after more than 20 employees accessed medical records for Nadya Suleman, known in the media as the “Octomom.” But the threat of data leaks isn’t, by any stretch, limited to high-profile scenarios involving celebrities.
Coping with new realities
The reality of today’s collaborative, global, 24-hour business world has unlocked more provisioning pitfalls than ever. Organizations typically juggle multiple business partnerships, consultants who work alongside full-time staff, “road warriors,” remote employees and those who are connected from home after-hours and on the weekends.
And for many organizations, force reductions have been the grim reality, especially over the past two years. When an organization cuts back its workforce, its risk for data leaks soars because disgruntled employees are the most likely instigators. This is why deprovisioning workforce accounts, or removing them from the network, is so critical.
Unlimited risk potential
Even among disgruntled employees, some pose a greater risk than others. For instance, a sales employee could wreak havoc by disclosing confidential customer data. While this has major business consequences, it usually can be traced and, in most cases, contained. However, a dismissed IT employee has what insurance companies call unlimited risk potential. They can bring the entire IT infrastructure to a halt. This can cost an organization a staggering amount of money and shake customer and employee confidence to the core.
Yet, it is often tricky to know which employees are truly disgruntled and might compromise the company’s data. The easy solution for this would be to apply the same deprovisioning process for all dismissed employees. But this one-size-fits-all approach doesn’t work, as more organizations are transitioning full-time staff to consultant or part-time status, rather than outright relieving them of their employment. When faced with this scenario, too many organizations simply freeze the full-time employee’s access credentials and then reactivate them once the employee comes back on board as a consultant or part-timer. But this isn’t safe or advisable. Instead, it is best to completely remove the full-time credentials and then create a new identity that allows only limited network access.
Another aftermath of the recession has been increasing merger-and-acquisition activity in nearly all sectors. When folding another workforce into an organization, it becomes critical to iron out compatibility and provisioning issues right away. The same is true for short-term business partnerships. In these cases, the most feasible option is to grant the partnering organization temporary network access, whether it’s through their existing VPN infrastructure or a site-to-site tunnel. However, it is critical to terminate these connections when the relationship ends. You absolutely do not want another company to access your network once your business with them has concluded.
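The deprovisioning checks described in the two paragraphs above can be run as a periodic audit of directory accounts against HR status. The following is an added example, not part of the original article; the record layout, field names, account names and dates are all constructed assumptions.

```python
from datetime import date

REDUCED = {"consultant", "part-time"}  # statuses that should get a fresh, limited identity

# Constructed sample data; every name and date here is hypothetical.
HR = {
    "asmith": {"status": "terminated", "changed": date(2010, 3, 1)},
    "bjones": {"status": "consultant", "changed": date(2010, 4, 15)},
    "clee":   {"status": "consultant", "changed": date(2010, 4, 15)},
    "dkhan":  {"status": "full-time",  "changed": date(2008, 1, 7)},
}
ACCOUNTS = [
    {"id": "asmith", "owner": "asmith", "enabled": True, "created": date(2006, 5, 2)},
    # Frozen full-time account kept around for later reactivation.
    {"id": "bjones", "owner": "bjones", "enabled": False, "created": date(2005, 9, 9)},
    # New identity issued after the conversion date.
    {"id": "clee-ext", "owner": "clee", "enabled": True, "created": date(2010, 4, 16)},
    {"id": "dkhan", "owner": "dkhan", "enabled": True, "created": date(2008, 1, 7)},
    # Partner VPN accounts carry the end date of the business relationship.
    {"id": "vpn-acme", "owner": None, "enabled": True,
     "created": date(2009, 11, 1), "contract_end": date(2010, 6, 30)},
    {"id": "vpn-globex", "owner": None, "enabled": True,
     "created": date(2010, 1, 5), "contract_end": date(2010, 12, 31)},
]

def audit(accounts, hr, today):
    """Return (account_id, finding) pairs for provisioning mistakes."""
    findings = []
    for acct in accounts:
        end = acct.get("contract_end")
        if end is not None:  # partner account
            if acct["enabled"] and end < today:
                findings.append((acct["id"], "partner access outlived the relationship"))
            continue
        person = hr.get(acct["owner"])
        if person is None:
            findings.append((acct["id"], "orphaned: no HR record for owner"))
        elif person["status"] == "terminated" and acct["enabled"]:
            findings.append((acct["id"], "terminated employee still has access"))
        elif person["status"] in REDUCED and acct["created"] < person["changed"]:
            # Flagged even when disabled: a frozen credential is still the old identity.
            findings.append((acct["id"], "full-time identity kept after conversion"))
    return findings

if __name__ == "__main__":
    for account_id, finding in audit(ACCOUNTS, HR, date(2010, 7, 1)):
        print(f"{account_id}: {finding}")
```

The frozen `bjones` account is reported even though it is disabled, because the audit treats any identity that predates the status change as one that should have been removed and recreated.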
Obviously, the organizations most vulnerable to headline-making data leaks are those that handle the most sensitive data, like health care organizations, financial services, and the retail sector. With organizations dealing with so many moving parts that have emerged rather suddenly, IT departments are not always adequately caught up.
For instance, in 2007, hackers broke into retailer TJX’s system, exploiting vulnerabilities in the company’s network and Wi-Fi system. The colossal breach affected at least 90 million accounts, and the fraud-related loss on Visa cards alone ranged from a whopping $69 million to $83 million. The retailer has since strengthened its network, but in this case, it was too late to rectify the damage already done.
Manageability is key to success
Not only should organizations ensure that their IT security is equipped to handle high-volume, complex, and tiered provisioning, but also that their remote branches have the same high-level security as the headquarters. Retailers often pour the vast majority of their IT resources into the corporate headquarters, forgetting that the retail outlets are where customers are physically entrusting the organization with their personal data.
Tiered provisioning also becomes crucial for health care organizations, especially now that patients are interacting electronically with more medical professionals than ever. Patients are seeing doctors, nurses, physician’s assistants and lab techs, among others, who need access to their files. But in a tiered provisioning system, not all of these players would get equal access to a patient’s file. For instance, a lab tech requires access to only a certain portion of a patient’s file, while a nurse perhaps requires more extensive access, but often not as comprehensive as the doctor’s.
Of course, data breaches aren’t limited to these scenarios. There are scores of unknown breaches that happen when employees innocuously log into the network from unprotected family or public computers, or even from their mobile devices over unsecured wireless networks and hotspots. While organizations should strive to ultimately eliminate all of these provisioning dangers, targeting the most likely and most identifiable is a prudent – and vigilant – place to start.