Off-boarding employees who resign has become something HR and IT teams have to manage more often than they'd like. From an IT perspective, ensuring those employees no longer have access to all of the applications and systems they had been using takes some careful work.
Such off-boarding presents enormous challenges, especially when off-boarding those who are tasked with building and securing the company’s application ecosystem in the cloud. Security and engineering professionals tie the vast landscape of disparate systems in the cloud together, often through API keys, users, roles and service accounts, which opens a new level of risk to any company’s enterprise security policies.
Let’s look at the API keys that connect applications, services or data lakes together. Jane may provision an API key for a vendor or for someone else on the team that ultimately grants access to sensitive data. This API key serves as a system password – and many times these keys are long-lived and shared across different workloads.
Now let’s say Jane resigns and gives the standard two weeks’ notice. What about the API keys that Jane provisioned? How many did she provision? Which ones are they? Who exactly uses those API keys today, and where? Which of those API keys are shared? Which workloads or machines share them? More importantly, how can the security team gather this information in a federated world, across authentication boundaries? If the group uses federation, the actions Jane took were performed through a shared credential or role in the environment. The logs therefore show only that credential conducting the activity, and the same credential is shared with everyone else who can use the role. Because of this, the security team can’t easily answer which keys Jane actually created.
While Jane may have been a great employee who left on good terms, she’s still privy to the keys she provisioned. Because revoking them would likely have a significant impact on different users and systems, it’s highly likely these keys are still active long after Jane leaves. We can’t easily enforce who can or can’t use these keys. So at this point, a former employee holds an API key that could access highly sensitive data belonging to one of the company’s biggest customers. This example focuses on API secrets, but security teams should make similar considerations for the users, roles, permissions and policies that Jane created as well.
This problem isn’t unique to Jane or her colleagues in engineering, security, or similar IT-related positions. When someone in sales puts in their two-week notice, similar data security concerns are warranted, not in Azure, AWS, Okta or GitHub, but rather, in Microsoft 365, Gsuite, or other cloud applications such as Salesforce. We recently spoke with a CISO at a company who voiced concerns about off-boarding sales team members that leave the company and some of the data they may take with them, sometimes to direct competitors.
“When someone leaves the company, even on good terms, we want to audit access and behavior on Gsuite and Office365,” said the CISO. “We want to identify suspicious activity: Did they access certain files, or share them? Who did they share them with? We work toward pulling these logs to create a map of what the user does in their day-to-day on Gsuite after they’ve given their notice. Someone leaving on bad terms is at higher risk of stealing our company’s data, sales information, product roadmaps or financials. They are often active downloading files locally shortly before putting in their notice.”
The CISO went on to say that in his career, there were multiple instances where a sales rep decided to leave and took company agreements, competitive intelligence, and customer and prospect database information with them. The problem to this point has been examined through the lens of an employee leaving on good terms. It goes without saying that, in the wake of mass layoffs at many tech companies over the last year or so, this problem has become magnified when employees are terminated.
Making sense of these logs, let alone doing so in a timely fashion or in real time, presents a new set of challenges for security teams. Sifting through the data to reconstruct what the user actually did often takes hours, sometimes days.
So how can security teams mitigate these risks? Start with a comprehensive inventory of the departing employee’s identities; the keys, tokens, certificates and credentials they provisioned or used; the service accounts they have access to; and the roles they could assume. Moving forward, baseline “normal” access and behavior and develop leading indicators of potentially nefarious activity in real time. Once the team understands the user’s “normal” behavior, it can develop rules and alerts from logs to detect access and behavioral anomalies in the company’s environment.
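As an added example (not from the original post, and not Permiso’s tooling), here is the inventory step above applied to a few constructed CloudTrail-style records: it attributes CreateAccessKey events to the departing user via the STS session name, marks keys created through a shared session name as ambiguous (the federation gap described earlier), and maps where each attributed key was later used. It assumes the identity provider puts the federated user’s name in the role session name; the account ID, key IDs and IP addresses are constructed sample values.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (sample data, not real logs). Under
# federation the actor shows up only as the assumed role; the session name at
# the end of the ARN is the one field that may identify the human behind it.
SAMPLE_EVENTS = [
    {"eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/jane@example.com"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0001", "userName": "vendor-etl"}}},
    {"eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/shared-session"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0002", "userName": "data-lake-reader"}}},
    {"eventName": "GetObject", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0001"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "python-requests"},
    {"eventName": "GetObject", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0001"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-sdk-go"},
]


def session_name(event):
    """Return the STS session name, or None when the actor is not an assumed role."""
    ident = event["userIdentity"]
    if ident.get("type") != "AssumedRole":
        return None
    return ident["arn"].rsplit("/", 1)[-1]


def keys_created_by(events, departing_user, shared_sessions):
    """Inventory access keys created by the departing user.

    Keys created under a session name that several people share cannot be
    attributed to one person, so they are reported separately as ambiguous.
    """
    inventory = {"attributed": [], "ambiguous": []}
    for event in events:
        if event["eventName"] != "CreateAccessKey":
            continue
        key_id = event["responseElements"]["accessKey"]["accessKeyId"]
        name = session_name(event)
        if name == departing_user:
            inventory["attributed"].append(key_id)
        elif name in shared_sessions:
            inventory["ambiguous"].append(key_id)
    return inventory


def key_usage(events, key_ids):
    """Map each key to the distinct (source IP, user agent) pairs that used it."""
    usage = defaultdict(set)
    for event in events:
        key_id = event["userIdentity"].get("accessKeyId")
        if key_id in key_ids:
            usage[key_id].add((event.get("sourceIPAddress"), event.get("userAgent")))
    return {key: sorted(pairs) for key, pairs in usage.items()}
```

The usage map is what tells the team which workloads would break if an attributed key were rotated; ambiguous keys need a manual owner check before any revocation decision.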
Security pros can still expect a hectic time during a mass layoff, but hopefully, these ideas will help mitigate many of the security risks.
Paul Nguyen, co-founder and co-CEO, Permiso