User provisioning is a standard component of onboarding and involves creating user accounts for a newly hired employee. It entails access to IT resources (including the directory) and to systems, networks, and applications that are vital to the employee’s performance of their job.
The usual IT resources provided to a new employee include the following:
- A computer (desktop or laptop)
- Company e-mail account
- Wi-Fi network
- Web and on-premise apps
The user is assigned a single authoritative identity in the directory, which is then synced with their identities elsewhere. Ideally, maintaining various directory stores should be avoided to prevent security and efficiency issues.
User provisioning can be automated, depending on the directory service and the resources involved.
New accounts are often initially over-provisioned because the specific resources an employee needs have not been clearly determined. This early-days over-provisioning is justified by the practicality of giving the employee access to everything they need to perform their tasks and sparing the company the cost of helpdesk overloading and the related delays.
User de-provisioning is the post-employment counterpart of user provisioning. It involves revoking the access and deleting the accounts of employees who are no longer working with the company. In addition, SSH keys are also decommissioned.
Like user provisioning, de-provisioning can also be automated. Even in areas where de-provisioning is not automated, admins should be able to promptly revoke access through the central directory; and though a handful of accounts may have to be deleted manually, it’s not strictly urgent to accomplish them because they’ve already restricted access to company resources or data.
Best practices for user provisioning
User provisioning is an important security-related process. As such, be sure to adopt practices that ensure that prevent any unnecessary security compromise.
Implement central identity and access management (IAM).
Implement a centralized cloud directory service that can sync identities among G Suite, Office 365, HR systems, and other major directories (e.g., Active Directory).
Your IAM system will monitor new accounts and identify the privileges used by an employee and recommend to an administrator which privileges are not used and therefore should be removed.
Implement the principle of least privilege.
The concept of least privilege stipulates that users should be granted access rights only to the IT resources they absolutely need, and only in the time frame that they need them to perform their job.
In user provisioning, admins determine what resources to grant new users, and in de-provisioning, they can monitor inactive accounts and delete them accordingly. This can also be enforced through a cloud directory service.
Automate where you can.
Ensure accuracy and ease in both user provisioning and de-provisioning by automating both processes using any of the various automation tools available today.
You can create a user account through a cloud directory service, as well as map their attributes to systems, apps, files, and networks via automation tools like group settings, PowerShell modules, and APIs.
Regardless of what automation tools you choose, be sure they allow you to revoke user access to all resources with one click from the directory to avoid a security issue.
Ensure continuous monitoring.
User provisioning can hamper productivity; they can also compromise compliance and security since they result in users being granted more and higher-level access rights than they should have. Put a premium on continuous monitoring of users’ access and running regular reports that enable them to confirm user access, check assignments, and detect orphan accounts.
Promptly de-provision users as soon as they leave the company.
Ideally, as soon as an employee left your company, your admin should be able to de-provision them: delete them in the directory and immediately deactivate their accounts in all resources managed by the directory.
Your an admin shouldn’t be have to trace all the resources the employee had access to (e.g., various SaaS apps) and manually delete individual accounts, much less not know about the employee’s access to those resources.
Add an extra layer of security.
User provisioning software not only can manage individual user access, they can also increase the security of your IT systems by enabling your HR and IT teams to control access, application roles, and security policies across departments and other groups.
Level up your IAM system by going passwordless. For multilayer security, adopt passwordless multifactor authentication. Passwordless MFA means multiple factors ensure a more stringent authentication process, but minus passwords, which are the weakest element in your login sequence security. For added convenience, adopt passwordless MFA with passwordless single sign-on (SSO).
It’s high time to pay closer attention to your user provisioning and de-provisioning processes to avoid making your assets vulnerable to a cyberattack.
Contact TraitWare to learn more about enterprise-level solutions.