When it comes to account provisioning, the act of bringing in a new employee, there may be procedures and protocols for getting them set up with email, accounts, computers, and other things. But as important as it is to make sure that new employees are set up, it’s equally important to make sure your company is also doing account deprovisioning.
Account deprovisioning is the act of removing an employee’s credentials, such as company email, account access, computer access, and other things. Here, we’ll look at how deprovisioning works and why it’s important to do so, especially focusing on password protection and security.
Password protection is key, and allowing staff members to know passwords can cause issues in the long term.
How Does Account Deprovisioning Work?
Think of deprovisioning as the reverse of provisioning – just as you would add an employee to the business accounts, deprovisioning is removing an employee from those accounts once they leave the company.
Depending on the service connection, deprovisioning could be as simple as deleting the user, or more complicated, such as removing them from Active Directory.
Why Should I Bother with Deprovisioning?
Deprovisioning is a very important aspect when it comes to managing employees, especially upon termination. Not only is it good for organisation and keeping track of current and previous employees, but it’s a security measure.
There are several cases in which former and disgruntled employees have been able to get back into a company via their credentials or have figured out ways in which to skirt around them.
Not only can this cause the loss of sensitive data, but it can also lead to further security breaches should an ex-employee gain access, hence the importance of deleting user accounts for employees who no longer work for the company.
The most recent of these would be the Sony hack – at the end of 2014, Sony Entertainment, the movie portion of Sony, was hacked by a group known as the Guardians of Peace.
The group made public many of Sony’s internal documents, including current and former employee information (like home addresses, social security numbers, salary amounts, etc.), emails between management, and much more.
The group then called for the halt of Sony’s movie The Interview; at first, it was believed that the country of North Korea was involved due to the subject of the movie, but information and events have led some authorities and cybersecurity experts to believe that a disgruntled employee, along with some current employees, is responsible for the hack.
What Happens on the Employee Side?
Again, depending on company procedure or protocol, once the employee has been terminated, they may receive a notice that their privileges are to be revoked at a certain time or day or they may receive a note to deactivate a service (such as the user’s roles) themselves.
Once the termination takes effect, the former employee won’t be able to access their former accounts, usually receiving an error when they try to log into that account. As mentioned above, allowing former employees to retain their user access can be a major security risk, letting them re-enter the system should they choose, especially if their termination was not a happy one.
What If I Just Change the Password?
This is often the first thought that comes to mind before deprovisioning. But it can quite easily lead to human error, for example if a password manager just changes the password to something such as “Password123”.
Regardless of whether the password is a secure password, or even a strong password with lowercase letters, numbers, uppercase letters and special characters, it can still be hacked and put an incredible amount of data at risk.
If the account is not deprovisioned, it can also become what is known as an orphan account. An orphan account is defined as a user account that can provide access to services, corporate systems and other business applications, but does not have an owner.
Of course, the danger of this is that should the orphan account be compromised, a hacker could easily gain all of the privileges and access to the credentials that the ex-employee had. Therefore, deprovisioning the account is a much safer option.
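An added example, not part of the original article: a small audit that reconciles an HR roster against an account inventory to flag orphan accounts and accounts whose password was changed instead of being deprovisioned. The CSV layouts, column names, finding labels and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from any real system): an HR roster export and
# an account inventory export. Column names are assumptions for this example.
HR_ROSTER = """employee_id,status,termination_date
E100,active,
E101,terminated,2024-03-01
E102,terminated,2024-05-15
"""
ACCOUNTS = """account,owner_id,enabled,password_last_set
alice,E100,true,2024-01-10
bob,E101,true,2024-03-02
carol,E102,false,2024-02-01
svc-reports,,true,2023-11-20
dave,E999,true,2024-04-04
"""

def audit_accounts(roster_csv, accounts_csv):
    """Return {account: finding} for enabled accounts that should not be usable."""
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = {}
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot be used to log in
        owner = roster.get(acct["owner_id"].strip())
        if owner is None:
            # No owner recorded, or the owner is unknown to HR: orphan account.
            findings[acct["account"]] = "orphan"
        elif owner["status"] == "terminated":
            left = date.fromisoformat(owner["termination_date"])
            changed = date.fromisoformat(acct["password_last_set"])
            # A password reset on or after the leave date means someone changed
            # the password instead of deprovisioning; the account still works.
            findings[acct["account"]] = (
                "password_changed_not_deprovisioned" if changed >= left
                else "terminated_owner_still_enabled")
    return findings

if __name__ == "__main__":
    for name, finding in sorted(audit_accounts(HR_ROSTER, ACCOUNTS).items()):
        print(f"{name}: {finding}")
```

Run on a schedule against real exports, every finding is an account to disable or reassign to a named owner.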