Credentials: You Can’t Take Them With You

There is a price tag on misused credentials. This week, as Rachel King at the Wall Street Journal reports, Tata Consultancy Services’ (TCS) bill came out to $940 million.

An employee at TCS was found to have used credentials from a previous contracting job at Kaiser to access more than 6,000 confidential files on Epic System’s web portal. Prior to TCS, the employee worked on an Epic-related project for Kaiser. Kaiser administrators failed to completely de-provision the employee upon contract termination. Moreover, at TCS, the employee shared credentials with colleagues at TCS, amplifying the exposure. A U.S. federal jury ruled in favor of Epic Systems and slapped a fine on TCS equivalent to nearly half of Epic Systems’ annual revenue.

The real kicker here is that the lawsuit, fine, and the loss of sensitive information was preventable. Epic and Kaiser could have prevented the unauthorized access entirely by automating deprovisioning and federating access to the portal. This would have ensured that access to Epic was secured, and protected any confidential data without having to worry about managing the lifecycle of external users.

Okta’s cloud-based identity and access management service offers a feature called Automated Deprovisioning that allows an IT or security leader to deactivate a corporate identity across all enterprise resources within seconds. Because many contractors will require intermittent access, organizations can also suspend access without deleting application mappings or group memberships. Okta captures the process in its system log data so that your organization can demonstrate that deactivated users no longer have access to critical business systems, and that you’ve taken the required administrative actions to deprovision them. And, with Okta’s new Access Discovery Report, administrators can identify any account that has been directly created in an application and is not managed by Okta. Admins can either delete these accounts, or import them into Okta so they become fully managed.

Okta also offers a cloud-based Universal Directory where organizations can store contractor identities to keep track of them, while isolating contractors from employee identities, which are typically stored in Active Directory. Universal Directory can be used to store any identity, including contractors, vendors, or customers. Okta Universal Directory profiles can be extended with custom attributes, and organizations can selectively encrypt data fields to protect sensitive information.

Automated deprovisioning is a key security control. It should be a standard for every company — there is no reason that an employee or contractor should be able to take credentials with them. It’s a dead simple, and cost effective way for IT and security leaders to protect their sensitive information, employees, contractors and partners, and maintain compliance.