Imagine this: you’re in your house, and you notice some water coming through the ceiling. One of your pipes is leaking. To fix it, you call your plumber to change the pipe, a handyman to patch up the ceiling, and a painter to cover the spackle. Once they’re done with their work and you walk them out of your house, you need to ensure they no longer have access to your property.
A similar premise applies to business resources. When employees—internal and external—depart a company, they must immediately lose access to all systems, files, and folders. Otherwise, companies can experience security vulnerabilities ranging from an employee stealing confidential files to a large-scale data breach with lasting repercussions.
Keep the doors locked
The impact of not properly managing employees’ user privileges can be catastrophic, especially if a resulting breach targets personally identifiable information. In 2018, 14.9 billion raw identity records were circulated around underground web communities—a 71% increase from the previous year. Despite this clear risk to organizations and their users, comprehensive offboarding is a task that’s often overlooked.
To mitigate this risk, enterprises can automate the process of onboarding and offboarding their users. Employing automated lifecycle management processes will also better prepare enterprises for managing users from outside of their organization, which brings a whole host of new challenges.
Secure your house, so you can (safely) welcome visitors
As an organization grows, its need for an extensive network of vendors and partners also grows. As a result, external users from third-party entities require quick and easy access to systems and applications when a project begins—and that access needs to be revoked as soon as the project ends. In practice, this is easier said than done.
At most organizations, internal employee accounts are tightly controlled by their HR teams. When an employee is hired, HR is typically responsible for ensuring the employee is onboarded on the first day, and they oversee any role changes or updates during the rest of the employee’s lifecycle. Meanwhile, it is the IT team that is responsible for enacting any of these changes across the organization’s systems through a combination of manual and automated processes.
Onboarding partners and vendors, however, is often handled not by IT or HR, but by the internal teams working with those contractors (e.g., marketing or engineering). This can pose several problems, including:
- Multiple exceptions to HR and IT’s tightly controlled onboarding process
- A heightened possibility of security concerns and overspending
- An increased number of credential theft attacks made on remote connectivity methods like VPNs
These concerns make it important for enterprises to develop standard practices for managing partner user access.
Removing former tenants’ access
User experience across the employee lifecycle needs to be seamless for external users, while still mitigating any security vulnerabilities that come with handling external user identities.
If the partner or vendor is a large organization, they are likely able to handle user lifecycles carefully and deactivate accounts through their own Active Directory or identity provider—and they can be contractually tasked to do so. But not all vendors are this sophisticated, which means organizations need to be able to take on the burden of onboarding and offboarding external users from companies at various stages of identity management maturity. In order to do this effectively, you might need to put partner and contractor accounts into your own Okta tenant, for instance, and manage their termination in a systematic way. This can be done by implementing one of the following techniques:
Scheduled suspensions: Businesses can define conditions that are evaluated on a schedule to revoke user privileges assigned to a specific group or project. For example, on December 31, 2019, the business can check whether any users remain in specific contractor groups and, if their projects have ended, suspend their accounts and remove their access.
Inactivity-based suspension: It’s also possible to identify users that have been inactive for a set period and automatically suspend them. The business can write a condition that checks for inactive users within groups and routinely revokes or suspends their access to applications.
Companies can also deploy a comprehensive meta-directory that holds both user accounts and groups. Within Okta’s Universal Directory (UD), groups play a big role as they are used to assign access to apps and help differentiate between internal and external users.
When it comes to handling external users, Okta UD can import user data from various identity systems, even if a partner is using on-premises software like Active Directory. In Okta’s UD, IT admins can create custom attributes and group rules for different user types—or feed them into scheduled or inactivity-based suspension policies—making it easy to set automated deprovisioning policies for partner and contractor resources. As a centralized source of truth, UD can show the status of each user, giving IT the opportunity to evaluate permissions and disable user profiles that no longer need access.
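To make the two deprovisioning techniques above concrete, here is an added example (written for this article, not Okta's code and not part of the original post) that applies scheduled and inactivity-based suspension to a constructed directory export, using custom attributes and group membership of the kind described for Universal Directory. Every login, group name, attribute name and date below is invented for illustration; a real deployment would read users from the identity provider and call its suspend API instead of returning a dictionary of decisions.

```python
"""
Policy engine for the two offboarding techniques discussed in the article:
  - scheduled suspension: project end date (a custom attribute) has passed
  - inactivity-based suspension: no sign-in within a fixed window
All group names, attribute names and sample records are assumptions for
this example, not Okta defaults.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical contractor/vendor groups and the inactivity window (assumptions).
CONTRACTOR_GROUPS = {"contractors-marketing", "contractors-engineering", "vendors"}
INACTIVITY_LIMIT = timedelta(days=30)


@dataclass
class User:
    login: str
    status: str                      # "ACTIVE" or "SUSPENDED"
    groups: set
    user_type: str                   # custom attribute: "internal" or "external"
    project_end: Optional[datetime]  # custom attribute set on contractor profiles
    last_login: Optional[datetime]   # None if the account has never signed in
    created: datetime


@dataclass
class Decision:
    login: str
    action: str   # "suspend" or "keep"
    reason: str


def is_external(user: User) -> bool:
    """External users are flagged by attribute or by contractor/vendor group membership."""
    return user.user_type == "external" or bool(user.groups & CONTRACTOR_GROUPS)


def scheduled_check(user: User, now: datetime) -> Optional[str]:
    """Scheduled suspension: the contractor's project end date has passed."""
    if user.project_end is not None and user.project_end <= now:
        return f"project ended {user.project_end.date()}"
    return None


def inactivity_check(user: User, now: datetime) -> Optional[str]:
    """Inactivity suspension: no sign-in within INACTIVITY_LIMIT. An account that
    never signed in is measured from its creation date, so stale invitations
    are caught as well."""
    idle = now - (user.last_login or user.created)
    if idle >= INACTIVITY_LIMIT:
        return f"inactive for {idle.days} days"
    return None


def evaluate(users, now: datetime):
    """Run both checks over every ACTIVE external user. Internal users are left
    to the HR-driven process and are never touched here."""
    decisions = []
    for u in users:
        if u.status != "ACTIVE" or not is_external(u):
            decisions.append(Decision(u.login, "keep", "not in scope"))
            continue
        reason = scheduled_check(u, now) or inactivity_check(u, now)
        if reason:
            decisions.append(Decision(u.login, "suspend", reason))
        else:
            decisions.append(Decision(u.login, "keep", "active and within project window"))
    return decisions


def suspensions(users, now: datetime):
    """Return {login: reason} for the accounts that should be suspended."""
    return {d.login: d.reason for d in evaluate(users, now) if d.action == "suspend"}


# Constructed sample directory export (all values invented for this example).
UTC = timezone.utc
NOW = datetime(2019, 12, 31, tzinfo=UTC)
SAMPLE_USERS = [
    User("alice@partner.example", "ACTIVE", {"contractors-marketing"}, "external",
         datetime(2019, 11, 30, tzinfo=UTC), datetime(2019, 12, 20, tzinfo=UTC),
         datetime(2019, 6, 1, tzinfo=UTC)),
    User("bob@vendor.example", "ACTIVE", {"vendors"}, "external",
         datetime(2020, 3, 31, tzinfo=UTC), datetime(2019, 10, 1, tzinfo=UTC),
         datetime(2019, 1, 1, tzinfo=UTC)),
    User("carol@vendor.example", "ACTIVE", {"vendors"}, "external",
         datetime(2020, 3, 31, tzinfo=UTC), None,
         datetime(2019, 9, 1, tzinfo=UTC)),
    User("dave@partner.example", "ACTIVE", {"contractors-engineering"}, "external",
         datetime(2020, 6, 30, tzinfo=UTC), datetime(2019, 12, 30, tzinfo=UTC),
         datetime(2019, 12, 1, tzinfo=UTC)),
    User("erin@corp.example", "ACTIVE", {"everyone"}, "internal",
         None, datetime(2019, 8, 1, tzinfo=UTC), datetime(2015, 1, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    for login, reason in suspensions(SAMPLE_USERS, NOW).items():
        print(f"suspend {login}: {reason}")
```

Run on the sample data, the scheduled check catches the contractor whose project ended in November, and the inactivity check catches both the vendor account that has not signed in for three months and the account that was created but never used; the active contractor and the internal employee are left alone. Scoping the checks to external users only is deliberate: internal accounts already flow through the HR-controlled process the article describes, and an automated policy should not create a second, competing path for them.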
Managing access to internal networks and systems is already difficult, so extending access to outside, third-party users using unfamiliar devices from unknown locations only complicates the task. Enterprises need to make user privileges a top priority and ensure access is always secure, especially when it’s from outside the perimeters of their corporate network.
Maintaining a secure household
When your handyman and plumber finish fixing the leaky pipe, they no longer have access to your house. Automating the onboarding and offboarding of user accounts for external contractors and vendors helps companies follow that same premise. As businesses continue to expand their network of third-party providers, an automated lifecycle management system will help keep them secure.
Want to learn more about what you can do to provide secure access to your vendors and partners? Read our whitepaper on the subject.