Companies are facing increased pressure to remove employees that have left the company from all computer systems where they may have access to sensitive data.
These pressures are coming from a number of sources. Regulations like the MA 201 CMR 17 privacy regulation and HIPAA are creating strict controls around the protection of customer personal data. Increasingly, companies that provide services are becoming contractually obligated to their clients to disable users within 24 hours or less after being notified that the user has left the client. Companies are delegating this responsibility to their service providers, demanding rapid removal of user access rights as soon as the service provider is notified.
Disabling user login is not the same thing as removing user accounts. Demands for termination are usually immediate, while contractual obligations for removing the actual user records and accompanying data depend on when your company no longer has a legitimate business need to maintain the data. This can be significant if you are required to archive the data, need it for tax purposes, or may need to respond to audit requests in the future.
Service providers that attempt to perform user removal manually face a strong probability of breaching their service level agreements with their customers. The only sure way to guarantee prompt user removal is to automate. There are two approaches to automated user removal. Establishing single sign-on between the customer and the service provider is the surest way to automate removal. SSO delegates the responsibility of user management to the customer. Since the user still authenticates with the customer’s identity provider, the moment the user is disabled at the customer, they are also disabled at the service provider. This assumes that the service provider has not left any “back doors” into the system that allow the user to bypass single sign-on and log in directly.
If single sign-on is not established, a service provider may take a feed from the customer showing which users are no longer to be part of the system. This feed can then be used to remove users. The ideal situation is that the customer sends records that are explicitly marked as terminated users. However, frequently, the only feeds available are full user feeds. You might think that it is simply a matter of removing all users that are not in the feed, but you must take special care not to also delete non-user accounts such as test accounts and service accounts that may never be in the feed. At AssureBridge, we use our SyncFire™ product to compare each feed against the previously received feed to extract a list of removed users and then only terminate users that have “gone missing”. We also recommend a “physical inventory” on a periodic basis (e.g. quarterly) where we pull the complete user list, compare it to the registered users and have the delta examined manually. This makes sure that all “extra” accounts are indeed legitimate service or test accounts.
If you use the feed method, make sure your process logs every action it takes, since auditors will require “evidence” that the user removal process is actually happening.
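The two preceding paragraphs describe a feed-diff approach: terminate only users that were in the previous full feed and are missing from the current one, never touch service and test accounts that are not expected in the feed, periodically reconcile the full registered list against the feed for manual review, and log every action as audit evidence. The following is an added illustration of that logic; it is not SyncFire code or any AssureBridge implementation. The feeds, account names and the protected-account list are constructed sample data, and the plausibility threshold (`max_drop_fraction`) is an assumed safeguard against a truncated or empty feed that would otherwise mark every user as "gone missing".

```python
import json
from datetime import datetime, timezone

# Constructed sample data (hypothetical usernames; not from any real feed).
PREVIOUS_FEED = {"alice", "bob", "carol", "dave"}       # full user feed received last time
CURRENT_FEED = {"alice", "carol", "dave", "erin"}       # full user feed received today
PROTECTED_ACCOUNTS = {"svc-reporting", "test-qa1"}      # legitimately never appear in the feed
REGISTERED_ACCOUNTS = {"alice", "bob", "carol", "dave", "frank",
                       "svc-reporting", "test-qa1"}     # what the service provider has on file


def feed_is_plausible(previous, current, max_drop_fraction=0.5):
    """Refuse to act on an empty or drastically shrunken feed (likely truncated).

    Assumed safeguard: a partial file would otherwise look like mass termination.
    """
    if not current:
        return False
    if not previous:
        return True
    dropped = len(set(previous) - set(current))
    return dropped / len(previous) <= max_drop_fraction


def gone_missing(previous, current):
    """Users present in the previous feed but absent from the current one."""
    return sorted(set(previous) - set(current))


def users_to_terminate(previous, current, protected):
    """Only users that went missing between feeds and are not protected accounts."""
    return [u for u in gone_missing(previous, current) if u not in protected]


def physical_inventory_delta(registered, current, protected):
    """Periodic reconciliation: registered accounts not in the feed and not on the
    protected list. These are handed to a person to examine, not auto-removed."""
    return sorted(set(registered) - set(current) - set(protected))


def audit_record(action, user, reason, now):
    """One JSON line per decision, so the log can be shown to an auditor."""
    return json.dumps({"ts": now.isoformat(), "action": action,
                       "user": user, "reason": reason}, sort_keys=True)


def run_deprovisioning(previous, current, protected, registered, now=None):
    """Return (terminated_users, audit_log_lines) for one feed delivery."""
    now = now or datetime.now(timezone.utc)
    log = []
    if not feed_is_plausible(previous, current):
        log.append(audit_record("reject-feed", "*",
                                "feed empty or shrank beyond threshold; no action taken", now))
        return [], log

    terminated = []
    for user in users_to_terminate(previous, current, protected):
        if user in registered:
            terminated.append(user)   # disable login here; the account record is retained
            log.append(audit_record("disable", user,
                                    "present in previous feed, missing from current feed", now))
        else:
            log.append(audit_record("skip", user, "not registered locally", now))

    # Physical inventory over what remains after this run's disables.
    remaining = set(registered) - set(terminated)
    for user in physical_inventory_delta(remaining, current, protected):
        log.append(audit_record("review", user,
                                "registered but absent from feed and not on protected list", now))
    return terminated, log


if __name__ == "__main__":
    terminated, log = run_deprovisioning(PREVIOUS_FEED, CURRENT_FEED,
                                         PROTECTED_ACCOUNTS, REGISTERED_ACCOUNTS)
    print("disabled:", terminated)
    print("\n".join(log))
```

With the sample data, only `bob` is disabled (he was in the last feed and is not in this one), the service and test accounts are left alone because they are on the protected list, and `frank` is flagged for manual review because he is registered locally, not in the feed, and not on the protected list. Note that "disable" here means blocking login only; the account record stays in place until the retention obligations discussed earlier allow it to be purged.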
Prompt removal of terminated employees is fast becoming a mandatory requirement for service providers that cannot be ignored. Putting in a solid process will allow your service to maintain compliance without becoming an administrative burden.