Deprovisioning: Firing Line

A poorly handled employee termination can create a slew of security risks, from deprovisioning issues to (in the worst case) threats. That's why CSOs need a process for letting workers go.

Terminations and Deprovisioning

Ian Cheeseman is president of LVA Communications, a small public relations consultancy headquartered in Niantic, Conn., with subsidiary offices in New York City and Silicon Valley. But earlier in his career he was the data-processing manager for a municipal insurance company—a fact that may have something to do with one of LVA's employee termination procedures.

LVA is a contractor to its string of high-tech clients, and consequently its employees are routinely granted high-level access to its clients' systems. "With most of our clients, we can get in behind the firewall," Cheeseman says. "But we've noticed that while companies may be diligent about blocking access for their own former employees, they often don't seem to have a system for dealing with contractors' employees. If someone at a contractor left, the client company might not find out about it for months—if at all." So when a worker leaves LVA, the company is proactive about communicating that to affected clients. LVA collects items such as contractor ID badges as a routine part of the termination process. As soon as the employee has left, says Cheeseman, LVA's human resources administrator telephones the client companies on whose behalf the individual in question worked. "Then we follow up that call with an e-mail so that there's a paper trail," he adds. "The message is quite specific: 'This individual has left our employment and should no longer be allowed access to your premises or your data.'"

After a spate of well-publicized incidents where former employees wreaked havoc after gaining access to companies' systems—and premises—the security processes for employee terminations ought to be nailed down hard and fast by now. As every new breach makes clear, though, that's simply not the case. It's not as if the task is a difficult one; updating passwords and retrieving access cards is hardly rocket science. But it's no mystery why it just doesn't get done in a thorough manner. Firing or laying off an employee is an uncomfortable experience that even highly professional line-of-business managers would rather not think about. The result? From the security perspective, the process of firing people is often a mess. As Joe Magee, former CSO of Top Layer Networks, says, "When terminations happen, there's often considerable chaos and a lot going on. It's easy for things to get overlooked and for security measures to take second place."

But by pulling together a thorough, documented, humane procedure for employee terminations, the CSO can help make the process easier—though not painless—for all involved, protecting the physical and digital assets of the company as well as the dignity of the departing employees and their supervisors. Here's some advice, garnered from experts, on aspects of the process frequently overlooked or misunderstood.

Absence of Progress

How widespread is the lack of clear thinking on this subject? Hard-and-fast figures are scarce, but Margaret McCausland, a partner in the Employment/Benefits/Labor practice of national law firm Blank Rome, estimates—based on the calls she gets from clients—that roughly 50 percent of companies with 50 to 100 employees have adequate procedures in place for letting people go. With larger companies, the figure improves—climbing perhaps closer to 80 percent. However, McCausland says that even for those with some kind of documented process, confusion over "the right way" to do the job actually creates more problems.

For an example of a common, yet inadvisable procedure, McCausland says look no further than the practice of ushering departing employees off the premises. Far from preventing people from stealing data or lashing out in some other manner at their former employers, this process might actually be encouraging them. "Employers sometimes ask me, 'Should we escort people out?' And I say to them: 'Why? Are they going to damage something on the way out? Or steal something? No. Treating people like a suspect is more likely to cause them to retaliate."

"Treating a terminated employee as a serious security risk—by escorting them out of the building under guard, for example—increases the likelihood that they will be a danger," agrees David Creelman, chief of content and research at human resources management portal "Terminated employees don't have guns to pull at the termination interview. But if they feel betrayed and humiliated then they may go home, get a gun and come back. Most companies overreact on security. They march good people out the door under security escort, which simply damages morale in the company and greatly enhances the likelihood of a wrongful termination suit or other retaliatory action."

Top CSOs chime in as well on this point. "You probably are asking people to retaliate," says Grant Crabtree, vice president of corporate security at Alltel, an $8 billion telecom service company. "Under some circumstances it might be warranted, but it would have to be exceptional for us to do that. I think many of my colleagues would agree."

McCausland says existing termination policies frequently focus on things that touch only peripherally on security issues, if at all. Instead, their focus is often on avoiding unfair dismissal suits and the like. "Companies have become accustomed to lawsuits and litigation when terminating people and now think ahead and say, 'Should I terminate this person? And if so, how do I terminate them?'" she says. "But beyond that, they often don't think very far ahead at all."

Disabling information systems access is another area that a good policy should spell out clearly. "It's one of the great missed opportunities in security," says Giuseppe Cimmino, director of corporate systems architecture at Discovery Communications, the parent company of the Discovery Channel, Animal Planet and The Learning Channel. "Security consultants focus on the bits and bytes of firewalls and not on the accounts that remain provisioned for people who don't exist." Once again, hard evidence is scant, but what evidence there is certainly supports Cimmino's assertion. A survey into corporate identity management practices, published jointly by Novell worldwide services, Stanford University and Hong Kong University of Science and Technology in March 2003, found that 43 percent of companies surveyed took more than two days to revoke the access rights of departed employees—and that 15 percent took more than two weeks. Incredibly, some businesses appeared never to revoke access rights at all.

As in McCausland's anecdotal experience, smaller companies did indeed perform worse in the survey: 54 percent of companies with fewer than 10,000 employees reported a lag of more than two days, while just 32 percent of companies with more than 10,000 employees reacted as slowly. And European companies reacted more slowly than did North American or Asian companies: More than 20 percent of European companies took two weeks or more, while just 10 percent of North American and Asian companies reported taking as long.

All Kinds of Access

The conventional wisdom is that businesses are most at risk from individuals who have been abruptly fired—perhaps as a result of performance-related issues or through downsizing—and who consequently harbor a grudge. While that's probably true, experts stress that the real risk is much broader.

Individuals who have left voluntarily, for example, may still want to strike back or simply seek to exploit weaknesses to further their careers at a competitor. The Novell-Stanford-Hong Kong study, for example, cites a former employee at a global investment bank, now working for a competitor, who was able to access her voice mail for months after she had left, gaining access to all internal banking announcements. That kind of risk can even extend to current employees, as companies typically have more internal movers than they do leavers. The level of access that is appropriate for one position in a company may not be appropriate for another, but how many companies proactively (and promptly) change user access rights when individuals move from one function to another?

Not as many as ought to, asserts Deepak Taneja, CTO of security software purveyor Netegrity. "We see this a lot," he says. "It's a real problem." The reason, it appears, is that businesses are blind to the termination implications of internal moves. When Joe in IT moved to customer support, his access rights were left unchanged, either because of apathy or because for an intended interim period it actually made sense. But five years later, when the customer support function is outsourced and Joe is suddenly axed, the fact that the company has just fired someone with current IT-function access rights is forgotten—until it is too late.

The potential risk, of course, goes beyond mere electronic vandalism. Many employees who might think twice about inflicting damage will be far more sanguine about stealing information. And incredibly, "A lot of people don't think about things like intellectual property and commercially sensitive information when undertaking layoffs," warns one seasoned CSO who asked not to be identified.

One solution, suggests Bernie Cowens, vice president of security services at IT consulting and security solutions company Rainbow Technologies, is for companies to go through a process of figuring out which people in the organizational hierarchy have high levels of access and to then make sure that any termination actions involving those people are handled with kid gloves. "They tend not to be people with big titles—in fact, they can be quite low-level," he says. "Then bring together a standing or ad hoc committee of people from legal, human resources and the information security function to go through a step-by-step process of understanding what systems each individual has access to, how and when to turn off that access, and when to remove the passwords."

But what about the "average" employee—someone who might not have administrator rights to an IT system, but who could still damage or steal information if he is so minded? One answer is to create access "profiles" associated with each job description in the organization, laying down the access rights that an individual in each position has, suggests Michelle Drolet, CEO of Conqwest, a Holliston, Mass.-based security and policy-assessment consultancy. Gathered together under a single profile, she says, it's easier to see when individuals have more access than they should, and it's much easier to switch that access off when they leave. "Firewalls just don't cut it anymore," she says. "It's all about access rights."

Discovery's Cimmino points out that regular housekeeping is required to keep the details of access rights current. At his company, for example, managers routinely receive e-mails from the administration function, in effect saying: "This is who we think you've got in your organization." Another smart tactic Cimmino offers is to provision contract and temporary workers with accounts that have automatic "stop dates," after which they cease to function, unless extended. In theory, of course, the account gets killed the day the employee leaves, but if for some reason that shouldn't happen, the stop date acts as a useful backstop.

Hence the attraction of so-called active directory approaches, where a dedicated system—often linked to the HR system—manages the provisioning and de-provisioning of user accounts. Especially for large and decentralized organizations, active directory management is seen as a way to securely provide, and remove, user rights at grassroots level without the costs of a hefty IT presence. "As soon as the notification comes from HR, an individual's account is disabled," says Siegfried Jagott, an IT consultant with Siemens Business Services. Jagott managed the implementation project of an active directory management solution from Aelita Software for Siemens Power Generation of Munich, Germany, which houses 22,000 employees. The disabling is for two or three months, after which the data is deleted—not permanently, as German law requires its retention for up to 10 years. "The disabling feature is useful as people occasionally return, and disabled accounts can be reinstated with the same user name and other details," Jagott says.

Man with the Plan

Helpful as they are, technical solutions are still only a step on the journey toward well-managed terminations. Happily, a few companies are further down that path. British Telecom (BT) is an example. Andy Hodgson, vice president of security at BT's global services division, explains that with just 100 staffers and a virtual security team to police the security of the 20,000-employee division (which operates in 43 countries around the world), the company relies heavily on a detailed termination checklist that the manager of every departing employee must complete and sign. BT regularly audits compliance with the process. (Check out BT's full deprovisioning checklist.)
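The controls described in the three passages above (job-description access profiles, manager "this is who we think you've got" attestations, contractor stop dates, HR-triggered disabling with a retention window before deletion, and reinstatement of a disabled account) fit together into one small lifecycle model. The following Python is an added illustration written for this article, not code from any of the companies or products named; the profiles, users and dates are constructed sample data, and the 90-day retention window is an assumption standing in for the article's "two or three months".

```python
"""Constructed model of a deprovisioning lifecycle: access profiles per job,
contractor stop dates as a backstop, HR-triggered disabling, manager
attestation lists, and archiving (not erasing) after a retention window."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# One access profile per job description (constructed sample data).
ACCESS_PROFILES: Dict[str, Set[str]] = {
    "it-admin": {"vpn", "email", "domain-admin", "backup-console"},
    "customer-support": {"vpn", "email", "ticketing"},
    "pr-contractor": {"email", "press-portal"},
}


@dataclass
class Account:
    user: str
    role: str
    manager: str
    entitlements: Set[str] = field(default_factory=set)
    status: str = "active"              # active -> disabled -> archived
    stop_date: Optional[date] = None    # contractors: automatic backstop
    disabled_on: Optional[date] = None


def excess_access(acct: Account) -> Set[str]:
    """Entitlements beyond the job profile; this is how an internal mover
    who kept old rights (the article's 'Joe') becomes visible."""
    return acct.entitlements - ACCESS_PROFILES.get(acct.role, set())


def is_permitted(acct: Account, entitlement: str, today: date) -> bool:
    """Every access check enforces status and stop date, not just the
    entitlement, so a missed sweep still cannot grant access."""
    if acct.status != "active":
        return False
    if acct.stop_date is not None and acct.stop_date < today:
        return False
    return entitlement in acct.entitlements


def disable(acct: Account, today: date) -> None:
    """Disable rather than delete: user name and details are kept intact."""
    if acct.status == "active":
        acct.status = "disabled"
        acct.disabled_on = today


def on_hr_termination(accounts: Dict[str, Account], user: str, today: date) -> None:
    """The HR notification is the trigger; the account is disabled at once."""
    disable(accounts[user], today)


def sweep_stop_dates(accounts: Dict[str, Account], today: date) -> List[str]:
    """Backstop sweep: disable active accounts whose stop date has passed."""
    hit = [a.user for a in accounts.values()
           if a.status == "active" and a.stop_date is not None and a.stop_date < today]
    for user in hit:
        disable(accounts[user], today)
    return sorted(hit)


def sweep_retention(accounts: Dict[str, Account], today: date,
                    retention_days: int = 90) -> List[str]:
    """After the disabled window, move the record out of the live directory.
    It is archived, not erased, because a legal retention period may apply."""
    hit = [a.user for a in accounts.values()
           if a.status == "disabled" and a.disabled_on is not None
           and today - a.disabled_on >= timedelta(days=retention_days)]
    for user in hit:
        accounts[user].status = "archived"
    return sorted(hit)


def reinstate(accounts: Dict[str, Account], user: str) -> bool:
    """A returning worker gets the same account back, but only while it is
    merely disabled; an archived record is re-provisioned from scratch."""
    acct = accounts[user]
    if acct.status != "disabled":
        return False
    acct.status, acct.disabled_on = "active", None
    return True


def manager_attestation(accounts: Dict[str, Account]) -> Dict[str, List[str]]:
    """'This is who we think you've got': active users grouped by manager,
    the list each manager is asked to confirm."""
    out: Dict[str, List[str]] = {}
    for a in accounts.values():
        if a.status == "active":
            out.setdefault(a.manager, []).append(a.user)
    return {m: sorted(users) for m, users in out.items()}


def build_sample_directory() -> Dict[str, Account]:
    """Constructed directory: 'joe' moved from IT to support and kept his
    admin rights; 'ian' is a contractor with a stop date; 'ana' is an admin."""
    accounts = [
        Account("joe", "customer-support", "mara",
                {"vpn", "email", "ticketing", "domain-admin", "backup-console"}),
        Account("ian", "pr-contractor", "mara", {"email", "press-portal"},
                stop_date=date(2003, 3, 31)),
        Account("ana", "it-admin", "raj", {"vpn", "email", "domain-admin", "backup-console"}),
    ]
    return {a.user: a for a in accounts}


if __name__ == "__main__":
    d = build_sample_directory()
    print("excess for joe:", excess_access(d["joe"]))
    print("stop-date sweep:", sweep_stop_dates(d, date(2003, 4, 1)))
    on_hr_termination(d, "joe", date(2003, 4, 1))
    print("attestation:", manager_attestation(d))
    print("archived after retention:", sweep_retention(d, date(2003, 7, 15)))
```

Running the demo shows the sequence the article argues for: the profile comparison flags joe's leftover admin rights before anyone leaves, the contractor account dies on its stop date whether or not HR calls, the HR termination disables joe immediately, the manager attestation list shrinks accordingly, and only after the retention window do the disabled records leave the live directory.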

The power of the checklist, Hodgson says, is that it makes a single person responsible for a whole series of security-related termination "transactions." "It goes beyond making sure that the employee hands in items such as his identity card and building pass, and that system access rights are rescinded, but also covers physical assets such as office keys, vehicles, cell phones and laptop computers," he says.

The lesson is clear. Managers may groan at the prospect of yet another administrative process being foisted on them, but today's procedures for separating organizations and employees are just too slipshod. BT's detailed checklist may strike some as overly prescriptive—but that's likely to be before they've suffered a significant breach by a former employee, not after.

Copyright © 2003 IDG Communications, Inc.
