



The security worries the season brings

Nov 15, 2017 | 5 mins
Risk Management, Security

Why temporary workers cause security issues.


With the holiday season coming up, I decided to take a quick break from my myth series to discuss something a bit timelier: the holiday season is about to introduce significant risks for a good many of us.

Last week I was dropping one of my sons off at Knott’s Berry Farm to spend the evening with friends. When I pulled up to the loading zone I saw a fairly innocuous sign advertising the hiring of temporary employees for the 2017 holiday season. Most people would look at a sign like that and either see opportunity or get excited about the coming holidays. For me however, a shiver went up my spine as I considered the security nightmare they were about to venture through. Having spent years working for a company with an even larger park just down the road, I am no stranger to the troubles we have with temporary workers. After dealing with these issues myself, I’ve gathered a few techniques that I’d like to share in hopes of easing your security pain this season.

Some companies might not even know why temporary workers cause security issues, so to put it in a nutshell, it’s a fundamental issue with provisioning and de-provisioning. Sure, there are many other scenarios that can cause us pain, but let’s focus for a bit on these two universal use cases.


So what’s the big deal with provisioning? Consider this: we’re under a great amount of pressure to get these new hires on-boarded quickly. It is not easy to create user accounts, train users, grant access to appropriate systems, and do all of this before the holiday season actually kicks in! Because of this pressure, some will cut corners, take shortcuts and inevitably grant permissions where they shouldn’t be granted. In summary, there are two big concerns you need to avoid:

  • Impacting the business with IT security delays in our holiday hiring.
  • Putting the business at risk by granting more access to these employees than they need.


The hard part is done; your new employees are hard at work and you are making way more money than you did last year. The fact remains, though: these are “temporary” employees, and after the holiday season is over, most if not all of them are nicely shown the exit. If you are like some of the companies I’ve worked with, you might notice an anomaly in your systems. Why are there so many ‘orphaned’ accounts in my directory? Why is the number of user accounts for the point-of-sale software not going down?

  • Orphaned accounts provide risky back-door access to otherwise terminated employees.
  • Many attacks are an “inside job.” Are you sure those ex-employees can’t do any damage?

The number of attack vectors we see opened by temporary workers is certainly greater than just an issue with provisioning, but what you need to know is that solving your provisioning issues is often the keystone to closing the other vulnerabilities we have in our networks. Let’s take a look at some of the aspects modern provisioning strategies are going to solve for us:

Get the job done

Your security team has a job to do, and it is vital to understand the importance of that job and make sure they have the tools they need. With that said, an almost greater responsibility is to create an environment where IT and the business work together and business agility is not impacted by the security team. At the core of this fundamental concept is the notion of a provisioning engine that almost runs itself. At a minimum, if the engine can’t run itself, then the business should be able to make provisioning decisions on its own without being bothered or delayed by asking IT for help.

Your holiday new hires can have their directory and email accounts created, system access granted, and even training dates scheduled, all by simply clicking the save button in your HR employee management system.

  • Attribute-driven provisioning: Your identity system should be designed to watch the system of record, or the HR database, for new or changed user records. Workflows designed in the identity system react to those updates and execute changes in downstream systems, automatically granting access, creating logins, etc. For more sensitive systems, a series of other tasks will also automatically execute, like approval workflows, separation of duty checks, creation of MFA tokens and more.
  • Business-driven changes: Sometimes only after an employee shows up for work will the manager know exactly what to do with them. These same automated tasks can also be completed within the identity system by an approved manager.

Get it un-done!

Any identity system that can do the above also needs to be able to do it in reverse! De-provisioning workflows can be executed automatically simply by noting that the employee record in HR is closed or terminated. Some companies might want to configure a start and end date of employment in advance, with the end date itself triggering the de-provisioning. The important thing to remember here is that de-provisioning must take place, and given the forgetfulness of the human mind, having a system enforce these rules is a concrete way to make sure it gets done.
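The attribute-driven provisioning and HR-driven de-provisioning described above boil down to reconciling the HR system of record against downstream accounts. The sketch below is an added illustration, not code from the article or from any identity product; the record fields, role names, entitlement map and sample IDs are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class HRRecord:
    employee_id: str
    status: str                       # "active" or "terminated" in the HR system of record
    role: str
    end_date: Optional[date] = None   # set in advance for seasonal hires

# Hypothetical role-to-entitlement map; a real one comes from the business.
ROLE_ENTITLEMENTS = {
    "seasonal_cashier": {"directory", "email", "pos"},
    "seasonal_stock": {"directory", "email"},
}

def is_employed(rec, today):
    """Active in HR and not past the pre-set end date."""
    return rec.status == "active" and (rec.end_date is None or today <= rec.end_date)

def reconcile(hr_records, accounts, today):
    """Compare HR against downstream accounts ({system: {employee_id}}).
    Returns a sorted list of (action, system, employee_id)."""
    hr = {r.employee_id: r for r in hr_records}
    actions = []
    for rec in hr_records:            # provisioning: grant what the role needs
        if is_employed(rec, today):
            for system in ROLE_ENTITLEMENTS.get(rec.role, set()):
                if rec.employee_id not in accounts.get(system, set()):
                    actions.append(("grant", system, rec.employee_id))
    for system, holders in accounts.items():   # de-provisioning
        for emp in holders:
            rec = hr.get(emp)
            if rec is None or not is_employed(rec, today):
                actions.append(("revoke_orphan", system, emp))
            elif system not in ROLE_ENTITLEMENTS.get(rec.role, set()):
                actions.append(("revoke_excess", system, emp))
    return sorted(actions)

# Constructed sample data, not from any real system.
HR_SAMPLE = [
    HRRecord("T1001", "active", "seasonal_cashier", date(2018, 1, 5)),
    HRRecord("T1002", "active", "seasonal_stock", date(2018, 1, 5)),
    HRRecord("T1003", "terminated", "seasonal_cashier", date(2017, 12, 20)),
]
ACCOUNTS_SAMPLE = {
    "directory": {"T1001", "T1002", "T1003", "T0999"},
    "email": {"T1001", "T1003"},
    "pos": {"T1001", "T1002", "T1003"},
}
```

Running `reconcile` on a schedule with the current date flags both over-granted access during the season and every account that outlives its HR record afterwards.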

It’s normally around this time that customers start asking me how much this is going to cost. It can be difficult to quantify the return on an investment against the theoretical expense of a breach. However, with this foundational solution in place, you can argue not only the possible savings from that theoretical breach, but also the very practical savings in the time it takes for people to manage these changes manually.

If ever there was a win-win in IT security, this would be it! Happy holidays!


Joe Campbell is Principal Security Advisor at One Identity. He is an accomplished software developer with an extremely diverse background that includes driving innovations for some of the world’s biggest companies, and pioneering new, award-winning technologies in wireless, RFID, visualization, communications and telephony. As a trusted security advisor, his experience in security and software architecture makes him a highly respected visionary and leader in the technology industry.

Before joining One Identity, Joe held the role of Principal Solutions Architect at Quest Software.

The opinions expressed in this blog are those of Joe Campbell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.