Protecting against Rogue Access

Following on from my recent blog “Are your passwords secure?”, let’s take a moment to think about the kind of data and systems your employees can access: your client data, your sales numbers, your financial records, your strategy documents, your website, your social media accounts, and confidential files of all types.

Now imagine the risk if your ex-employees had access to the exact same systems.

According to a new survey by Osterman Research, an incredible 89% of knowledge workers retained access to Dropbox, Salesforce, email, SharePoint and other sensitive corporate apps from a former employer.

Even worse, 45% can access what they consider “confidential” or “highly confidential” data.

This problem of “Rogue Access” creates countless risks for companies: stolen secrets, lost data, compliance failures, data breaches, and out-and-out sabotage—to name a few.

If your IT access management and employee off-boarding policies are anything less than 100% watertight, you need to act fast. Listed below are just some of the things you will need to consider when on-boarding and off-boarding employees.

IT systems access recommendations

1. Establish a security and compliance group within the company. This group should monitor two key areas: 1) who has access to which IT services and 2) how information is being accessed and shared. You should build this group’s role into broader IT policies so that alerts can go out when a policy has been violated. This group should provide compliance and security training to employees on a quarterly/yearly basis.

2. Put in place a clear set of company IT policies. This includes policies on app usage, a list of approved sites and services and a list of approved software and apps that employees can use. Also, require that employees use company-provided logins for these apps instead of personal logins.

3. Provide role-based access to applications. Create a stringent approval process for all services, apps, and equipment that employees need. Employ two levels of approval for each request: approval from the employee’s direct manager, as well as a VP or account owner. Keep records in a centralized database, so you have a clear “paper trail” of all services and equipment given to each employee.

4. Create a central repository for admin logins and passwords. Keep it in a password manager or vault that records who retrieved each credential, not in a spreadsheet or shared document, so you know which admin passwords a departing employee has seen and must rotate. Don’t give users admin rights to their laptops. Instead, require employees to log tickets with IT to get access to download new software.

5. Eliminate shared logins/accounts. Assign accounts to one person whenever possible. If you have to use a shared account for budgetary reasons, make sure you rotate the password on a monthly basis, rotate it immediately whenever anyone who knew it leaves or changes role, and employ strong password policies. A shared password that is never changed is exactly the access an ex-employee keeps.

6. Conduct regular audits. Audit all your user accounts (LDAP, Active Directory, all apps) regularly, and reconcile every account against the HR list of current employees so that accounts belonging to leavers, or belonging to nobody, stand out. Have a single place for running audit reports and searching for users. Make sure you track all the apps being used, regardless of department, so you know who’s paying for them, who “owns” them, and what access and control IT has.

Employee on-boarding recommendations

1. Set up your accounts in Active Directory, and make sure all cloud apps authenticate through it using SAML single sign-on. This gives you one central location to manage employee accounts, and disabling the directory account blocks further logins to every federated app. It also makes it faster and easier to provision and de-provision employees. One caveat: SAML only governs new logins. Sessions that are already open, app-local passwords, API keys and mobile app tokens survive a directory disable, so the app-side account still has to be deactivated (or provisioned and removed automatically via SCIM where the app supports it).

2. Use unique identifiers when creating new employee accounts. In the system in which you’re creating the account, fill an unused attribute field with the employee’s unique HR-assigned ID number. This way, if a user is listed under different names in different systems (e.g. J. Smith, Joe S., etc.), it’s still easy to find every app with which they are associated, because you match on the ID rather than on the name.

3. Maintain a distribution list to announce new hires. A distribution list ensures that all key departments (Finance, HR, Facilities, etc.) are notified without fail when someone new is coming on board.

4. Run a system audit when employees change departments. Make sure you de-provision access to anything the employee no longer needs in their new role. That way, employees always have access to only those systems and applications that they really need to do their jobs.

Employee off-boarding recommendations

1. Adhere to a strict employee off-boarding checklist. A sample checklist is included in this document.

2. Maintain a distribution list for terminations. Similar to your new hire distribution list, create a list that informs key departments (Finance, HR, Facilities, Legal, etc.) when an employee is leaving.

3. Direct the email account of a departing employee to his/her manager. Reroute the departing employee’s email account to their manager for the first 2-3 months so that important messages are retained and handled. Do this by forwarding or converting the mailbox to a shared mailbox after the employee’s own login has been disabled; do not simply hand the manager the leaver’s password, which keeps the account alive and makes the audit trail useless.

4. Terminate all employee accounts. It is critical to terminate every employee account to every service, both on-premises and in the cloud. Changing or disabling the password is not enough on its own: also revoke active sessions, API keys, OAuth app authorisations, VPN certificates and registered MFA devices, since these can keep working after the password is gone. If the employee is the primary contact for an online account or project, make sure that contact gets re-assigned.

5. Review the apps saved in your employee’s single sign-on portal. This is an excellent method for discovering apps that an employee may have provisioned or used without IT’s knowledge. (These “unknown” apps are the most likely to create the risk of post-employment access.)

6. Make sure to collect all company assets: laptops, phones, ID badges, software, etc. Also make sure you collect any external hard drives or company-owned equipment an employee may have used as part of a home office.
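The audit in point 6 of the IT systems list, the HR-ID attribute from point 2 of the on-boarding list and the “terminate every account” step above all come down to one reconciliation: compare each app’s account export with the HR roster, joined on the employee ID, and flag anything that belongs to a leaver or to nobody. The script below is an added example and not part of the original post or any product it mentions. It assumes that each system can export its accounts as CSV, that the HR ID was stored in a column called `employee_id`, and that each app exposes an enabled/active flag under one of a few common column names; all of the roster and export data is constructed for the example.

```python
"""
Off-boarding reconciliation (added example, hypothetical data).

Joins per-app account exports to the HR roster on the HR-assigned employee ID
and reports:
  terminated_still_enabled  - a leaver who can still log in (act today)
  terminated_not_removed    - a leaver's account disabled but not deleted
  no_hr_match               - an account with no HR owner (service, contractor,
                              or shadow account nobody will ever off-board)
"""
import csv
import io
from dataclasses import dataclass

# Constructed HR roster export. employee_id is the unique HR-assigned identifier.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
E1001,Joe Smith,active,
E1002,Ana Garcia,terminated,2016-03-31
E1003,Wei Chen,active,
"""

# Constructed per-app exports. Display names deliberately differ between apps
# ("J. Smith", "Joe S.") to show why the ID, not the name, is the join key.
# Column names for the account and enabled flag are assumptions about each app.
APP_EXPORTS = {
    "active_directory": """sAMAccountName,displayName,employee_id,enabled
jsmith,J. Smith,E1001,true
agarcia,Ana Garcia,E1002,true
wchen,Wei Chen,E1003,true
svc_backup,Backup Service,,true
""",
    "salesforce": """username,name,employee_id,active
joe.s@example.com,Joe S.,E1001,true
ana.g@example.com,Ana G.,E1002,false
""",
    "dropbox": """email,name,employee_id,status
joe.smith@example.com,Joe Smith,E1001,active
contractor99@example.com,Old Contractor,,active
""",
}

ENABLED_COLUMNS = ("enabled", "active", "status")
ENABLED_VALUES = {"true", "active", "yes", "1"}


@dataclass(frozen=True)
class Finding:
    app: str
    account: str
    employee_id: str  # empty when the account carries no HR id
    issue: str


def load_roster(roster_csv):
    """Map employee_id -> roster row."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(roster_csv))}


def account_is_enabled(row):
    """Each app names its enabled flag differently. An unknown flag is treated
    as enabled, the safe assumption for an access review."""
    for col in ENABLED_COLUMNS:
        if col in row:
            return row[col].strip().lower() in ENABLED_VALUES
    return True


def account_name(row):
    """Pick whichever login column this app's export uses."""
    for col in ("sAMAccountName", "username", "email"):
        if col in row:
            return row[col]
    return next(iter(row.values()))


def audit_app(app, export_csv, roster):
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        emp_id = (row.get("employee_id") or "").strip()
        name = account_name(row)
        if not emp_id or emp_id not in roster:
            findings.append(Finding(app, name, emp_id, "no_hr_match"))
        elif roster[emp_id]["status"] == "terminated":
            issue = "terminated_still_enabled" if account_is_enabled(row) else "terminated_not_removed"
            findings.append(Finding(app, name, emp_id, issue))
    return findings


def audit_all(roster_csv, exports):
    roster = load_roster(roster_csv)
    findings = []
    for app, export_csv in exports.items():
        findings.extend(audit_app(app, export_csv, roster))
    return findings


def rogue_access(findings):
    """Only the rows that are live rogue access: leavers who can still log in."""
    return [f for f in findings if f.issue == "terminated_still_enabled"]


if __name__ == "__main__":
    for f in audit_all(HR_ROSTER_CSV, APP_EXPORTS):
        print(f"{f.issue:25} {f.app:17} {f.account:26} hr_id={f.employee_id or '-'}")
```

Run against the constructed data, the script reports Ana Garcia’s Active Directory account as still enabled after her termination, her Salesforce account as disabled but not deleted, and two accounts (a backup service account and a contractor’s Dropbox login) that no HR record owns. The `no_hr_match` rows are the ones the SSO-portal review in point 5 is trying to surface: nobody will off-board an account that was never tied to a person.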


Tony Cohen

Tony joined BT in 1987 and chose to develop his career in data communications. He moved from an engineering to programme management role with Global One before taking up a position as Global Account Director in 1999. Tony joined iPass in 2002 where he was Head of channel sales before moving to Intermedia to grow their European channel sales organisation. In 2012 Tony joined FSI Cloud as General Manager to accelerate the development of their hosting and managed IT solutions division.
