Which of the following is part of the user provisioning phase of the employee life cycle?

A Modern Identity Management Solution

A well-equipped IAM system should provide appropriate resource management tools to system administrators, allowing for easy application on-boarding, off-boarding, and modification.

Ideally, each application can be configured individually with its own entitlements: sets of access permissions within that application that are granted in response to access requests and can be added, removed, or disabled as the organization requires.

In addition, Roles can be used to group applications and entitlements, which are then assigned to a user according to her access needs.

One limitation of traditional solutions like Active Directory is that they cannot control users' access to applications outside of your environment.

As a user's job description and title change, applications should be deprovisioned automatically, simply by revoking access to a Role; on the flip side, assigning a new, appropriate Role automatically provisions the set of applications and entitlements within that Role.

Identity Management Lifecycle Example

A user has been promoted to "Marketing Manager". She will now be assigned the Role "Marketing Manager", and with that new Role assignment she will have access to the particular set of resources attached to that Role. Some resources may be applications with specific entitlements within those applications, e.g. WordPress and the WordPress Administrator entitlement.

When changes like this occur, a modern solution like IDHub can trigger an automated sequence of actions to fully on-board, modify, or off-board a user, as well as set up their permissions, settings, and memberships within apps, fully controlling User Profile Management.

What is Identity Lifecycle Management?

Whenever an organization hires a new employee, engages a new contractor, or brings on a third party, they need access to the essential information, apps and processes that enable them to perform their assigned tasks. However, identities are not limited to human users. Non-human identities also exist, associated with services, systems, SSH keys, API keys, IoT devices, and much more.

As networks and infrastructures grow more complex and cloud access by remote workers more commonplace, it is critical that organizations consider the complete identity lifecycle management (ILM) for all these accounts along with the privileges associated with them.

Identity lifecycle management best practices encompass several stages in the life of an identity.

Provisioning – Setting up new employees, contractors and third parties, as well as machine identities, should today be governed by the principle of least privilege. That means once an identity is verified (single sign-on and multifactor authentication are typical methods of verification for human users), the user or machine is only given access at the level required to do their job or specific tasks.

Updating/changes – When a human user's privileges need to change, their level of access to sensitive data should be adjusted accordingly. Role-based access controls dictated by stated policies help to maintain proper user access throughout the identity lifecycle. Revoking access when it's no longer needed should also be an integral part of the lifecycle process.

Controlling privilege scope creep – Over time, it's not uncommon for access privileges to accumulate. In some cases that means giving human users far more access than necessary to complete a given job or task. Overprivileged accounts such as local admin accounts are prime targets for attackers who look to compromise them and escalate privileges to traverse the network undetected.

Deprovisioning – Research shows that nearly half of all former employees log into their accounts after leaving their job or being terminated. Deprovisioning accounts on a timely basis is necessary to minimize risks from unauthorized access or malicious intent if the employee has been terminated for cause. The same applies to machine identities associated with service accounts, for example.
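The Role-based provisioning from the "Marketing Manager" lifecycle example above, together with the privilege scope creep stage, as an added Python illustration (not code from IDHub or any product named on this page). The Role catalogue, the user record and the Mailchimp/Jira entitlement names are constructed for illustration; only WordPress and its Administrator entitlement come from the page.

```python
"""Role-based provisioning and privilege-creep check (added illustration)."""
from dataclasses import dataclass, field

# Constructed Role catalogue: each Role bundles (application, entitlement) pairs,
# e.g. the "Marketing Manager" Role carries the WordPress Administrator entitlement.
ROLES = {
    "Marketing Specialist": {("WordPress", "Editor"), ("Mailchimp", "Campaign Author")},
    "Marketing Manager": {("WordPress", "Administrator"), ("Mailchimp", "Campaign Author"),
                          ("Mailchimp", "Audience Admin")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Entitlements granted directly, outside any Role: this is how scope creep accumulates.
    direct_grants: set = field(default_factory=set)


def role_entitlements(roles):
    """Effective (application, entitlement) set implied by a set of Roles.
    An unknown Role name raises KeyError rather than silently granting nothing."""
    return set().union(*(ROLES[r] for r in roles))


def change_roles(user, add=(), remove=()):
    """Apply a Role change and return the provisioning actions it implies:
    entitlements to provision (newly justified) and to deprovision (no longer justified)."""
    before = role_entitlements(user.roles)
    user.roles = (user.roles - set(remove)) | set(add)
    after = role_entitlements(user.roles)
    return {"provision": sorted(after - before), "deprovision": sorted(before - after)}


def privilege_creep(user):
    """Direct grants that no current Role justifies: candidates for review and revocation."""
    return sorted(user.direct_grants - role_entitlements(user.roles))


if __name__ == "__main__":
    alice = User("alice", {"Marketing Specialist"},
                 {("WordPress", "Editor"), ("Jira", "Project Admin")})
    print(change_roles(alice, add=["Marketing Manager"], remove=["Marketing Specialist"]))
    print(privilege_creep(alice))
```

In the sample run the direct WordPress Editor grant survives the Role change even though the Role-driven copy is deprovisioned, which is exactly the accumulation the privilege_creep check surfaces.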

How does privileged access management (PAM) help govern the identity lifecycle?

It's important that any organization utilizes privileged access management (PAM) solutions to implement controls that govern both user and service account identities. This is especially true as more organizations than ever move to the cloud. Single Sign-On (SSO) and MFA are typically associated with human identities, but they do not assure effective privilege management after authentication and authorization.

Role-based access controls help to govern what the user can do once an identity is verified and access is granted. PAM solutions are designed to secure access to sensitive data by ensuring the enforcement of least privilege.

But machine identities on endpoints, servers, and applications that use services to access other systems and use different types of identities to authenticate must also be properly controlled. That means incorporating machine identities as part of your PAM solution to enforce least privilege and comply with policies governing access. Within the broader context of the identity lifecycle, there are certain considerations you should incorporate that relate specifically to service accounts.

Creation/approval process: As new applications are being deployed, ensure you have an automated service account creation and approval process. Align this with your review and audit process to ensure that more sensitive applications have strict security controls.

Service dependency mapping: Map and record dependencies because making changes to one service account can impact others as part of your privilege management plan.

Continuous discovery: Discover service accounts that may have been created outside of an approved process or life cycle. After that, review them to ensure the correct security policies have been applied.

Security and governance risk assessments: Map compliance requirements to the appropriate security access controls, implement them, and report on governance.

Automated auditing and reporting: Monitor, record, and report on service account usage and changes as part of your privileged access review and audit. This helps distinguish between authorized and unauthorized changes.

Updating and reviewing security controls: Group service accounts according to similar risks and categories. Review along with other privileged accounts to ensure that the correct security controls are set for each service account.

Expiration/review process: Set a review date or expiration date to determine whether the application is still required. This should be done as part of the creation process as well as part of continuous discovery.

Remove unused/expired service accounts: Continuously remove unused service accounts to reduce the privileged attack surface. Deprovisioning is a critical stage of the life cycle that's often overlooked with service accounts.
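The service account considerations listed above (approval process, continuous discovery, expiration/review date, removal of unused accounts) applied to an inventory, as an added Python illustration that is not part of the original page. The approval register, account names and dates are constructed; the 90-day unused threshold is an assumption, not a figure from the page.

```python
"""Service account lifecycle review (added illustration)."""
from datetime import date, timedelta

# Constructed inputs: the approval register and what a continuous-discovery scan found.
APPROVED = {"svc-backup", "svc-erp-sync"}
INVENTORY = [
    {"name": "svc-backup",   "expires": "2025-12-31", "last_used": "2025-06-01"},
    {"name": "svc-erp-sync", "expires": "2025-03-01", "last_used": "2025-05-20"},
    {"name": "svc-old-etl",  "expires": "2025-12-31", "last_used": "2024-09-15"},
    {"name": "svc-adhoc",    "expires": None,         "last_used": None},
]


def review_service_accounts(inventory, approved, today, unused_after=timedelta(days=90)):
    """Return {account: [issues]} for accounts needing attention, applying the checks
    the page lists: approval process, expiration/review date, unused-account removal.
    `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = {}
    for acct in inventory:
        issues = []
        if acct["name"] not in approved:
            issues.append("created outside the approved process")
        if acct["expires"] is None:
            issues.append("no expiration/review date set")
        elif date.fromisoformat(acct["expires"]) < today:
            issues.append("past expiration date: confirm still required")
        if acct["last_used"] is None:
            issues.append("never used: candidate for removal")
        elif today - date.fromisoformat(acct["last_used"]) > unused_after:
            issues.append("unused for over %d days: candidate for removal" % unused_after.days)
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in review_service_accounts(INVENTORY, APPROVED, "2025-06-02").items():
        print(name, "->", "; ".join(issues))
```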


During what stage of the employee life cycle are user accounts disabled?

Along with the turnover, the user accounts for all of those employees must also be managed. When employees are hired, new user accounts must be created. On the other end, when employees leave the organization, their user accounts must be disabled and eventually deleted.

Which of the following is the correct order of the policy life cycle?

Typically, this life cycle involves five stages: (1) discussion and debate; (2) political action; (3) legislative proposal; (4) law and regulation; and (5) compliance.

Which of the following are the three elements of the CIA triad?

These three letters stand for confidentiality, integrity, and availability, otherwise known as the CIA triad.

Which of the following can be defined as the shared attitudes, goals, and practices that characterize a company, corporation, or institution?

Corporate culture refers to the shared values, attitudes, standards, and beliefs that characterize members of an organization and define its nature.