1. Deprovisioning – Cinderella
Provisioning may be the chosen stepsister to Deprovisioning, but as the Fairy Godmother
bestows workflows and automation on Deprovisioning, she becomes a Princess.
When it comes to removing access due to a changing job role or someone leaving the
organization, IT departments often revoke access rights only when they can get around to it.
If HR is the system of record, the timeliness of its notification to remove access may also be
a concern: under HR's SLA, personnel records may be updated only just before payroll is
processed. Too many days pass with the employee still having access rights.
Automated Deprovisioning combined with a Workflow Process can help IT and the department
heads reduce risk and workload. This reduces orphaned accounts, improves audit capability,
and provides audit trails to enhance regulatory compliance.
The key is getting department heads to report job changes and exits in partnership with IT, so
that Deprovisioning does not become a low-priority task within the IT workload. To coach
department heads and enforce reporting, IT will need to track current employees to gauge the
level of compliance, which can then be forwarded to management.
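The tracking described above can start as a reconciliation of HR exit records against an export of account status. The following is an added example, not part of the original article; the field names, users, systems and dates are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

AS_OF = date(2024, 3, 20)  # constructed report date

# Constructed sample data: exits recorded by HR and an export of account status.
HR_EXITS = {
    "jdoe": {"dept": "Finance", "exit": date(2024, 3, 1)},
    "asmith": {"dept": "Finance", "exit": date(2024, 3, 10)},
    "bnguyen": {"dept": "Design", "exit": date(2024, 2, 20)},
}
ACCOUNTS = [
    {"user": "jdoe", "system": "AD", "enabled": True, "disabled_on": None},
    {"user": "jdoe", "system": "CloudCRM", "enabled": False, "disabled_on": date(2024, 3, 1)},
    {"user": "asmith", "system": "AD", "enabled": False, "disabled_on": date(2024, 3, 18)},
    {"user": "bnguyen", "system": "Photoshop", "enabled": True, "disabled_on": None},
    {"user": "ckhan", "system": "AD", "enabled": True, "disabled_on": None},  # still employed
]

def reconcile(hr_exits, accounts, as_of):
    """List accounts of departed users that are still enabled or were disabled late."""
    findings = []
    for acct in accounts:
        hr = hr_exits.get(acct["user"])
        if hr is None or hr["exit"] > as_of:
            continue  # current employee, or exit date not reached yet
        # Enabled accounts, and disabled ones with no recorded date, are
        # measured up to the report date.
        closed = as_of if acct["enabled"] else (acct["disabled_on"] or as_of)
        lag = (closed - hr["exit"]).days
        if acct["enabled"] or lag > 0:
            findings.append({"user": acct["user"], "system": acct["system"],
                             "dept": hr["dept"], "orphaned": acct["enabled"],
                             "lag_days": lag})
    return findings

def summarize(findings):
    """Per-department compliance figures suitable for forwarding to management."""
    summary = defaultdict(lambda: {"orphaned": 0, "late": 0, "worst_lag_days": 0})
    for f in findings:
        row = summary[f["dept"]]
        row["orphaned" if f["orphaned"] else "late"] += 1
        row["worst_lag_days"] = max(row["worst_lag_days"], f["lag_days"])
    return dict(summary)

if __name__ == "__main__":
    for dept, row in sorted(summarize(reconcile(HR_EXITS, ACCOUNTS, AS_OF)).items()):
        print(dept, row)
```

Accounts disabled on the exit date are not reported; everything else shows up either as orphaned (still enabled) or late (disabled after the exit date).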
Employees quit or are fired for a reason, so it makes a lot of sense to terminate
access as soon as they are terminated. As an example, further research into the Sony hack has
led experts to believe that the breach was caused by an employee who was improperly
Deprovisioned, allowing them continued access.
A key first step (fitting the glass slipper, to continue the Cinderella analogy) is documenting
procedures via a checklist and, if possible, automating the process using workflows.
You may find tangible costs that automated Deprovisioning can address. Consider the
subscription costs for users' cloud apps that are not Deprovisioned in a timely manner. Other
costs may include changes in roles for users accessing network-based applications like Visio
and Photoshop.
For an added benefit, include managing access rights to unstructured data. Control access
below the Active Directory group level, down to the folder and file level in document
management systems. Offset IT workload with workflows that connect data owners with
assignment processes.
The Cinderella analogy seems even more appropriate when considering the Wiki definition:
“The word "Cinderella" has, by analogy, come to mean one whose attributes were
unrecognized, or one who unexpectedly achieves recognition or success after a period of
obscurity and neglect.”