Automate User Provisioning and Deprovisioning with Security Orchestration and Automation

Last updated at Mon, 04 Dec 2017 18:32:14 GMT

Managing user permissions is a critical process all organizations should be able to do quickly and effectively in order to respond to a variety of security threats. In reality, most companies aren’t able to provision or deprovision user accounts fast enough when such a threat arises — putting their organizations at risk.

While many enterprises make use of single-sign on (SSO) solutions to help protect user accounts, increasingly, SaaS and other third-party applications that don’t support SSO are being used which adds complexity to permission management and system security. Effectively managing user access controls has become more important (and also more complex) than ever before.

So what do you do about user access when a security incident arises? It comes down to two choices:

• Add or remove users manually, a process that won’t suffice in times of crisis or when time and resources are constrained.
• Orchestrate and automate the provisioning and deprovisioning of users so that user accounts can be automatically dealt with, freeing up time to deal with the real issues at hand.

As you may have guessed, orchestration is the smarter approach of these two. Let’s discuss how orchestration helps with the most common use cases for user provisioning and deprovisioning.

Rapid Onboarding: Provisioning New User Accounts

For growing companies, having 10, 20, or 50 new employees start in any given week isn’t uncommon. These new hires can range from sales reps to marketing interns, and from engineers to product managers. Each role and individual requires different access levels to various systems to get their jobs done, and it’s important that they are given this access as early as possible to aid in their onboarding and training.

Busy security or operations teams already have a lot to contend with — keeping on top of the latest vulnerabilities, scaling systems, managing tools, and much more. Taking the time to tediously add users one-by-one to each system puts a drain on productivity and competes with more significant, meaningful work.

With security orchestration, provisioning new user accounts becomes a non-issue. You can easily orchestrate tools together, and kickoff automation to set up accounts with the click of a button.

Closing the Books: Deprovisioning Departing Employees

No matter the reason an employee is leaving — whether for performance, behavior, or to take a new job, it’s important that their accounts are removed from systems as quickly as possible to eliminate potential attacks from aggravated ex-employees, and also as a sound security defense.

Among even our own team, we lost count of how many times each of us realized we had lingering access to systems owned by previous employers — even critical systems. It’s a task most companies forget about. With so much focus on external attacks, organizations often overlook the threat some of our own can pose with unbounded system access.

Ex-employees with malicious intent are eager to take advantage of this. Take the Tribune Co. case against former employee Matthew Keys as a perfect example. Upon his departure, the company failed to cut off his access, and Keys was quick to take advantage, engaging with hackers to deface the website of the Los Angeles Times, a paper owned by Tribune Co. If the company had been quicker to deprovision his access to company systems, this event could have altogether been avoided. There are countless numbers of other similar examples, many of which fly under the radar every single day but can wreak havoc on organizations.

Security orchestration can automate the immediate deprovisioning of departed users, protecting organizations against ex-employees, no matter their motivation. When an employee leaves the organization, security and ops teams can immediately deactivate the accounts in one fell swoop with a single automated workflow.

Sounding the Alarms, Shutting the Doors: User Access In the Event of a Security Incident

When a security incident arises, whether it was internal or external, it’s critical to be able to respond fast. While most enterprises have a process in place to respond to a threat, those processes can be long and complex, including:

• Checking the log data
• Tracing the timeline of an event
• Shutting down systems to prevent the attack from persisting any further
• Pinpointing and deprovisioning affected or suspicious user accounts

The last step—one of the most effective ways to stop an attack — often happens too late.

User accounts are very commonly exploited in phishing attacks. Once a user falls victim to the social engineering ploy in use, an attacker may gain access to any number of systems the victim’s email account is connected to. That’s why it’s important to, at the onset of an attack, deprovision affected email accounts immediately. Equally important is deprovisioning their accounts on critical systems, such as AWS, to ensure damage can’t be done to major infrastructure.

With security orchestration, security and ops teams can automatically remove access from key systems when issues arise. Similar to deprovisioning an account, access and permissions can automatically be revoked in the event of an incident.

Employing Security Orchestration and Automation as a Strategic Defense Tactic

Managing the permissions of new, existing, and old user accounts is a common struggle for many organizations, and the reality is that there is very little time for it in the midst of a security incident. That’s why it’s in a company’s best interest to employ security orchestration as a security defense tactic.

By automating the addition and removal of user accounts, companies can better safeguard their systems and data, whether it’s from a malicious ex-employee or the victim of a malware or phishing attack.