When a company takes on a new employee, managers may need to give that individual access to certain systems, features, apps or accounts. This is known as provisioning, and deprovisioning removes that access when the employee leaves the organization or changes roles. What do you need to know about deprovisioning?
How Provisioning Works
Provisioning can take place at one of four different levels:
- Network provisioning establishes a network that can be connected to devices and servers and accessed by the users. This is the approach phone companies use when they offer wireless solutions to their customers.
- Server provisioning sets up a server within that network (such as physical hardware in a data centre, or a virtual machine) and attaches it to the networks and storage it needs.
- Application provisioning deploys and configures an application together with the infrastructure components it depends on, so that it runs consistently across different environments.
- User provisioning gives certain rights and permissions to individual people so that they can access systems, resources, files, networks or apps.
Deprovisioning, the removal of that access, is most often needed at the user level, every time someone leaves or changes role. Every company needs to get this right: any account or permission that is missed stays valid and remains a way into the organization.
How Deprovisioning Works
As the organization grows more complex, so does provisioning, and one individual may end up with accounts on a large number of systems and extensive access rights across them. Until recently, deprovisioning involved a great deal of time and money as the HR team went back and forth with the IT department to confirm that every one of those accounts and permissions had been revoked.
Today, however, deprovisioning can be automated through identity and access management (IAM) tools. These integrate with the company directory and the HR system of record, so the moment an employee moves department or leaves the organization, the change in HR status triggers the corresponding changes to that person's access.
What Are the Key Benefits of Deprovisioning?
These are some key benefits associated with user deprovisioning:
- Offboarding employees becomes far easier. The system can quickly identify a person's usernames, roles and profiles, list every account and access permission assigned to them, and terminate all of it in one pass, however complex the underlying entitlement rules may be.
- HR-driven identity management tools can automatically cut off a former employee's access as soon as HR marks them as having left. This largely removes the risk of "zombie" accounts: accounts of departed employees that would otherwise sit idle, still valid and often still privileged, presenting a growing security risk that nobody is watching.
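The HR-driven workflow described above, written out as an added example that is not part of the original article and not code from any IAM product. It runs against a constructed in-memory stand-in for a directory (not the Microsoft Graph API); the HR feed, users, groups and app-role assignments are invented sample data. The order of operations is the point: disable the account, revoke sessions and refresh tokens (disabling alone does not invalidate tokens already issued), then strip group memberships and application roles, and keep an audit trail of each step. A second function looks for zombie accounts: enabled accounts with no active HR record, or with no sign-in for a configurable number of days.

```python
"""Automated, HR-driven user deprovisioning with zombie-account detection.

Constructed example: the directory below is an in-memory stand-in, not a real
directory service API, and every record in it is invented sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Constructed "today" so the idle-account check is deterministic
TODAY = date(2024, 5, 15)


@dataclass
class User:
    upn: str
    employee_id: str
    enabled: bool = True
    groups: set[str] = field(default_factory=set)
    app_roles: set[str] = field(default_factory=set)
    sessions_revoked: bool = False
    last_sign_in: date | None = None


# Constructed HR feed: employee_id -> employment status
HR_FEED = {
    "E100": "active",
    "E101": "terminated",   # Bob has left the organisation
    "E102": "active",
}

# Constructed directory contents
DIRECTORY = {
    "alice@example.com": User("alice@example.com", "E100",
                              groups={"all-staff", "finance"},
                              app_roles={"erp:approver"},
                              last_sign_in=date(2024, 5, 1)),
    "bob@example.com": User("bob@example.com", "E101",
                            groups={"all-staff", "sales"},
                            app_roles={"crm:user"},
                            last_sign_in=date(2024, 4, 28)),
    # Account with no HR record at all and no recent sign-in
    "svc-legacy@example.com": User("svc-legacy@example.com", "E999",
                                   groups={"admins"},
                                   last_sign_in=date(2023, 1, 10)),
}


def deprovision(user: User) -> list[str]:
    """Revoke everything the user holds; return the audit trail of actions taken."""
    actions: list[str] = []
    if user.enabled:
        user.enabled = False                      # 1. block new sign-ins
        actions.append("disabled account")
    if not user.sessions_revoked:
        user.sessions_revoked = True              # 2. kill existing sessions/tokens
        actions.append("revoked sessions and refresh tokens")
    for g in sorted(user.groups):                 # 3. strip group-based access
        actions.append(f"removed from group {g}")
    user.groups.clear()
    for r in sorted(user.app_roles):              # 4. strip direct app assignments
        actions.append(f"removed app role {r}")
    user.app_roles.clear()
    return actions


def reconcile(directory: dict[str, User], hr_feed: dict[str, str]) -> dict[str, list[str]]:
    """Deprovision every enabled or entitled account whose HR status is 'terminated'."""
    report: dict[str, list[str]] = {}
    for upn, u in directory.items():
        if hr_feed.get(u.employee_id) == "terminated" and (u.enabled or u.groups or u.app_roles):
            report[upn] = deprovision(u)
    return report


def find_zombies(directory: dict[str, User], hr_feed: dict[str, str],
                 today: date = TODAY, max_idle_days: int = 90) -> dict[str, list[str]]:
    """Enabled accounts with no active HR record, or idle for longer than max_idle_days.

    These are reported for review rather than disabled automatically, because an
    account with no HR record may be a service account that someone still depends on.
    """
    zombies: dict[str, list[str]] = {}
    for upn, u in directory.items():
        if not u.enabled:
            continue
        reasons = []
        if hr_feed.get(u.employee_id) != "active":
            reasons.append("no active HR record")
        if u.last_sign_in is None or (today - u.last_sign_in).days > max_idle_days:
            reasons.append(f"no sign-in in {max_idle_days} days")
        if reasons:
            zombies[upn] = reasons
    return zombies


if __name__ == "__main__":
    for upn, reasons in find_zombies(DIRECTORY, HR_FEED).items():
        print(f"REVIEW {upn}: {', '.join(reasons)}")
    for upn, actions in reconcile(DIRECTORY, HR_FEED).items():
        print(f"DEPROVISIONED {upn}: {'; '.join(actions)}")
```

Run once, the pass disables Bob, revokes his sessions and removes both his groups and his CRM role, while the legacy service account is only reported, since nothing in HR vouches for or against it. A real implementation would issue the same sequence of calls to the directory and to each connected application, and would write the audit trail somewhere the security team can query it.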
Deprovisioning Best Practices
Automated provisioning and deprovisioning only work as intended if the rules behind them are set up correctly at the outset, whether the systems live on-premises or in the cloud. Otherwise the same automation that is supposed to enforce policy can silently grant access rights that contradict company policy or breach regulatory requirements. Each company should therefore adopt an IT control process known as access recertification: on a regular cycle, the access privileges of every user are reviewed to confirm that they are still correct and still comply with regulations and internal policy. This can be done manually or with access governance software. In the same review, auditors and security personnel verify that the rules and workflows inside each provisioning system are themselves correct and consistent with industry best practices, so that the automation cannot reintroduce the problems the review just removed.
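A minimal form of the recertification check described above, added here as an example that is not part of the original article and not the logic of any particular access governance product. It compares each user's live entitlements against a role policy, flags anything held beyond what the role allows and any separation-of-duties conflict, and separately checks that the provisioning rules themselves (the role policy) do not bake a conflict in. The role matrix, conflict pairs and user snapshot are invented sample data.

```python
"""Access recertification: live entitlements vs. role policy, plus a check of the
provisioning rules themselves.

Constructed example; the role policy, separation-of-duties pairs and user
snapshot below are invented and do not describe any real organisation.
"""

# Entitlements each job role is allowed to hold (constructed policy)
ROLE_POLICY = {
    "accountant":      {"erp:ledger.read", "erp:invoice.create"},
    "finance-manager": {"erp:ledger.read", "erp:invoice.approve", "reports:view"},
    "developer":       {"git:push", "ci:run"},
    # A misconfigured role: a single provisioning rule grants both halves of an SoD pair
    "finance-admin":   {"erp:invoice.create", "erp:invoice.approve"},
}

# Entitlement pairs the same person must never hold together (constructed SoD rule)
SOD_CONFLICTS = [
    ("erp:invoice.create", "erp:invoice.approve"),
]

# Constructed snapshot of live assignments: user -> (job role, entitlements actually held)
USERS = {
    "alice": ("accountant", {"erp:ledger.read", "erp:invoice.create"}),
    # Bob was promoted but kept invoice.create from his old role
    "bob":   ("finance-manager", {"erp:ledger.read", "erp:invoice.approve",
                                  "erp:invoice.create", "reports:view"}),
    # Carol received an ad-hoc grant that was never revoked
    "carol": ("developer", {"git:push", "ci:run", "erp:ledger.read"}),
}


def recertify(users, policy, sod_conflicts):
    """Return {user: [finding, ...]} for every user whose access needs action.

    A finding is ("excess", [entitlements not allowed by the role]) or
    ("sod", [the two conflicting entitlements]). A role missing from the policy
    is treated as allowing nothing, so every entitlement shows up as excess.
    """
    findings = {}
    for name, (role, held) in users.items():
        allowed = policy.get(role, set())
        issues = []
        excess = held - allowed
        if excess:
            issues.append(("excess", sorted(excess)))
        for a, b in sod_conflicts:
            if a in held and b in held:
                issues.append(("sod", [a, b]))
        if issues:
            findings[name] = issues
    return findings


def validate_policy(policy, sod_conflicts):
    """Flag roles whose own entitlement set violates an SoD rule.

    Such a role would make the automation grant a conflict to anyone assigned it,
    which is exactly the failure mode recertification of the rules is meant to catch.
    """
    return [(role, a, b)
            for role, ents in policy.items()
            for a, b in sod_conflicts
            if a in ents and b in ents]


if __name__ == "__main__":
    for user, issues in recertify(USERS, ROLE_POLICY, SOD_CONFLICTS).items():
        print(user, issues)
    for role, a, b in validate_policy(ROLE_POLICY, SOD_CONFLICTS):
        print(f"policy error: role {role} grants both {a} and {b}")
```

Two kinds of result come out: user-level findings that a reviewer approves or revokes (Bob's leftover entitlement, Carol's ad-hoc grant), and a rule-level finding that must be fixed in the provisioning system before the next cycle, since revoking it from users alone would only last until the rule re-granted it.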
How Can Deprovisioning Make a Company More Secure?
If a company does not have an adequate user provisioning and deprovisioning system, it faces significant risk. The 2018 Cost of a Data Breach study by Ponemon Institute and IBM put the average cost at $148 per record, and at $7.91 million per breach for US organizations. Needless to say, a breach of that size can weigh on a company's performance for years, and a frequently cited figure holds that 60% of small businesses fail within six months of a major breach.
Enter Microsoft Azure Active Directory
Microsoft's Active Directory is a directory service that stores information about the objects on a network (users, computers, groups and their permissions) and makes it easy to find them and control who can access what. It is, in effect, a database of critical information about a specific environment: which assets and users exist and how each individual is allowed to reach them. Azure Active Directory (since renamed Microsoft Entra ID) is Microsoft's separate, cloud-based identity and access management service; it can be synchronized with an on-premises Active Directory, but it is a distinct product rather than a component of it.
Azure Active Directory lets a company's employees sign in to external resources, including thousands of SaaS applications, with the same identity. Crucially, it also lets them reach internal resources, whether on the corporate network or in cloud apps the company has built itself.
Azure Active Directory can automatically provision user identities and roles into applications, keep them up to date, and remove them through deprovisioning when a person's status or role changes. Cloud applications are provisioned through their SCIM interfaces, and on-premises applications through a lightweight provisioning agent that connects outbound to the service, so no inbound firewall ports need to be opened. It also synchronizes data between systems so that identities stay consistent across apps and directories.
It is also customizable. Attribute mappings define which user data flows from the source system to each target system and how it is transformed on the way. Deployment into a brownfield environment is straightforward: the service matches incoming identities against accounts that already exist in the target system, so users who are already present are updated rather than duplicated. Provisioning logs record every operation, critical events raise alerts, and administrators can define custom alerts to suit their own business needs.
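The attribute-mapping and matching behaviour described above, as an added example that is not the Azure Active Directory provisioning engine's own code. It maps HR source records onto a target schema (a user name derived from first and last name, a display name, an employee number, a department and an active flag), then matches each mapped record against accounts that already exist in the target, first on employee number and then on user name, and decides whether to create, update or leave the account alone. The mapping table, source records and target store are invented sample data; the normalisation rules are assumptions chosen for the example.

```python
"""Attribute mapping from an HR source record to a target schema, with matching
against accounts that already exist in the target (brownfield onboarding).

Constructed example: the mapping table, source records and target store are
invented, and the normalisation rules are assumptions made for illustration.
"""
import re
import unicodedata


def ascii_slug(s: str) -> str:
    """Fold accents to ASCII and keep only a-z, so 'Zoë' -> 'zoe', "O'Neil" -> 'oneil'."""
    folded = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())


def normalise_mail(first: str, last: str, domain: str = "example.com") -> str:
    return f"{ascii_slug(first)}.{ascii_slug(last)}@{domain}"


# Mapping table: target attribute -> expression over the source record (constructed)
MAPPINGS = {
    "userName":       lambda r: normalise_mail(r["givenName"], r["familyName"]),
    "displayName":    lambda r: f"{r['givenName']} {r['familyName']}",
    "employeeNumber": lambda r: r["employeeId"],
    "department":     lambda r: r["dept"],
    "active":         lambda r: r["status"] == "active",
}

# Matching precedence: the first attribute that finds an existing account wins
MATCH_ORDER = ["employeeNumber", "userName"]


def map_record(src: dict) -> dict:
    return {attr: fn(src) for attr, fn in MAPPINGS.items()}


def find_existing(target_store: dict, mapped: dict):
    """Return the target account id that matches, or None if the user is new."""
    for attr in MATCH_ORDER:
        value = mapped[attr]
        if value is None:
            continue                       # never match on an empty attribute
        for tid, acct in target_store.items():
            if acct.get(attr) == value:
                return tid
    return None


def plan(source_records: list, target_store: dict) -> list:
    """Decide ("create" | "update" | "skip", id, changes) per source record.

    Read-only: it computes the plan without modifying the target, so a reviewer
    can check what the sync would do before it runs.
    """
    ops = []
    for src in source_records:
        mapped = map_record(src)
        tid = find_existing(target_store, mapped)
        if tid is None:
            ops.append(("create", mapped["userName"], mapped))
            continue
        changes = {k: v for k, v in mapped.items() if target_store[tid].get(k) != v}
        ops.append(("update", tid, changes) if changes else ("skip", tid, {}))
    return ops


# Constructed HR source records
SOURCE = [
    {"employeeId": "E100", "givenName": "Alice", "familyName": "Smith",  "dept": "Finance", "status": "active"},
    {"employeeId": "E101", "givenName": "Bob",   "familyName": "O'Neil", "dept": "Sales",   "status": "terminated"},
    {"employeeId": "E102", "givenName": "Zoë",   "familyName": "Li",     "dept": "Eng",     "status": "active"},
]

# Constructed target store: accounts that already existed before the sync was set up
TARGET = {
    "t-1": {"userName": "alice.smith@example.com", "employeeNumber": "E100",
            "displayName": "Alice Smith", "department": "Finance", "active": True},
    # Created by hand years ago: no employeeNumber, so it can only match on userName
    "t-2": {"userName": "bob.oneil@example.com", "employeeNumber": None,
            "displayName": "Bob O'Neil", "department": "Sales", "active": True},
}


if __name__ == "__main__":
    for op in plan(SOURCE, TARGET):
        print(op)
```

Alice's account already agrees with HR and is skipped; Bob's pre-existing account is found by user name, gets its missing employee number filled in and is deactivated because HR lists him as terminated; Zoë has no account and is created with a normalised address. Matching on a stable identifier first and a derived name second is what prevents the sync from creating duplicates for people who were in the target before the integration existed.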
Get More Information
To get more information about deprovisioning and how your company can automate the process through Azure Active Directory, get in touch with Softlanding. We are an IT company that provides managed and professional IT services and are a Microsoft Solutions partner. We only deploy and implement Microsoft Solutions from Azure to Microsoft 365 and Microsoft Teams.