No hard and fast rule for provisioning

Posted: July 1, 2010 in Industry Commentary
Tags: , , , , , ,

VPN Haus contributor Ben Ruset posted some food for thought on his blog about employee provisioning. Some people assume the best course of action is to immediately provision departing employees off the network. But Ruset brings up some good reasons why this approach isn’t always best.

This presents a problem because if IT takes it upon itself to delete a user that it thinks should be deleted there’s a risk that important data could be lost, or that the user has a legitimate need to retain access for one reason or another. On the other hand, if IT decides to do nothing, there’s a vector for attack where, depending on the circumstances of the employees departure, they might have a motive to use the enterprises resources maliciously.

We agree with Ruset’s solution – “have strong policies in place that dictate the workflow of a user request. This is a policy that both HR and IT need to agree to, and it needs to be efficient, effective, and enforceable.” But he points out, this policy is often not created or simply not enforced. We understand that provisioning isn’t the sexiest part of an IT person’s job, but that’s not a good enough reason to let provisioning fall to the wayside. Ruset points out:

HR should notify IT that there’s a departure and fill out a request to have the account disabled. Depending on the circumstances of the departure it might be necessary to escalate that to a higher priority level, or let IT know about any special requests (ie: do not delete but disable the account, forward email somewhere, etc.) IT then should expediently handle the request and again confirm with HR that the request has been completed.

He acknowledges that provisioning “is one of the most crucial but utterly boring parts of IT.” Is this the reason that developing – and enforcing — a solid provisioning policy is such a challenge for organizations? Chime in with your thoughts.

Related Links:

Provisioning: Q&A with Ben Ruset, Princeton University PART 2

Provisioning: Q&A with Ben Ruset, Princeton University

De-provisioning is Just for Former Employees, Right? Wrong!

[tweetmeme source=”vpnhaus” only_single=false]

Comments
  1. […] important when working with third-parties, like customers and other vendors. We recommend provisioning as way to give customers access to data they need, without putting other data at […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s