Effective lifecycle management of identities, privileges, and entitlements starts with provisioning and ends with deprovisioning. Implementing best practices in provisioning and deprovisioning minimizes the risk of data breaches while enhancing operational efficiency by ensuring that users have the right level of access without over-privileging. This can help organizations maintain a strong security posture, reduce the attack surface, and comply with regulatory requirements.
This blog explores the important role provisioning and deprovisioning play in effective lifecycle management of identities, privileges, and entitlements; emphasizes their significance in mitigating risks, ensuring compliance, and maintaining a secure, efficient operational environment; and offers practical insights to help you understand how to manage identities, privileges, and entitlements effectively, safeguarding your organization against the hidden threats in your ecosystem.
The Importance of Provisioning in Identity Management
What is Provisioning?
Provisioning is the process of granting appropriate access to new users, service accounts, and resources, ensuring they have the necessary permissions to perform their roles effectively. Whether onboarding employees, contractors, or system accounts, proper provisioning is the first step in establishing a secure identity and access management (IAM) system, and in the effective lifecycle management of identities, privileges, and entitlements.
The Onboarding Process for Users and Assets
When onboarding new users, service accounts, assets, servers, resources, vendors, and so on, the process starts with provisioning. Understanding what is being brought into the organization, its purpose or role, and the capacity in which it needs to function are the crucial steps in determining “what” (how much access to which resources) needs to be provisioned. This could include networks, applications, servers, and of course users (both human and non-human). In this blog, I focus on the user side as it relates to identity and privilege.
The key to successful onboarding is understanding that, when a new user or asset is created, they are being provisioned into the organization. This comprehensive process ensures that they have the necessary access while maintaining security and compliance standards.
The onboarding process involves several critical steps:
- Identification of Needs: Determine the specific requirements and roles for the new user or asset. Understand the purpose and scope of their access.
- Account Creation: Create the user ID and associated details in the system. This includes personal information for human users or specific identifiers for non-human users.
- Role Assignment: Assign the user to appropriate roles based on their job functions. This ensures that they have access to the necessary resources.
- Group Membership Association: Associate the user with relevant security groups to streamline the assignment of permissions and access rights.
- Provisioning of Access: Grant access to necessary applications, systems, and resources. For human users, this might include email, HR systems, web applications, collaboration tools, and server access. For non-human users, this involves access to process/resource-driven identities that serve specific purposes within an environment, and in some cases, large blanket access across organizations.
- Policy Enforcement: Apply organizational policies and security protocols to ensure compliance and mitigate risks.
- Verification and Testing: Verify that all access permissions are correctly assigned and test the user’s ability to access necessary resources.
- Documentation: Document all provisioning steps and maintain records for compliance and auditing purposes.
- Continuous Monitoring: Implement continuous monitoring to ensure that the user’s access remains appropriate and aligned with their evolving role.
Deprovisioning: Ensuring Secure Offboarding
While we understand why provisioning is important, let’s talk about why deprovisioning is equally—if not more—important.
What is Deprovisioning?
Deprovisioning, as it relates to user IDs, is the process by which a user’s access rights are systematically removed, revoked, or even deleted when they are no longer needed. This includes:
- When an employee leaves the company
- When a project is completed
- When an employee changes roles and needs to be deprovisioned from their current access and permissions and provisioned with new access.
In each of these instances, deprovisioning should take place, and any unnecessary access should be immediately revoked, or the user ID should be removed from the organization entirely. In some cases (such as for audit purposes) the user ID cannot be deleted. In these cases, deprovisioning best practices suggest:
- The user ID should be stripped of all permissions and group assignments
- The password should be reset to a random value that no one knows
- The account should be set to a disabled state.
Deprovisioning best practices also include regularly reviewing all user access, privileges, and entitlements to prevent excessive privilege accumulation.
There is a common trend within organizations to focus more on provisioning than on deprovisioning, but the process by which user IDs get deprovisioned is just as important as the process by which they are created and provisioned. Neglecting deprovisioning can leave organizations vulnerable to security breaches, unauthorized access, and potential compliance violations.
The important thing to understand is that there is a beginning and an end—both provisioning and deprovisioning must occur to complete the lifecycle management of identities, privileges, and entitlements.
Common Issues that Arise from Under-Deprovisioning
Failing to deprovision at the end of an account or identity’s lifecycle can lead to the following issues:
- Orphaned Accounts - These are accounts that remain active after their associated user has left the organization or the account is no longer needed. Orphaned accounts can be exploited by attackers to gain unauthorized access to systems and data. Since these accounts are often not monitored, they provide a stealthy entry point for malicious activities.
- Stale Privileges - Accounts that are not deprovisioned retain their access rights and privileges indefinitely. Over time, the accumulation of unused privileges can lead to a scenario where multiple accounts have excessive access rights, increasing the potential for privilege escalation attacks.
- Unmonitored Accounts - Accounts that are no longer in use may not be actively monitored by security teams. These accounts can be leveraged by attackers without detection, allowing them to move laterally within the network and escalate their access.
- Forgotten Service Accounts - Service accounts used for specific tasks or applications might remain active even after the associated services are retired. Attackers can exploit these service accounts to gain access to underlying systems, often with elevated privileges that are difficult to detect and mitigate.
- Forgotten Shared Accounts - Accounts that were shared among multiple users might remain active, even if one or more users no longer need access. Shared accounts can be abused by any user who still has access, leading to potential unauthorized actions without clear accountability.
- Persisting Temporary Accounts - Accounts created for temporary purposes, such as for contractors or temporary projects, may not be deprovisioned after the need for them has expired. These accounts can be used by unauthorized individuals to access the system long after their intended use, providing a hidden attack vector.
- Legacy System Accounts - Accounts created for legacy systems that are no longer in use but that have not been deprovisioned. These accounts may not comply with current security policies and can be a weak point in the security infrastructure, making them attractive targets for attackers.
- Forgotten Administrator Accounts - Admin accounts that were created for specific tasks or projects and not deprovisioned afterwards. These accounts often have high-level access that can be exploited for administrative control over systems and data, posing significant security risks if compromised.
- Redundant Test Accounts - Accounts used for testing purposes during development or implementation phases that are not removed after testing is completed. Test accounts typically have access to multiple systems and might have weaker security measures, making them easy targets for attackers.
- Inactive User Accounts - Accounts belonging to users who have not logged in or used the system for an extended period but remain active. These accounts can be compromised and used as a foothold for further attacks, especially if they are not subjected to regular security reviews and updates.
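As an added example (not code from the original post), here is a small Python audit that runs over a constructed account inventory and flags the categories above: orphaned accounts, inactive accounts, expired temporary accounts, and stale privilege on accounts nobody is using. The Account fields, the group names, the sample records and the 90-day inactivity threshold are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed inventory record: the field names are assumptions for this example,
# not any directory's or product's schema.
@dataclass
class Account:
    name: str
    kind: str                       # "user", "service", "shared", "temp", "test" or "admin"
    enabled: bool
    owner_active: bool              # False once the person, project or service behind it is gone
    last_logon: Optional[date]      # None means the account has never logged on
    groups: Set[str] = field(default_factory=set)
    expires: Optional[date] = None  # planned end date for contractor/temporary accounts

# Built-in groups that carry delegated rights (assumed list for the example).
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Power Users"}

# Reference date for the constructed sample below.
AS_OF = date(2024, 6, 30)

def audit(accounts: List[Account], today: date, inactive_days: int = 90) -> List[Tuple[str, str]]:
    """Return (account name, reason) pairs for enabled accounts that need deprovisioning."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled, i.e. deprovisioned; nothing to flag
        reasons = []
        if not a.owner_active:
            # Orphaned users and forgotten service, shared, test, admin or legacy accounts
            reasons.append("orphaned")
        if a.expires is not None and a.expires < today:
            reasons.append("expired temporary")
        idle = a.last_logon is None or (today - a.last_logon) > timedelta(days=inactive_days)
        if idle:
            reasons.append("inactive")
        if idle and a.groups & PRIVILEGED_GROUPS:
            # Privilege that nobody is exercising is the stale-privilege case
            reasons.append("stale privilege")
        findings.extend((a.name, r) for r in reasons)
    return findings

def sample_inventory() -> List[Account]:
    """Constructed sample data, not real accounts."""
    return [
        Account("jdoe", "user", True, True, date(2024, 6, 28), {"Staff"}),
        Account("asmith", "user", True, False, date(2024, 2, 1), {"Staff"}),            # left the company
        Account("svc-legacy-backup", "service", True, False, None, {"Domain Admins"}),  # service retired
        Account("contractor-07", "temp", True, True, date(2024, 6, 29), {"Staff"},
                expires=date(2024, 5, 31)),                                             # engagement ended
        Account("qa-test2", "test", False, False, date(2023, 11, 3), set()),            # already disabled
        Account("adm-migration", "admin", True, True, date(2024, 1, 15), {"Administrators"}),
    ]

if __name__ == "__main__":
    for name, reason in audit(sample_inventory(), AS_OF):
        print(f"{name}: {reason}")
```

Only "jdoe" comes through clean; "qa-test2" is skipped because disabling it already completed its deprovisioning.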
The Role of Permissions and Rights in Provisioning
Understanding Security Groups and Permissions
With today’s threat landscape, and with identities becoming the primary target for bad actors, one of the most critical pieces of provisioning occurs when an identity or user ID is granted permissions. As mentioned earlier, this typically occurs by adding the user ID to specific security group(s).
These groups exist for ease of administration and to streamline the provisioning process. They might be built-in groups that already have assigned or delegated rights (such as Domain Admins, local Administrators, or Power Users), or they might be groups that were created and delegated rights so that their members can perform a function within the organization. To keep it simple, we won’t talk about nested groups (groups within groups). The point is that, in most cases, a user ID cannot function properly within an environment without permissions or rights.
More often than not, it is neither ideal nor practical for each and every user to have their own special set of rights. This becomes a nightmare to manage and is unreasonable once you are talking about 10,000 to 500,000 accounts. While there are tools focused on streamlining this process, it is important to note that even in small organizations it is sometimes easier to just add user IDs to existing groups or built-in groups, which can grant excessive privilege in an environment, than to create proper groups and delegate rights. In larger organizations there are sometimes so many groups that nobody knows which ones a user belongs in, and users end up added to several groups that carry privileges within the environment the user doesn’t need.
Risks of Over-Provisioning and Under-Deprovisioning
Each active but unnecessary account provides an additional point of entry for attackers, thereby broadening the attack surface and increasing the likelihood of a successful breach. Unmonitored and forgotten accounts introduce the added risk of allowing attackers to maintain a low profile within the network, avoiding detection while they carry out malicious activities.
Let’s dive into two of the biggest risks associated with over-provisioning and under-deprovisioning:
Excessive Privileges: A Security Nightmare
The principle of least privilege is designed to mitigate the main threat malicious actors look to capitalize on when compromising user identities. Their goal is to compromise an identity that has privileges or excessive privileges they can then exploit across an organization to escalate their privileges within the network, gain access to sensitive data and critical systems, and carry out their malicious intent.
As a best practice, users should only have the amount of access they need in order to perform or carry out their duties within the organization—and that access should be revoked when it is no longer needed (Just-in-Time access).
This includes administrators of systems, too. For example, a database administrator would need access to a database (and maybe even the server it is hosted on). The database admin might not need access to other web servers, network infrastructure, or server operating systems, though, and they shouldn’t be provisioned with the rights to access these extraneous resources. This is what is considered over-privileged or excessive privileges.
These types of scenarios happen across organizations all the time. Users end up being over-provisioned with excessive privileges or entitlements within an organization, and this severely increases the level of exposure within the organization (and thereby the risk) should that user’s access be exploited.
The Threat of Malicious Insiders
A related consequence of over-provisioning is the malicious insider. Users still need the right level of access to perform their job duties, and this comes with an inherent and accepted level of associated risk. But what about when a malicious insider (intentional or unintentional) has access to resources they shouldn’t have or don’t need? This poses a huge risk, and in some cases organizations don’t realize it or don’t have insight into the problem.
By deprovisioning unnecessary access immediately, organizations reduce the risk of insider threats from disgruntled former employees, those who might misuse their access before leaving the organization, or employees who are being paid by threat actors to carry out nefarious tasks or grant unauthorized access.
The Risk of Regulatory Non-Compliance
Many regulations mandate strict access controls and timely deprovisioning of accounts. For instance, provisioning and deprovisioning play a vital role in meeting standards set by GDPR, HIPAA, and SOX, to name a few. Failure to properly provision and deprovision accounts can result in non-compliance with data protection regulations, leading to fines and legal penalties.
Best Practices for Provisioning and Deprovisioning
Implement the Principle of Least Privilege
The principle of least privilege (PoLP) dictates that users, applications, and systems should only be granted the minimum level of access necessary to perform their duties. Implementing PoLP effectively when provisioning and deprovisioning enhances security and reduces the risk of unauthorized access and data breaches:
- During provisioning - Minimizing access rights during role assignment, setting up fine-grained access controls that restrict users to predefined permissions (Role-Based Access Control), monitoring and auditing user activities, and reducing the complexity of tracking and updating user permissions as roles change are all elements of least privilege that can be implemented during the provisioning stage to drastically reduce the number of potential entry points that attackers could exploit (minimize the attack surface) and limit exposure.
- During deprovisioning - Timely revocation of access when a user no longer needs access to certain resources, and regularly reviewing and adjusting access rights to prevent the accumulation of excessive permissions (e.g., due to changing roles and responsibilities or project completion), are elements of least privilege that can be implemented during the deprovisioning stage of the lifecycle to prevent latent access that could be exploited by unauthorized users.
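The two deprovisioning cases the post describes, a role change (deprovision the old role’s access, provision only what the new role needs) and an offboarding that must keep the user ID for audit (strip permissions, reset the password to an unknown value, disable), as an added Python example that is not from the original post. The role-to-entitlement map, the in-memory Directory class and the sample account are assumptions; a real implementation would issue the equivalent calls against your directory or IAM tool.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Assumed role model: each role maps to exactly the entitlements its duties require.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "dba": {"db-prod-rw", "db-host-login"},
    "web-admin": {"web-host-login", "iis-config"},
}

@dataclass
class Account:
    name: str
    role: str
    entitlements: Set[str] = field(default_factory=set)  # group memberships / delegated rights
    enabled: bool = True
    secret: str = ""  # stands in for the stored credential in this toy model

class Directory:
    """Minimal in-memory stand-in for a directory; not any product's API."""
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add(self, acct: Account) -> None:
        self.accounts[acct.name] = acct

def change_role(acct: Account, new_role: str) -> Tuple[Set[str], Set[str]]:
    """Deprovision the old role's access and provision the new role's, nothing more.
    Returns (revoked, granted) so the change can be logged for audit."""
    wanted = ROLE_ENTITLEMENTS[new_role]
    revoked = acct.entitlements - wanted   # includes stray rights the old role never justified
    granted = wanted - acct.entitlements
    acct.entitlements = set(wanted)        # end state is exactly what the new role needs
    acct.role = new_role
    return revoked, granted

def offboard(directory: Directory, name: str, retain_for_audit: bool) -> Optional[Account]:
    """Delete the account, or, when it must be kept for audit, strip it,
    reset its credential to a value nobody knows, and disable it."""
    acct = directory.accounts[name]
    if not retain_for_audit:
        del directory.accounts[name]
        return None
    acct.entitlements.clear()                # 1. no permissions or group assignments
    acct.secret = secrets.token_urlsafe(32)  # 2. random credential, recorded nowhere
    acct.enabled = False                     # 3. disabled state
    return acct

if __name__ == "__main__":
    d = Directory()
    # Constructed sample: a DBA who also picked up Domain Admins along the way
    d.add(Account("dba01", "dba", {"db-prod-rw", "db-host-login", "Domain Admins"}, secret="old"))
    print("role change:", change_role(d.accounts["dba01"], "web-admin"))
    print("offboarded:", offboard(d, "dba01", retain_for_audit=True))
```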
Enforce Regular Access Reviews
In a perfect world, a disabled account would be moved to a highly monitored container so that any attempt to re-enable or use it is noticed. But this doesn’t always happen, and that creates added risk of identity compromise for organizations. The actor could be an external threat actor or a malicious insider looking to cover their tracks by using another identity to do something they aren’t supposed to be doing. Ensuring the account is in a disabled state and removed from any groups that grant access to resources ensures the identity cannot be used to compromise the organization, and, when appropriate, the account can then be deleted.
Leverage Tools for Identity and Access Management
Effectively managing identity and access within an organization can be a complex task, but leveraging the right tools can simplify provisioning and deprovisioning processes significantly, making managing the full lifecycle of identities, privileges, and entitlements much more digestible. Various types of tools exist to address different aspects of identity and access management, each designed to streamline and enhance the security and efficiency of these operations, and some even work cohesively together to provide a comprehensive approach to the problem.
- Identity Management Tools - Facilitate the creation, maintenance, and deletion of user identities, ensuring that only authorized individuals have access to critical systems.
- Governance Management Tools - Help enforce policies and compliance requirements, providing oversight and control over who has access to what.
- Lifecycle Management Tools - Oversee the entire lifecycle of user identities, from onboarding to offboarding, ensuring that permissions are appropriately adjusted as roles change within the organization.
- Privileged Access Management Tools - Are crucial for enforcing the Principle of Least Privilege (PoLP), ensuring that users have only the minimum access necessary to perform their duties. These tools often integrate seamlessly to provide a comprehensive approach to managing identities and access rights.
Key capabilities to look for in any tool you choose to streamline your provisioning and deprovisioning process are automation and user behavior analytics (which usually incorporate some form of AI or machine learning). Tools that leverage these technologies can enforce the consistent application of PoLP and other security policies, reduce the risk of human error, ensure that access rights are promptly updated in response to personnel changes, and allow a prompt response to anomalies in user behavior that could indicate a potential threat.
By leveraging these tools, organizations can not only simplify the provisioning and deprovisioning processes but also enhance their overall security posture.
Conclusion: Strengthening Your Identity Security Posture
Effective provisioning and deprovisioning are crucial for effective lifecycle management of identities, privileges, and entitlements. It’s critical to review your entire identity landscape and ensure your provisioning and deprovisioning steps follow a framework that doesn’t introduce more risk to the organization. By following best practices, organizations can minimize risks and ensure compliance:
- Define roles and responsibilities.
- Follow least privilege principles when provisioning user IDs.
- Implement strict deprovisioning protocols. Delete user IDs when they are no longer needed or in use, and, at a minimum, remove all privileges from the user ID and set it to a disabled state.
- Monitor and review access at least annually, if not quarterly.
These steps will enforce strong provisioning and deprovisioning practices in your identity security posture. Are you ready to learn more about how to strengthen your identity security posture by improving provisioning and deprovisioning practices across your ecosystem? BeyondTrust is here to help, with extensive features and capabilities available across the BeyondTrust platform that can help you manage the entire lifecycle of your identities, privileges, and entitlements. Contact us today, or click here if you would like to start a 30-day complimentary trial that can help you find where privilege, entitlement, and identity risks exist in your organization.
![Photograph of Christopher Hills](https://assets.beyondtrust.com/assets/images/user-photos/_people/Chris-Hills-Headshot-2024_2024-03-12-135250_gvzq.png?auto=format&q=80)
Christopher Hills, Chief Security Strategist, BeyondTrust
Christopher L. Hills has more than 20 years’ experience as a Technical Director, Senior Solutions Architect, and Security Engineer operating in highly sensitive environments. Chris is a military veteran of the United States Navy and started with BeyondTrust after his most recent role leading a Privileged Access Management (PAM) team as a Technical Director within a Fortune 500 organization. In his current position, he has responsibilities as Chief Security Strategist (Americas), working with customers, Marketing, and executives on thought leadership, market trends, and company vision and strategy. Chris has held the Sr. Solutions Architect, Deputy CTO, and Deputy CISO roles since starting with BeyondTrust. Chris is also a co-author of the Cloud Attack Vectors book, a contributor to the new Privileged Attack Vectors book, and an editor of previous books. In his free time, Chris enjoys spending time with his family on the water boating, supporting his son’s college football career, and going off-roading at the sand dunes.