When Your Employees Leave, Make Sure Your Agency Is Still Safe

Presented by FedTech

Agencies need to take concrete steps to deprovision users’ security credentials when they should no longer have access to agency networks and systems.

Through the first eight months of the year, numerous federal agency CIOs left their posts or moved to other ones, including the recently announced retirement of Larry Gross, the Federal Deposit Insurance Corporation’s CIO.

However, users of all kinds and seniority within the government leave agencies on a regular basis. While it’s difficult to determine how many there are, the risk that they pose to agencies’ data integrity is clear. If users’ security credentials are not deprovisioned in a timely manner, they can use those credentials to surreptitiously gain access to sensitive agency data.

That’s why it’s critical that agency CIO offices and IT leaders deploy identity and access management tools to revoke users’ security credentials when employees leave, according to security experts. The National Institute of Standards and Technology’s Cybersecurity Framework notes that “cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).”

Ted Girard, Okta’s director of the public sector, says that thanks to cloud and mobile technologies, data can be accessed from anywhere. The only point of control, he says, is with the users. If former employees get inside systems they should no longer have access to, they can “cause chaos.”

Girard says deprovisioning shouldn’t just occur when a federal employee leaves an agency. “It should also take place when the employee takes on a new role within his or her current agency to ensure employees only have access to the information they need, mitigating security threats should any one user’s credentials be compromised,” he says.

BeyondTrust’s 2017 “Federal Cybersecurity Threat Survey Report” found that 30 percent of respondents believe that insider threats pose a significant threat and 35 percent believe their users have more privileges than are required.

Al Sargent, senior director at identity management provider OneLogin, notes that, according to a survey the company conducted earlier this year of 500 nationally representative U.S.-based IT decision-makers, nearly half (48 percent) of respondents were aware of former employees who still had access to corporate applications. Additionally, 50 percent said that ex-employees’ accounts remained active for longer than a day after they left the company.

“Because of this, there’s a risk of federal agencies not fully deprovisioning all users from all apps, enabling some of them to continue to access agency apps and their sensitive data,” Sargent says.

Sargent says one reason for this is that many government IT organizations are responsible for hundreds of apps “yet still rely on error-prone manual deprovisioning.” When this is combined with the time pressure facing most IT teams, “it’s easy for deprovisioning tasks to fall through the cracks.”

How can agencies avoid that? Here are key tips.

Quickly Revoke Security Credentials

Speed is critical and users should have their credentials deprovisioned as quickly as possible. Agencies should deprovision all users, both contractors and employees, “within minutes of them losing their authorization,” Sargent says. “This is because, with high-speed networks, a rogue user can quickly download vast amounts of sensitive data.”

Girard notes that by leaving employees with access to internal data, an agency opens itself up to the possibility that information will be shared outside of the agency. “As cliché as it sounds, all you need is one weak link to open up your organization to serious risk,” he says.

Deprovisioning a user identity is not the same as deleting an identity, Sargent adds. In some cases, agencies “need to maintain communication continuity with third parties, or transfer ownership of documents, licenses and other data to another employee as part of the offboarding process.”

Take a Multi-Faceted Approach to Identity Management

Identity and access management is “core to mitigating” the threat of ex-employees gaining improper access to agency networks and systems, Girard says. “By ensuring the right users have access to the right data, at the right time, identity solutions are able to provide agencies with the controls needed to manage and secure access across their entire workforce,” he says.

Sargent says OneLogin recommends agencies engage in “deprovisioning in depth” to avoid security risks.

First, agencies should connect their human resources directories and identity management systems so that, when a user is deactivated in the HR system, the identity and access management (IAM) system revokes access to all applications.

That connection should be real-time, so that the HR system pushes changes to the identity management system rather than having the IAM system poll for changes periodically. “This enables deprovisioning to kick off sooner to block rogue users,” Sargent says.

IT teams should move to modern apps that use the Security Assertion Markup Language (SAML) or OpenID Connect standards to broker access, Sargent says. “Using these standards means that users don’t have a backdoor to access applications once they are blocked from accessing” the IAM system, he adds.

Additionally, IT teams should move to applications that use the System for Cross-domain Identity Management (SCIM) standard for managing user identities, according to Sargent. This enables IAM systems to remove user accounts from an app automatically.
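The three steps above (HR pushes a deactivation, the IAM system disables the identity so SAML/OIDC logins fail, and a SCIM request deactivates the account in each connected app) as one added example. This is not code from the article, Okta or OneLogin; the HR event format, the `ScimApp` and `IamSystem` classes and the in-memory SCIM endpoint are constructed stand-ins for real products.

```python
import json

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def scim_deactivate_body():
    """SCIM 2.0 PatchOp (RFC 7644) that sets the user's 'active' attribute to
    false; real IAM products send it as HTTP PATCH /Users/{id}."""
    return json.dumps({
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    })

class ScimApp:
    """Constructed stand-in for one application's SCIM /Users endpoint."""
    def __init__(self, name, users):
        self.name = name
        self.users = {u: {"active": True} for u in users}

    def patch_user(self, user_id, body):
        """Apply a PatchOp; returns an HTTP-style status code."""
        doc = json.loads(body)
        if SCIM_PATCH_SCHEMA not in doc.get("schemas", []):
            return 400
        if user_id not in self.users:
            return 404  # app never knew this user, or it was created out of band
        for op in doc["Operations"]:
            if op["op"] == "replace" and op["path"] == "active":
                self.users[user_id]["active"] = bool(op["value"])
        return 200

class IamSystem:
    """Constructed stand-in for the IdP/IAM broker that SAML and OIDC apps trust."""
    def __init__(self, apps):
        self.apps = apps
        self.disabled = set()

    def on_hr_event(self, event):
        """HR pushes status changes; a termination triggers both steps at once."""
        if event["status"] != "terminated":
            return None
        uid = event["user"]
        self.disabled.add(uid)           # 1: federated logins now fail everywhere
        body = scim_deactivate_body()    # 2: fan out SCIM deactivation to all apps
        return {app.name: app.patch_user(uid, body) for app in self.apps}

    def federated_login(self, user_id):
        """A SAML/OIDC app defers to the IdP, so a disabled user is denied."""
        return user_id not in self.disabled
```

Any status other than 200 in the returned report is an app where automatic deprovisioning did not take, which is the case that needs manual follow-up.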

Make Sure Deprovisioning Is Validated

A big part of deprovisioning is ensuring that an agency is meeting compliance regulations.

“Not only do you need to declare that someone (employee or contractor) has been deprovisioned — to satisfy auditors you need to be able to validate they’ve been deprovisioned,” Girard says.

Sargent notes that for auditing purposes, IT teams should use IAM systems that send all application access events to a Security Information and Event Management (SIEM) system. “This enables them to inspect access logs to see if any former employees or contractors continue to access agency applications,” he says.

With Okta tools, IT teams “can furnish logs that show that a specific employee or contractor has not accessed specific systems over specific periods of time, making it easy to validate that deprovisioning was successful,” Girard adds.
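The two checks described above (inspecting SIEM access logs for former users, and producing evidence that a specific user did not access systems over a period) as an added example; it is not code from the article, Okta or OneLogin. The roster, the JSON event format and the log lines are constructed samples, not any product's real output.

```python
import json
from datetime import datetime, timezone

# Constructed roster: identities HR/IAM deprovisioned, with UTC cutoff times.
DEPROVISIONED = {
    "jdoe@agency.example": "2017-09-01T17:00:00Z",
    "contractor7@vendor.example": "2017-09-05T12:30:00Z",
}

# Constructed sample of application access events as an IAM system would
# forward them to a SIEM (one JSON object per line).
SAMPLE_EVENTS = """
{"ts": "2017-09-01T16:45:00Z", "user": "jdoe@agency.example", "app": "grants-portal", "outcome": "success"}
{"ts": "2017-09-02T08:12:00Z", "user": "jdoe@agency.example", "app": "email", "outcome": "success"}
{"ts": "2017-09-03T09:00:00Z", "user": "asmith@agency.example", "app": "email", "outcome": "success"}
{"ts": "2017-09-06T23:59:00Z", "user": "contractor7@vendor.example", "app": "file-share", "outcome": "failure"}
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def iter_events(text):
    for line in text.strip().splitlines():
        yield json.loads(line)

def find_post_termination_access(events_text, roster=DEPROVISIONED):
    """Events by a deprovisioned user after the cutoff. A 'success' means an
    app was missed; a 'failure' means the old credential is still being tried."""
    hits = []
    for ev in iter_events(events_text):
        cutoff = roster.get(ev["user"])
        if cutoff and parse_ts(ev["ts"]) > parse_ts(cutoff):
            hits.append((ev["user"], ev["app"], ev["outcome"]))
    return hits

def attest_no_access(events_text, user, start, end):
    """Audit evidence: True only if `user` has no events in [start, end]."""
    lo, hi = parse_ts(start), parse_ts(end)
    return not any(ev["user"] == user and lo <= parse_ts(ev["ts"]) <= hi
                   for ev in iter_events(events_text))
```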

For more on security credentials, visit fedtechmag.com/identity.

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.