6 steps to cutting the cord with departing employees
NASA uses a check in/check out de-provisioning checklist that invokes six inter-departmental actions that cut off outgoing workers from networks, applications, e-mail accounts and other agency resources.
After decades of televised launch countdowns and Hollywood movies, NASA has become famous for checklists that keep missions running smoothly. So it’s probably no surprise that when an employee or outside contractor is leaving the agency, security officials turn to a checklist to guide a clean separation.
Following a process laid out in the check in/check out de-provisioning checklist, officials invoke six inter-departmental actions that cut off outgoing workers from networks, applications, e-mail accounts, and other agency resources.
Thus, when hypothetical employee J.P. Goddard, a network administrator with ten years at the agency, submits his resignation, NASA can effectively de-provision him within minutes, if necessary.
But NASA and other large agencies have learned that it’s difficult to develop a single switch to flick and reliably block access to all the various systems that contain sensitive information. Just identifying all the accounts a long-term employee like Goddard may have isn’t always easy.
Adding to the public-sector challenge are armies of outside contractors with temporary rights to internal IT and business systems that must be quickly shut down when individuals take new assignments or contracts expire.
And when de-provisioning glitches occur they could be costly. In one recent example, a newly resigned auditor at the California Water Service returned to the offices one night this spring to use his prevailing access rights to wire $9 million to offshore bank accounts, though officials cancelled the transaction upon discovering it.
To cope with de-provisioning challenges, NASA has been working for years to develop its check in/check out process, or CICO, and to further an ongoing effort to centralize authorization and identity information to make fast responses possible.
“We keep the human factor to a minimum through automation,” said Jerry Davis, NASA’s deputy CIO for IT security. “If one person is not fully de-provisioned even though he’s gone, that becomes a problem from a security perspective. Even one account is one too many.”
Comprehensive processes
De-provisioning isn’t challenging because it’s inherently difficult to cut off access rights or retrieve badges and communications devices, CIOs and security officials said. Instead, the difficulty lies in creating a system that ensures no detail is accidentally overlooked.
If a new hire still can’t access the network or send e-mail after a day, he or his manager may complain until the proper authorizations are established, said Will Brown, Windows Active Directory infrastructure specialist with Quest Software, a systems management software vendor.
“But when that person is removed people may get into their normal mode of work and [de-authorizations] are just simply missed. Now you have a short-term or long-term security breach,” he said.
Examples of how unaddressed details can create security breaches came to light earlier this year in a review of the Federal Maritime Commission. The Inspector General’s Office found de-provisioning problems that ranged from minor infractions, like a student volunteer who failed to turn in a building access card, to more serious violations, including one former employee who retained access privileges to the internal procurement system for six months after departure.
Concerns like these motivate federal agencies to create automated checklists like NASA’s CICO to keep important de-provisioning steps from falling through the cracks.
CICO is both a workflow process and a Web-based application that helps ensure that an employee like Mr. Goddard relinquishes his notebook computer, smart phone and credit cards, and that the agency successfully blocks his further access to the network and other IT resources.
In the first step, Goddard’s managers enter his name and departure date into CICO to initiate the separation. They then review a list of representative assets, such as laptops and cell phones, that a person in Goddard’s role may have been assigned.
In the second step, CICO sends automated e-mail alerts to all the various departments that have a role in Goddard’s impending departure. Besides the HR and IT departments, recipients include facilities, administrative services, and security personnel.
Security veterans said it’s important to quickly lock down assets because the separation may be producing heightened emotions in someone like Goddard, causing the normally trustworthy staff member to act out of character.
“For a lot of employees being in an employment separation circumstance is a time of heightened emotions,” said Kevin Rowney, founder of security-software vendor Symantec’s data loss prevention group. “Bad judgment can come into play.”
Research bears this out. A Ponemon Institute survey sponsored by Symantec looked at data loss risks during downsizing across a wide cross section of industries, including the public sector. The study found that 59 percent of departing employees stole data during the severance process.
A quarter of the respondents said their ability to access data continued, sometimes for a week or more after the split. Within this group, a third said they in fact did access their former employer’s system and that their credentials remained valid.
Overall, 67 percent of the data thieves said they took confidential, sensitive, or proprietary information to aid them in their new job. A similar percentage said they planned to use e-mail and customer contact lists, as well as employee records from their former employer.
Accurate information
In the important third CICO step, Goddard’s managers match the generic asset list from the first step with actual assignment records to develop a more complete list of the resources and access rights in his possession.
But compiling an accurate list can be one of the biggest challenges of exit processes. One problem is “zombie” accounts, unused but still-active log-ins to networks, applications, and databases that aren’t decommissioned as employees take on new roles and responsibilities in the agency. Without detailed processes in place, organizations may not judiciously weed out past access rights as employees acquire new ones.
“If you don’t know what accounts exist, you can’t de-provision them,” said Todd Chambers, vice president of marketing at Courion Corp., which sells identity management and provisioning software. “Some of our customers thought they had 40,000 identities to manage, but when they went through this weeding out process they found perhaps less than half of them were current.”
The fourth step creates work orders for NASA staff members to recover or deactivate each of the assets identified in the previous step.
“We can literally de-provision someone in a matter of minutes,” Davis said. “You definitely don’t want it to linger and have someone who is no longer working for the organization with open accounts or access to the network or to the data anymore.”
NASA’s work consolidating Active Directory accounts used to authenticate Goddard’s privileges to the network and applications is helping to speed this step. Dubbed NCAD, for NASA Centralized Active Directory, the project is bringing individual directories created at various NASA locations under a single, centralized directory.
NCAD is part of a larger effort to create an environment where employees will be able to use a single sign-on procedure to access multiple applications and resources, Davis said. But for now, it’s also paying dividends by streamlining the exit process.
“It’s the single point we can go to and take away their privileges across multiple systems,” he said. “We get an increased posture of security because we can centralize access to resources.”
But consolidating tens of thousands of Active Directory accounts hasn’t been easy. The agency first had to “clean up” existing Active Directory accounts by confirming that access rights were properly defined before it could migrate them into the single Active Directory environment. These operations represent much of the work NASA has focused on during the almost two years it has spent on the project. Because of the large number of accounts being centralized, the effort may not be complete until 2011.
Quest’s Brown warned that using Active Directory alone to control IT access may not be enough for some organizations.
“There are legacy mainframe applications and Web-based applications that have their own set of means for authenticating access,” he said. “So if I can still find a way into those environments, theoretically I can still get to other systems even though I don’t have credentials within AD anymore.”
For its part, NASA already includes users of Mac hardware and software in the Active Directory infrastructure. As part of the longer-term plan, it will assess whether to add its Linux and Unix systems to the environment.
NASA’s NCAD works in conjunction with other authorization tools, including ones for addressing zombie accounts. The agency is expanding the number of passwords it manages in IdMAX (Identity Management and Account Exchange), the agency’s portal for obtaining NASA badges and IT access rights.
“That’s another place where we can de-provision someone from one single location,” Davis said.
Centralized identity management systems are also important for managing the comings and goings of contract employees. The Department of Energy uses a central identity system that combines custom DOE code with an Oracle management application that tracks the access rights of contractors.
When a contractor employee leaves the project, the federal sponsor within DOE goes into the identity management system and sets up a termination date to turn off access rights.
“The norm is for somebody to go through the checkout process a day or two before the termination date,” said Tom Pyke, DOE’s chief information officer. “But we can do it within minutes if it’s an emergency situation.”
Pyke also credits the agency’s enterprise architecture with helping to speed de-provisioning and assure that it’s comprehensive.
“The fewer moving parts, the easier it is to coordinate [de-provisioning],” he said. “That minimizes the number of systems that need to talk to each other when separating an employee.”
Final steps
In the fifth step of NASA’s CICO process, managers update the check-out work orders to indicate status for retrieved or deactivated resources.
And in the final step, which typically occurs on Goddard’s final day, someone in HR reviews the checklist to flag and act on any missing elements in the CICO process.
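The six CICO steps described above, modelled as a small workflow. This is an added illustration, not NASA’s CICO application or any code from the agency; the role templates, asset-to-department routing, the employee record and the assignment records are all constructed for the example. The one design point worth noticing is in step 3: the reconciled list is the union of the role template and the assignment records, so a login left over from an earlier role (which the template would never list) still gets a work order, and step 6 surfaces any order still open on the final day with accounts ahead of physical items.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Status(Enum):
    OPEN = "open"
    RETRIEVED = "retrieved"      # physical asset handed back
    DEACTIVATED = "deactivated"  # account or access right switched off


# Constructed lookup: representative assets someone in a given role may hold (step 1).
ROLE_ASSET_TEMPLATES = {
    "network administrator": [
        "laptop", "smartphone", "building badge",
        "directory account", "vpn account", "admin account",
    ],
}

# Constructed lookup: which department recovers or deactivates each asset (step 2 recipients).
ASSET_OWNER_DEPT = {
    "laptop": "IT", "smartphone": "IT", "directory account": "IT",
    "vpn account": "IT", "admin account": "IT",
    "credit card": "administrative services",
    "building badge": "security",
    "procurement system login": "procurement",
}


@dataclass
class WorkOrder:
    asset: str
    dept: str
    status: Status = Status.OPEN


@dataclass
class Separation:
    name: str
    role: str
    departure: date
    candidate_assets: list = field(default_factory=list)   # from the role template
    confirmed_assets: list = field(default_factory=list)   # after reconciliation
    notified: set = field(default_factory=set)
    work_orders: dict = field(default_factory=dict)


def initiate(name, role, departure):
    """Step 1: record name and departure date, pull the role's representative asset list."""
    return Separation(name, role, departure,
                      candidate_assets=list(ROLE_ASSET_TEMPLATES.get(role, [])))


def notify(sep):
    """Step 2: every department that owns a candidate asset gets an alert; HR always does."""
    sep.notified = {"HR"} | {ASSET_OWNER_DEPT.get(a, "IT") for a in sep.candidate_assets}
    return sorted(sep.notified)


def reconcile(sep, assignment_records):
    """Step 3: merge the generic template with the actual assignment records.
    The union is kept: a template item with no record is still checked, and a
    recorded item the template never listed (a login from an earlier role, say)
    is exactly the kind of thing that otherwise gets missed."""
    sep.confirmed_assets = sorted(set(sep.candidate_assets) | set(assignment_records))
    return sep.confirmed_assets


def create_work_orders(sep):
    """Step 4: one work order per confirmed asset, routed to the owning department."""
    for asset in sep.confirmed_assets:
        sep.work_orders[asset] = WorkOrder(asset, ASSET_OWNER_DEPT.get(asset, "IT"))
    return len(sep.work_orders)


def update_work_order(sep, asset, status):
    """Step 5: the owning department records the outcome for one asset."""
    sep.work_orders[asset].status = status
    return sep.work_orders[asset]


def final_review(sep):
    """Step 6: on the final day HR lists anything still open, accounts first,
    since an account left open after departure is the costly case."""
    def is_account(wo):
        return "account" in wo.asset or "login" in wo.asset
    open_items = [wo for wo in sep.work_orders.values() if wo.status is Status.OPEN]
    open_items.sort(key=lambda wo: (not is_account(wo), wo.asset))
    return [(wo.asset, wo.dept) for wo in open_items]


def run_example():
    """Drive the six steps for the constructed employee J.P. Goddard."""
    sep = initiate("J.P. Goddard", "network administrator", date(2009, 6, 30))
    notify(sep)
    # Constructed assignment records: no smartphone on file, but a procurement
    # login left over from an earlier role that the template does not know about.
    reconcile(sep, ["laptop", "building badge", "directory account",
                    "vpn account", "admin account", "procurement system login"])
    create_work_orders(sep)
    for asset in ("laptop", "building badge"):
        update_work_order(sep, asset, Status.RETRIEVED)
    for asset in ("directory account", "vpn account", "admin account"):
        update_work_order(sep, asset, Status.DEACTIVATED)
    # The smartphone never came back and the old procurement login was not
    # closed: step 6 surfaces both, the login first.
    return sep, final_review(sep)


if __name__ == "__main__":
    _, open_items = run_example()
    for asset, dept in open_items:
        print(f"still open: {asset} ({dept})")
```

Run as a script it prints the two items still open on Goddard’s last day. The template-plus-records union is deliberately conservative: it may generate a work order for something the person never actually held, which costs a department a few minutes to close, whereas trusting the template alone would have silently skipped the procurement login.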
Davis said that while CICO provides a de-provisioning framework, the agency uses other internal systems, such as the Federal Personnel Payroll System payroll and NASA’s WebTADS time-card applications, as “checks and balances” to assure the exit process is complete.
For example, employees submit time-card hours to WebTADS every two weeks and are prompted to regularly reset their passwords in the application.
“Those are key things that organizations can use to help facilitate check-out processes,” Davis said. “If an individual is not submitting his time card online every couple of weeks that should be a clue that he’s not working there anymore.”
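Two of the checks this article describes are easy to run against an account export once identity data is centralized: the “zombie” account hunt from the Accurate information section (enabled accounts whose owner has left, or who was never on the roster, plus accounts that accumulated across role changes) and Davis’s time-card clue above (an active account whose owner has stopped submitting time cards). The following is an added example and not NASA’s, DOE’s or any vendor’s code; the roster, the role-to-system entitlement map, the account export and the time-card log are all constructed for it, and the 14-day window simply mirrors the two-week submission cycle the article mentions.

```python
from datetime import date


# Constructed HR roster: current status and role for each person.
ROSTER = {
    "jgoddard": {"role": "network administrator", "active": True},
    "asmith":   {"role": "auditor", "active": False},   # separated; exit paperwork done
    "bchen":    {"role": "analyst", "active": True},
}

# Constructed entitlement map: the systems each role is expected to hold accounts in.
ROLE_SYSTEMS = {
    "network administrator": {"directory", "vpn", "admin-console"},
    "auditor": {"directory", "procurement"},
    "analyst": {"directory"},
}

# Constructed account export from several systems, including one outside the directory.
ACCOUNTS = [
    {"system": "directory",   "user": "jgoddard",   "enabled": True},
    {"system": "vpn",         "user": "jgoddard",   "enabled": True},
    {"system": "procurement", "user": "jgoddard",   "enabled": True},   # left over from an earlier role
    {"system": "procurement", "user": "asmith",     "enabled": True},   # owner has left: zombie
    {"system": "directory",   "user": "asmith",     "enabled": False},
    {"system": "mainframe",   "user": "tvolunteer", "enabled": True},   # no roster entry at all
    {"system": "directory",   "user": "bchen",      "enabled": True},
]

# Constructed time-card log: date of the last submission per user.
LAST_TIMECARD = {
    "jgoddard": date(2009, 6, 12),
    "bchen": date(2009, 5, 1),
}


def zombie_accounts(accounts, roster):
    """Enabled accounts whose owner is not an active person on the roster.
    Catches both separated staff and identities the roster never knew about."""
    return sorted(
        (a["system"], a["user"]) for a in accounts
        if a["enabled"] and not roster.get(a["user"], {}).get("active", False)
    )


def role_drift(accounts, roster, role_systems):
    """Enabled accounts of active staff in systems their current role does not
    call for: the access that piles up as people change jobs inside the agency."""
    drift = []
    for a in accounts:
        person = roster.get(a["user"])
        if not a["enabled"] or person is None or not person["active"]:
            continue
        if a["system"] not in role_systems.get(person["role"], set()):
            drift.append((a["system"], a["user"]))
    return sorted(drift)


def stale_timecards(accounts, roster, last_timecard, today, max_gap_days=14):
    """Active roster users holding an enabled account who have not submitted a
    time card within one pay period. Not proof of departure, just the clue
    that somebody should check. Returns (user, days since last card or None)."""
    users_with_access = {a["user"] for a in accounts if a["enabled"]}
    stale = []
    for user in sorted(users_with_access):
        if not roster.get(user, {}).get("active", False):
            continue  # already a zombie finding; do not report it twice
        last = last_timecard.get(user)
        gap = (today - last).days if last else None
        if gap is None or gap > max_gap_days:
            stale.append((user, gap))
    return stale


if __name__ == "__main__":
    today = date(2009, 6, 15)
    print("zombie accounts:", zombie_accounts(ACCOUNTS, ROSTER))
    print("role drift:", role_drift(ACCOUNTS, ROSTER, ROLE_SYSTEMS))
    print("stale time cards:", stale_timecards(ACCOUNTS, ROSTER, LAST_TIMECARD, today))
```

The three checks are deliberately independent so each finding lands with the right owner: zombie accounts go straight to a deactivation work order, role drift goes to the manager who can confirm whether the old entitlement is still needed, and a stale time card is only a prompt for HR to confirm the person is still employed. Note that the mainframe account is found even though the person was never in the directory, which is the gap Brown describes when Active Directory alone is treated as the control point.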