User provisioning and deprovisioning: Why it matters for IAM
Overprivileged and orphaned user identities pose risks. Cybersecurity teams should be sure user profiles grant only appropriate access -- and only for as long as necessary.
While a longstanding practice in IT, IAM provisioning and deprovisioning practices have expanded in recent years to accommodate cloud environments, zero-trust access principles, federated identities and much more. Vigilant organizations are careful to give employees appropriate access to systems based on their roles and then remove that access promptly when no longer required.
Secure provisioning and deprovisioning actions are critical -- and complicated. When done carefully, provisioning and deprovisioning enables an organization to control access to systems, applications and data.
What's required is rigorous technology implementation, process design and regular reviews of the provisioning and deprovisioning lifecycle.
User provisioning scenarios and steps
The provisioning and deprovisioning lifecycle typically involves several stages, each with specific actions to ensure workers have the access needed to do their jobs, while keeping the organization in step with security and compliance requirements. For onboarding users and provisioning accounts with the needed privileges, the following stages are common:
- User request and identity creation
  - User creation. When a new employee or contractor joins, their identity is created in the organization's IAM system, typically triggered by a record in an HR platform that initiates the request automatically.
  - Assignment of unique identifier. The user is assigned a unique identifier, typically a username, which is consistent across the organization's systems and applications.
  - Definition of roles and attributes. The user's role, department, location and other attributes are codified in the HR record. This information determines the user's level of access and associated permissions.
- Access rights and roles assignment
  - Role-based access control (RBAC). When an organization adopts RBAC, it grants access rights according to the principle of least privilege. These controls ensure that the user has only the access necessary to perform their particular job functions.
  - Policy-based access control (PBAC). A business might also choose to apply additional access controls based on policies. This approach imposes restrictions based on location, time or other parameters, aligning with remote work arrangements and zero-trust concepts.
  - Entitlements and permissions. Specific permissions for applications, systems or data resources are assigned based on predefined entitlements linked to the user's role and job function, which often fall outside the standard permissions of a group assignment model.
- Provisioning into systems
  - Account creation. The IAM system provisions accounts into a user directory in most cases, which then facilitates access to required applications and systems. This process can be automated or manual, depending on the system, but automation is much more common in account provisioning today.
  - Credential assignment. The user is provided with credentials such as passwords or MFA tokens, as well as instructions on how to log in securely.
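The three onboarding stages above, carried through in code as an added example (this is not the article's code and not any IAM vendor's API): an HR record drives identity creation with a collision-safe unique identifier, a role-to-entitlement map supplies the RBAC grants, and a policy function applies a PBAC condition before anything is provisioned. The role names, target systems, the country/status policy and the sample HR records are all constructed for illustration.

```python
"""Joiner provisioning driven by an HR record (added example).

Assumptions: a constructed HR record dict, a hypothetical role-to-entitlement
map (RBAC) and a hypothetical policy function (PBAC). Nothing here is a real
directory or IAM product call; the plan it returns is what a connector would
then apply to the target systems.
"""
from dataclasses import dataclass, field
import re

# RBAC: entitlements per job role, keyed by target system. Hypothetical values.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp": {"gl-read", "ap-submit"}, "sso": {"expense-app"}},
    "legal-counsel":   {"dms": {"contracts-rw"}, "sso": {"e-signature"}},
    "contractor":      {"sso": {"ticketing"}},
}


def policy_allows(hr: dict, system: str, entitlement: str) -> bool:
    """PBAC: a constructed policy layered on top of the role.
    'ap-submit' (payment submission) is only granted from approved countries;
    every grant requires the HR record to be in 'active' status."""
    if entitlement == "ap-submit":
        return hr["country"] in {"US", "CA"} and hr["status"] == "active"
    return hr["status"] == "active"


@dataclass
class ProvisionPlan:
    user_id: str
    accounts: dict = field(default_factory=dict)   # system -> set of entitlements
    denied: list = field(default_factory=list)     # (system, entitlement, reason)
    audit: list = field(default_factory=list)      # human-readable trail


def make_user_id(first: str, last: str, taken: set) -> str:
    """Unique identifier: first initial + last name, lowercase ASCII letters only,
    with a numeric suffix on collision so the id is unique across all systems."""
    base = re.sub(r"[^a-z]", "", (first[0] + last).lower())
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    taken.add(candidate)
    return candidate


def provision(hr: dict, taken_ids: set) -> ProvisionPlan:
    """Build the accounts and entitlements to create for one HR record."""
    if hr["role"] not in ROLE_ENTITLEMENTS:
        # Fail closed: an undefined role gets nothing rather than a guessed default.
        raise ValueError(f"no role definition for {hr['role']!r}; refusing to guess")
    plan = ProvisionPlan(user_id=make_user_id(hr["first"], hr["last"], taken_ids))
    plan.audit.append(f"identity created for HR id {hr['hr_id']} as {plan.user_id}")
    for system, ents in ROLE_ENTITLEMENTS[hr["role"]].items():
        for ent in sorted(ents):
            if policy_allows(hr, system, ent):
                plan.accounts.setdefault(system, set()).add(ent)
            else:
                plan.denied.append((system, ent, "policy condition not met"))
    # Least privilege: an account exists only in systems that grant something.
    plan.audit.append(f"accounts: {sorted(plan.accounts)}; denied: {len(plan.denied)}")
    return plan


# Constructed sample HR records (same surname to exercise id collision handling).
SAMPLE_HR = [
    {"hr_id": "H1001", "first": "Ada", "last": "Lovelace", "role": "finance-analyst",
     "country": "US", "status": "active"},
    {"hr_id": "H1002", "first": "Alan", "last": "Lovelace", "role": "finance-analyst",
     "country": "DE", "status": "active"},
]


def run_sample():
    taken = set()
    return [provision(h, taken) for h in SAMPLE_HR]


if __name__ == "__main__":
    for p in run_sample():
        print(p.user_id, p.accounts, p.denied)
```

The second record gets the same role but is denied `ap-submit` by the policy layer, which is the point of keeping PBAC separate from RBAC: the role says what the job needs, the policy says under which conditions it may be exercised, and the plan records both the grants and the denials for the audit trail.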
Adjustments to provisioning
The second phase of the provisioning and deprovisioning lifecycle is less specific in terms of timing, as it tends to occur periodically. This phase focuses on the user lifecycle, as people change jobs or other organizational changes occur. In this change management, or midlife management, phase, the following activities are typical:
- Access adjustments and role changes
  - Role modification. When a user changes roles or departments, their access is reassessed and updated to reflect the new responsibilities. IAM systems should automate this process based on changes in the HR system -- typically through changes to predefined role tags or group tags.
  - Attribute-based adjustments. Updates based on user attributes, such as location or job status, might modify access automatically to adhere to security policies.
- Temporary access requests
  - On-demand access. Users might request temporary access to additional resources outside of their usual role. This access should follow a workflow that includes requests and approvals from team leads or managers, with access granted for a limited time and managed automatically by IAM systems.
  - Logging and auditing. Temporary access requests should be logged, and a record of all approved and denied requests should be maintained for compliance and auditing purposes.
- Access reviews and certifications
  - Periodic access review. Security and IAM teams should perform regular reviews of access rights. Managers and system owners should assert that users still need the access they've been granted.
  - Revoking unneeded access. Access that is no longer necessary is revoked to maintain the principle of least privilege. IAM systems might automate notifications to managers for review and revocation of redundant permissions.
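The temporary-access and access-review activities above, modelled in one small grant store as an added example (not the article's code and not a product API): a temporary grant requires the requester's own manager as approver and always carries an expiry, expiring grants are surfaced ahead of time for a renewal decision, and a periodic review revokes every active grant the manager does not re-attest. The users, manager mapping, entitlement names and the 14-day notice window are constructed assumptions; the same expiry-with-notice logic is what the contractor scenario later in the article describes.

```python
"""Mid-life access management (added example, not the article's code).

Time-bound temporary grants with approval, expiry with advance notice, and a
periodic access review that revokes whatever is not re-attested. All users,
approvers and entitlement names are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Grant:
    user: str
    entitlement: str
    approver: Optional[str]      # None for standing RBAC grants
    expires: Optional[datetime]  # None for standing grants
    active: bool = True


class GrantStore:
    def __init__(self):
        self.grants = []
        self.log = []   # approved, denied, expired and revoked events

    def request_temporary(self, user, entitlement, approver, manager_of, now, days):
        """On-demand access: only the user's manager may approve, and the grant
        always carries an expiry. Denials are logged as well as approvals."""
        if approver != manager_of.get(user):
            self.log.append(f"DENIED {user} {entitlement}: {approver} is not the manager")
            return None
        g = Grant(user, entitlement, approver, now + timedelta(days=days))
        self.grants.append(g)
        self.log.append(f"APPROVED {user} {entitlement} by {approver} until {g.expires.date()}")
        return g

    def expire(self, now, notify_days=14):
        """Revoke grants past their expiry; return grants that expire within
        notify_days so the owner can be warned and extend them if needed."""
        expiring_soon = []
        for g in self.grants:
            if not g.active or g.expires is None:
                continue
            if g.expires <= now:
                g.active = False
                self.log.append(f"EXPIRED {g.user} {g.entitlement}")
            elif g.expires - now <= timedelta(days=notify_days):
                expiring_soon.append(g)
        return expiring_soon

    def access_review(self, attested):
        """Periodic review: every active grant not in the manager's attested set
        of (user, entitlement) pairs is revoked. Returns the revoked pairs."""
        revoked = []
        for g in self.grants:
            if g.active and (g.user, g.entitlement) not in attested:
                g.active = False
                revoked.append((g.user, g.entitlement))
                self.log.append(f"REVOKED {g.user} {g.entitlement}: not re-attested")
        return revoked

    def active_entitlements(self, user):
        return sorted(g.entitlement for g in self.grants if g.active and g.user == user)


def run_sample():
    # Constructed data: two users, two managers, one standing grant.
    manager_of = {"alovelace": "mgr-finance", "cbabbage": "mgr-eng"}
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = GrantStore()
    store.grants.append(Grant("alovelace", "gl-read", None, None))  # standing RBAC grant
    store.request_temporary("alovelace", "db-prod-read", "mgr-finance", manager_of, now, days=10)
    # Wrong approver: denied and logged, no grant created.
    store.request_temporary("cbabbage", "db-prod-admin", "mgr-finance", manager_of, now, days=10)
    soon = store.expire(now + timedelta(days=1))    # day 1: nothing expired, one warning
    store.expire(now + timedelta(days=11))          # day 11: the temporary grant lapses
    revoked = store.access_review(attested=set())   # manager attests nothing: gl-read goes
    return store, soon, revoked


if __name__ == "__main__":
    store, soon, revoked = run_sample()
    print("\n".join(store.log))
```

Note that the review treats silence as revocation: a grant survives only if someone positively re-attests it, which is the behaviour that keeps standing access from quietly accumulating.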
User deprovisioning scenarios and steps
The last major phase of provisioning is the revocation of user accounts and permissions assignments through deprovisioning. This offboarding phase is critical to security. Orphaned accounts that are still active can play a role in many types of incidents and breaches. Common activities and elements of this phase include the following:
- Triggering deprovisioning
  - Termination notification. When a user leaves the organization, HR applications send a notification to IAM systems to initiate deprovisioning.
  - Optional immediate suspension. User accounts could be immediately disabled to prevent any further access, especially in cases of involuntary termination.
- Access removal and account cleanup
  - Deactivation of accounts. Accounts in all connected systems and applications are deactivated, either instantly or within a specified time frame.
  - Data access revocation. Access to all data resources is removed -- usually automatically. Depending on organizational policy, data belonging to the user can be archived or reassigned to another user.
  - Credential deletion. Credentials associated with the user's account, such as passwords, MFA tokens and access keys, are deleted to prevent any unauthorized future access.
- Final account deletion and auditing
  - Permanent account removal. After a specified retention period for audit purposes, the user's accounts are permanently deleted from all systems.
  - Audit and compliance check. An audit trail of the deprovisioning process is reviewed to ensure compliance with organizational policies and regulatory requirements. This process ensures that access removal has been done and appropriately documented.
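The offboarding steps above as an added example (not the article's code and not any directory or PAM product's API): a termination event either schedules deactivation for the last day or, for involuntary termination, disables accounts and revokes credentials in every connected system immediately; permanent deletion waits out a retention period; and a reconciliation pass lists the orphans the section opens with, meaning enabled accounts with no active HR record. The three in-memory "systems", the 90-day retention period, the event format and the sample accounts are all assumptions.

```python
"""Leaver deprovisioning and orphan-account reconciliation (added example,
not the article's code). Target systems are constructed in-memory stand-ins;
system names, the retention period and the HR event format are assumptions.
"""
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # assumed audit retention before permanent deletion


class Directory:
    """Minimal stand-in for a connected system (AD, SSO, cloud IAM, PAM)."""
    def __init__(self, name):
        self.name = name
        self.accounts = {}  # user_id -> {"enabled", "credentials", "deleted"}

    def add(self, user_id, credentials):
        self.accounts[user_id] = {"enabled": True, "credentials": list(credentials),
                                  "deleted": False}


def deprovision(event, systems, audit, now):
    """Run offboarding for one HR termination event.
    event = {"user_id", "kind": "voluntary" | "involuntary", "last_day": datetime}
    Involuntary terminations are effective immediately; voluntary ones wait for
    the last day. Returns "scheduled" or "deactivated"."""
    uid = event["user_id"]
    effective = now if event["kind"] == "involuntary" else event["last_day"]
    if now < effective:
        audit.append(f"{uid}: deactivation scheduled for {effective.date()}")
        return "scheduled"
    for s in systems:
        acct = s.accounts.get(uid)
        if acct is None:
            continue
        acct["enabled"] = False            # deactivation in every connected system
        removed = len(acct["credentials"])
        acct["credentials"].clear()        # passwords, MFA tokens, access keys
        audit.append(f"{uid}: {s.name} disabled, {removed} credential(s) revoked")
    audit.append(f"{uid}: permanent deletion due {(effective + RETENTION).date()}")
    return "deactivated"


def purge(systems, audit, now, deactivated_at):
    """Permanent removal once the retention period has elapsed."""
    for uid, when in deactivated_at.items():
        if now - when >= RETENTION:
            for s in systems:
                acct = s.accounts.get(uid)
                if acct is not None and not acct["deleted"]:
                    acct["deleted"] = True
                    audit.append(f"{uid}: {s.name} permanently removed")


def find_orphans(systems, hr_active):
    """Reconciliation: enabled accounts with no active HR record are orphans.
    Catches both leavers that a connector missed and accounts HR never knew about."""
    return sorted({(s.name, uid) for s in systems
                   for uid, a in s.accounts.items()
                   if a["enabled"] and uid not in hr_active})


def run_sample():
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    ad, sso, pam = Directory("ad"), Directory("sso"), Directory("pam")
    systems = [ad, sso, pam]
    # Constructed accounts: one standard user, one privileged user, one stray account.
    ad.add("alovelace", ["password"]); sso.add("alovelace", ["mfa-token"])
    ad.add("cbabbage", ["password"]); pam.add("cbabbage", ["vault-key", "ssh-cert"])
    ad.add("svc-legacy", ["password"])   # no HR record at all
    audit = []
    # Voluntary leaver with two weeks' notice: deactivation waits for the last day.
    r1 = deprovision({"user_id": "alovelace", "kind": "voluntary",
                      "last_day": now + timedelta(days=14)}, systems, audit, now)
    # Termination for cause: immediate, across standard and PAM accounts.
    r2 = deprovision({"user_id": "cbabbage", "kind": "involuntary",
                      "last_day": now}, systems, audit, now)
    purge(systems, audit, now + RETENTION, {"cbabbage": now})
    hr_active = {"alovelace"}            # cbabbage terminated; svc-legacy unknown to HR
    orphans = find_orphans(systems, hr_active)
    return r1, r2, audit, orphans, systems


if __name__ == "__main__":
    r1, r2, audit, orphans, _ = run_sample()
    print("\n".join(audit)); print("orphans:", orphans)
```

The reconciliation is the check that catches what the event-driven path cannot: an account that was never tied to an HR record, or a connector that silently failed, shows up as an enabled account with no owner, which is exactly the orphan the deprovisioning process exists to prevent.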
IAM policies need to be managed, too
Ongoing governance and compliance are essential. IAM policies and processes, including the provisioning and deprovisioning lifecycle, should be reviewed regularly to address new risks, compliance requirements or organizational changes.
In addition, automated logging and monitoring of IAM activities should be in place. These provide an audit trail and assist in the detection of unauthorized access attempts.
Provisioning and deprovisioning use cases
Let's look at some examples of user provisioning scenarios and the steps for how they could be properly handled:
- A new hire joins an established, well-defined department, such as the finance or legal team. The new employee has highly specific job requirements requiring access to particular applications on-premises and in the cloud. The user's record is created in an HR application, such as Workday, which then initiates creation of a new user in Active Directory with predetermined group membership. This user is then federated to a cloud single sign-on (SSO) system, such as Okta, which has preprovisioned applications available in a portal when the user logs in.
- A contractor is brought on to work internally on a specific new product implementation. An HR record is created with a contractor label, which includes a specific contract time frame, such as six months or 12 months. This initiates a new account being created in a contractor group. A manager notes in the HR profile the particular RBAC and PBAC access to data stores, applications and other resources. The account automatically expires when the contract time frame is up, with automated notifications sent out two weeks prior so that the account can be extended if needed.
- A DevOps engineer needs a cloud service account and appropriate access keys to build and deploy resources into the cloud environment. Through an access request portal, an automated API-based request into the cloud environment triggers the creation of a cloud IAM account, access key provisioning, and any associated MFA and/or privileged access management (PAM) credentials or tokens.
The following are examples of user deprovisioning scenarios:
- An IT employee who has privileged access to servers, applications, data stores and numerous network environments decides to leave the company. This two weeks' notice triggers an automated HR system request to the IAM platforms in place to notify all necessary stakeholders responsible for systems and applications, as well as to set deactivation of both standard and PAM accounts on the worker's last day on the job.
- When an employee in the finance department is terminated for cause, the user account is flagged as high risk in the HR application. This triggers an immediate deactivation of the account and any associated credentials, such as MFA tokens. Deactivation also eliminates any access to federated SaaS applications within the SSO portal. Because all this results from termination, an automated alert is sent to the security team, which performs an assessment of access rights and reviews logs and alerts related to this user's behavior.
A wide range of tools supports these provisioning and deprovisioning activities, including SSO and federation platforms, such as Ping, Okta and Microsoft Entra ID, as well as PAM platforms, such as CyberArk and BeyondTrust.
Well-known identity governance administration vendors, including SailPoint, IBM and Oracle, offer platforms that can manage the entire lifecycle of IAM provisioning and deprovisioning; these can also integrate with other tools and applications, such as HR and ticketing systems. Because they are so complex, many of these tools require a fair amount of effort to implement and maintain.
Best practices for the IAM provisioning lifecycle
IAM provisioning best practices improve security, compliance and operational efficiency. The most prevalent of these practices recommend that an organization does the following:
- Implement the principle of least privilege. Ensure users have the minimum access necessary to perform their job functions. This reduces the risk of unauthorized access and data breaches. Regularly review permissions, and promptly remove any excessive or outdated access rights.
- Automate provisioning and deprovisioning. Automate the creation, updating and deletion of user accounts to reduce errors and speed up processing. Integration with HR systems for real-time updates ensures that provisioning reflects role changes, plus it handles deprovisioning at the appropriate time when users leave the organization.
- Use role-based and attribute-based access control. Define roles that reflect job functions, allowing users to inherit predefined access rights based on their roles. Attribute-based access control further refines access by incorporating dynamic criteria, such as location, time or specific user attributes.
- Perform regular access reviews. Conduct periodic user access reviews to ensure user permissions remain relevant and appropriate. Attestation processes, where managers review and reapprove permissions, help maintain compliance and keep access aligned with current business requirements.
- Implement MFA and SSO. MFA adds a layer of security, and SSO eases access management. With SSO's centralized user authentication, a business can streamline provisioning and deprovisioning. This makes it easier to enforce secure access policies across multiple applications.
- Enforce strong authentication policies and credential management. Establish policies for all credentials, including passwords, keys, tokens and MFA. Complement this with secure credential management, such as vaults for privileged access, to safeguard credentials and minimize the risk of compromised accounts.
These practices create an efficient and secure IAM provisioning lifecycle, one that adapts to organizational changes, minimizes unauthorized access risks and simplifies compliance management.
The user provisioning and deprovisioning lifecycle in IAM is essential for maintaining security, compliance and efficiency. By automating steps where possible, using consistent policies and conducting regular access reviews, organizations can protect their data, systems and users, while minimizing risks associated with overprivileged access and orphaned accounts.
Dave Shackleford is founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author, and GIAC technical director.