Skip main navigation

Deprovisioning

In this video, you will learn about the deprovisioning process; that is, removing access to a system.
6.7
So deprovisioning, this is when we are removing access. And again, we’re looking for some kind of formal approval, somebody to request this as a process, somebody to trigger this process. What is the trigger for the deprovision? Is this a management notification? Is it the removal of the individual from the HR system? Is it a lack of activity over a period of time for a particular account? We want to understand the completeness of the deprovisioning process. We want all systems and privileges to be removed. And this can be difficult with access to shared keys. If we have somebody who has access to service accounts, door codes, router passwords, how do we manage that consistently?
51.2
Again, if we’ve got individual line of business systems, we need to revoke permissions to all of those individual systems and services. Sometimes, we may wish to consider disabling a user rather than deprovisioning as a cautionary step. So when we get the request to deprovision, we may want to disable the account for a period of maybe a week before we process the actual deletion, in case somebody hands the notice in but then withdraws and decides to stay in the organization. Or whether there’s a need for information relating to that account to be recovered. We do need to be careful of personally identifiable information, though. A good example of this was with social media sites like Facebook, where you deleted your account.
102
But actually if you click ‘Delete account’, it did not delete the account. If you logged in a year later, all of your information came back. This is no longer acceptable if you have personally identifiable information under the European Union General Data Protection Act, General Data Protection requirement, that we will look at in more detail later in the course. So our process needs to cater for different sets of circumstances. Ideally, the manager is involved in this process. The manager of the departing owner of the account has some perspective, has some involvement. Common to have a retention period for information. Some of our records may need to be treated differently, though, as we’ve said regarding personally identifiable information.
151.5
But we want to make sure that the business records associated with the account are not deprovisioned. Quite often, the work that a user has done, related to their credential, needs to survive. We do have some common issues. Again, that I’m sure you guys see, and that I certainly see, day-to-day, which is recovering passwords that have been stored in a mailbox, or information that’s been stored in an email account. Good examples of this are Word documents, Excel documents that have been stored in a shared area but which are password protected. And five years later, you need access to that document, the employee has left the organisation, and nobody has any memory of what the document password is.
198.2
So do we need to structure information prior to the departure, prior to the deprovisioning? Do we need to archive any information?

In this video, you will learn about the deprovisioning process; that is, removing access to a system.

Once you have watched the video, consider the following:

  • do you need to deactivate or deprovision a user?
  • beware of retaining any identity-related information.
  • how will you archive the data?

Reflect and share: How do you handle the deprovisioning process? What experience can you share with your fellow learners?

This article is from the free online

Cyber Security Foundations: Identity and Access Management

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education