How to better track identities within a company? [closed]

One of my responsibilities at work is to perform periodic user access reviews. A frustrating problem has been inconsistent to poor documentation, such that it becomes difficult to map users to roles. This poor documentation and general slipshod record-keeping is making it difficult for me to properly audit whether user accounts are legitimate, and increases the risk of unauthorized access to company data. Some quarters ago, there was an account where no-one knew the purpose of the account, and the owner of the account has long since been termed.

Like many places, access management is centrally managed through MS Active Directory at my company. Loose IAM gives rise to related headaches such as IT in the shadows.

I have talked to my manager, but our job function is not viewed favorably for obvious reasons in the company. Audit is necessarily an adversarial activity, and one will make enemies. IA and Security departments are our most reliable allies.

What are some practical ideas to improve tracking of electronic employee identities within a smaller company?

asked May 18 '16 at 2:02
Anthony

closed as too broad by Jim G., gnat, Lilienthal♦, Jan Doggen, paparazzo May 18 '16 at 7:55


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.

  • Can you outline what system is in place now? Do random people just add accounts to the AD?
    – nvoigt
    May 18 '16 at 2:59

  • I'm voting to close this question as off-topic because it seems much more appropriate on Information Security, even with the workplace component, as your main focus seems to be account management, not getting customer buy-in.
    – Lilienthal♦
    May 18 '16 at 6:45

3 Answers

Get together with the security department. Send a joint email to all staff saying that all users are to be audited. Have buy-in from the CEO (even try to get the email sent from their office), and any politics are already sorted.

Then run a list of all users. Any users who are not recognized should be suspended. If that happens to be a real user, you'll find out within a few hours from their manager when they complain.

Sell the exercise on the basis of minimum access: if a user does not have access to a particular resource, then they won't be blamed or fired if that resource is exposed in some way.

answered May 18 '16 at 3:18
PeteCon

The other answers are dead on. It is the responsibility of your department apparently to monitor for exactly these issues, and presumably to take action. If you are authorized to do so, a periodic revalidation is absolutely warranted. Each user must complete a form requesting access, with supervisor's approval, dated, and stored. It expires after a set amount of time, or not, depending on your chosen policy. Get reports from AD showing last login dates, and script up account locks for anyone not logged in for X days. Get regular reports from HR of who has been terminated in the past X days and go through and manually lock their accounts, or better yet have your department added to the checklist they go through when someone exits the company.

It is imperative that they understand the ramifications of allowing a potentially malicious, disgruntled former employee continuing access to their data. I would document the concerns (politely) in an e-mail, showing some specific areas of concern (e.g. your rogue unknown accounts) and including the impact of a breach on the company, staff, etc. Send that to your boss or whomever needs to see it.

Then it is on them to choose what to do. If you aren't empowered to impose policies, all you can do is sound the alarm. If they choose to ignore the alarm, you have done all you are allowed to do. By all means continue to motivate change, but if you are not authorized to solve the problem, then you are not responsible for a failure caused by that problem.

answered May 18 '16 at 4:45
Dave
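
The last-logon report and scripted lock that Dave's answer describes, written out as an added example (not code from the question or any answer): it lists enabled AD accounts inactive for N days, cross-checks an HR terminations list, flags accounts with no manager or description on record (the unknown-owner case from the question), and only disables anything when run with -Disable, honouring -WhatIf. The RSAT ActiveDirectory module, the HR CSV columns (EmployeeID, TerminationDate) and the file paths are assumptions.

```powershell
<#
  Added example, not code from the question or any answer: a stale-account
  and leaver reconciliation for Active Directory. Requires the RSAT
  ActiveDirectory module. The HR CSV layout and paths are assumptions.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]    $InactiveDays = 90,
    [string] $HrLeaversCsv = '.\hr_terminations.csv',  # assumed columns: EmployeeID,TerminationDate
    [string] $ReportPath   = '.\access-review.csv',
    [switch] $Disable                                  # report only unless set
)

Import-Module ActiveDirectory -ErrorAction Stop

$now    = Get-Date
$cutoff = $now.AddDays(-$InactiveDays)

# Employee IDs HR reports as terminated, keyed for fast lookup.
$leavers = @{}
if (Test-Path $HrLeaversCsv) {
    Import-Csv $HrLeaversCsv | ForEach-Object { $leavers[$_.EmployeeID] = $_.TerminationDate }
}

# LastLogonDate is derived from lastLogonTimestamp, which is only written back
# when it is more than about 14 days old, so treat it as coarse, not exact.
$users = Get-ADUser -Filter "Enabled -eq 'True'" `
    -Properties LastLogonDate, whenCreated, Manager, Description, EmployeeID

$findings = foreach ($u in $users) {
    $reasons = @()
    if ($u.EmployeeID -and $leavers.ContainsKey($u.EmployeeID)) {
        $reasons += "HR terminated $($leavers[$u.EmployeeID])"
    }
    if ($null -eq $u.LastLogonDate) {
        # Never logged on: stale only if the account is older than the window.
        if ($u.whenCreated -lt $cutoff) { $reasons += 'never logged on' }
    } elseif ($u.LastLogonDate -lt $cutoff) {
        $reasons += "inactive since $($u.LastLogonDate.ToString('yyyy-MM-dd'))"
    }
    # No manager and no description: nobody on record owns this identity.
    if (-not $u.Manager -and -not $u.Description) { $reasons += 'no owner recorded' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            EmployeeID     = $u.EmployeeID
            LastLogonDate  = $u.LastLogonDate
            Manager        = $u.Manager
            Reasons        = ($reasons -join '; ')
            Action         = 'none'
        }
    }
}

foreach ($f in $findings) {
    # Only inactivity or an HR leaver justifies disabling; 'no owner recorded'
    # alone is a review item for the account's business owner to answer.
    $disableWorthy = $f.Reasons -match 'inactive|never logged on|HR terminated'
    if ($Disable -and $disableWorthy -and $PSCmdlet.ShouldProcess($f.SamAccountName, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $f.SamAccountName
        # Leave the reason on the object so the next reviewer can see why.
        Set-ADUser -Identity $f.SamAccountName `
            -Description "Disabled $($now.ToString('yyyy-MM-dd')) by access review: $($f.Reasons)"
        $f.Action = 'disabled'
    }
}

if ($findings) {
    $findings | Sort-Object Reasons | Export-Csv -Path $ReportPath -NoTypeInformation
}
Write-Host "$(@($findings).Count) account(s) flagged; report written to $ReportPath"
```

Run it without -Disable first and circulate the CSV to managers for the revalidation step; the 14-day lag in lastLogonTimestamp means an account can look up to two weeks staler than it is, so keep the window comfortably above that.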

The obvious answer is to make accounts justify themselves periodically, with a copy of the request to their managers. Those not responding get closed.

If you don't know the account's owner, you have a bigger problem and need to fix that first. But that's technical, not workplace.

answered May 18 '16 at 3:06
keshlam
