Citigroup announced it may fire as many as 50,000 employees. Hidden amid Citigroup's perceived savings is the cost of managing to shut down access to as many as 1 million accounts, user names and passwords that falls on the IT department. Managing that process effectively can be the difference between a data breach and peace of mind.
More than 50,000 layoffs at Citigroup; plans for as many as 6,000 at Sun Microsystems. With the current state of the economy, many companies are going to be faced with the prospect of managing the retirement of numerous accounts.
While it sounds simple enough, a study by eMediaUSA released earlier this year found 27 percent of respondents had more than 20 orphaned accounts within their organization. The survey, which was commissioned by Symark, also revealed it took many of the respondents more than three days to terminate an account after an employee or contractor left. Twelve percent said it took more than a month.
As the breach at LendingTree this year illustrated, the presence of such accounts can pose a serious security risk. In that case, former employees helped mortgage lenders gain access to confidential information through orphaned accounts. Such behavior may not be as rare as we want to believe-a Cisco-sponsored survey of 2,000 employees and IT professionals released this month revealed one in 10 end users had either stolen technology, accessed someone else's computer and stolen information and sold it, or known of co-workers who did.
Add up these facts, and you're left with the importance of managing the retirement of user accounts effectively. At Thrivent Financial for Lutherans, a financial services organization based in Minneapolis and Appleton, Wis., the process begins when the human resources department is notified that an employee has been terminated.
"The responsibility to terminate access falls on the line manager," explained Craig Cooper, senior project manager at Thrivent. "When HR receives a termination notice, our IDM [identity management] solution automatically terminates accounts and removes them from the target systems. This process is used for tracking employees and non-employees. If the manager does not terminate the account, the employee is still on the payroll."
The HR system tells the IDM system about the termination, which then communicates the appropriate changes to the target systems, he continued. In some cases, access to the target systems is automatically terminated by the IDM system, but in other cases the IDM system sends a work request to a security administrator to handle. Once it's completed, it marks it as done in the IDM system, he added.
"This standard process is used for terminations as well as new hires and job changes," Cooper said. "Access cannot follow an employee throughout their career. If it does, you end up with potential segregation of duties issues."
Managers review access semiannually for employees and quarterly for contractors. Cooper stressed that there is no manual element to the process. That is likely a good thing, as handling the process manually can be time-consuming in large environments.
"If the processes are well-defined with complete workflows identified and responsible parties participating at the right portions of the process, much of this can be addressed manually," said Gartner analyst Earl Perkins. "However, it can be labor-intensive in complex environments or in large-scale ones without an automated system of some kind."
There is no shortage of technology to help businesses automate the process. Sun, Oracle, IBM and others all have identity management tools on the market. However, having the right policies and procedures in place can be just as important as technology, particularly when it comes to mass layoffs or mergers.
"In these cases, it is important that IT not only work with HR but also provide necessary communication to the business managers in each department," said Matt Shanahan, senior vice president of marketing and strategy at AdmitOne Security. "Without strong communications, IT help desk will be flooded with questions about access to information and applications."