The security issues that arise when an employee leaves an organization can create considerable work and subsequent headaches for IT managers. In his recent article, “Take security precautions when an IT staff member leaves the company,” TechRepublic member Mark Gonzales outlined tips for ensuring that the network remains secure when someone leaves. Judging from a current TechRepublic discussion, members feel that maintaining a directory of all user passwords, security keys, and other user account information is the best and most efficient way to safeguard security-critical information.
A valuable time-saver
TechRepublic member Paul Kelley, a senior software engineer, finds it hard to believe that any manager would neglect to include a directory in his or her core business infrastructure. Directories are capable of storing all the information that grants an employee access privileges to data. If a directory system is in place when an employee leaves, there’s no need for IT staff to spend time hunting down access information and barring it from the system.
“For example, if a user's object is deleted, the deletion of the object is replicated throughout the entire directory and, as a result, nullifies that user's privileges to old applications, accounts, groups, hardware, etc.”
A few options
Network Administrator Brian Volpone is one of several members who use Novell’s NDS, an independent, cross-platform directory. The directory has saved him a considerable amount of time and hassle.
“I don’t have to notify multiple admins or check every server for passwords. Everything is managed in one place (except the obvious—accounts to databases and applications that exist outside of the directory).”
But, according to Michael Grinwis, a senior IS auditor, there are limitations to Novell’s directories:
“A Novell directory does not always work with mainframe or other proprietary systems for tracking access. We keep an Access database of all user access to monitor this.”
Member Mike New suggests going a step further than a directory or a hand-maintained database, to a policy-based provisioning system that tracks and revokes access on its own.
“Policy-based provisioning systems like Access 360 can automatically cancel access rights across all systems when someone leaves, recognize any new account that is created outside the system, and compare active accounts with a directory or database of authorized users.”
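The reconciliation that Grinwis’s Access database and New’s provisioning system are both doing by hand or by product can be sketched in a few dozen lines. The following is an added example, not code from TechRepublic or from any of the members quoted, and it models neither NDS nor Access 360: it takes an authoritative directory of users (the HR-fed source of truth) and per-system account exports, and reports every account whose owner has been terminated and every account that exists outside the directory altogether, the two conditions the quote above describes. The user IDs, system names, and the "approved non-human accounts" list are constructed sample data.

```python
"""Account reconciliation against an authoritative directory (added example).

Assumes three constructed inputs:
  DIRECTORY        - the directory of record; each user is active or terminated
  SYSTEM_ACCOUNTS  - account lists exported from systems the directory cannot
                     manage directly (mainframe, database, Unix box)
  APPROVED_NONHUMAN - service/operator accounts with no human owner that are
                     known and approved, so they are not flagged as rogue
"""
from dataclasses import dataclass

# Constructed sample directory. Mainframe IDs are upper-case, so every
# comparison goes through normalize() rather than raw string equality.
DIRECTORY = {
    "jdoe":     {"status": "active",     "groups": {"dev"}},
    "bvolpone": {"status": "active",     "groups": {"netadmin"}},
    "mgrinwis": {"status": "terminated", "groups": set()},
}

# Constructed per-system exports, as an admin might pull them each week.
SYSTEM_ACCOUNTS = {
    "mainframe":  ["JDOE", "MGRINWIS", "OPER01"],
    "oracle_hr":  ["jdoe", "bvolpone", "mgrinwis", "svc_backup"],
    "unix_build": ["jdoe", "temp_contractor"],
}

# Constructed: accounts that legitimately have no directory owner.
APPROVED_NONHUMAN = {
    "mainframe": {"OPER01"},
    "oracle_hr": {"svc_backup"},
}


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    reason: str   # "terminated_owner" or "no_directory_owner"


def normalize(name: str) -> str:
    """Fold case so 'JDOE' on the mainframe matches 'jdoe' in the directory."""
    return name.strip().lower()


def reconcile(directory, system_accounts, approved_nonhuman):
    """Compare every system's account list with the directory.

    Returns one Finding per account that should not exist on that system:
    either its owner is no longer active, or it was created outside the
    directory and is not on the approved non-human list.
    """
    findings = []
    for system, accounts in system_accounts.items():
        approved = {normalize(a) for a in approved_nonhuman.get(system, set())}
        for acct in accounts:
            key = normalize(acct)
            if key in approved:
                continue
            entry = directory.get(key)
            if entry is None:
                findings.append(Finding(system, acct, "no_directory_owner"))
            elif entry["status"] != "active":
                findings.append(Finding(system, acct, "terminated_owner"))
    return findings


def deprovision_plan(findings):
    """Group findings by system: the list of accounts each admin must disable."""
    plan = {}
    for f in findings:
        plan.setdefault(f.system, []).append(f.account)
    return plan


def terminate(directory, uid):
    """Return a copy of the directory with one user marked terminated.

    Mirrors the 'delete the object once, it propagates everywhere' idea:
    a single change here makes the next reconcile() flag that user on
    every system, without touching the systems themselves.
    """
    key = normalize(uid)
    if key not in directory:
        raise KeyError(f"{uid!r} is not in the directory")
    updated = {k: dict(v) for k, v in directory.items()}
    updated[key]["status"] = "terminated"
    return updated


if __name__ == "__main__":
    for f in reconcile(DIRECTORY, SYSTEM_ACCOUNTS, APPROVED_NONHUMAN):
        print(f"{f.system:11} {f.account:16} {f.reason}")
    after = terminate(DIRECTORY, "jdoe")
    print("after terminating jdoe:", deprovision_plan(
        reconcile(after, SYSTEM_ACCOUNTS, APPROVED_NONHUMAN)))
```

Run against the sample data, the first pass flags mgrinwis on the mainframe and the Oracle database (terminated owner) and temp_contractor on the build box (no owner in the directory), while OPER01 and svc_backup are skipped as approved. Terminating jdoe in the directory alone then causes all three of that user's accounts to appear in the next plan, which is exactly the leverage the directory proponents above are describing; the part the directory cannot do, actually disabling the account on the mainframe, is what the plan hands to the system's administrator or to a provisioning product.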
These directories may not be appropriate for every kind of organization. Often, a single person is put in charge of maintaining the directory itself, and according to Web developer Sanders Kaufman, that’s like vesting one person with the key to launching a Patriot missile.
“[Novell] NDS, Active Directory, and such are all well and fine for centralized management of security. But many larger and security-intensive organizations have a distributed policy of checks and balances.”
With several groups or individuals keeping a watchful eye on security issues, the process of tracking access data is a more hands-on procedure.
“These kinds of distributed, high-security systems negate the value of those technologies managing security.”
Do you have any horror stories about an ex-employee who stole data or sabotaged your organization’s system? Would a directory have prevented this from happening? Start a discussion and share your thoughts with other TechRepublic members.