IT Employment

General discussion


Why negative confirmation is a BAD idea.

By The Admiral ·
Did you ever have an employee that just hung around? You might see a co worker?s name pop up in distribution lists or you may get return messages back from an invalid email address. But when you do a directory search on the employee you find that while they have been gone for two, three, or longer weeks, that they still are listed in the employee directory.

You send a note to the email address on the employee directory and it doesn?t bounce. It sits in the mailbox until finally, after four weeks, the process catches up with the now retired or laid off employee and deletes their ID and their access and removes them from the overall corporate system. Security checks based on the negative confirmation White Paper show that this is a fantastic idea, since you can remove people from the lists as soon as they are officially gone. But how long does it take?

I submit to all of the whitepaper and corporate security folks that negative confirmation is a BAD idea. What negative confirmation does is allow a userid to linger in a system for a long time (in some cases several weeks) in which the former employee still has access to the network and resources. The fact of the matter is that if we are placing security on a bounced email message, then we are not securing resources. Here?s a scenario that plays out all too often:

John Applegate is a contractor that ABC, Inc. has hired to do some consulting work while their consultant is out with a high maintenance customer. While John is at ABC, Inc. he comes up with an application that streamlines the sales & manufacturing areas and allows ABC, Inc. to better determine how much of their products they can manufacturer in a time period, giving them the ability to better size projects and costs. Once everything is settled, John?s services are no longer needed and he is laid off. The papers were processed on his leave, and his paperwork was working through the corporation in the removal from the system. Four weeks later, it was found out that someone had backed up his work and removed it from the server it was on, as well as found out that someone was logging in with his account information through the connectivity package and later downloading other corporation property.

Since the company does not perform computer forensics, they could not point directly to John as the person who did this deed. However, an internal audit focused on processes that caused the problem. They found that because the system did not take care of removing the appropriate actions fast enough, the breach was due to negative confirmation not being done in a more timely and effective manner. They decide that negative confirmation still has value, but the process has to be adjusted to close the time gap.

This is what I have been advocating since long before September 11, 2001. When a person who is a contractor or other is brought online to perform work, and they are let go, the effective date of the release of the employee is relayed to HR so that they can put it in the system, and when the person is walked to the door, it is then on that day all of the ID?s and accesses are removed. Say you know two weeks from today that George will be leaving the company. It takes HR a week and a half to process and remove the ID?s. You would submit the paperwork on Tuesday, and then on that last Friday, he would not have access.

Additionally, internal processes need to be upgraded so that the company is not waiting on any one particular group to finish processing. In an e-commerce world (e-business if you want to call it that), once an effective date is placed into the system, the HR application should be able to override the system and remove those on the day they are due to walk out & within the specific time.

This lack of due diligence on the part of managers and security aficionados concerns me, especially when we are banging employees on the head for security problems with their workstation, and avoiding a potential security breach by using negative confirmation when an employee leaves the company, or potential problems when an employee has the ?Out on Vacation? auto response turned on.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

I absolutely agree.

by stress junkie In reply to Why negative confirmation ...

Happily I have managed to work at places that did this sort of thing properly. Either the manager of the person who was leaving would call the IT department manager or a system administrator, or HR would provide a daily report of employee terminations. The second method leaves a gap of several hours so that is mostly useful as a backup to the first method. I guess I've just been lucky about working for places that at least did this process well.

Collapse -

Weeks? How about years!

by royhayward In reply to Why negative confirmation ...

In our defense the company that I had this experience with started as a small startup in the dot com era, and those setting things up had the best of intentions.


Several mergers later I start looking at some of our systems and we have user account that are still active because the user was a developer or a dba and used their personal account when installing a service or job on the production machines. Then thru the poor documentation practices of the starting up company they forget about it.

After they left for another startup opportunity, the Domain Admins disabled their account, production system broke. No one could find why and they re-enabled the account out of desperation.

Years pass. I and I am doing a security audit on our database and start seeing users I don't know with DB owner access on my server. (don?t just disable or remove them) I find out why and kick them out during a maintenance window where I can afford the down time to find the services that start producing errors.

Lesson 1: Startups or small companies (and sometimes large ones) can foster bad security habits.

Lesson 2: Don?t assume that the person that managed the server before you is really gone, their ghost may still be in the machine and actively doing things. Look for their login and audit what it does for a week or month before you perform the exorcism.

Lesson 3: (this one is just for me) Don?t show your anger at the appalling security situation that is left for you. This is why you are employed here.

Collapse -

I've been lucky

by Jaqui In reply to Why negative confirmation ...

in my employers, they have better reaction time than that.
within 1 day of someone leaving everything relating to them has been removed from active status.

since starting on my own, I personally delete my own access accounts when a contract is finished, and get the admin to change the admin password then and there, so they KNOW that I have no access afterwards.
Naturally, that is when I had to have admin access, not always the case, and if I don't need admin access to do the task(s) contracted, then I don't have it. I just make sure that the admin removes my account at the end of the contract.

Collapse -

Good Point, but... thin ice too.

by dawgit In reply to Why negative confirmation ...

maybe I've had the displeasure to have been removed from the books in such a case, just because I had been else-where. (& yes, I've been listed as dead more than once, by dumb-a$$ HRs just because they hadn't seen me in a while) In these days of out-soursing employees, off site projects, and even Mil.Reserve duty, those people whom you might not have seen in a while. (in some reservists cases, even years) may have to be kept on the books (for many various reasons, some legal!) The best practice is to know your people (well somebody in the organization anyway) -d

Collapse -

Six months

by RFink In reply to Why negative confirmation ...

My personal record is six months. I was laid off from a former job. Prior to being laid off I was "relieved" of my duties but had six weeks to find a position elsewhere in the company. To protect my privacy from the nosey e-mail admins I set up a rule to forward my e-mail to another e-mail account then delete it. I was still receiving e-mail six months later.

When they finally deleted my mail box I e-mailed the corporate auditor with the proof of this gross violation of corporate policy. He dealt with it.

Related Discussions

Related Forums