User Account Lifecycle

All corporate employees fall under the user accounts umbrella. Identity management is the management of every account within the corporate domain, and each account has a life cycle that the IT department must manage from creation to removal. A general account policy should be established with standards and procedures to be followed throughout that life cycle, and a person or department should be designated to carry out the life cycle tasks. The following events or activities are included as account maintenance during the account life cycle:

Provisioning

During the provisioning phase, accounts are created, and the appropriate application licenses, system rights, and privileges are assigned to the account. User entitlement refers to the rights and privileges provided to a user. An important consideration when establishing a new user account is naming and identifying standards established by the policies. This maintains a consistency of account names, email addresses, and private folder names. To speed this provisioning process, many IT departments have established a number of user groups of like roles or privileges and assigned the individual to the appropriate group. These groups might be the accounting department, sales department, senior executives, marketing department, and so on.

This grouping of roles also involves assigning various security privileges, which in this case is role-based access control (RBAC). Some organizations use an automated provisioning application where the HR department enters various new-hire information, including an assigned group or role, and the software application provisions the account using this department-supplied information.

Password Maintenance

Password requirements are set by corporate policy and usually enforced through Windows Server Group Policy. Passwords should conform to the length and complexity, expiration date, minimum password age, password history, and other provisions of the corporate password policy.

Account Audit

Accounts should be audited on a schedule specified in the corporate account policy to determine whether the account's current access rights and privileges still match the role and requirements of the position the user now holds. This prevents privileges from accumulating through job rotation or reassignment.

Account Proofing

The term account proofing has various meanings in different circles. Microsoft has used it to mean requiring an authentication validation, such as a phone number, address, or zip code. In other scenarios, the term refers to verifying that the account belongs to the stated individual through the use of various authentication tests and audit techniques.

Account Privilege Change

A change management process should be established to service the requirements of assigning additional rights and privileges to an individual account.

Account Entitlement

Account entitlement refers to the access enabled or available for any user account. Various government and financial-institution regulations require regular annual audits of user accounts that access sensitive applications and data.

Account Deactivation

This is a procedure undertaken immediately upon resignation or termination of an account owner. A corporate policy or service-level agreement (SLA) should be established that triggers account deactivation immediately upon a separation event. All managers and HR individuals must be aware of the policy and how to take immediate action to protect the company assets. Account deactivation removes only the password and user access. All underlying folders and information remain intact.
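The scheduled account audit described above and the separation check in this section can be expressed as one comparison of the directory's current state against the RBAC role baseline. The following is an added example, not code from the original post; the role names, group names, account records and dates are constructed sample data.

```python
"""Audit accounts against an RBAC baseline: flag entitlements beyond the
current role (privilege creep after job rotation) and accounts still enabled
after a separation event. All data below is constructed for illustration."""
from datetime import date

# Constructed baseline: the groups each role is entitled to (RBAC).
ROLE_BASELINE = {
    "accounting": {"Domain Users", "Finance-Share-RW", "ERP-Users"},
    "sales": {"Domain Users", "CRM-Users", "Sales-Share-RW"},
    "senior-exec": {"Domain Users", "Exec-Share-RW", "CRM-Users", "ERP-Users"},
}

# Constructed inventory as it might be exported from the directory.
# jdoe moved from accounting to sales but kept the finance share;
# bwong left the company in December but was never deactivated.
ACCOUNTS = [
    {"sam": "jdoe", "role": "sales", "enabled": True, "separated": None,
     "groups": {"Domain Users", "CRM-Users", "Sales-Share-RW", "Finance-Share-RW"}},
    {"sam": "asmith", "role": "accounting", "enabled": True, "separated": None,
     "groups": {"Domain Users", "Finance-Share-RW", "ERP-Users"}},
    {"sam": "bwong", "role": "sales", "enabled": True, "separated": date(2011, 12, 20),
     "groups": {"Domain Users", "CRM-Users", "Sales-Share-RW"}},
]


def audit_account(acct, baseline, today):
    """Return a list of findings for one account (empty list means clean)."""
    findings = []
    allowed = baseline.get(acct["role"])
    if allowed is None:
        # A role with no baseline cannot be audited; report it for follow-up.
        findings.append(f"no baseline for role '{acct['role']}'")
        return findings
    # Entitlements the current role does not grant: candidates for removal.
    excess = acct["groups"] - allowed
    if excess:
        findings.append(f"excess entitlement beyond role '{acct['role']}': "
                        + ", ".join(sorted(excess)))
    # Separation should have triggered deactivation immediately.
    if acct["separated"] is not None and acct["enabled"]:
        days = (today - acct["separated"]).days
        findings.append(f"still enabled {days} days after separation on "
                        f"{acct['separated'].isoformat()}")
    return findings


def audit(accounts, baseline, today):
    """Audit every account; map account name to its list of findings."""
    return {a["sam"]: audit_account(a, baseline, today) for a in accounts}


if __name__ == "__main__":
    for sam, findings in audit(ACCOUNTS, ROLE_BASELINE, date(2012, 1, 2)).items():
        print(sam, "OK" if not findings else "; ".join(findings))
```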

Account Deprovisioning

This is the organized dismantling of the user account's rights and privileges, together with archiving any folders, data, applications, user history, logs, or other user-specific information as required by policy. Ultimately, hardware is recycled, disposed of, or destroyed as required by policy.


Published on Mon 02 January 2012 by Anthony Norton in Security with tag(s): accounts