Provisioning and Deprovisioning

A commonly encountered theme found within the CISSP® guidance involves appropriately managing security throughout an asset’s lifecycle. The terms provisioning and deprovisioning further highlight this emphasis. Provisioning is the process through which an asset is brought into an operational state, sometimes referred to as being put into production. Security must be considered in advance of provisioning to ensure that the process is handled with sufficient rigor and in a manner that does not negatively impact the security posture that has been deemed acceptable.

Inevitably, a time will arise at which point an asset no longer needs to be operational. Deprovisioning is the process by which an asset is safely removed from production. This process too will require consideration from the vantage point of security. While provisioning/deprovisioning simply represent generic processes that could aptly be used in reference to any asset, these terms are more commonly encountered in discussions of user accounts, systems, and applications. Naturally, most pertinent to IAM would be considering the security associated with provisioning/deprovisioning users. Perhaps the most vital considerations when provisioning/deprovisioning users would be questions related to access control.

While obviously provisioning will be relevant when a new employee is being hired and deprovisioning when they subsequently leave employment, due consideration should also be given in situations where an employee has a substantial role change within the organization. Ideally, if an employee were to materially change the nature of their role, then their initial access would be deprovisioned and their now-needed access provisioned anew. However, in reality, fully stepping through the deprovisioning and provisioning process might be overly cumbersome. Still, extreme care should be taken to avoid the common situation in which employees simply accrue ever more access without having unnecessary access revoked.

Just-In-Time (JIT)

While the phrase just-in-time (JIT) has been used in the corporate world for many years, its application to information security is much more recent. Just-in-time access control stands in direct contrast to the traditional and typical permanent and perpetual access, which in the JIT worldview is termed standing access. Care will need to be taken to strike the proper balance between usability and security with JIT access. If the JIT access workflow becomes too cumbersome, then there will often be a desire to revert to a standing access paradigm.

Imagine a classic scenario of an employee being hired and their account being provisioned with all the rights and permissions the organization anticipates that the employee requires. Some of those permissions will be wielded daily, while others might be rather infrequently employed. Especially in cases where the infrequently employed access has significant security ramifications, there might be an opportunity to implement JIT access. Employing JIT might then involve a process by which the employee, when needing to leverage that infrequent yet sensitive access permission, must initiate an approval process to allow for temporary access to be provided.

JIT has touch points not only with supplying users with as-needed privileges, but also with user and system provisioning and remote access. An example of JIT remote access could be temporarily opening a remote access port (e.g., TCP/3389) only when access is needed rather than making that service always accessible, and thereby always under attack. JIT account provisioning involves creating an account only when expressly needed, and then automatically deprovisioning the account after the account and its associated access have been used.
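
The request, approval, and temporary-grant workflow described above can be sketched as a small in-memory broker; this is an added example, not code from the original text. The user names, permission names, the one-hour ceiling, and the rule that a requester cannot approve their own request are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample policy (hypothetical users and permission names).
STANDING = {"alice": {"read_tickets"}}       # used daily, always on
JIT_ELIGIBLE = {"alice": {"prod_db_admin"}}  # infrequent but sensitive
MAX_TTL = timedelta(hours=1)                 # assumed ceiling on any grant

@dataclass
class Grant:
    user: str
    permission: str
    approver: str
    expires_at: datetime

class JitBroker:
    def __init__(self):
        self.grants = []
        self.audit = []  # (time, event, user, permission)

    def request(self, user, permission, approver, ttl, now):
        """Record an approved, time-boxed grant, or return None if refused."""
        if permission not in JIT_ELIGIBLE.get(user, set()):
            self.audit.append((now, "denied-not-eligible", user, permission))
            return None
        if approver == user:  # assumption: approval must come from someone else
            self.audit.append((now, "denied-self-approval", user, permission))
            return None
        grant = Grant(user, permission, approver, now + min(ttl, MAX_TTL))
        self.grants.append(grant)
        self.audit.append((now, "granted", user, permission))
        return grant

    def is_allowed(self, user, permission, now):
        """Standing access always passes; JIT access only inside its window."""
        if permission in STANDING.get(user, set()):
            return True
        return any(g.user == user and g.permission == permission
                   and now < g.expires_at for g in self.grants)

    def sweep(self, now):
        """Deprovision expired grants; returns how many were removed."""
        expired = [g for g in self.grants if now >= g.expires_at]
        self.grants = [g for g in self.grants if now < g.expires_at]
        for g in expired:
            self.audit.append((now, "revoked-expired", g.user, g.permission))
        return len(expired)
```

Because is_allowed compares against the expiry time on every check, access ends when the window closes even if the sweep has not yet run; the sweep exists to remove the stale grant and leave an audit record of the revocation.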