
How to keep access-control under control amid layoffs

Do you know who your admins are?

As layoffs and restructurings radically reshape organizations (some more chaotic and “extremely hardcore” than others), it may be unclear who has admin access and who does not, or whether a terminated employee has truly relinquished their top IT privileges on the way out the door.

A number of strategies—consolidated access controls, visibility tools, and isolated offboarding practices—help organizations prepare for the risks that arise when people with administrator privileges are de-provisioned.

“That’s when you don’t want to screw up…when you’re letting an admin go, for whatever reason, and those people will literally have the ability to take down your production, your business, whatever it is that you hold dear to your organization,” Brian Haugli, CEO at the cybersecurity services company SideChannel, told IT Brew.

Shutdown mode. A Q3 report from the risk-advisory consulting firm Kroll saw insider threat peak to its highest quarterly level yet, accounting for “nearly 35% of all unauthorized-access threat incidents” seen by the company. One incident cited by Kroll revealed a terminated employee kept gigabytes of company data on multiple cloud networks.

And employees don’t have to take data to ruin a company’s reputation. As imposter accounts proved during Twitter’s tumultuous transition, rogue tweets can damage stock value. A secure offboarding process that blocks an exiting employee from company services, including social media, becomes an important risk-management strategy.

Haugli recommends the “easy” shutdown method: Put the person in a room with HR, away from devices, while others dismantle access, lessening the chance of data leaks caused by insider ire. “With a remote-heavy world now, this is proving a little bit more difficult to navigate, but not undoable,” said Haugli.


Aside from security threats, an IT overhaul may also lead to a lack of knowledge, like the details of a server or network setup.

Moses Frost, senior technical consultant at Neuvik and senior instructor at the SANS Institute, said the post-layoff question is rarely: Are we secure? But, rather: Does anybody know how to run this thing?

“Once something works, people don’t go back and make an operational guide of how it works,” Frost told IT Brew. Frost has seen companies rehire sacked employees as contractors in order to successfully document IT processes that have bewildered a new team.

Across the board. To avoid having to shut down accounts one service at a time, companies like Okta and Ping Identity provide a federated single sign-on option—a one-and-done switchoff for all services.

Log aggregation in SIEM products also offers a level of consolidation, ingesting telemetry from, say, Active Directory logs, Microsoft 365 access records, source IP addresses, and Dropbox downloads.

“You can’t contextualize all that stuff easily, until you’re centralized across the board. And generally, that means you’re leveraging some sort of log aggregation,” said Luke Tenery, partner with the advisory firm StoneTurn.

Another technology, privileged access management (PAM), places system-administrator credentials into a secure repository and logs their activity.
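An added example, not from the IT Brew article or any vendor named in it, of the kind of check that centralized logs make possible: reconciling an offboarding roster against normalized multi-source events to flag activity after a termination time (former admins rated higher), plus a comparison of a directory admin group against the active-staff list to answer “who are your admins?”. Every username, timestamp and IP address below is constructed.

```python
from datetime import datetime, timezone

# Constructed offboarding roster: username -> (termination time, held admin rights?)
OFFBOARDED = {
    "jdoe":   (datetime(2022, 11, 4, 17, 0, tzinfo=timezone.utc), True),
    "asmith": (datetime(2022, 11, 4, 17, 0, tzinfo=timezone.utc), False),
}

# Constructed, already-normalized events of the kind a SIEM aggregates:
# timestamp,source,user,action,source_ip
EVENTS = [
    "2022-11-04T16:55:00Z,ad,jdoe,logon,10.1.2.3",
    "2022-11-05T02:10:00Z,m365,jdoe,mailbox_export,203.0.113.7",
    "2022-11-05T09:00:00Z,dropbox,asmith,download,198.51.100.9",
    "2022-11-05T09:05:00Z,ad,bwayne,logon,10.1.2.4",
]

def parse_event(line):
    """Split one CSV event line into a dict with a timezone-aware timestamp."""
    ts, source, user, action, ip = line.strip().split(",")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "source": source, "user": user, "action": action, "ip": ip}

def find_post_termination_activity(events, roster):
    """Return events by offboarded users that occur after their termination time.
    Activity from a former admin is rated high, from any other former employee medium."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev["user"] not in roster:
            continue
        term_at, was_admin = roster[ev["user"]]
        if ev["ts"] > term_at:
            ev["severity"] = "high" if was_admin else "medium"
            findings.append(ev)
    return findings

def stale_admins(admin_group_members, hr_active_staff):
    """Admin-group members with no matching active HR record: either a former
    employee whose rights were never revoked or an unowned service account."""
    return sorted(set(admin_group_members) - set(hr_active_staff))

if __name__ == "__main__":
    for f in find_post_termination_activity(EVENTS, OFFBOARDED):
        print(f"{f['severity'].upper()}: {f['user']} {f['action']} via {f['source']} "
              f"from {f['ip']} at {f['ts'].isoformat()}")
    # Constructed directory admin group compared with a constructed active-staff list
    print("unowned admin accounts:", stale_admins({"jdoe", "bwayne", "svc_backup"}, {"bwayne"}))
```

The roster and events would normally come from the HR system and the SIEM export respectively; the value of the check depends on the termination timestamp being recorded at the moment access is cut, not at the end of the day.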

And if an account-management situation has become too chaotic to consolidate, there’s always “Martial law,” as Haugli calls it—a resource-intensive effort to lock everyone out and start over.

“Either shut all stuff down or shut down all access to very specific systems, and then regrant access based on roles,” said Haugli.—BH
