The vast majority of employees who leave a company are honest, upstanding corporate citizens. But you never know when someone might leave on bad terms and then attempt to hack back into your corporate systems.
Protecting company assets from former employees is more difficult in today’s world where corporate data can live in so many places, from the cloud to the employee’s BYOD smartphone.
Here are steps to protect corporate data from former employees.
De-provision all devices
According to Joe DiVito in PricewaterhouseCoopers’ risk assurance practice, de-provisioning should be the first step in protecting data.
[ALSO: 12 of the worst data breaches of 2013]
"Many organizations wrestle with de-provisioning. They may do well at the network level, but the application level can be left open. The administration of application-level access is often decentralized and resident with application owners or business units," says DiVito
He adds that companies need processes in place that provide notice of terminations to all application owners." DiVito cautions that de-provisioning can be tricky, especially when access administration and associated controls are split between a central IT function and the data owner.
"There is a level of control risk associated with the design and operation of user provisioning controls. The organization needs to have an accurate accounting of the access assigned to an employee. Determine who owns the authorization and ongoing access to that data and ensure that you communicate amongst the parties when access needs to be modified or revoked. Often times the solution to managing that risk requires nothing more sophisticated than improved communication," he says.
At Steelcase, the office furniture company, a custom Microsoft .NET tool handles the task of de-provisioning. And IT is tightly coordinated with HR.
According to Steelcase CIO Bob Krestakos, “The .NET tool uses as many standard APIs as possible to reach various systems and disable or remove user accounts. For example, email accounts can be suspended or removed, access to our Active Directory can be removed, SharePoint access is removed via this application. Access to internal social media and product development systems are managed this way, too.” The .NET tool also eliminates SAP IDs, as well as the PTC product data vault in product development, he adds.
In addition, he adds, the application automatically sends email notifications to the user accounts manager, creating an audit trail.
"The .NET tools make it easy in a large IT environment to turn off access to all systems. It automates quite a few steps," says Krestakos. He adds that the whole process is triggered by the HR department.
"When someone is leaving or resigns, especially if they're in data-sensitive departments like corporate strategy or product development, we might start the de-provisioning process before they leave. In other cases, we let the manager of their department know, and we leave the accounts in place until he or she says it's OK to shut them off," says Krestakos.
Use automated tools
"When an employee leaves a company for any reason, that information should be immediately and automatically relayed by HR to IT for de-provisioning access to all accounts within the organization. There are many mature user provisioning programs available for this purpose," says Sally Hudson, an analyst at IDC.
In addition, say analysts, a number of off-the-shelf software applications can help ensure high-level employees in particular get shut off from corporate systems. These include software from IBM, Oracle, Quest Software (now owned by Dell) and CA Technologies, plus pure play vendors such as Cyber-Ark and Xceedium, which provide PIM solutions that are widely used in Fortune 2000 organizations.
There are checks and balances: Privileged Identity Management software makes sure that highly authorized former employees, including executives and systems admins are not able to exploit their former high levels of access and account privilege to do damage or mischief within the corporation.
— Sally Hudson, an analyst at IDC
"There are checks and balances: Privileged Identity Management software makes sure that highly authorized former employees, including executives and systems admins are not able to exploit their former high levels of access and account privilege to do damage or mischief within the corporation," says Hudson.
A holistic approach to de-provisioning is recommended by some. According to Michael Suby, an analyst at Frost and Sullivan, without going the holistic route, the identity and access management process can be ineffective.
"The location of data is getting so dispersed, it's difficult to maintain oversight. You also need to segment data, which is part of data governance. If I'm a business with plenty of employee information, such as their phone number, salary and personnel records, but I need to make sure that's stored separately in a physically separate system. And things like business plans and mergers and acquisitions are cordoned off from the general population. You need to manage access to that information. If you do it after the fact, it's like leaving the barn door open." he says.
IDC's Hudson adds, "A basic element of housekeeping for all large enterprises should be an automated attestation process, whereby all line of business owners attest to who has access to what based on their roles assigned within an organization. This used to be done manually with spreadsheets, but now software is available that automates and updates these inputs and sends out automatic alerts when anomalies are detected."
The IT department at Cisco also automates much of the de-provisioning process. As soon as an employee tells HR they're leaving, and HR acknowledges it, a series of actions takes place to prevent employee access to corporate data, says Brett Belding, senior manager, IT mobility services.
"After notifying HR, there's a whole series of actions that happen to employee access to data. Employees who decide to leave will hand in their corporate laptops and will lose system access to things like AnyConnect VPN, our ERP, HR system, and everything else they previously had access to. The length of time is different in different countries, but within the last week of employment is the common point. We shut off access to the VPN, for example, ahead of time," he says.
Adds Forrester analyst Andras Cser, "There has to be rapport between the application owners and HR. IT also has to maintain compliance with regulators, whether it's GRBA for finance, HIPPA for healthcare, or Sarbanes-Oxley, which states that the employee information must be accessible by a manager for 30 days as a best practice, in case there's an audit."
Scrub/Wipe devices
In BYOD environments, departing employees generally either have their devices wiped of data by IT departments, or handle the task themselves. But before that can happen, IT must know what data is on the device.
"Organizations need to determine what data is on the physical asset, such as the ID on a mobile phone. But even by examining that, some organizations struggle to know what should be scrubbed. Companies that are subject to regulatory oversight are better at it. Those like manufacturing are not as advanced,” says Pricewaterhouse Cooper’s DiVito.
Steelcase requires employees who bring their own devices to sign an agreement that they'll wipe them after they leave the company. With 3,000 mobile users in North America, half of them on the BYOD program, this has worked, says CIO Krestakos.
"Employees must agree to certain things via a written agreement. We don't have anything in place to make sure they don't retain corporate data, and we don't have solutions to monitor that, just their agreement. The agreement asks that the employee password protect their phone and maintain some type of applications that allow them to remotely access and wipe the contents."
As at Cisco, HR also gets involved. "When an employee leaves the company they have an exit interview with HR where a checklist is run through. HR collects all technologies issued to an employee and reminds them they're not allowed to keep corporate data on any personal device," he adds.
Keep an eye on the cloud
Employee access to the cloud can make for thorny issues after the departure of the worker, since the cloud is an uncontrolled channel. Having policies in place before an employee leaves eases the whole procedure, says Frost and Sullivan's Suby.
"An organization has to have a policy and procedure, and say what are the sanctioned Web sites, and if they aren't, you have to block them. You need to determine how to stop movement of data into places where you don't have visibility, like Dropbox or another cloud service."
At Cisco, internal and external cloud services are tied to its mobile application stack. The way IT managers get around people tampering with data in the cloud is to send only the presentation of an application, not the actual bits, says Belding.
"A lot of our mobile application stack is tied to cloud services, either internal or external. If you want to see financial data, you aren't downloading the actual data, only the presentation. We call it bits versus pixels. For cloud and mobile data, you only want to download pixels. That way, there's less and less data on the device. If you're editing a spreadsheet in the browser, that's all in pixels, and when I turn off the service, you can't access it anymore," he says.
Steelcase limits the types of data that can be uploaded to the Google Drive cloud used by the company. Corporate strategy and product development data are among the most critical data types, and that data can't be stored in on Google Drive.
"People are advised they are working on sensitive project areas and asked to take precautions to protect the information," Krestakos says.
Webster is a freelance writer. He can be reached at johnwebstervt@gmail.com.