Close the barn door now! Avoid the risk of not monitoring retained access before it’s a problem

Companies spend thousands of dollars (sometimes hundreds of thousands) to recruit the right person, put them through the interview cycle, then onboard them. Once an employee is within the corporate ecosystem, far too many entities forget all that effort and expect whatever system is in place to ensure the employee remains compliant and security remains intact.

But retained access creates risk. Rare is the organization with a system robust enough to observe internal (lateral) moves or offboarding, and companies lacking such processes and procedures become vulnerable whenever employees move or leave.

To avoid this risk, CISOs must make retained access a key performance indicator for not only the information technology team they support but also the various entities with whom they must collaborate, including human resources, finance, logistics, research and development, and operational business units.

We should think of retained access along the lines of the old farmer’s axiom: it is of no use to close the door after the horse has bolted.

People are a company’s greatest asset and greatest risk

Employees, contractors, and partners are granted access to corporate infrastructure because that access provides value. Human resources, logistics, accounting, and business units all have engagements with outside entities: some have contractors on staff, and all have employees. Their access to systems is provisioned by the information technology teams during onboarding, and their access to data is determined by their supervisory hierarchy.

Visibility into their access must be an always-on, always-available metric and the same goes for devices — laptops, phones, tablets, mobile storage, etc. Inventory control and retained access to devices post-employment should be a line item on every entity’s offboarding process.

The 2021 Proofpoint lawsuits are a case in point. All who live in the realm of insider risk management are aware that once an employee or contractor has determined they are leaving, many choose to take the intellectual property of their employer with them.

Whether the separation was amicable matters little; many (too many) see their work as “their property” and carry it out the door. Others know that their work, or that of others, belongs to the employer yet have no problem swallowing their ethics and taking it with them. Such was the case with the Proofpoint lawsuits, as the company found itself chasing its intellectual property down the road when a former channel sales director admitted to having a “USB drive containing some of his work-related documents from Proofpoint.”

The mindset of “what’s mine is mine and what’s yours is also mine” is alive and well.

Transparency around access should be paramount

Those who have been reading or listening to me for the past 20-something years have heard me mention time and time again the need for processes and procedures to follow people movement to ensure individuals have access to what they need, and that the access has been reviewed via process or hierarchy as necessary.

If you don’t know who is still engaged, then how will IT or the CISO know that what the logs are revealing isn’t simply the status quo on a normal day?

I engage in consulting from time to time and have found myself as the one reminding the entity to remove my access when the gig has concluded. This scenario has happened so often that I now have as part of my “close out” process: “remind to remove my access.”

It would be far better if those doing the contracting, hiring, or engagement management had it in their built-in process that when a contract concludes or an employee moves or departs, IT is informed, accounting is informed, and human resources is informed.

It’s absurd to allow an employee to simply walk away and wait for a “no activity” alert — or in the case of the nefarious, a “too much activity” alert as they fleece or compromise the infrastructure to which they once had authorized access and now have “unauthorized” access.

Need-to-know 101

Admittedly, I’ve been steeped in the philosophy of “need-to-know” since I was a teen entering on duty at the CIA as a file clerk in the file room of the Office of Security. In the intelligence world, individuals are “read in” or “read out” of programs. It’s more than symbolic that the first thing that happens when someone is read out is the retrieval of their badge, which removes physical access to the premises.

I was taught on day one the meanings of limited access and environmental security and saw with my own eyes the machinations that took place when one transferred out of the unit to ensure their access was not retained — door combinations changed, access control logs updated, databases adjusted to reflect access, badge access deactivated (and yes, all of these are largely analog, as I am that old that these files were paper).

You see, the concept of least-privilege access isn’t new; it is simply new to some, and it should always be viewed as “table stakes.”

The retained access conundrum affects government entities

Illustrating the need for control over retained access was the revelation by the United States Department of Energy’s Office of Inspector General in 2021 that more than 10,000 contractors and federal employees who had separated from the department retained their badges and other means of access to the department’s facilities.

Yes, the same facilities where the US government conducts nuclear research. Their report showed that 39% of those separated had not had their employment status updated in the system, 66% of IDs were not retrieved, and 30% didn’t have their access clearances terminated.
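The reconciliation this column calls for (knowing who is still engaged before reading the logs, and measuring the kind of gaps the DOE figures above describe) can be turned into a repeatable check. The following is an added Python illustration, not code from CSO, the author, or the DOE report; the roster, access records, log lines and field names are all constructed assumptions:

```python
"""Reconcile an HR separations export with identity records and auth logs to
surface access that outlived employment. Added illustration; all data is constructed."""
from datetime import date, datetime
# Constructed HR export: employment status and separation date (None = active).
HR_ROSTER = {
    "asmith": {"status": "separated", "separated_on": date(2024, 3, 1)},
    "bjones": {"status": "active", "separated_on": None},
    "cdoe": {"status": "separated", "separated_on": date(2024, 2, 15)},
    "dlee": {"status": "separated", "separated_on": date(2024, 3, 10)},
}
# Constructed identity/badge export: account enabled? badge handed back?
ACCESS_RECORDS = {
    "asmith": {"account_enabled": True, "badge_returned": False},
    "bjones": {"account_enabled": True, "badge_returned": False},
    "cdoe": {"account_enabled": False, "badge_returned": True},
    "dlee": {"account_enabled": False, "badge_returned": False},
}
# Constructed auth log, one event per line: "<timestamp> <user> <action> <result>".
AUTH_LOG = """\
2024-03-05T09:12:44Z asmith vpn-login success
2024-03-05T09:40:02Z bjones vpn-login success
2024-03-12T22:03:17Z dlee badge-door success
2024-02-20T08:00:00Z cdoe vpn-login failure"""


def retained_access_report(roster, access, auth_log):
    """Return (findings, kpi): findings maps each separated user to the access
    they still hold or used; kpi is the share of separated people with a finding."""
    findings = {}
    separated = sorted(u for u, r in roster.items() if r["status"] == "separated")
    for user in separated:
        issues = []
        rec = access.get(user)
        if rec is None:  # nothing to check against, so deprovisioning is unproven
            issues.append("no access record")
        else:
            if rec["account_enabled"]:
                issues.append("account still enabled")
            if not rec["badge_returned"]:
                issues.append("badge not returned")
        if issues:
            findings[user] = issues
    # Successful activity after the HR separation date is an alert in itself; without that date it reads as a normal day.
    for line in auth_log.splitlines():
        ts, user, action, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        sep = roster.get(user, {}).get("separated_on")
        if sep and result == "success" and when > sep:
            findings.setdefault(user, []).append(f"{action} on {when} after separation")
    kpi = len(findings) / len(separated) if separated else 0.0
    return findings, kpi
```

Run against real exports, the kpi value is the "retained access" indicator the column asks CISOs to track, and the per-user findings are the offboarding tickets that HR, IT and facilities should already have closed.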

In-house collaboration is a necessity if you want to avoid such fiascos, says Jon Taylor, director and principal of security at Versa Networks. “There needs to be coordination between HR and infosec — both in personnel moves as well as onboarding and offboarding, have a process in place. Use the process,” Taylor tells CSO.

My advice? The CISO needs to ensure that when a change of need-to-know, position, or employment occurs, the corresponding change to access to sensitive data and/or infrastructure occurs with it. It doesn’t just happen; make it happen.

The old farmer also has a message. Close the barn door now, dammit.
