When someone leaves the company, the HR department is quick to grab the employee's laptop. But what about the data on other equipment? How can the organization know what's on her mobile devices? Does anyone know to which websites and cloud-based software the employee has access? Here’s how IT (working with HR) can help ensure the company's data doesn't walk out the front door. (Hint: Don’t expect easy answers.)
In an ideal world, people leave your company only under friendly circumstances, because the organization treats every employee with respect. The hiring process is so streamlined that few bad hires are made, so it’s rare for anybody to need to clean out his desk with an HR person looming over him, keeping an eye on what goes out the door.
It’s too bad that we don’t live in an ideal world.
In this one, people are laid off, employees become disgruntled and search for a new position, and others are invited to Spend More Time With Their Families. It's nice to think we can trust employees and hire great people, but the reality is that a single bad hire can wreak untold chaos, destruction, and financial loss – particularly when the employee has access to corporate data after Elvis Has Left The Building.
While the off-boarding process is managed by the human resources (HR) department, IT needs to be brought in to make sure that the now-ex employee is not a walking-and-talking security breach. That’s why HR has to work with a sysadmin to turn off access to every system to which the employee has access.
...Assuming the sysadmin can even know what those systems are. According to a recent survey by my friend Phil Lieberman (we worked together 20 years ago), more than 13% of respondents still can access a previous employers' systems using their old credentials. And, he adds, a surprising percentage still have access into two or more ex-employers' systems.
I admit it: I’m among them. I can peek at an old client’s website stats (nobody’s left at the company who even remembers the project). For a few years I could log in to another organization’s database (access only disappeared when they changed service providers). It’s only my sense of ethics (and the fact that those people did treat me with respect) that protects those organizations from untraceable Loki-inspired mischief.
How can a sysadmin minimize the risk? Let’s start with the easy stuff. Most sysadmins rely on standard ways to control employee access, such as a single sign-on system on which the user’s password is deactivated, often managed through Active Directory or its ilk. The best methods here, one Web operations specialist told me, are a solid access control policy in addition to centralized authentication. “Centralized authentication make most things easy to shut off. Essentially, all access gets a ticket, which creates an audit trail. Upon termination, that system can be audited. This helps cover Software as a Service products easily.”
(Note, too, that similar controls should be in place when an employee changes departments. Since it's not a departure, most companies forget to double check, and all former rights remain.)
HR knows about work-related sites to which most employees have access, such as payroll systems, GotoMeeting accounts, accounting software accounts, and travel services. Whether HR pulls the access for those logins or IT does so, it doesn’t really matter – as long as someone takes care of it, and a process is in place for turning things off. Too often, it’s a few days before anybody tells IT that the employee is gone – which is exactly the time during which an individual is most motivated to grab anything that might be useful.
For example, one IT worker told me about a situation when a senior person in Accounting was let go. The first step was removing access to every system IT knew about (two minutes before HR gave the employee the bad news), changing passwords on external sites, and collecting company equipment (BlackBerry, laptop, building access cards). IT also needed to make the guy’s email records available to the CFO, who had to notify the banking systems that the employee was no longer authorized to act on the company’s behalf.
But what about external sites to which employees have access: website analytics, blogs, stock photo sites? Social media is a huge security gap in terms of access to data and also the ability to post and publish by ex-employees. De-commissioning employees is a very manual process and unless you enforce it no one is going to do it. There are plenty of tales of woe from companies who learned this the hard way.
What about all the BYOD devices on which employees collect data? How many of them does the average sysadmin even know about, much less know how to kill its access? Too few, really.
Some of these have technical solutions – and Druva inSync provides some that are valuable for this purpose (largely as a happy side effect). The functionality that permits Druva inSync to wipe the corporate data off a lost or stolen laptop or iPad also lets IT wipe the corporate data (but not the personal data) off the employee’s BYOD devices.
Another advantage: Because the data was backed up from the employee’s laptop, it’s accessible to anyone in the company who needs it. For example, the sales forecast figures that the employee had on her local drive are available to the organization because Druva inSync was automatically backing up the system. Her old boss can download it to his own computer instead of having to consider the data gone forever.
But what about all the other logins?
“For internal systems we have a central database system that records all the access rights granted to an employee,” one senior software developer told me. “But no one knows all of the external vendor sites on which I registered with my corporate email ID; by doing so I have corporate access rights to licensed software.”
And that’s just the beginning. One sysadmin told me, “I have access to various company accounts (github, registrars, chat systems, client lists, etc.) that should be easy to revoke, but in many of these cases I may have archived copies – heck, Github's model borderline requires me to have a full clone locally!”
Even if the organization turns off access to corporate resources, the data might exist somewhere. The same sysadmin has a MacBook Pro for work and personal use. “If I leave a company, what rights does the company have with respect to searching it? I don't have an answer to that one, but I'd be highly reluctant to expose the internals of my personal machine to my (now ex-)employer unless compelled to.” Plus, he backs up the data on that computer to a Time Machine drive, as well as using remote backup services with a "changes over time" view.
How much are you willing to bet that this guy cannot harm the organization after job termination? “Ultimately, there's a strong element of trust here,” he told me. “There's no way that my employer could ever compel me to provably delete all of these things and rest assured it had been done. Who's to say I don't have a second, third, or eighth backup hard drive buried in the woods somewhere?”
Shutting the barn door after the horse is gone…
The issue of how much the sysadmin can and should do to protect a newly-ex employee’s access depends on the company’s perception of the value of its data. That also starts with the day the employee is hired – not the day he leaves. Many of these policies support the company goal of policing data access, but sometimes at the cost of employee convenience (which encourages dangerous workarounds, since people do want to get their work done), and the unstated message that employees aren’t trustworthy. That’s a balance that each organization must find for itself.
How far should the IT department go? Some organizations routinely put glue in the USB ports of workstation computers to minimize the ease of flash drive transfers. They block access to outside sites that employees might use for malicious reasons, such as file sharing sites to which a planning-to-leave employee could copy the customer database. (Yet another reason that Druva inSync can appeal to IT, since its file sharing features give IT more control and visibility over who has access to company data. Look, you know I had to make this relevant.)
Organizations that are serious about protecting data – and not just when an employees leaves – establish access rights via logons, with a password policy that requires strong passwords that change every N days. All data is encrypted at rest and in motion, and automatically backed up and replicated to central servers (ahem, that’d be us again). Any devices connected to the PC are automatically encrypted and won't decrypt on non-company PCs. (If this leaves you disheartened, once you compare it to your existing company policies: Both of these data security policies are ignored by most organizations, including, I’m told, the NSA. Okay, now you can feel even more disheartened.)
In these “we’re serious about it” scenarios, traffic to external sites is logged, so as to catch anyone sending documents to themselves via webmail or cloud storage and to establish an audit trail in the event intellectual property or other confidential documents are stolen. Ideally such sites are blocked and permission is granted on an individual basis. Company policy may dictate that all logins to cloud services are issued by IT and logged in a database. Mobile access usually has Mobile Device Management (MDM) installed to track device usage.
In larger organizations, it’s wise to put in place a process that audits all of these things and keeps them clean on a regular basis. Someone should have it as a job duty to go through Active Directory and eliminate or disable unnecessary accounts (and ideally make it an automated process). Regular assessments need to be made to ensure that no back-door accounts into organization resources can be found (which can uncover things like unauthorized accounts). The specifics vary, but the main idea is that user access is looked at with an eye for thoroughness and prevention, not hasty reaction.
However, if you make the process of giving people access to things too cumbersome and untrusting, then you're just daring them to screw you over when they leave. So any processes you put in place to track this sort of thing should be supportive to the employees rather than a bureaucratic nightmare. As Gartner researcher David Cearley commented during the recent symposium, all roads to the digital future lead through security, but businesses have to balance risk versus reward. “Build too high a barrier and people will climb over it,” said Cearley.
One such option is password managers, which reduce the need for passwords-on-Post-Its. As Larry Seltzer wrote:
The main value in an enterprise password manager, just as with a single-user password manager, is to make it easier for users to use passwords securely: to make them complex, unique for each site and easier to change periodically. At certain times, such as when "offboarding" an employee, they show added value by providing audit information on what resource the employee has had access to and logged into.
How much did the employee know?
But all that is secondary to employee awareness and education. If employees’ website usage is tracked, they should be reminded of the surveillance regularly. On the day someone is hired, the employee should sign an employment agreement which includes a technology policy to which they must adhere.
In fact, the biggest loophole in this situation may be an employer being unable to prove that an employee was ever told, during or at the termination of employment, that there was a duty of care associated with company data; that failure to exercise reasonable care during employment was a termination offense; and that abuse of access following termination of employment was a breach of contract, subject to civil remedies (read "preponderance of the evidence" rather than the stricter criminal standard of "beyond a reasonable doubt"). So HR needs to brief the employees: Hand them the piece of paper that says what they've been told, and get their signature.
Ultimately, this is not a technology problem as much as a people issue: An ex-employee with good intentions isn't going to disseminate the information no matter what. (I like to think that almost everyone falls in this category.) But an ex-employee with bad intentions probably can create havoc no matter what you try to do. It is, however, IT’s job to minimize the damage that individual can do, by locking all the doors possible.