System Access — Who Has What?

Business problem
The biggest security risk for every business — by far — is its own workers. Although few wish to cause deliberate harm, many seek the most expedient way to get work done, heedless of any security problems this causes. To manage this risk, every business needs to know — at the very least — who has access to which systems and whether they are using their access.

Connecting everything
If your organization is large enough and wealthy enough to afford a user provisioning system with single-sign-on for all systems, read no further. But I work for a health care organization, and even the few health care organizations which can afford a user provisioning system will have some specialized systems that are not worth the effort to integrate.

We found it surprisingly difficult to obtain good data about user accounts, starting with the most basic account for the corporate network. A network engineer was able to create an automated process to extract a list of all active Windows domain accounts from the primary domain controller, together with the most recent login for the account. These two text files were created daily and then imported to a database by another automated process. When the organization later moved to Active Directory, it was easier to extract this data.

Even with current domain account data, we still needed a way to connect the domain accounts to our database of workers. Initially, we created a table of all workers, containing e-mail address, domain account, employee ID number, name, active status, etc. Later, when we built a more sophisticated user access application, all these bits of data became attributes of the worker, connected by the ITID and tracked in the user access database.

Next we began to work our way through the list of systems used in the organization, mining them for user account data. Most systems have a database containing the user accounts and some auditing data for those accounts. From those we pull the list of user accounts, and where available, the date/time of last login. In many cases, we also send automated requests for new system accounts to the system administrator for fulfillment. The graphic below shows the full set of connections between the intranet and other systems (click the image for a full-size PDF version).

For the first time, the organization had complete and accurate data about all user accounts and usage. The initial effort was painful and time-consuming, but we worked through thousands of domain accounts, either connecting the account to a current worker or canceling the account. During this initial cleanup, over 2,000 network accounts for former workers were removed.

Now, with accurate data about user accounts and usage, we could implement security policies for account management (more about that in System access — Use it or lose it).

Posted 17 March 2008