System Access: Who Has What?
Business problem

The biggest security risk for every business by far is its own workers. Although few wish to cause deliberate harm, many seek the most expedient way to get work done, heedless of any security problems this causes. To manage this risk, every business needs to know at the very least who has access to which systems and whether they are using their access.
Connecting everything

If your organization is large enough and wealthy enough to afford a user provisioning system with single sign-on for all systems, read no further. But I work for a health care organization, and even the few health care organizations which can afford a user provisioning system will have some specialized systems that are not worth the effort to integrate.
We found it surprisingly difficult to obtain good data about user accounts, starting with the most basic account for the corporate network. A network engineer was able to create an automated process to extract a list of all active Windows domain accounts from the primary domain controller, together with the most recent login for each account. These two text files were created daily and then imported to a database by another automated process. When the organization later moved to Active Directory, it was easier to extract this data.
Even with current domain account data, we still needed a way to connect the domain accounts to our database of workers. Initially, we created a table of all workers, containing e-mail address, domain account, employee ID number, name, active status, etc. Later, when we built a more sophisticated user access application, all these bits of data became attributes of the worker, connected by the ITID and tracked in the user access database.
Next we began to work our way through the list of systems used in the organization, mining them for user account data. Most systems have a database containing the user accounts and some auditing data for those accounts. From those we pull the list of user accounts and, where available, the date/time of last login. In many cases, we also send automated requests for new system accounts to the system administrator for fulfillment. The graphic below shows the full set of connections between the intranet and other systems.

For the first time, the organization had complete and accurate data about all user accounts and usage. The initial effort was painful and time-consuming, but we worked through thousands of domain accounts, either connecting the account to a current worker or canceling the account. During this initial cleanup, over 2,000 network accounts for former workers were removed.
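The reconciliation described above (a daily extract of active domain accounts with last login, imported to a database and joined to the worker table so each account is either tied to a current worker or flagged for cancellation), as an added Python example; this is not the author's code. The extract layout, table columns, sample accounts and the 90-day dormancy threshold are constructed assumptions.

```python
import sqlite3
from datetime import date, timedelta
# Constructed daily extract: one active domain account per line,
# "account<TAB>last_login" (ISO date; blank when the account never logged in).
DOMAIN_EXTRACT = (
    "jsmith\t2008-03-10\n"
    "mjones\t2007-09-02\n"
    "svc_backup\t2008-03-16\n"
    "tbrown\t\n"
    "rlee\t2007-10-01\n"
)
# Constructed worker table keyed by ITID; columns are assumed, not the article's schema.
WORKERS = [  # (itid, name, domain_account, active)
    (101, "Jane Smith", "jsmith", 1),
    (102, "Mark Jones", "mjones", 0),  # former worker whose account still exists
    (103, "Tom Brown", "tbrown", 1),
    (104, "Rita Lee", "rlee", 1),
]
def load(conn, extract_text, workers):
    """Import the daily extract and the worker list into the database."""
    conn.executescript("""
        CREATE TABLE domain_account(account TEXT PRIMARY KEY, last_login TEXT);
        CREATE TABLE worker(itid INTEGER PRIMARY KEY, name TEXT,
                            domain_account TEXT, active INTEGER);
    """)
    rows = [(acct, last or None) for acct, _, last in
            (line.partition("\t") for line in extract_text.splitlines())]
    conn.executemany("INSERT INTO domain_account VALUES (?, ?)", rows)
    conn.executemany("INSERT INTO worker VALUES (?, ?, ?, ?)", workers)
def review_accounts(conn, today, dormant_days=90):
    """Return {account: reason} for accounts not tied to an active worker in recent use."""
    cutoff = (today - timedelta(days=dormant_days)).isoformat()
    sql = ("SELECT d.account, d.last_login, w.itid, w.active "
           "FROM domain_account d LEFT JOIN worker w ON w.domain_account = d.account")
    findings = {}
    for account, last_login, itid, active in conn.execute(sql):
        if itid is None:
            findings[account] = "no worker record"   # candidate for cancellation
        elif not active:
            findings[account] = "worker inactive"    # former worker: remove account
        elif last_login is None:
            findings[account] = "never logged in"
        elif last_login < cutoff:                    # ISO dates compare as strings
            findings[account] = "dormant"
    return findings
def run(today=date(2008, 3, 17)):
    """Load the constructed data into an in-memory database and review it."""
    conn = sqlite3.connect(":memory:")
    load(conn, DOMAIN_EXTRACT, WORKERS)
    return review_accounts(conn, today)
```

Accounts that are absent from the result are tied to an active worker and were used within the threshold; everything else is a candidate for follow-up or cancellation.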
Now, with accurate data about user accounts and usage, we could implement security policies for account management (more about that in System Access: Use it or lose it).
Posted 17 March 2008