User Account Provisioning
Provisioning is the process of deploying an account, host, or application to a target production environment.
- involves proving the identity or integrity of the resource, and issuing it with credentials and access permissions
- IT department must keep track of all assets under management
- user accounts are a type of asset
- User accounts are provisioned for
  - new employees
  - temporary access
Process
- Identity Proofing
  - verifies that the person is who they say they are by checking official documents and records
  - might also need a background check
    - verifies:
      - current and previous addresses
      - education or previous employment
      - whether the person has a criminal record or credit issues
- Issuing Credentials
  - allows the user to select a password known only to them and/or enroll them with biometric or token-based authenticators
- Issuing Hardware and Software Assets
  - the assets the user will need, typically a computer and/or smartphone and possibly local copies of licensed software apps
  - employees with insufficient resources may obtain hardware/software independently (shadow IT)
- Teaching Policy Awareness
  - scheduling training and providing access to learning resources so that the employee or contractor is aware of security policies and risks
  - must also be aware of policies for personal use of any IT assets issued to them
- Creating Permissions Assignment
  - identifying the work roles that the account must support and configuring the appropriate rights
  - If the account is granted privileged access, it should be tagged for close monitoring
Deprovisioning is the process of removing an account, host, or application from the production environment.
- involves
  - revoking any privileged access that had been assigned to the object
  - removing the account from any roles or security groups
- the account might be disabled for a period and then deleted, or deleted immediately
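
An added example (not part of the original notes) that audits an account inventory against the rules above: privileged accounts must be tagged for monitoring, and deprovisioned accounts must hold no privileged access or group memberships. The `Account` fields, the 30-day retention period and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumption: how long a disabled account is kept before it must be deleted.
RETENTION = timedelta(days=30)

@dataclass
class Account:
    name: str
    status: str                          # "active" or "disabled"
    groups: set = field(default_factory=set)
    privileged: bool = False
    monitored: bool = False              # tagged for close monitoring
    disabled_on: Optional[date] = None

def audit(accounts, today):
    """Return (account name, finding) pairs for lifecycle violations."""
    findings = []
    for a in accounts:
        # Provisioning rule: privileged accounts are tagged for monitoring.
        if a.status == "active" and a.privileged and not a.monitored:
            findings.append((a.name, "privileged but not tagged for monitoring"))
        if a.status != "disabled":
            continue
        # Deprovisioning rules: revoke privilege, remove roles and groups.
        if a.privileged:
            findings.append((a.name, "disabled but privileged access not revoked"))
        if a.groups:
            members = ", ".join(sorted(a.groups))
            findings.append((a.name, "disabled but still in groups: " + members))
        # Disabled-for-a-period accounts must eventually be deleted.
        if a.disabled_on and today - a.disabled_on > RETENTION:
            findings.append((a.name, "disabled past retention, delete"))
    return findings

# Constructed sample inventory (not real accounts).
SAMPLE = [
    Account("alice", "active", {"finance"}),
    Account("bob", "active", {"domain-admins"}, privileged=True),
    Account("carol", "disabled", {"hr", "vpn-users"}, privileged=True,
            disabled_on=date(2024, 1, 10)),
    Account("dave", "disabled", disabled_on=date(2024, 2, 20)),
    Account("erin", "active", {"dba"}, privileged=True, monitored=True),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, date(2024, 3, 1)):
        print(f"{name}: {finding}")
```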