This question may sound trivial. Before discussing further, let me narrate an incident:
About three years ago, on March 17, 2010, at Austin, Texas hundreds of cars purchased from a particular car dealer went honking uncontrollably. Still worse, the owners were not able to start the cars as the ignition system had been disabled. Car owners had no clue as to what was happening. They had no other option but to disconnect the battery.
Following hundreds of such complaints and anxious moments, the car dealer carried out an investigation with the help of police and found that a sacked employee had gained unauthorized access to an internal IT application and turned on the web-based vehicle-immobilization system normally used to draw the attention of the customers delinquent in their auto payments. The techie had apparently taken revenge on the dealer for laying him off.
Soon after sacking him, the car dealer had promptly terminated all access, including the one to the vehicle-immobilization IT application. But, he had known the credentials of a colleague, using which he gained unauthorized access to the application.
Now, coming back to the question: How do you handle passwords when an employee leaves the organization? Does your organization have an effective ‘de-provisioning’ process in place to ensure that the former colleague will not continue to access your applications or data?
The saying ‘out of sight, out of mind’ might not hold good in all cases. Most of the employees leaving the organization will forget their former employer and start concentrating on the happenings in the new organization. Rarely, a disgruntled ex-colleague or a sacked employee or a terminated contractor or a greedy techie might turn bad and you will have to encounter problems.
The Austin cars honking incident is a classic example for the kind of insider threats organizations are prone to. A single disgruntled employee leaving the organization can wreak havoc to the very business or cause huge financial loss, if user de-provisioning is not handled properly. De-provisioning includes not just terminating access to key IT systems and applications, but also resetting the passwords.
Conversely, certain online accounts might be ‘owned’ by the person leaving the organization. If he fails to ‘hand over’ or ‘reveal’ the account details to someone else, the account will practically become an orphan posing a different kind of problem.
Tracing Access – The Key Challenge
When an employee leaves the organization,
- it is essential to carry out a careful review of the access permissions granted to him/her
- access has to be terminated and passwords must be reset
- passwords owned by the person should be transferred to someone else
- the password sharing scenario has to be reviewed. Users often tend to reveal passwords to their colleagues for some reason or other. The most common reason for such an ‘unofficial share’ is to cater to an emergency on one’s absence – Manager revealing the password of an application to a senior member when he has gone on vacation.
The key challenge here is finding out the list of all applications and resources accessed by the person leaving the organization. With the proliferation of online applications, it is indeed a daunting task to trace all the applications to which the person possessed access. Tracing the ‘shared passwords’ is another tricky scenario.
If you can’t trace access, the safest option is to change the passwords of all applications, sites and resources. Needless to say, this is cumbersome, arduous and time-consuming.
Centralized Password Repository – The Ideal Solution
The ideal solution to tackle this problem is establishing and maintaining a centralized password repository using a Password Manager. You can keep all your logins in the centralized vault and grant access to employees selectively based on job roles/responsibilities. By looking at the dashboard, you will know ‘who’ is having access to ‘what’ applications and accounts. When an employee leaves the organization, within minutes you can take a report on the applications accessed by him/her and change the passwords of those sites or applications alone. You can also overcome the sharing-related issues by using a Password Manager. In addition, you may even restrict the passwords from being shown in plain-text to the users while sharing passwords with them. The users will just be allowed to launch a direct connection to the site/application without viewing the password.
If you are wondering which password manager to use, take a look at Zoho Vault, an online password manager that serves as the centralized repository for all your passwords. It helps you securely store, share and manage your passwords and other sensitive data and access them from anywhere. Try Zoho Vault, now!