SaaS and the SMB – Passwords
July 7, 2008
In this post on application auditing, I wrote how we found some “orphan accounts” hiding in some of our databases and applications. These orphans are old accounts belonging to staff that no longer work with us.
In my opinion it is critical that you have a complete, and documented resource exit process for any staffer that leaves your organization. This process should be a complete checklist of all activities and actions required by your internal departments to ensure that nothing will be forgotten.
This checklist can include fairly obvious items such as obtaining physical assets such as keys, codes, laptops or cellular phones, to less obvious items such as forwarding incoming email (especially important for customer facing roles) to removing network, VPN and any other accounts.
This urgency increases for any Software as a Service accounts that you may be using. Failure to remove login priveledges for an ex-employee to a hosted application(s) can allow an ex employee to access that data from absolutely anywhere.
A few recent articles point out the critical nature of ensuring that passwords are appropriately managed.
Thomas Claburn at Information Week Canada quotes Google;
Password security is particularly important for Google because Google Account passwords unlock the keys to an individual’s Google kingdom from anywhere in the world.
And John Jainschigg at Baseline quotes;
That lack of central control can be problematic when users leave the company, as IT management may forget to revoke their access to SaaS applications.
In the SMB space, it is often a Human Resources Manager, or an employees direct superior that takes the lead when an employee leaves. They may remember “Retrieve Keys” and “Get Mail address for final papers” etc. But too often any other issues or assets are performed only as an “if Remembered” basis.
A documented process will ensure that “if remembered” becomes “always remembered”
You can subscribe to this blog by clicking the RSS icon on the Home Page!