4.6.1 Provisioning & De-provisioning
Provisioning and de-provisioning are the cradle-to-grave administrative processes used to manage the lifecycle of user accounts, software applications, and cloud infrastructure.
User Account Lifecycle Standardized processes ensure that users have exactly what they need to perform their jobs without compromising security through over-privileged access.
- Provisioning: The act of creating a user account, assigning it to a department/group, and granting initial permissions.
- Onboarding: The organizational process of integrating a new employee, which triggers the technical provisioning task.
- De-provisioning: The formal removal of access rights and the disabling or deletion of accounts when an employee leaves or changes roles.
- Offboarding: The administrative workflow (exit interviews, hardware return) that concludes with account de-provisioning.
- Permission Auditing: Periodic reviews to ensure users haven't accumulated "privilege creep" during their tenure.
Infrastructure and Software In modern DevOps and cloud environments, provisioning refers to the automated deployment of resources.
- Infrastructure as Code (IaC): Using machine-readable definition files (like Terraform or CloudFormation) to provision servers, networks, and storage instantly.
- Resource Deprovisioning: Shutting down virtual machines or cloud instances that are no longer in use to prevent sprawl and reduce monthly costs.
- Asset Tags: Metadata assigned during provisioning to track ownership, department, and expiration dates for resources.
- Orchestration: The automated coordination of multiple provisioning tasks to manage complex environments at scale.
Security Implications Failures in the provisioning lifecycle often lead to the most common vulnerabilities in an enterprise.
- Orphaned Accounts: Accounts that remain active after an employee has left the organization. These are high-value targets for attackers because they are rarely monitored.
- Privilege Creep: Occurs when a user moves from Department A to Department B but retains the permissions from their old role.
- Shadow IT: When users provision their own software or cloud services without IT oversight, bypassing security controls.
- JIT (Just-in-Time) Provisioning: A security best practice where accounts or permissions are created dynamically as needed and removed immediately after use.
Quick Recall - Trigger word "Life Cycle": Always refers to the stages of provisioning, maintenance, and de-provisioning. - Immediate Action: De-provisioning must occur immediately upon termination to prevent disgruntled insider threats. - Automation: Use automation to reduce human error in account creation and to ensure consistent security baselines. - Least Privilege: The primary goal of a strict provisioning policy.