The project certainly has security implications, but I have another incentive to help out. All managers in my company are eligible for bonuses at the end of the fiscal year (which comes at the end of June), and these bonuses depend in part on meeting personal and departmental strategic objectives. One of my personal strategic objectives, for example, is to successfully deploy laptop encryption. If I don't do this by a certain date, I lose points that are used to calculate my bonus. And my peers lose points as well.
So we are motivated to help one another, and that's part of the reason why the project for automating account termination drew my attention.
Simply stated, we want to ensure that former employees can't gain access to any of our systems or the network. Doing so is a control objective tied to compliance with the Sarbanes-Oxley Act, but it's also a strategic objective of the company. Ultimately, we want the automated system to work so that when the human resources department marks an employee's PeopleSoft account as terminated, a series of activities will be triggered to automatically remove or disable that user's account from other user account repositories.
We use Microsoft Active Directory (AD) as our main directory infrastructure, and we have configured it so that users' accounts are automatically removed when they are marked as terminated in the PeopleSoft database. Those deletions mean that terminated employees no longer have access to Microsoft Exchange, file shares, SharePoint, our single sign-on infrastructure and several other applications.
The problem is that when a person is no longer allowed to access our systems, the process will have to include the automatic termination of RSA SecurID accounts. We currently use SecurID tokens to provide two-factor authentication to two main environments: our virtual private network and our extranet portal. Regular employees are authorized for VPN access, and portal access is extended to suppliers, partners and contractors. Using the portal across a Secure Sockets Layer VPN, these third parties get a controlled subset of access to our company's internal resources. Eventually, I plan to expand SecurID two-factor authentication for gaining access to our network gear (i.e., routers, switches and firewalls) and our Unix and Windows NT servers, and to integrate it into core applications, such as SAP and our upcoming product life-cycle management infrastructure. Shutting former employees out of the SecurID authentication server is a big part of keeping them out of company resources.