How do you provision & de-provision permissions for technical staff at scale?


VP of Engineering, 10,001+ employees
Because we have so many servers, databases, & developers, we need a reasonable way to manage access. Before, managing requests for access was pretty much manual. With 90 engineers that can become unmanageable. We get pitched all the time on a variety of products and for the most part we're pretty self-sufficient. We're an open source shop. We don't need too many tools. One that we've been pretty happy with is strongDM. Our infrastructure team uses strongDM to manage people's ability to connect to different databases. When someone’s on-boarded or off-boarded, we simply give them access to strongDM. You can use whatever client you want to talk to a database so there’s really no training necessary. There was one key driver for us: de-provisioning. Not having to worry about revoking SSH keys or database credentials when somebody leaves the organization. strongDM provides that simplicity of management for our Infrastructure & DevOps teams. It provides the layer of security we’ve been looking for.
SVP CIO in Telecommunication, 5,001 - 10,000 employees
There are several solutions in the “Privileged Identity Management” and “Privileged Access Management” space. Some of the leaders in the space include: Centrify, BeyondTrust, CyberArk.
CTO in Software, 11 - 50 employees
We have a small team consisting of 18 people; currently we manage these things manually. As our whole system is on AWS, we would be able to provide everyone custom access to the whole system using their IAM feature.
Chief Technology Officer in Services (non-Government), 501 - 1,000 employees
The first challenge is to ensure you have, as much as possible, a single identity across all systems for these employees. I have always made it a priority to connect these identities into the HR system as, ideally, it shouldn't be IT's responsibility to know when someone starts, leaves, or changes roles as it's more often than not HR that would know this first. Using simple scripting, you should then be able to change access privileges based on activity within the HR system. Obviously, if you have a large number of systems and employees, and multiple authentication mechanisms, then investing in some of the tools mentioned above starts to make a lot of sense.
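
The HR-driven scripting described in the comment above, sketched as an added example that is not part of the original thread or any commenter's code. The record fields, role names, systems and the `plan_changes` helper are all assumptions, and the sample data is constructed; the script only plans changes and leaves applying them to whatever access system is in use.

```python
from collections import defaultdict

# Constructed sample data; field names, roles and systems are assumptions.
ROLE_ENTITLEMENTS = {
    "backend-dev": {("orders-db", "read"), ("app-servers", "ssh")},
    "dba": {("orders-db", "admin"), ("billing-db", "admin")},
}
HR_FEED = [
    {"id": "e100", "status": "active", "role": "backend-dev"},
    {"id": "e101", "status": "terminated", "role": "dba"},
    {"id": "e102", "status": "active", "role": "dba"},  # moved from backend-dev
]
CURRENT_GRANTS = [
    ("e100", "orders-db", "read"),
    ("e101", "orders-db", "admin"),
    ("e101", "billing-db", "admin"),
    ("e102", "orders-db", "read"),
    ("e102", "app-servers", "ssh"),
    ("e999", "app-servers", "ssh"),  # identity with no HR record at all
]

def plan_changes(hr_feed, grants, role_entitlements):
    """Return (revocations, additions) that bring access in line with HR."""
    # What each identity should hold; only active staff are entitled to anything.
    desired = {}
    for rec in hr_feed:
        if rec["status"] == "active":
            # Unknown role maps to no access: fail closed rather than guess.
            desired[rec["id"]] = set(role_entitlements.get(rec["role"], ()))
        else:
            desired[rec["id"]] = set()
    held = defaultdict(set)
    for ident, system, level in grants:
        held[ident].add((system, level))
    revoke, grant = [], []
    # Identities absent from HR (orphans) want nothing, so all they hold is revoked.
    for ident in sorted(set(held) | set(desired)):
        want = desired.get(ident, set())
        revoke += [(ident, *e) for e in sorted(held[ident] - want)]
        grant += [(ident, *e) for e in sorted(want - held[ident])]
    return revoke, grant

if __name__ == "__main__":
    to_revoke, to_grant = plan_changes(HR_FEED, CURRENT_GRANTS, ROLE_ENTITLEMENTS)
    for r in to_revoke:
        print("REVOKE", *r)
    for g in to_grant:
        print("GRANT ", *g)
```

Running the plan on a schedule against the live grant list also surfaces orphaned accounts such as `e999`, which a purely event-driven off-boarding hook would never see.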
Assistant Director IT Auditor in Education, 10,001+ employees
De-provisioning permissions is always a challenge in every organization I have worked in. The process for de-provisioning must be simplified and followed by all in the organization.
