Automating your employee off-boarding process with Swimlane

As more organizations discontinue internal services and begin adopting an increasing number of third-party *aaS-based services, ensuring the appropriate access is revoked in a timely manner is critical. By using our new employee off-boarding use case, you can automatically gather historical data, add a user to a monitoring watch list, and finally remove access when it is time to off-board an employee.

The employee off-boarding use case contains two distinct applications to assist an organization with managing their employee off-boarding process. The first is the employee application, which contains all relevant information about the employee as well as references to the second application: assets. The assets application contains individual assets to which the employee has access. These assets can be applications, services or hardware.

Our employee off-boarding use case enables an organization to automatically schedule an employee’s off-boarding from either an email sent from your HR department or from an existing ticketing system. Once ingested, an employee off-boarding action date is either set or configured by a security analyst.

An asset can be manually assigned to a user, or your Swimlane admin can define a standard set of assets that all users have access to. This way, when a new employee off-boarding case is created, there are default associated services for each employee within your organization.

The employee off-boarding use case has several different statuses that describe different parts of the off-boarding process: new, scheduled, overdue and closed.

Figure: A list of off-boarding record statuses.

Once a new off-boarding request is created in Swimlane, the application will immediately begin pulling information about the user from LDAP, Active Directory or Azure Active Directory. If you would like Swimlane to pull from a different location, you can do so easily by using another bundle we provide or writing your own custom integration using Python or PowerShell Core.

Figure: A scheduled employee off-boarding record.

Once an action date is set, Swimlane will query your security information and event management (SIEM) system for any additional data that is relevant to this employee’s off-boarding request.

Figure: Swimlane can automatically construct a SIEM query to gather details about the employee.

Swimlane will also automatically retrieve host logs by leveraging either an EDR solution or a combination of WMI and Windows PowerShell. This information is collected and stored on the employee off-boarding record for future review.

Figure: Swimlane can automatically pull user logs as well as take screenshots (depending on your EDR product or if you use PowerShell & WMI).

Once we have retrieved an employee’s relevant information, we begin the off-boarding procedure by first disabling any relevant accounts and services used by the employee, as well as isolating their host machine. Any additional off-boarding procedures that your organization requires can be added using any number of our integrations and minor changes to this application's workflow.

Figure: Employee off-boarding: Assets application showing the current account status as enabled.

Figure: Employee off-boarding: Assets application showing the current account status as disabled.

You can find our new employee off-boarding use case on AppHub and join Josh Rickard and Jay Spann for their webinar discussing Swimlane and our new employee off-boarding use case.


*** This is a Security Bloggers Network syndicated blog from Swimlane authored by Josh Rickard. Read the original post at: https://swimlane.com/blog/automating-employee-off-boarding-process/