Preventing Data Breaches: Why Robust JML Processes Are Essential for SMEs

When employees leave an organisation, whether through resignation, redundancy, or dismissal, ensuring they no longer have access to company systems is critical. Many organisations are prioritising efficient processes such as HR-driven provisioning and the Joiners, Movers and Leavers (JML) process.

A recent incident involving unauthorised access by a former contractor at the British Museum underscores the importance of robust IT practices in managing staff transitions.

For small and medium-sized businesses (SMEs), this highlights a crucial question: how can we safeguard sensitive resources when employees or contractors exit?

In this article, we explore how SMEs can strengthen their Joiners/Movers/Leavers (JML) processes with IT best practices, focusing on identity management, authentication, and privileged access control.

What are Joiners, Movers, and Leavers?

Joiners, Movers, and Leavers refer to the three critical stages of an employee’s lifecycle within an organisation.

Joiners are new employees who need access to various systems, data, and resources to perform their job functions effectively.

Movers are existing employees who transition to new roles or departments, necessitating updates to their access privileges to align with their new responsibilities.

Leavers are employees who exit the organisation, requiring the prompt revocation of their access rights to prevent any unauthorised access.

Understanding and managing these stages effectively ensures that access privileges are granted appropriately and revoked promptly, thereby maintaining the security and integrity of the organisation’s resources.

Understanding the Importance of JML Processes

JML (Joiners, Movers, and Leavers) processes are a cornerstone of a business's identity and access management (IAM) strategy.

These processes ensure that user access is meticulously managed throughout an employee’s lifecycle, from the moment they join the company to their departure.

Effective JML processes are vital for maintaining security, ensuring compliance, and boosting operational efficiency.

By automating repetitive tasks and streamlining access management, organisations can significantly reduce the risk of security breaches, enhance productivity, and improve the overall user experience.

This proactive approach to managing user access and leavers processes is essential for safeguarding sensitive information and maintaining a secure IT environment.

The Risks of Inadequate Leavers Processes

Failing to revoke access for departing employees can have dire consequences. From unauthorised data access to potential sabotage, the risks extend far beyond just IT systems.

Consider the following scenarios:

  • Data Theft: A disgruntled employee downloads sensitive client or financial data.
  • Sabotage: An ex-employee disrupts services or deletes critical files.
  • Brand Damage: Unauthorised actions are traced back to your company, harming your reputation.

For SMEs, the stakes are high. Limited resources and smaller teams often mean less room for error, making effective processes vital.

Building a Robust JML Process

An effective JML process ensures seamless onboarding, smooth role transitions, and secure offboarding. Implementing self-service entitlement management allows users to directly request access, reducing delays and IT workload while ensuring that access requests are managed in an auditable and secure manner.

Here’s how SMEs can optimise each stage:

Joiners: Simplified Onboarding

Efficient onboarding ensures new employees can access the tools they need without unnecessary delays while minimising security risks. Implementing a single point of authentication via an identity provider (IdP) like Microsoft Entra ID (formerly Azure Active Directory) can streamline this process.

Key practices include:

  • Role-Based Access Control (RBAC): Assign access permissions based on roles to ensure new joiners have only the access they need.
  • Automated Provisioning: Use tools to automatically create accounts and assign permissions, reducing manual errors.
  • Granting Temporary Access: Grant temporary access to new employees until their permanent roles are established to ensure security and compliance.

Movers: Seamless Transitions

When employees change roles, their access requirements often shift. Without clear processes, outdated permissions can accumulate, leading to security risks.

Key steps include:

  • Regular Access Reviews: Periodically review and update permissions to match current responsibilities.
  • Auditable Changes: Use tools like Microsoft Entra ID’s Access Reviews feature to maintain an audit trail of access adjustments.
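A mover review of this kind can be sketched as follows. This is an added example, not part of the original article or of any Microsoft Entra ID feature; the role names, entitlement names and the time-boxed exception list are hypothetical.

```python
from datetime import date

# Constructed RBAC baseline: role -> entitlements. All names are hypothetical.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "payroll-read", "sharepoint-finance"},
    "sales-manager": {"crm-admin", "erp-read", "sharepoint-sales"},
}

def review_mover(held, new_role, exceptions, today):
    """Compare what a mover currently holds with the baseline of the new role.

    exceptions maps entitlement -> expiry date for approved temporary access
    (for example a handover period). Expired exceptions are revoked.
    """
    baseline = ROLE_ENTITLEMENTS[new_role]
    grant = sorted(baseline - held)
    revoke, keep_until = [], {}
    for ent in sorted(held - baseline):
        expiry = exceptions.get(ent)
        if expiry is not None and expiry >= today:
            keep_until[ent] = expiry      # still inside the approved window
        else:
            revoke.append(ent)            # leftover access from an earlier role
    return {"grant": grant, "revoke": revoke, "keep_until": keep_until}

def audit_record(user, old_role, new_role, plan, approver, today):
    """Build one line for the access-change audit trail."""
    return (f"{today.isoformat()} user={user} move={old_role}->{new_role} "
            f"grant={','.join(plan['grant']) or '-'} "
            f"revoke={','.join(plan['revoke']) or '-'} approver={approver}")

if __name__ == "__main__":
    # Constructed case: a finance analyst with a stray admin right moves to sales.
    held = {"erp-read", "payroll-read", "sharepoint-finance", "vpn-admin"}
    handover = {"payroll-read": date(2025, 4, 30)}
    plan = review_mover(held, "sales-manager", handover, date(2025, 4, 1))
    print(plan)
    print(audit_record("e07", "finance-analyst", "sales-manager",
                       plan, "it-manager", date(2025, 4, 1)))
```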

Leavers: Secure Offboarding

When employees leave, removing their access quickly and comprehensively is essential. Steps to secure offboarding include:

  • Immediate Deactivation: Disable accounts immediately upon departure to prevent unauthorised access.
  • Physical Security Measures: Recover physical security tokens (e.g., Yubikeys) or retire them if recovery isn’t possible.
  • Data Retention Policies: Ensure email and file data are retained according to organisational policies before account deactivation.

User Access and Provisioning

User access and provisioning are fundamental components of the JML process. User access refers to the permissions and rights granted to employees, enabling them to access necessary systems, data, and resources.

Provisioning involves the creation, modification, and deletion of user accounts, as well as the assignment of access privileges.

Effective user access and provisioning ensure that employees have the right access at the right time, minimising the risk of unauthorised access.

By leveraging tools, organisations can automate these processes, ensuring that user accounts and access privileges are managed efficiently and accurately throughout the employee lifecycle.

The Role of Identity Providers in Secure Access Management

Using a centralised identity provider like Microsoft Entra ID enhances security by providing a single point of authentication for all services.

This ensures that:

  • Unified Access Control: All resources are accessible through a single, secure platform.
  • Conditional Access: Multi-factor authentication (MFA) policies can be applied to sensitive resources.
  • Audit Trails: Every login attempt and access change is logged, enabling thorough auditing.

Enhancing Security with Physical Tokens

For users with elevated privileges, physical security tokens like Yubikeys add a robust layer of protection. Unlike traditional passwords or software-based MFA, physical tokens:

  • Are immune to phishing attacks.
  • Require possession of the token for access, significantly reducing the risk of unauthorised entry.
  • Should be recovered or deactivated immediately upon an employee’s departure to prevent misuse.

Automating JML Processes: Tools and Best Practices

Automation reduces the risk of human error and ensures consistency by significantly reducing repetitive manual tasks, freeing up HR and IT teams to concentrate on more strategic initiatives.

Here are some tools and strategies SMEs can adopt:

  • Identity Management Platforms: Tools like Microsoft Entra ID automate provisioning and deprovisioning based on predefined workflows.
  • HR System Integration: Connect IT systems to HR platforms so that employee status changes automatically trigger access updates.
  • Self-Service Portals: Enable employees to request access changes through an approval workflow.

Implementing a Successful JML Process

Implementing a successful JML process requires a strategic combination of technology, policies, and procedures. Organisations should focus on automating repetitive tasks, such as user account creation and access provisioning, and on making full use of the tools they already have.

Establishing clear policies and procedures for managing user access is crucial, including guidelines for granting and revoking access privileges.

Regular audits and compliance reporting are essential to ensure the effectiveness of the JML process. By conducting these audits, organisations can identify and address any discrepancies in user access, ensuring that access privileges are aligned with current roles and responsibilities.

Best Practices for SMEs

Small and medium-sized enterprises (SMEs) can greatly benefit from implementing a robust JML process.

Best practices for SMEs include:

  • Automating Repetitive Tasks: Use tools to automate user account creation and access provisioning.
  • Establishing Clear Policies and Procedures: Develop and enforce guidelines for managing user access and access privileges.
  • Implementing a Centralised Access Management System: Use a centralised system to manage all user access and ensure consistency.
  • Conducting Regular Audits and Compliance Reporting: Regularly review user access and conduct compliance reporting to identify and rectify any issues.
  • Providing Training and Support: Educate employees on the importance of JML processes and how to follow them.
  • Continuous Monitoring and Evaluation: Regularly assess the effectiveness of the JML process and make necessary adjustments.

By following these best practices, SMEs can ensure that their JML process is efficient, effective, and secure, ultimately contributing to the overall success of the organisation.

The Importance of Regular Audits

Even with automated processes, regular audits are critical to ensuring security.

SMEs should:

  • Conduct quarterly access reviews to identify dormant or unnecessary accounts.
  • Audit privileged accounts more frequently to detect unusual activity.
  • Validate that all physical security tokens assigned to leavers have been recovered or retired.
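The three audit checks above can be run as a reconciliation between an HR export, an identity-provider account export and a token register. The following is an added example, not part of the original article: the field names, sample records and the 90-day and 30-day dormancy thresholds are assumptions, not a real HR or Entra ID schema.

```python
from datetime import date, timedelta

# Constructed sample exports; field names and values are assumptions.
HR = [
    {"id": "e01", "status": "active", "left": None},
    {"id": "e02", "status": "leaver", "left": date(2025, 1, 10)},
    {"id": "e03", "status": "leaver", "left": date(2025, 2, 3)},
    {"id": "e04", "status": "active", "left": None},
]
ACCOUNTS = [
    {"user": "e01", "enabled": True, "privileged": True, "last_login": date(2025, 3, 28)},
    {"user": "e02", "enabled": True, "privileged": False, "last_login": date(2025, 1, 22)},
    {"user": "e03", "enabled": False, "privileged": False, "last_login": date(2025, 2, 1)},
    {"user": "e04", "enabled": True, "privileged": False, "last_login": date(2024, 11, 2)},
    {"user": "svc-x", "enabled": True, "privileged": True, "last_login": None},
]
TOKENS = [
    {"serial": "T-1001", "owner": "e02", "state": "assigned"},
    {"serial": "T-1002", "owner": "e03", "state": "retired"},
]

def audit(hr, accounts, tokens, today, dormant_days=90, priv_days=30):
    """Return findings as (check, subject, detail) tuples."""
    people = {p["id"]: p for p in hr}
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        person = people.get(a["user"])
        if person is None:
            # Enabled account with no owner in HR: nobody will offboard it.
            findings.append(("orphan", a["user"], "no HR record"))
        elif person["status"] == "leaver":
            used = a["last_login"] is not None and a["last_login"] > person["left"]
            detail = "login after leaving" if used else "not disabled"
            findings.append(("leaver-enabled", a["user"], detail))
        else:
            # Privileged accounts get the shorter dormancy window.
            limit = timedelta(days=priv_days if a["privileged"] else dormant_days)
            if a["last_login"] is None or today - a["last_login"] > limit:
                findings.append(("dormant", a["user"], "no recent login"))
    for t in tokens:
        owner = people.get(t["owner"])
        if owner and owner["status"] == "leaver" and t["state"] == "assigned":
            findings.append(("token-outstanding", t["serial"], t["owner"]))
    return findings

if __name__ == "__main__":
    for finding in audit(HR, ACCOUNTS, TOKENS, date(2025, 4, 1)):
        print(*finding, sep="\t")
```

A "login after leaving" finding is the case to escalate first, since it shows the account was used after the departure date rather than merely left enabled.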

Conclusion: Protecting Your Business Through Proactive Security

The British Museum incident is a stark reminder of the risks posed by inadequate offboarding processes. For SMEs, investing in robust JML processes, leveraging identity providers like Microsoft Entra ID, and implementing additional security measures like physical tokens are essential steps to protect sensitive resources and maintain operational integrity.

By taking a proactive approach, SMEs can minimise risk, ensure compliance, and safeguard their business against potential threats.

If you’re unsure where to start, Acora One is here to help. Our team of experts specialises in designing and implementing secure IT processes tailored to your business needs.


 
