Well-Architected Framework
Account management lifecycle
Ensuring users and services have the appropriate access to systems and data is a continuous process. Managing the access lifecycle involves regularly reviewing and updating access permissions, as well as deprovisioning access when it is no longer needed. Properly managing the access lifecycle helps support a secure environment and reduces the risk of unauthorized access.
What is access lifecycle management
Access lifecycle management is the process of managing user accounts and their access permissions throughout their lifecycle, from creation to deprovisioning. The management includes onboarding new users, modifying access as roles change, and removing access when it is no longer needed.
Why manage access lifecycle
Failing to manage identity and access for users and services can lead to incidents, whether malicious or accidental. For example, if a user leaves the organization or changes roles and their account is not deprovisioned, they may still have access to systems and data that they are not authorized to use.
A publishing company in the 2000s let go of one of its system administrators but failed to deprovision their account in an email system that they had not securely managed. The former employee logged in and forwarded thousands of spam emails to employees, causing a significant disruption to their day. By properly managing accounts from creation through deletion, you can avoid incidents caused by unauthorized access.
By centralizing identity management, you can streamline the access lifecycle for provisioning and deprovisioning users. Centralizing identity management allows you to update group membership, reset passwords, or deprovision accounts when they are no longer needed.
When you combine centralized identity management with dynamic credentials, you further limit the attack surface by reducing the number of long-lived credentials that you need to manage.
NIST SP 800-53 outlines the account management process in detail, including the following key activities:
- Account creation and provisioning
- Account modification and review
- Account deprovisioning and removal
- Access reviews and audits
Following these practices helps you properly manage accounts and ensure that the users and services that require access to a system have it.
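The review and deprovisioning activities listed above can be automated by reconciling each system's account inventory against the central identity provider. The following is an added example, not HashiCorp or NIST code: the roster, the inventory, the group-to-system mapping, and the 90-day staleness window are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: identity-provider roster and per-system account inventory.
IDP_USERS = {
    "alice": {"active": True,  "groups": {"db-admins"}},
    "bob":   {"active": False, "groups": set()},           # left the organization
    "carol": {"active": True,  "groups": {"developers"}},  # moved off the DBA team
}
# Hypothetical mapping of each system to the IdP group that justifies access to it.
REQUIRED_GROUP = {"mail": "developers", "orders-db": "db-admins"}
ACCOUNTS = [
    {"system": "mail",      "account": "bob",     "owner": "bob",   "last_login": date(2024, 5, 30)},
    {"system": "orders-db", "account": "alice",   "owner": "alice", "last_login": date(2024, 5, 28)},
    {"system": "orders-db", "account": "carol",   "owner": "carol", "last_login": date(2024, 5, 29)},
    {"system": "orders-db", "account": "etl-old", "owner": "dave",  "last_login": date(2023, 11, 2)},
    {"system": "mail",      "account": "carol",   "owner": "carol", "last_login": date(2024, 1, 15)},
]

def review_accounts(idp_users, accounts, required_group, today, stale_after_days=90):
    """Return (system, account, finding) tuples for accounts that need action."""
    findings = []
    for acct in accounts:
        key = (acct["system"], acct["account"])
        owner = idp_users.get(acct["owner"])
        if owner is None:
            # No matching identity at all: nobody is accountable for this account.
            findings.append((*key, "orphaned: owner not in identity provider"))
            continue
        if not owner["active"]:
            # Identity was deactivated centrally but the local account survived.
            findings.append((*key, "deprovision: owner is deactivated"))
            continue
        if required_group[acct["system"]] not in owner["groups"]:
            # Role changed: the access should be modified, not silently kept.
            findings.append((*key, "modify: owner's role no longer grants this access"))
        if (today - acct["last_login"]).days > stale_after_days:
            findings.append((*key, "review: no login within review window"))
    return findings

if __name__ == "__main__":
    for system, account, finding in review_accounts(
            IDP_USERS, ACCOUNTS, REQUIRED_GROUP, today=date(2024, 6, 1)):
        print(f"{system:10} {account:8} {finding}")
```

The account left behind for a departed user, as in the publishing company incident described earlier, is the "deprovision" finding here.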
Combining proper lifecycle management with securely storing secrets and rotating secrets builds a strong security foundation for your organization.
HashiCorp Vault fundamentally changes how you manage access lifecycle by eliminating long-lived credentials:
- Dynamic secrets - Instead of creating permanent credentials during user onboarding, Vault generates temporary credentials on-demand when users need access. These credentials automatically expire, removing the need for manual deprovisioning in many scenarios.
- Lease management - Every secret issued by Vault has an associated lease. When a user’s employment ends or their role changes, revoking their Vault token automatically revokes all associated dynamic credentials across databases, cloud providers, and other systems.
HashiCorp Boundary enforces access lifecycle through just-in-time access patterns:
- Session-based access - Rather than granting permanent access to infrastructure, Boundary creates temporary sessions. When a session ends, access automatically terminates.
- Time-limited targets - Configure targets with expiration times to automatically deprovision access to specific systems after a defined period.
- Identity integration - Connect Boundary to your identity provider so that when you deprovision a user from the identity provider, they lose the ability to create new sessions to infrastructure resources.
HashiCorp resources:
- Understand static and dynamic secrets
- Use Vault-backed dynamic secrets in HCP Terraform
- Connect to Kubernetes using Vault and Boundary
- HCP Boundary Vault credential brokering quickstart
- SSH certificate injection with HCP Boundary and Vault
Next steps
Following these documents in order ensures a logical progression through the key concepts and best practices, helping you establish a strong foundation for your identity and access management program.
- Define access requirements
- Grant least privilege
- Create permissions and guardrails
- Centralize identity management
- Implement strong sign-in workflows
- Use dynamic credentials
- Manage access lifecycle (this document)
In this section of Identity and access management, you learned why it's important to manage the full lifecycle of user accounts and permissions. Identity and access management is part of the Secure systems pillar.