Deprovisioning Explained: Automating Access Revocation in IAM

What is deprovisioning?

Deprovisioning is the process within identity and access management of revoking accounts and access rights that were previously granted. It deserves as much attention as provisioning, because organising it well prevents users from retaining accounts and rights they no longer need, which is both a security risk and, for licensed software, an unnecessary cost. This knowledge article focuses specifically on the key deprovisioning considerations, using the different provisioning approaches within a modern Identity and Access Management solution such as HelloID.

Why is deprovisioning important?

Organising the provisioning of accounts and access rights naturally receives ample attention when setting up your identity and access management processes. Most people also quickly realise that a solid deprovisioning strategy is at least as important, for the following reasons:

  • With automatically granted accounts and rights, timely deprovisioning can usually be automated as well. In many organisations, however, around 20% of all rights are granted manually, and those fall outside automated deprovisioning.

  • Legislation and regulation do not distinguish between automatic and manual rights management. The Principle of Least Privilege applies to all rights. You must therefore ensure that manually granted accounts and rights are also deprovisioned in time.

  • Non-compliance can have a major impact, particularly if it leads to data breaches. It can result in sanctions, claims for damages, and reputational damage.

  • Keeping accounts and rights active unnecessarily can lead to very high licence costs. Managers often fail to monitor this and users rarely return rights proactively; people tend to accumulate rights.

  • At the same time, you improve the user experience by ensuring that rights are deprovisioned on time. This demonstrates professionalism and shows that you handle their personal data with care.

How do automated provisioning and deprovisioning work in practice?

At HelloID, we automate the issuance of accounts and rights based on Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC). Under these models you grant accounts and rights based on consistently recorded user data. A person’s job title or role within the organisation can be used, as can other attributes such as department, location, or competences. This data is recorded unambiguously in a source system such as the HR application, which allows HelloID to determine which accounts and access rights a person needs. The platform then ensures that these settings are automatically applied in the relevant target systems. For example, in HelloID you can use business rules to ensure that nurses in a hospital automatically receive access only to patient data for the department where they work. This prevents unauthorised access to other departments.

The benefit of this automated allocation is that changes are also processed automatically. If someone changes role or moves to a different department, these changes are recorded in the HR system. HelloID detects the changes and automatically adjusts the relevant accounts and access rights. This also includes automatic deprovisioning when certain rights or accounts are no longer required. Rights are revoked, accounts are blocked and, depending on the configured business rules, eventually decommissioned. When employment ends, all accounts are automatically deprovisioned in the same way. There is therefore not only automated provisioning but also automated deprovisioning.

With this automation you ensure that everyone complies at all times with the Principle of Least Privilege (PoLP). This principle means that every person receives only the accounts and rights that are strictly necessary for their tasks and responsibilities. With our automated allocation, a person always receives only the minimum necessary rights; and through automated deprovisioning we ensure that superfluous rights are revoked immediately. You always have the required rights, never more than that.

Deprovisioning individual rights

Our experience is that around 80% of accounts and access rights can usually be automated based on RBAC or ABAC. At the same time, there will always be individual access rights required. If someone, in addition to their regular role, takes on duties as a company emergency response officer, you may need additional licences or rights, but such an extra task is usually not recorded in the HR system. The same applies if someone participates in a specific project. You will not find that in HR data either, while access to an associated project folder or a specific licence may be needed.

Such accounts and rights can therefore only be granted individually, and requests for them are often submitted and fulfilled manually via the service desk. With the HelloID Service Automation module we can streamline and automate these requests further. For example, you can process requests as much as possible through a self-service portal, using configurable workflows to automatically request approval from the appropriate manager(s). All processed requests are also recorded automatically for audit purposes.

Even though we streamline the individual issuance of accounts and rights in this way, deprovisioning remains critical. With automatic allocation of rights, we also know that the same rights will be deprovisioned automatically when no longer required. With individual access rights it is often unclear how long people need the rights, which results in users keeping them for far too long. How do we solve that? We describe it below.

Deprovisioning and compliance

With individual allocation, the risk is that it is for an indefinite period. A manager may have requested access to a project folder or a separate licence for an employee. At the time of the request, it is checked explicitly whether the person really needs these facilities and whether it fits within policy. After that, the right in question often drops out of sight. The risk is that from that point onwards the person has the relevant rights, no one keeps an eye on them, and the user retains the rights until they leave the organisation. This is undesirable for two reasons:

  • The strength of automatic allocation and deprovisioning of rights is that you comply with the Principle of Least Privilege at all times: granted rights are revoked again in good time, automatically. With individual allocation this is not guaranteed, so you can no longer demonstrate least privilege. For both the GDPR and information security standards such as ISO 27001, the BIO, or NEN 7510, this is a key requirement.

  • You also incur unnecessary costs for expensive licences. Instead of granting a licence temporarily for a few months, the person keeps the licence for the rest of their employment, sometimes for years. If organisations have no visibility of such individually granted licences, this can become a significant cost item without being noticed.

It is therefore important to build processes for timely deprovisioning into those individual accounts and rights as well. With HelloID we provide two mechanisms for automated deprovisioning:

  • First, when issuing individual licences and rights, you can set a limited validity period immediately, for example six months. The rights are then revoked automatically. For accounts and rights where we already know at the start how long the period should run, this is the simplest approach.

  • For rights granted for an indefinite period, you can schedule recertification campaigns with the Governance module. Using specific filters, for example expensive licences or high-risk access rights, you compose campaigns in which the managers who previously approved such rights must review them again. The right is extended only if the manager re-approves it and there are no other blockers (for example, an application that no longer aligns with IT policy). If not, the account or access right is deprovisioned.

With these two measures you can also guarantee timely deprovisioning for individually granted rights. This keeps your organisation compliant with the relevant laws and regulations and saves on licence costs.
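The two mechanisms above, as an added example that is not HelloID's own code: a register of individually granted rights with an optional validity period, an expiry pass that revokes time-boxed grants, and a recertification pass that selects indefinite grants by a filter (cost or risk), then extends or revokes each one based on the decision of the manager who originally approved it and on any policy blocker. The grant register, the filter threshold, the decisions and the 180-day extension are constructed assumptions for the illustration; one design choice that goes beyond the text is that a re-approved right receives a fresh finite validity period rather than staying open-ended, so it will come up for review again.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Callable, Optional

@dataclass(frozen=True)
class Grant:
    person_id: str
    entitlement: str
    approver: str                 # manager who approved the original request
    valid_until: Optional[date]   # None = granted for an indefinite period
    cost_per_year: int = 0        # licence cost, usable as a campaign filter
    high_risk: bool = False       # e.g. administrative or sensitive-data access

# Constructed register of individually granted rights (not real data).
GRANTS = [
    Grant("e001", "visio:licence", "m01", date(2024, 3, 31), cost_per_year=180),
    Grant("e002", "project-x:folder", "m02", date(2024, 9, 30)),
    Grant("e003", "adobe:cc", "m01", None, cost_per_year=700),
    Grant("e004", "ad:domain-admins", "m03", None, high_risk=True),
    Grant("e005", "ms:teams-phone", "m02", None, cost_per_year=96),
    Grant("e006", "legacy-app:account", "m01", None, cost_per_year=500),
    Grant("e007", "tableau:licence", "m02", None, cost_per_year=400),
]

def expire(grants, today):
    """Mechanism 1: a right issued with a validity period is revoked once it has passed."""
    keep = [g for g in grants if g.valid_until is None or g.valid_until >= today]
    revoke = [g for g in grants if g not in keep]
    return keep, revoke

def campaign_scope(grants, selector: Callable[[Grant], bool]):
    """Mechanism 2, step 1: select the indefinite grants a recertification campaign covers."""
    return [g for g in grants if g.valid_until is None and selector(g)]

def recertify(scope, decisions, blockers, today, extension=timedelta(days=180)):
    """Mechanism 2, step 2: apply the campaign outcome to each grant in scope.

    decisions maps (person_id, entitlement) -> (reviewer, approved). A grant with no
    decision by the deadline counts as not approved. Only the manager who approved the
    original request can re-approve, and a re-approved right gets a fresh finite
    validity period instead of staying open-ended.
    """
    extended, revoked = [], []
    for g in scope:
        reviewer, approved = decisions.get((g.person_id, g.entitlement), (None, False))
        if approved and reviewer == g.approver and g.entitlement not in blockers:
            extended.append(replace(g, valid_until=today + extension))
        else:
            revoked.append(g)
    return extended, revoked

def expensive_or_high_risk(g):
    # Assumed campaign filter: licences above 300 per year, or any high-risk right.
    return g.cost_per_year >= 300 or g.high_risk

TODAY = date(2024, 6, 1)
DECISIONS = {
    ("e003", "adobe:cc"): ("m01", True),            # re-approved by the approver of record
    ("e004", "ad:domain-admins"): ("m01", True),    # approved, but not by the approver of record
    ("e006", "legacy-app:account"): ("m01", True),  # approved, but blocked by IT policy below
    # e007 tableau:licence: the manager did not respond before the deadline
}
BLOCKERS = {"legacy-app:account"}   # application no longer aligned with IT policy

if __name__ == "__main__":
    active, expired = expire(GRANTS, TODAY)
    print("expired:", [g.entitlement for g in expired])
    scope = campaign_scope(active, expensive_or_high_risk)
    extended, revoked = recertify(scope, DECISIONS, BLOCKERS, TODAY)
    print("extended:", [(g.entitlement, g.valid_until.isoformat()) for g in extended])
    print("revoked:", [g.entitlement for g in revoked])
```

Of the four grants in the campaign, only the Adobe licence survives: the domain-admins right was approved by the wrong manager, the legacy application is blocked by policy, and the Tableau licence received no decision at all. Treating silence as a revoke is what stops an indefinite right from quietly outliving the campaign.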

Summary: difference between provisioning and deprovisioning

It is clear that professional identity and access management requires not only well-organised provisioning of accounts and rights. Timely and correct deprovisioning of rights and accounts must also be assured. We aim to automate this as far as possible. This gives the best assurance of compliance with laws and regulations. Below we summarise the role of provisioning and deprovisioning, based on the different phases within a person’s identity lifecycle.

Onboarding process
  • Provisioning: Based on user attributes, for example a person’s job role, accounts and rights are provisioned automatically.
  • Deprovisioning: not applicable.

Job change process
  • Provisioning: When changes occur (new role, department, etc.), new accounts and/or rights may be required. These are provisioned automatically.
  • Deprovisioning: When changes occur, previously granted accounts and/or rights may no longer be required. These are deprovisioned automatically.

Individual requests
  • Provisioning: Where relevant and on request, individual accounts and/or rights can be provisioned, via the service desk or through self-service.
  • Deprovisioning: If a previously granted individual account and/or right is no longer required, deprovisioning must take place.

Offboarding process
  • Provisioning: not applicable.
  • Deprovisioning: When a user leaves the organisation, all accounts and rights are first blocked. They are then deprovisioned at the right time based on policy.

Deprovisioning tips & tricks

We have already outlined the importance of automated deprovisioning. This prevents non-compliance, data breaches, and claims for damages. For the deprovisioning of occasionally granted rights, we also mentioned tools such as the recertification functionality. There are more options to ensure that unused rights are cleaned up as quickly as possible. We list a few:

  • Awareness. Especially for occasionally granted licences and rights, it is important to make managers and employees aware of the costs and the risks. No one deliberately leaves the tap running, and you should foster the same awareness around your IT facilities.

  • Keep optimising. With the Governance module you have tools such as role mining to improve your role model. You can also prevent the issuance of conflicting rights. It helps you grant as few rights as possible and to automate this as much as possible.

  • Safeguard consistency between the accounts and rights recorded in your IAM platform and the actual situation in target systems. This prevents accounts and rights from no longer existing administratively while still being active in the target systems. You can use the HelloID reconciliation functionality for this.

More information about HelloID deprovisioning capabilities?

With the automated user provisioning functionality, HelloID ensures that deprovisioning is carried out automatically as much as possible. In addition, our Service Automation module can ensure that individually granted rights are deprovisioned automatically again after a specific period. Finally, with the governance features we can ensure that rights are not granted unnecessarily or for too long. You can find more about the capabilities in our HelloID module overview.


What is deprovisioning?

Deprovisioning is the process of removing access rights and user accounts when an employee leaves the organisation or changes role. Deprovisioning helps reduce security risks by terminating unused access rights.

What is the Principle of Least Privilege?

The Principle of Least Privilege (PoLP) means that users receive only the minimum necessary access rights to perform their tasks. This principle reduces security risks.

What is compliance?

Compliance means operating in a way that ensures your organisation meets applicable laws and regulations, industry and sector standards, and internal policies. Governments, partners, and customers increasingly expect organisations to demonstrate compliance proactively.