Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:03):
Welcome to Shut the Back Door brought to you by Redox.
Shut the Back Door is a health care security podcast dedicated
to keeping health data safe one episode at a
time. I'm your host, Jody Mayberry, and joining
us this episode is Megan McLeod, senior
security engineer at Redox, and Bill Easton,
(00:25):
staff security engineer at Redox. Hello, Megan and
Bill. It's so good to be with you. We're back with you, Megan and Bill,
with us for the first time. Welcome, Bill. Hi, Jody. Hi, Jody. It's
nice to be here again. Well, our topic this episode is
The Final Log Off: Streamlining
Secure Departures. And I realized
(00:48):
as we get started on this episode that even in
my small business, I don't know if I've given this enough attention.
I look at all the jobs that I've had before. And when other
people left, how well did we do on the
secure departures? And I think I'm about to find out. So just
let's start with talking about the importance of streamlining
(01:11):
departures when an employee is no longer with
us? Yeah. I mean, it is important everywhere, like you said, even small
businesses, large businesses. But in health care, it's
critical. Everyone who's part of a health care organization
or health care tech has access to really
private information. And getting that access removed
(01:33):
from somebody who's leaving the organization is key.
The problem is, of course, if you're doing it kind of ad hoc manually
and system by system, that's a lot of burden. So
streamlining it kind of takes that burden off of you and kind of eases
your mind. Yeah. Exactly. Even through my day-to-day to-do list tasks, if
I don't write something on my to-do list and it's all done manually, I'm
(01:56):
gonna forget it. So doing something on a larger scale, like
removing employees after they've departed from these systems, like you said,
if you're trying to do it all manually, it's not impossible, but
it's very difficult. And it's easy to forget, especially some of those,
like you said, ad hoc systems where you might not be in that system that
often. Yeah. Definitely. So one thing that we found is, you know,
(02:18):
the best way to streamline it is automation. If you have it, you know,
you have your central access system
connected to your HR information system,
feeding that information in and letting it take care of
removing that information or removing that access, it's so much
easier than trying to do that. But, of course, that takes
(02:40):
work. You have to get to that state where all of those
systems are interconnected, so you have to have a very clear
idea of what you want your final state to look like
to get it to where, you know, it comes from the HRIS.
The system automatically kicks off all the automation
to go through all of those systems and remove all of that
(03:03):
access. Bill, how do you, like, kind of map out
that ideal end state? Is there a process that you go through or do you
just take notes? Like, I'm just curious from your side how you do
that. Yeah. So the first thing you have to know is
kind of what a person has as far as access is concerned,
also what systems you have within your
(03:26):
environment. So with that knowledge, then you can map it out. You
can create what a role a person who's typically
doing that particular job has as far as access is
concerned. So you can map that out and make that determination
that this is what this person would have because they are a
sales engineer or because they are, you know, an
(03:48):
accountant or whatever that particular role is. This is
interesting, Bill, to hear you say that it's automation
because I was thinking, oh, a checklist would really help. But you're
talking automation. Right? So you have something that it can be
repeated the same way every time. So how much
of what you're talking about is done
(04:11):
automatically without you going in manually, and how much is just
going through your checklist? Yeah. I mean, obviously, the checklist has to
exist. Right? You can't even if you don't know what systems
you have and what the user has, then obviously, you have
to go come down that list. Well, we know that they, you know, they could
have this, so we have to check that. What we've done at Redox is tried
(04:33):
to automate as much as possible. So probably right now, we're
at, I would say, probably like an eighty twenty, definitely not
100, and we are certainly always working to get further
into automation as much as we possibly can so that we
don't have to do those manual things because so many manual things can be
forgotten. Even with a checklist, you can, you know, you forgot or you
(04:54):
checked it off that you didn't necessarily remember that you didn't go in there.
So, yeah, automation is definitely the clear way to go. Yeah. And
with automation, just thinking about it, it really can't
exist unless you have those rules like you're talking about. So role based,
if we were trying to do automation just based on every individual user,
you just really wouldn't be able to do that. Because if I was saying, oh,
(05:17):
let's remove Megan McLeod, and we have to remove x y z
access, but there's nothing tied to a role or
anything like that, it just seems like that would be impossible. Yeah.
Pretty much. I mean, really, the only way that you could do that, just ignoring
automation for a minute, is to go into every single system
that that person could conceivably have, check to see whether or not they
(05:39):
have it, then remove it, then move on to the next. It's just a lot
of steps, not only in, you know, picking that
one person out of all of the systems, but it's just a lot to
do and take a lot longer than doing automation. Definitely. Or
even having Especially if we have a lot of different tools.
Like, when you only have, say, like, two things that you use, maybe that seems
(06:01):
a little more conceivable. But if we're working in, you know,
dozens of different areas, there's it just makes it a lot
more cumbersome to try to do it like that. And I think that what I've
seen at different places that I've worked is there's, you know, a bit of a
disconnect between people understanding what they need in
order to do their job and then understanding how that
(06:23):
process needs to work in order for that automation and access to be as
secure as possible. So someone might say, oh, well, I need to have this
access. And it's like, well, you need to be in a role that needs to
have that access. It can't just be these one offs that are created all the
time. Otherwise, we're creating that kind of snowball effect like we were
mentioning where it just gets harder and harder to
(06:45):
remove these people upon departure. Yeah. 100%.
If somebody gets access outside of the role, then you have to be able to
track that access outside of that role. So it would be much
better to either create a new role, hopefully not for one person,
but for a group of people that need that role as opposed
to just granting a person access to that one thing that they
(07:06):
claim they need. Bill, you mentioned that Redox is
currently at a roughly eighty-twenty on automation. Can you tell
us a little bit about how you plan and implement
the automation that you do when someone departs? Yeah.
So the first thing that you really have to have is a repeatable
process to remove that access. Without
(07:29):
it being repeatable, then it's really kind of impossible to
automate. So you need to have some
some methodology to kind of go down
that checklist that you're talking about manually to kind of do it
in an automated fashion. So kind of what
we did was create an automation that cascades
(07:51):
down through systems. So, you know, the very first thing that it
does is that it kind of shuts off our single, you know,
single sign on system. So it shuts that off so that they can't get
access to anything else. But then it goes through and will
kind of go down a list of things that it needs to remove,
you know, on down even to our own application. So it'll cascade down
(08:14):
and it will do things like we use Gmail.
So we want to move, like, people's documents and
their drive to somebody else so that that will be
triggered as part of the automation. So I think what you have to do is
make sure that you have that repeatable process and then
creating that in an automated fashion so that it can be
(08:37):
done every time. Well, a lot of what you've talked
about in the automation is streamlining, and
maybe we don't have that currently in our
organization. Can you give us some things we can do to get
quick wins when it comes to streamlining? Yeah. I think the
the first thing that you can do is centralize your identity and
(08:59):
access management. Get it into a single system, something
that has single sign on. You know, there's multiple vendors
that offer that. So, you know, kind of get that in there and
single, you know, do single sign on for all the things that you have
within your system. You've already talked about and we've talked about, you know,
knowing what all of those systems are. So get all of those things in single
(09:21):
sign on. That way, when somebody leaves, you can just shut off that
and that prevents them from being able to access any of those things that are
behind single sign on regardless of whether or not you remove the back
end system itself, you know, the account from there, then at
least you know that they can't access in the meantime. The second
thing is because you're using it, you want to make sure a
(09:43):
single sign on system, you want to try to make sure that anything that you
procure in the future has that capability to do
single sign on. And if they have an API
webhook or, you know, something along those lines or SCIM,
something that is allowing you to automate the onboarding and
offboarding, so much the better. It should be a high priority to actually
(10:05):
bring that particular tool on. All of that combined kinda makes a better
user experience anyways. So that would be my quick
win is put it behind single sign on. Oh, definitely.
And when you're talking about a better user experience just as an
end user myself, like, I absolutely know that I
prefer to be able to go to my single dashboard and be able
(10:27):
to click on an app and automatically log in that way, having
to memorize different passwords or, like, utilize
a bunch of different logins. I mean, we're getting into a whole other security element
in that way as well. So it just makes the most sense for a lot
of reasons to have SSO implemented. I think this
is so important. I've realized how
(10:49):
valuable that can be, not only for people
that are working with you, whether it's employees or contractors, but even for
yourself to not have to know passwords, to not
have that piece of paper or notebook that you think is hidden in your
desk and no one will find and it has all your passwords written on it,
that's a big piece of security right there just to not have to
(11:11):
worry about that. Oh, 100%. Yeah. It's much easier to remember
just that one thing, that one password to get into that one thing and
have everything that you need right there at hand.
It also creates, not that we're talking about you know, we're talking
more about offboarding, but for onboarding, when you have somebody that's
a new hire, then they can sign in on their first day
(11:34):
and have access to everything all from the
beginning, that's just a much better experience all around.
Yeah. And back on the offboarding portion of it too, when we're talking
about automation versus manual, I mean, of course, ideally,
you're mostly having, like, an offboarding experience
where it's mutually beneficial or you're parting on good terms, but
(11:56):
that's not always going to be the case. So if there are times when you
need to be able to cut access immediately or in a very quick
turnaround time, automation is key to that because
otherwise, you're having to go through and manually go through quickly.
And if you're having a potentially malicious
offboarder who is departing, that could be enough time for them to come in
(12:18):
and do whatever they wanna do to harm the systems.
Oh, yeah. 100%. Plus, you have to try to prioritize, you
know, what is the most likely thing that they may try to target
and try to be ahead of them of that. Right? You know, is it more
important for them to get into mail so that they can, you know, send out
an email from their business email address that disparages the
(12:40):
company? Or, you know, is it going into your infrastructure
and trying to do some sort of destruction there or something along those
lines? And you have to try to figure out which one of those that they're
gonna try to do and try to get there before them. Automation's much
better than that. Megan has given us our first hint on
how these topics will all thread together because
(13:01):
this offboarding, when someone departs,
if it's a malicious actor, the ability to just turn it off
immediately is a huge benefit. Well, we've talked about all the
good things about streamlining, making it easier,
but I'm sure there's some challenges in it. If you haven't
streamlined your organization yet, what are some of the challenges
(13:24):
in getting there? The biggest challenges that you're gonna see are those
one off things that are in your environment. So kind of the advice
here is gonna be generalized because it's gonna be unique to
your environment, but you're gonna wanna prioritize kind of
automation for systems where you
can. Just to give an idea, let's say that you have
(13:46):
an Internet of Things device in your environment, a hospital, and
you have a little device that somebody, your patient, carries around or
something like that, and, you know, you have somebody that's leaving that had
access to that data, they may have direct access to it. There may be a
direct authentication there. So you're gonna have to think about how to deal with that,
or maybe it's in a portal. Maybe it's, you know, where you can
(14:08):
put that behind SSO, and maybe they have an API where you can
automate the removal of that, either if it's on device or in the
portal. But those type of things you'll need to think about because it probably isn't
something that is protected, you know, kind of largely, but you have to
think about that part. And then things like your own custom apps.
You know, maybe your organization built something for a purpose, you
(14:31):
know, scheduling app or something like that, but nobody else is using. And
that's another one you have to kind of think about, and you want to prioritize
some sort of method to automate removal of that or legacy
apps. You know, you bought something from a company that maybe
they're no longer around or maybe they don't support this tool anymore. They don't
update it or anything like that. Those are gonna be the toughest
(14:53):
thing to kind of automate. Now there may not be any support for
it, but you just have to do what you can. Automate as much as you
can of those, but those are definitely the challenges. Those things that are not standard.
Yeah. And then I also view as a challenge it's like
the more you have that is not streamlined or automated, the
more of a challenge it's going to be. So the earlier you can get in
(15:13):
on this process I mean, and don't worry if you're already further down that line
and you're thinking, okay, well, I wanna do this now. But if possible,
it's good to start early on in the organization. So if you
get in there and you have this organization and you're just
already at the very beginning starting an automation and streamlining
process, your job is going to be so much easier because then you're setting yourself
(15:36):
up for success down the road. So I think thinking in, like,
a future mindset to think like, okay, this might not be an issue with these
two apps that we have now. But as we're building and growing and getting
more and more applications that we need to have access to, it's going to
become a challenge. So having this mentality of understanding what your
future will look like is going to set yourself up for success. Oh,
(15:58):
yeah. 100%. When I first started at Redox, there was no
automation. So building it was I was at
that standpoint. I know exactly what you're talking about, that fear of, oh, I
have to do this. It's such a long road. But like anything
else, do it one step at a time. Do it one bit by bit, one
application by application. You know, get them all into
(16:21):
your SSO and get them all automated as much as you can
throughout time. Just make it easier on yourself over time. Well, yeah. And
like you said, even at Redox, we're it's still a continuous
process. I mean, we're always looking to make it better. So
it will be a continuous process for the entire life of the company.
Definitely. We've had a good conversation about
(16:43):
the final departure and streamlining and why
that benefits final departure. One thing we did not really touch on,
though, and perhaps this is the part of the
conversation to raise the alarm to show how important
this is. Give us a glimpse of what can
happen if you don't pay attention to the final,
(17:04):
like, log off and make sure the departures are
streamlined and secure. Yeah. So ignoring
for a second the compliance part of it, health care being
a heavily regulated industry, we all know that you have to meet
certain deadlines when it comes to that function.
But just taking that out for a second, we talked a little bit
(17:27):
about somebody who is malicious and because we're,
you know, because we're letting them go and they may want to do something on
the systems that you have. But it goes even beyond that. Even
somebody that's leaving on good terms, if you leave that access there,
they may get a wild idea and maybe they'll try to log in again
at some point in the future. And they may if they still have access to
(17:49):
that, then you're basically exposing that sensitive
data to somebody who no longer has really a
right to see that. So you're putting your organization
and that data at risk by not
streamlining it and taking all of that access as quickly as you
can away. Well, yeah. And like you said, it doesn't have to
(18:11):
be someone necessarily intending to be malicious. I mean, people are
curious by nature. So say you left this company a couple
years ago, but you still have access to their entire Google Drive. You might
be like, oh, well, I'm curious about what's going on in the company right
now. And then files might get downloaded. They might share stuff with their friends
because it's interesting to them. People are just curious by nature. So
(18:34):
it's better to have those technical controls in place than to just
rely on it not going into the wrong hands at a certain
point. Yeah. Definitely. And then, you know, from a
compliance standpoint, we talked about being heavily regulated. You know,
HITRUST requires, as an example, a compliance
framework. HITRUST requires that somebody is
(18:55):
offboarded within a, you know, a reasonable period of time.
They're looking at, like, you know, twenty four hours. If you have a lot
of applications, which Redox is
a company that is like this, as Megan knows, it takes a
long time to do that manually. So we have to do automation even
to meet that compliance. So it may be something
(19:18):
more even that you're taking a risk of not being compliant by
not doing it. Well, Megan, you did touch on a good point
that maybe not everybody's a bad actor. People
are just curious. And if they realize they still have
access, who knows? Just they might look just to see.
I wonder what Bill is up to. We used to work together.
(19:40):
And I just love this idea of streamlining, doing
things the same way every time. There's nothing to worry about. An
employee leaves, and you know we've got our process down.
Everything's taken care of. Where if you don't do it this way, you're always gonna
wonder. And I'm gonna share an example that is
not data or health care related, but I'm gonna assume you're
(20:03):
not gonna share this episode with my wife. When I come home,
I put my keys and my wallet in the exact same place every
time. And then when I go to leave, they are exactly where they should
be. And when my wife goes to leave, she has to spend the next
twenty minutes looking for her sunglasses, phone, and keys. And this is
the same way. I have a streamlined process, and she does
(20:25):
not. And I can leave quicker than she can. It's very similar
to that. Yep. Exactly. And it takes the stress out of it as well. Like,
you're not stressed, I'm sure. As you're going out the door, you know exactly what
you need to grab. Exactly. I know what I need to grab, and I know
exactly where it will be. Well, this has been a great conversation.
It was wonderful to have you with us, Bill. And you can
(20:47):
join us next episode as we discuss more security
challenges impacting health care and practical ways to address
them. Before we go, Bill and Megan, do you have anything
else you'd like to say? Thank you for having me. It was a good
conversation. If you have any questions or anything like that, feel free to reach out
to us. We'll be happy to help. Yeah. We will have, as
(21:09):
always, a link in the show notes showing a
form that you can fill out for any questions or topic ideas. We do
have a lot of ideas, but we also love to hear from everyone else to
hear what is interesting. And don't forget to lock the back door.