🛡️ SOC 2 CC6.2 (medium)

User Access Provisioning

Description

The entity registers and authorizes new users. Access credentials are provisioned and changes are authorized.

⚠️ Risk Impact

Poor user provisioning leads to orphaned accounts and unauthorized access.

🔧 Remediation

Implement identity lifecycle management with automated provisioning and deprovisioning.

💀 Real-World Attack Scenario

A terminated employee's cloud accounts were not deprovisioned for 45 days after their last day. During that window, the former employee accessed the company's CRM system and downloaded the entire customer database, including contacts and deal history, and shared it with their new employer.

💰 Cost of Non-Compliance

Average cost of insider-threat data theft: $756K per incident. Orphaned accounts are found in 60% of SOC 2 audits. Remediation and re-audit cost: $150K-$300K.

📋 Audit Questions

  1. What is your new user provisioning process?
  2. How quickly are accounts deprovisioned after termination?
  3. Show evidence of quarterly access reviews.
  4. Are access changes documented and approved?

🎯 MITRE ATT&CK Mapping

T1078 — Valid Accounts
T1136 — Create Account

⚡ Common Pitfalls

  • Deprovisioning only the primary account but not cloud provider IAM, CI/CD, and SaaS tool access
  • Not automating deprovisioning through SCIM/JIT provisioning
  • Access reviews that check existence but not permission levels
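The three pitfalls above share one root cause: the review looks at a single directory and only asks "does the account exist?". The following script is an added example (not EchelonGraph's code, and not from the original page) of what a cross-system access review should do instead: reconcile an HR roster against the account inventories of every system (SSO, cloud IAM, CI/CD, SaaS), flag accounts that survive termination, and compare each active user's privilege level against a per-role baseline. The roster, inventories, role baseline and privilege ranking are all constructed sample data.

```python
"""Cross-system access review: orphaned accounts and excess privilege.

Added example with constructed data; it reads no real HR or identity system.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: employment status, termination date, and job role.
HR_ROSTER = {
    "alice": {"status": "active", "terminated_on": None, "role": "developer"},
    "bob": {"status": "terminated", "terminated_on": date(2024, 3, 1), "role": "sales"},
    "carol": {"status": "active", "terminated_on": None, "role": "analyst"},
}

# Constructed per-system inventories: user -> privilege level granted there.
# Note that bob was removed from SSO but still exists everywhere else.
SYSTEM_INVENTORIES = {
    "sso": {"alice": "user", "carol": "user"},
    "aws_iam": {"alice": "PowerUser", "bob": "AdministratorAccess"},
    "ci_cd": {"alice": "maintainer", "bob": "maintainer"},
    "crm": {"bob": "admin", "carol": "admin"},
}

# Constructed baseline: the highest level each role is entitled to per system.
# A system missing from a role's entry means the role needs no account there.
ROLE_BASELINE = {
    "developer": {"sso": "user", "aws_iam": "PowerUser", "ci_cd": "maintainer"},
    "analyst": {"sso": "user", "crm": "read_only"},
    "sales": {"sso": "user", "crm": "user"},
}

# Constructed ordering so levels from different systems can be compared.
PRIVILEGE_RANK = {
    "read_only": 0, "user": 1, "maintainer": 2, "PowerUser": 2,
    "admin": 3, "AdministratorAccess": 3,
}

AS_OF = date(2024, 4, 15)  # review date used by the stand-alone run below


@dataclass(frozen=True)
class Finding:
    system: str
    user: str
    kind: str    # "orphaned", "unknown_user" or "excess_privilege"
    detail: str


def review(roster, inventories, baseline, as_of):
    """Return findings grouped by kind for every account in every system."""
    findings = {"orphaned": [], "unknown_user": [], "excess_privilege": []}
    for system, accounts in inventories.items():
        for user, level in accounts.items():
            record = roster.get(user)
            if record is None:
                # Account with no HR identity at all (service account or stale user).
                findings["unknown_user"].append(
                    Finding(system, user, "unknown_user", f"no HR record; level={level}"))
            elif record["status"] == "terminated":
                # Existence check: the account outlived the employment.
                days = (as_of - record["terminated_on"]).days
                findings["orphaned"].append(Finding(
                    system, user, "orphaned",
                    f"terminated {days} days ago; level={level}"))
            else:
                # Permission-level check: compare granted level to role baseline.
                allowed = baseline.get(record["role"], {}).get(system)
                if allowed is None:
                    detail = f"role {record['role']} has no entitlement; level={level}"
                    findings["excess_privilege"].append(
                        Finding(system, user, "excess_privilege", detail))
                elif PRIVILEGE_RANK[level] > PRIVILEGE_RANK[allowed]:
                    detail = f"granted {level}, baseline allows {allowed}"
                    findings["excess_privilege"].append(
                        Finding(system, user, "excess_privilege", detail))
    return findings


if __name__ == "__main__":
    for kind, items in review(HR_ROSTER, SYSTEM_INVENTORIES, ROLE_BASELINE, AS_OF).items():
        for f in items:
            print(f"[{kind}] {f.system}/{f.user}: {f.detail}")
```

Run as-is, the review reports bob as orphaned in AWS IAM, CI/CD and the CRM (45 days after termination, matching the scenario above) even though he no longer appears in SSO, and reports carol's CRM admin grant as exceeding the analyst baseline, which an existence-only review would never surface.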

📈 Business Value

Automated provisioning/deprovisioning reduces insider threat risk and demonstrates governance maturity to auditors. It directly reduces SOC 2 audit findings.

⏱️ Effort Estimate

Manual

2-4 hours per employee for manual onboarding/offboarding

With EchelonGraph

EchelonGraph detects orphaned cloud accounts and tracks access lifecycle

🔗 Cross-Framework References

ISO27001-A.9.2.1
NIST-AC-2

Automate SOC 2 CC6.2 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
