Deprovisioning is the act of removing access from and freeing up resources reserved by end users and their file transfer workflows. Rapid removal of access upon termination or end of contract is key to any organisation. Freeing up of related resources (such as disk space, certificates, ports, etc.) is also important, but often follows removal of access by a day or more (especially when overnight processes are used to free up resources).
The act of deprovisioning should always be audited, and the audit information should include the identity of the person who authorised the act and any technical actions the system took to deprovision the user.
Most file transfer servers today allow administrators to chain up to Active Directory (AD), LDAP, RADIUS or other external authentication sources to allow centralised management (and thus deprovisioning) of authentication and access.
“Rollback” of deprovisioned users is a competitive differentiator across different file transfer servers, and varies widely from “just restore credentials”, through “also restore access” and on to “also restore files and workflows”.
BEST PRACTICE: Whenever possible, implementers of file transfer technology should use an external authentication source to control access and privileges of end users. When an external authentication source is used to control authentication in this manner, deprovisioning on the file transfer server occurs at the moment the user is disabled or deleted on the central authentication server.
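The flow described above (access removed at once, resources freed later by an overnight job, every step audited with the authoriser's identity, and a rollback in between respected) is sketched here as an added example; it is not code from any file transfer product. `Account`, `deprovision`, `run_cleanup` and the in-memory audit log are hypothetical names, and the resource strings used with it are constructed.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Account:  # hypothetical model of a file transfer user
    username: str
    enabled: bool = True
    resources: list = field(default_factory=list)  # e.g. home dir, certificate, port

audit_log = []      # in-memory audit trail (a real system would use append-only storage)
cleanup_queue = []  # resources waiting for the overnight cleanup job

def _audit(event, username, authorised_by, actions):
    """Record who authorised the act and every technical action taken."""
    record = {"time": datetime.now(timezone.utc).isoformat(), "event": event,
              "user": username, "authorised_by": authorised_by, "actions": actions}
    audit_log.append(json.dumps(record, sort_keys=True))
    return record

def deprovision(account, authorised_by):
    """Phase 1: remove access immediately and queue resources for later release."""
    if not authorised_by:
        raise ValueError("deprovisioning requires a named authoriser")
    actions = []
    if account.enabled:
        account.enabled = False
        actions.append("access disabled")
    for res in account.resources:
        cleanup_queue.append((account.username, res))
        actions.append(f"queued for release: {res}")
    return _audit("deprovision", account.username, authorised_by, actions)

def run_cleanup(accounts, authorised_by="overnight-cleanup-job"):
    """Phase 2: free queued resources, skipping accounts rolled back since queueing."""
    released = []
    while cleanup_queue:
        username, res = cleanup_queue.pop(0)
        acct = accounts[username]
        if acct.enabled:  # access was restored: keep the files and certificates
            _audit("cleanup-skipped", username, authorised_by, [f"kept: {res}"])
            continue
        acct.resources.remove(res)
        released.append((username, res))
        _audit("cleanup", username, authorised_by, [f"released: {res}"])
    return released
```

Because resources are only released in the second phase, a rollback before the cleanup job runs can restore files and workflows as well as credentials.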
See also “provisioning”.