As the holiday season approaches many retailers are creatively leveraging the gig economy to help increase seasonal staff to accommodate the increased demand for both in store and online sales.
Since most data breaches start with a compromised identity, it is important organizations have a simple way to onboard and offboard this surge in new employees so that it isn’t complicated and cause unnecessary risk and costs.
The seasonal workforce must be able to access the systems and data they need to ensure a successful holiday season, but also ensure their access is controlled, limited only to what they need, and can be deprovisioned or adjusted immediately following the season.
Here is a quick checklist to control your identity naughty or nice list as you ramp up staff for the season:
1. Have an Identity Lifecycle Management plan – remember, with a transient workforce, it’s important to manage the identity lifecycle from when someone joins until they leave. And it needs to be simple so you can quickly onboard a new hire and revoke their privileges after the peak surge.
2. Understand what access you want to grant to these temporary employees.
3. Create an access governance plan which puts rules/policies in place to ensure the right people have the right access. There are three types of policies that are most relevant to retail.
- Joiner, Mover & Leaver policies: These policies help manage the identity lifecycle– they prompt an access request when someone joins and access reviews when someone moves and leaves.
- Time based: To help manage a transient workforce and seasonal workers, time based policies are beneficial because it allows you to give someone access for a finite period of time and to set access reviews to occur on a regular cadence.
- Segregation of Duties: Makes sure that there are no toxic combinations and flags it in the system. For example, you can’t submit and approve an expense report.
4. Role Management - since there will be different types users which fall into a small number of roles such as corporate users, in-store, contractors - create the roles upfront so that the management of the different types of users will be that much easier. For example, temporary call center users may need to have access to customer data where hourly register workers may need access to input their time cards and to the right POS system.
5. Schedule Regular Access Reviews to Remain Audit Compliant- Auditors want to know who has access to what– and regular access reviews keep you audit compliant.
Now that you have the steps, let’s walk through how this would look in practice.
If your organization hires Alice as a cashier during the holiday peak season and you convert her to full time afterwards, it is important to have flexibility in your identity lifecycle management plan.
When Alice joins the organization, she needs to be quickly onboarded. The first step is to provide her with the right access – so an access request happens. Then, her manager can leverage preset roles with the proper entitlements.
She’s been doing a great job for the past 3 months and is promoted to a new role as head cashier. This should prompt a review to make sure she has the right access to do her new job and remove entitlements she won’t need.
Several months later Alice decides to leave. This should prompt another access review where her manager will review and revoke Alice’s access. The review and revocation of access needs to happen quickly so that she no longer has access to company systems. If there is too long of a wait revoking access, the company will be vulnerable with orphaned accounts. Orphaned accounts are accounts that no one manages. A criminal or a disgruntled employee can get into the organization through these accounts.
# # #
Learn how the approaches noted above not only work for peak holiday season staffing, but can simplify your Identity lifecycle and governance strategy all year long.
Author: Angel Grant, CISSP
Category: RSA Point of View, Blog Post
Keywords: Access Governance, Identity Governance and Access, Identity & Access Management, IAM