What happens when a company forgets to revoke access after firing an employee?
In one case in Singapore, a former employee accessed the company’s test system and deleted 180 virtual servers, causing losses of nearly S$918,000 ($720,000 USD).

This is an unfortunate outcome of a poorly managed joiner-mover-leaver process.
So, what is Joiner-Mover-Leaver (JML)?
The Joiner-Mover-Leaver (JML) lifecycle is the framework that governs how a user's access is managed throughout their time in an organisation, from the day they join to the day they leave.
The goal is simple: to ensure users have the access they need to do their job – nothing more, nothing less. JML can be broken down into three stages: joiners, movers and leavers.
Joiner
This is the first stage of the JML lifecycle. It is part of onboarding and involves setting up a new user with the access they need to do their work once they join an organisation.
The joiner process begins when HR enters a new user in the system and should typically end on day one once the user gains both birthright and role-based access. Essentially, the joiner process ensures that a new hire is up and running as fast as possible.
Mover
This is the second stage of the JML lifecycle. It deals with updating the access rights of existing employees in the event of a role change. When a role change occurs, a user should be granted the access they need to carry out their new job function while also removing access that they no longer need.
This is the most complicated stage to manage. If old access is not properly deprovisioned, it leads to privilege creep, where users accumulate more access than they need. To combat privilege creep, organisations should implement periodic Access Reviews in the mover phase to ensure old permissions are stripped away.
Leaver
This is the third and final stage of the JML lifecycle. All access to company resources is removed from a user once they stop working for an organisation. The leaver process should be swift.
This ensures that the user can no longer act on behalf of the company or access proprietary information after they leave. It also prevents malicious activity by disgruntled former employees, as in the Singapore case mentioned earlier.
JML Automation
As you can imagine, managing the JML lifecycle can be quite overwhelming, especially when dealing with a large number of users. That is where automation comes in. JML can be automated using a variety of tools available in the market. The magic happens when you integrate HR systems with identity providers.
The HR system is used as the master source that guides the actions of the identity provider. For example, when a new user joins an organisation, HR adds their details to the HR system, which triggers the identity management system to assign birthright access to the new user automatically. This kind of integration makes the JML lifecycle easier to manage.
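The HR-driven integration described above can be sketched as a reconciliation pass that compares HR records with identity provider accounts and emits the joiner, mover and leaver actions. This is an added example, not code from any HR or identity product; the role map, birthright set, user names and action names are constructed assumptions.

```python
# Added example: every name and value below is a constructed assumption.
BIRTHRIGHT = {"email", "intranet"}  # access every active user receives
ROLE_ACCESS = {"engineer": {"git", "test-env"}, "finance": {"ledger"}}

def desired_access(hr_record):
    """Access a user should hold according to the HR master record."""
    if hr_record["status"] != "active":
        return set()
    return BIRTHRIGHT | ROLE_ACCESS.get(hr_record["role"], set())

def reconcile(hr_records, idp_accounts):
    """Return ordered (action, user, entitlement) tuples that align the IdP with HR."""
    actions = []
    for user in sorted(set(hr_records) | set(idp_accounts)):
        hr = hr_records.get(user)
        acct = idp_accounts.get(user, {"enabled": False, "access": set()})
        want = desired_access(hr) if hr else set()
        # Leaver, or orphan account unknown to HR: disable first, then strip access.
        if not want:
            if acct["enabled"]:
                actions.append(("disable", user, None))
            for ent in sorted(acct["access"]):
                actions.append(("revoke", user, ent))
            continue
        # Joiner: no enabled account exists yet.
        if not acct["enabled"]:
            actions.append(("provision", user, None))
        # Mover: remove what the current role no longer justifies (privilege
        # creep), then grant what is missing.
        for ent in sorted(acct["access"] - want):
            actions.append(("revoke", user, ent))
        for ent in sorted(want - acct["access"]):
            actions.append(("grant", user, ent))
    return actions

# Constructed sample data
HR = {
    "alice": {"status": "active", "role": "engineer"},      # joiner
    "bob": {"status": "active", "role": "finance"},         # moved from engineering
    "carol": {"status": "terminated", "role": "engineer"},  # leaver
}
IDP = {
    "bob": {"enabled": True, "access": {"email", "intranet", "git", "test-env"}},
    "carol": {"enabled": True, "access": {"email", "test-env"}},
    "dave": {"enabled": True, "access": {"email"}},          # orphan: not in HR
}

if __name__ == "__main__":
    for action in reconcile(HR, IDP):
        print(action)
```

Running the same pass on a schedule also surfaces drift between HR events, such as the orphan account above that no HR trigger would ever catch.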
All in all, the JML lifecycle guides the seamless implementation of Identity and Access Management in an organisation. It is crucial to understand each phase in order to create a seamless user experience.
Does your organisation automate its JML process, or is it still a manual HR-to-IT handoff?
