1 | | -// Placeholder for Manage Access Lifecycle |
| 1 | +--- |
| 2 | +page_title: Manage account access lifecycle |
| 3 | +description: Create a plan to manage the lifecycle of user accounts and their access permissions. |
| 4 | +--- |
| 5 | + |
| 6 | +# Manage account access lifecycle |
| 7 | + |
| 8 | +Ensuring users and services have the appropriate access to systems and data is a |
| 9 | +continuous process. Managing the access lifecycle involves regularly reviewing |
| 10 | +and updating access permissions, as well as deprovisioning access when it is no |
| 11 | +longer needed. Properly managing the access lifecycle helps support a secure |
| 12 | +environment and reduces the risk of unauthorized access. |
| 13 | + |
| 14 | +## What is access lifecycle management |
| 15 | + |
| 16 | +Access lifecycle management is the process of managing user accounts and their |
| 17 | +access permissions throughout their lifecycle, from creation to deprovisioning. |
| 18 | +This includes onboarding new users, modifying access as roles change, and |
| 19 | +removing access when it is no longer needed. |
| 20 | + |
| 21 | +## Why manage access lifecycle |
| 22 | + |
| 23 | +Failing to manage identity and access for users and services can lead to |
| 24 | +incidents, whether malicious or accidental. For example, if a user leaves the |
| 25 | +organization or changes roles, and their account is not deprovisioned, they may |
| 26 | +still have access to systems and data they are not authorized to access. |
| 27 | + |
| 28 | +A publishing company in the 2000's let go of one of their system |
| 29 | +administrators, but failed to deprovision their account in an email system that |
| 30 | +was not centrally managed. The former employee logged in, and forwarded |
| 31 | +thousands of spam emails to employees, causing a significant disruption |
| 32 | +to their day. By properly managing accounts from creation, through |
| 33 | +deletion, you can avoid incidents caused by unauthorized access. |
| 34 | + |
| 35 | +By [centralizing identity |
| 36 | +management](/well-architected-framework/secure-systems/identity-access-management/centralize-identity-management), |
| 37 | +you can streamline the access lifecycle for provisioning and deprovisioning |
| 38 | +users. This allows you to update group membership, reset passwords, or |
| 39 | +deprovision accounts when they are no longer needed. |
| 40 | + |
| 41 | +When you combine centralized identity management with [dynamic |
| 42 | +credentials](/well-architected-framework/secure-systems/identity-access-management/use-dynamic-credentials), |
| 43 | +you further limit the attack surface by reducing the number of long-lived |
| 44 | +credentials that you need to manage. |
| 45 | + |
| 46 | +NIST SP 800-53 outlines the account management process in detail, including |
| 47 | +the following key activities: |
| 48 | + |
| 49 | +- Account creation and provisioning |
| 50 | +- Account modification and review |
| 51 | +- Account deprovisioning and removal |
| 52 | +- Access reviews and audits |
| 53 | + |
| 54 | +Following these practices helps you properly manage accounts and ensure only |
| 55 | +those users and services that require access to a system have access. |
| 56 | + |
| 57 | +HashiCorp resources: |
| 58 | + |
| 59 | +- [Understand static and dynamic secrets](/vault/tutorials/get-started/understand-static-dynamic-secrets) |
| 60 | +- [Use Vault-backed dynamic secrets in HCP Terraform](/terraform/cloud-docs/workspaces/dynamic-provider-credentials/vault-backed) |
| 61 | +- [Connect to Kubernetes using Vault and Boundary](/boundary/tutorials/kubernetes-connect/kubernetes-getting-started-intro) |
| 62 | +- [HCP Boundary Vault credential brokering quickstart](/boundary/tutorials/credential-management/hcp-vault-cred-brokering-quickstart) |
| 63 | +- [SSH certificate injection with HCP Boundary and Vault](/boundary/tutorials/credential-management/hcp-certificate-injection) |
| 64 | + |
| 65 | +External resources: |
| 66 | + |
| 67 | +- [NIST SP 800-53 Security and Privacy Controls for Information Systems](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) |
| 68 | + |
| 69 | +## Next steps |
| 70 | + |
| 71 | +Following these documents in order ensures a logical progression through the key |
| 72 | +concepts and best practices, helping you build a strong foundation to build your |
| 73 | +identity and access management program. |
| 74 | + |
| 75 | +- [Define access requirements](/well-architected-framework/secure-systems/identity-access-management/define-access-requirements) |
| 76 | +- [Grant least privilege](/well-architected-framework/secure-systems/identity-access-management/grant-least-privilege) |
| 77 | +- [Create permissions and guardrails](/well-architected-framework/secure-systems/identity-access-management/create-permissions-guardrails) |
| 78 | +- [Centralize identity management](/well-architected-framework/secure-systems/identity-access-management/centralize-identity-management) |
| 79 | +- [Implement strong sign-in workflows](/well-architected-framework/secure-systems/identity-access-management/implement-strong-sign-in-workflows) |
| 80 | +- [Use dynamic credentials](/well-architected-framework/secure-systems/identity-access-management/use-dynamic-credentials) |
| 81 | +- **Manage access lifecycle (this document)** |
| 82 | + |
| 83 | +In this section of **Identity and access management** you learned why its |
| 84 | +important to manage the full lifecycle of user accounts and permissions. |
| 85 | +Identity and access management is part of the [Secure |
| 86 | +systems](/well-architected-framework/secure-systems) pillar. |
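Review bot: "why its important" on line 83 should read "why it's important", and "2000's" on line 28 should be "2000s"; "from creation, through deletion" on lines 32-33 does not need the comma. More substantively, the publishing-company incident on lines 28-33 is stated as fact with no source; either cite it or introduce it as an illustrative scenario so readers do not treat it as a documented case. The four bullets on lines 49-52 are attributed to NIST SP 800-53 but are a paraphrase rather than the standard's wording; pointing to the specific control (AC-2, Account Management) next to the existing link on line 67 would make the citation verifiable. Finally, the page defines the lifecycle (lines 16-19) and motivates it, but never shows a concrete step; a short deprovisioning checklist for a departing user (revoke active sessions and any dynamic-credential leases, remove group memberships in the central identity provider, then disable the account) placed before the "HashiCorp resources" list on line 57 would connect the centralized identity and dynamic credentials paragraphs (lines 35-44) to something a reader can act on.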