Episode 68 — Design Joiners-Movers-Leavers Provisioning and Deprovisioning That Prevents Orphan Access

This episode explains how to architect joiners-movers-leavers processes so access changes keep pace with real organizational change, which ISSAP often tests by presenting scenarios where stale entitlements create quiet, long-lived risk. You’ll learn how provisioning and deprovisioning should work across HR systems, identity directories, applications, and infrastructure, then translate that into architecture requirements for authoritative sources, automated workflows, approval gates, and periodic recertification. We’ll cover practical examples like immediate access revocation on termination, role-based provisioning for common job functions, time-bound access for contractors, and handling movers who retain old access because no one owns the cleanup. Troubleshooting considerations include delayed HR feeds that leave accounts active, manual tickets that never close, exceptions for “critical” users that become permanent, and service accounts that outlive their owners, so your identity architecture reduces orphan access and provides defensible evidence of lifecycle control during audits and incident reviews.

Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.
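An added example, not taken from the episode or from BareMetalCyber: a reconciliation check covering the orphan-access cases the description names (a leaver whose account is still enabled, a mover who kept old entitlements, a contractor past the end date, a service account that outlived its owner). The HR records, role baseline, account names and field names are constructed assumptions, with the HR feed treated as the authoritative source.

```python
from datetime import date

# Constructed HR feed (authoritative source); ids and fields are assumptions.
HR = {
    "e100": {"status": "active", "role": "finance-analyst", "end_date": None},
    "e101": {"status": "terminated", "role": "engineer", "end_date": date(2024, 5, 1)},
    "e102": {"status": "active", "role": "support", "end_date": None},  # moved from engineer
    "c200": {"status": "active", "role": "contractor-dev", "end_date": date(2024, 4, 30)},
}
# Hypothetical role baseline used for role-based provisioning.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "email"},
    "engineer": {"git-write", "prod-ssh", "email"},
    "support": {"ticketing", "email"},
    "contractor-dev": {"git-write", "email"},
}
# Constructed directory export; "owner" is the HR id of the person or service owner.
ACCOUNTS = [
    {"id": "alice", "type": "user", "owner": "e100", "enabled": True, "entitlements": {"erp-read", "email"}},
    {"id": "bob", "type": "user", "owner": "e101", "enabled": True, "entitlements": {"git-write", "email"}},
    {"id": "carol", "type": "user", "owner": "e102", "enabled": True, "entitlements": {"ticketing", "email", "prod-ssh"}},
    {"id": "dave", "type": "user", "owner": "c200", "enabled": True, "entitlements": {"git-write", "email"}},
    {"id": "svc-backup", "type": "service", "owner": "e101", "enabled": True, "entitlements": {"prod-ssh"}},
]

def find_orphan_access(hr, roles, accounts, today):
    """Return (account_id, finding, detail) for enabled accounts HR no longer justifies."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned
        person = hr.get(acct["owner"])
        if person is None or person["status"] != "active":
            kind = "service-owner-gone" if acct["type"] == "service" else "no-active-hr-record"
            findings.append((acct["id"], kind, []))
            continue
        if acct["type"] == "service":
            continue  # service entitlements are not derived from the owner's role
        if person["end_date"] and person["end_date"] < today:
            findings.append((acct["id"], "time-bound-access-expired", [person["end_date"].isoformat()]))
        extra = acct["entitlements"] - roles[person["role"]]
        if extra:  # typical mover residue: entitlements from a previous role
            findings.append((acct["id"], "excess-entitlements", sorted(extra)))
    return findings

if __name__ == "__main__":
    for finding in find_orphan_access(HR, ROLE_ENTITLEMENTS, ACCOUNTS, date(2024, 5, 15)):
        print(finding)
```

Run on a schedule against the real HR and directory exports, the output of a check like this doubles as recertification evidence; an empty result still says nothing if the HR feed itself is late.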