PoS - Proceedings of Science
Volume 270 - International Symposium on Grids and Clouds (ISGC) 2016 (ISGC 2016) - Networking, Security, Infrastructure & Operations
Importance of User Deprovisioning from Services
S. Licehammer* and M. Prochazka
Published on: January 11, 2017
Abstract
Every service uses an authorization process to determine the access rights of
individuals. Many services make authorization decisions only during the authentication process,
and the information about access rights obtained through that process is valid for the whole session. The
other common approach is to run the authorization process for each single request from the
user.
Both of these approaches are commonly used and they are sufficient for most
services.
However, there are services that enable users to work with persistent resources.
Examples of such services are cloud infrastructures, which enable users to start virtual
machines or use data storage for storing large amounts of data. Apart from the aforementioned
authorization done whilst the user is interacting with the service, there is a need to know that the
user is still authorized to use the resources, even though the user is not interacting with the service.
Such knowledge enables services to free the persistent resources which were occupied by the
user who is no longer authorized.
Deprovisioning is the process which enables a service to know about users who are
no longer authorized. It is the opposite of the well-known provisioning process, which is
used in cases where the services need to know the users in advance of their first usage of
the service.
In this paper we describe the importance of the deprovisioning process based on
real use-cases and services. Moreover, we will focus on possible options to implement
deprovisioning in existing infrastructures. Last but not least, we will describe similarities
between a standard deprovisioning process and the suspension of users on services due to security
incidents. Based on those similarities, we will demonstrate on a real system how to utilize the
deprovisioning process to automate mitigation of security incidents.
DOI: https://doi.org/10.22323/1.270.0016
Open Access
Copyright owned by the author(s) under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.