Security Manager's Journal: Massive layoff is a security issue

Computerworld - It's been a rough week. Today, my company announced a 15% cut in its workforce, or about 1,000 employees.

Naturally, I knew this well before today. Layoffs are never easy, and it can be agonizing to come into contact with co-workers -- some of them friends -- and say nothing, despite knowing that they will lose their jobs in a few days. But as the security officer, I needed to be privy to the list ahead of time because I had to take steps to ensure continued security.

My first task was to identify any layoff candidates who represented single points of failure, meaning they were the only employees who could perform a particular critical job function. Single points of failure, human or otherwise, are a bad idea. But it happens, and it's better to recognize them in advance than to realize your mistake after they've left the company.

I was also expected to identify employees who could pose a danger to themselves, others or company resources. This isn't really something that involves information security, but the "security" label in my title has drawn me into some areas related to physical security.

Finally, I had to secure our intellectual property. While some employees were asked to stay for one to three months, many were told to leave immediately. Those employees' accounts had to be terminated as quickly as possible. For example, many of them were service technicians, and we couldn't risk letting any of them retain access to the network and our highly valuable service documentation.

Ahead of the notification, I briefed my security engineers about the pending action and had them pay more attention than usual to our intrusion-detection sensors. Currently, our sensors are positioned to watch traffic running from the Internet to our DMZ and the data center. I wanted to watch for denial-of-service attacks and attempts to gain unauthorized access to our critical systems. I also had some extra rules put in place for our data-leak prevention infrastructure to watch for all PDF files, source code and CAD documents leaving the company, since these three file types represent a large portion of our valuable intellectual property.

Scaling Up

We've done this sort of thing before, but never on this scale, and it was a challenge to terminate hundreds of accounts in a very short period of time while minimizing the number of people who would know about the layoffs in advance.

Since we don't have a robust identity management tool, several interfaces must be used to remove access. The most important deactivation is the domain account, since many of our critical business systems are configured with single sign-on. Other systems, such as our SecureID servers, BlackBerry Enterprise Servers and remote access, couldn't be tackled ahead of time. And because we were laying off some network engineers, we had to remove access to resources such as routers, switches and telephony systems that are managed independently of the single sign-on environment, and we had to change all administrative passwords. Some of this was handled in advance by using scripts that kicked in after the notification was announced, but scripts don't always work as anticipated.

Notification day is drawing to a close, and so far we have seen a few sensitive documents being sent to Yahoo addresses -- events that I have started to investigate. Otherwise, everything has been quiet, with all the scripts and account terminations working well. My next task is to figure out how to do more with less, which I'll discuss in my next column.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Read more about Security in Computerworld's Security Topic Center.