Periodic User Cleanup & Deletion

Use Apono's periodic user cleanup to delete inactive users for security and compliance purposes

Intro

Many compliance and regulation standards require that inactive users be deleted periodically, often quarterly (every 90 days) or at shorter intervals.

📘

Common compliance and regulation standards: user deletion

ISO 27001, SOX, NIST 800-53, PCI DSS, HIPAA and GDPR all mandate that users are deleted immediately after leaving the company or when access is no longer required.

These standards also require periodic access reviews to make sure unneeded access is revoked and stale users are deleted.

Apono already provides credentials rotation out-of-the-box for users it generates in databases, servers and other non-SSO integrations. (Read more here).

Now, you can take things a step further and also delete the users altogether.

For highly regulated environments and sensitive resources, some compliance standards require deleting inactive users periodically. Use the Apono user cleanup feature to define how many days after access has been revoked the user should be deleted, rather than only having their password rotated.

👍

When users are deleted or disabled in your Identity Provider (IdP), Apono deletes non-SSO users immediately.

This way you can rest assured no stale users remain in your environment, even after their access has already been cut off by Apono's automated deprovisioning.

How to: Enable periodic user cleanup

When turned on, Apono deletes the user from the integration once the defined time period has elapsed since the last access request revocation.

For example: if on the morning of January 1st a user requests access to a MySQL database for 5 hours, they will receive a username and password from Apono. After 5 hours the access is revoked, but the user remains in the MySQL Users table. If the user deletion policy is turned on with a 90-day period, the user will continue to exist until March 31st at noon. Then, the user will be deleted.

If credentials rotation is enabled as well, the user's password will be regularly rotated per the admin setting as long as the user exists.

Global user deletion policy

Use the global policy to set one cleanup time for all of your integrations at once.

  1. Go to the Apono Account Settings

  2. Find the User Deletion setting:

  3. Turn on the toggle as demonstrated above and set the desired number of days.

📘

Tip: delete users every time their access is revoked by setting this value to 0.

  4. Your setting will be saved and users will start being deleted from the next access request revocation, even if the request was created before the policy was enabled.

Integration-level user deletion policy

Use the per-integration policy to set different cleanup times for different integrations, for example to set a stricter policy for your production instances or sensitive databases.

Between the global and per-integration policies, the stricter policy will be applied.

  1. Create a new integration or edit an existing one.

  2. Find the setting for User Cleanup:

  3. Fill in the desired number of days.

    * This policy is optional; if left empty, Apono will not apply it.

📘

Tip: delete users every time their access is revoked by setting this value to 0.

  4. Finish up by clicking Integrate or Update.
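The rules described above (global policy, optional per-integration policy, stricter policy wins, 0 days means delete at revocation, IdP-deleted users go immediately) can be modelled to audit your own revocation records for users that should already be gone. This is an added illustration, not Apono's code; the record layout, the user names and the timestamps are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample revocation records (not real Apono data). "exists" is
# whether the generated user is still present in the target integration.
RECORDS = [
    {"user": "apono_alice", "integration": "prod-mysql",
     "revoked_at": datetime(2024, 1, 1, 12), "integration_days": 30, "exists": True},
    {"user": "apono_bob", "integration": "staging-mysql",
     "revoked_at": datetime(2024, 1, 1, 12), "integration_days": None, "exists": True},
    {"user": "apono_carol", "integration": "prod-mysql",
     "revoked_at": datetime(2024, 2, 1, 9), "integration_days": 30, "exists": False},
]
NOW = datetime(2024, 3, 1)


def effective_cleanup_days(global_days: Optional[int],
                           integration_days: Optional[int]) -> Optional[int]:
    """Stricter (shorter) of the two policies; None when neither is set."""
    candidates = [d for d in (global_days, integration_days) if d is not None]
    return min(candidates) if candidates else None


def scheduled_deletion(revoked_at: datetime, global_days: Optional[int],
                       integration_days: Optional[int],
                       idp_deleted: bool = False) -> Optional[datetime]:
    """Time the generated user should be deleted; None means it is kept."""
    if idp_deleted:  # removed/disabled in the IdP: deleted immediately
        return revoked_at
    days = effective_cleanup_days(global_days, integration_days)
    if days is None:
        return None
    return revoked_at + timedelta(days=days)  # 0 days == delete at revocation


def overdue_users(records, now: datetime, global_days: Optional[int]) -> list:
    """Audit check: users past their deletion deadline that still exist."""
    overdue = []
    for rec in records:
        deadline = scheduled_deletion(rec["revoked_at"], global_days,
                                      rec["integration_days"])
        if rec["exists"] and deadline is not None and deadline <= now:
            overdue.append(rec["user"])
    return overdue


if __name__ == "__main__":
    print(overdue_users(RECORDS, NOW, global_days=90))  # ['apono_alice']
```

With a 90-day global policy, the prod-mysql record carries a stricter 30-day integration policy, so only that user is overdue on March 1st; the staging user is kept until March 31st at noon.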