Tata Consultancy Services (TCS), the massive outsourcing provider in India, has just lost a legal battle with one of its clients. At issue in the case was whether a Tata employee improperly used login credentials. Here is a summary of what happened.
Tata began working with it’s client Epic Systems Corp. in 2005. Tata hired a employee who had previously been a third party contractor with Epic. This contractor, now a Tata employee, maintained login credentials to Epic’s systems and continued to access and download sensitive data belonging to Epic.
The larger legal fight alleges improper use of that intellectual property by Tata for another client, in the same field as Epic. Besides the legal battle, this case raises serious issues about user credentials, logical security, and de-provisioning of user access once an employee or contractor ceases to work for the company.
MSPs Take Heed
MSPs should pay close attention to this case because this could likely be the beginning of future litigation amongst the MSP and cloud computing profession. MSPs have a tremendous amount of access to customer systems and data. Users need to be on-boarded according to a process driven checklist to ensure proper access is granted. This process is important because it must also be followed when that same user leaves the employment of the MSP.
Make a Checklist
One of the easiest ways to make sure your employees have only the access they require is to make an on-boarding checklist. This is a step by step process for taking a job candidate through the hiring process and once they are formally hired, granting the user access to the MSP’s systems (and eventually customer systems).
Enforcing such a checklist is greatly simplified when using a ticketing system as many of the steps can be documented using tickets. This on-boarding checklist can then be reversed when it comes time to de-provision a user because they are leaving or being terminated from their position.
A de-provisioning checklist is arguably as or more important than the on-boarding since the user now has more knowledge of the MSP and customer systems and has the potential to do more harm, either accidentally or intentionally.
I am not aware of any such cases involving a MSP failing to secure a former employee’s user credentials. However, cases like this one involving Tata do raise the stakes for MSPs as more and more companies will be aware of logical access policies.