What is the process that you guys follow to maintain authentication details like login IDs and passwords? There will definitely be some shared passwords. So, the target is to minimize the impact when someone is leaving the company.
By "shared password", I mean, the account, which is shared among multiple people in the company.
The issues that the process should address are:
1. Affected areas. Quickly find the resources to which the leaving user had access.
2. Forgetting a password. What happens if a user forgets their authentication details? How do they get them back? I think they shouldn't ask a team mate; I mean no verbal communication.
3. Find dependencies of a resource. Suppose I am changing the password for a mail account which is being used by some automated scripts to send mails. Here, the scripts are dependent on the mail account, so changing the password of the mail account means we have to change the password in the scripts too. So, how do we find all the dependencies of a resource?
I'd prefer a process which addresses these issues. But you can also recommend products which are open source and not hosted. I have gone through PassPack, but they don't solve #4.
There is a similar question here. But that does not exactly answer my question.
Centralized accounts
Centralized account management would be the first step to go for. One place for credentials and one place only - or at least only one master record being replicated to other systems so there's only one place to make changes including disabling accounts.
A routine to follow when someone is leaving needs to be put in place. This can be highly manual to begin with but still needs to be written and then adhered to throughout the entire company.
System owners
Whoever is responsible for a specific system (and all systems must have an owner and an administrator) needs to adhere to the written policy, e.g. when someone is leaving, and do the needed cleanup, if any, in their system(s).
No shared accounts
I'd simply ban shared accounts - everything should be personal, including router/switch logins and other appliances where people for some reason don't think this is possible. It is, and always has been.
Randomize or remove local administrative account passwords for computers, don't use them for anything.
Resource/service accounts should be regenerated when changes are needed, or upgrade to systems that can manage service account passwords automatically in the background (e.g. using Windows 2008 R2 for Windows systems). If a dependency cannot be found, I'd blame it on a lack of documentation or a system that assumes too much old-school thinking, like hard-coding passwords in scripts. Throw those solutions away promptly.
Yes, it might be hard or impossible to do, but always strive towards Utopia - being half-way there, everything sails much smoother already ^^
There are many concepts and software solutions around Identity Life-cycle Management which many companies provide - Microsoft included. But for 50 people most would be on-paper policies imo and a strict pragmatic approach to IT systems - reduce the number of systems, adhere to the DRY (Don't Repeat Yourself) principle and only purchase systems that integrate well with the existing platform(s).
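To make the "one place for credentials" and dependency-tracking points concrete, here is an added example (not code from the answer's author or from any product mentioned): a minimal registry that records, per account, its system owner, who holds the secret, and which other accounts depend on it, so that offboarding a person yields the list of accounts to rotate and the dependents that must be updated. All account and person names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    owner: str                                  # system owner responsible for cleanup
    holders: set = field(default_factory=set)   # people who know the secret
    depends_on: set = field(default_factory=set)  # account names this one uses

class Registry:
    """Single source of truth for accounts and their dependencies."""
    def __init__(self):
        self.accounts: dict[str, Account] = {}

    def add(self, acct: Account) -> None:
        self.accounts[acct.name] = acct

    def affected_by_leaver(self, person: str) -> set[str]:
        """Issue 1: every account (personal or shared) the leaver held."""
        return {a.name for a in self.accounts.values() if person in a.holders}

    def dependents(self, name: str) -> set[str]:
        """Issue 3: everything that breaks, transitively, if `name` is rotated."""
        out, stack = set(), [name]
        while stack:
            cur = stack.pop()
            for a in self.accounts.values():
                if cur in a.depends_on and a.name not in out:
                    out.add(a.name)
                    stack.append(a.name)
        return out

    def offboard(self, person: str) -> dict[str, set[str]]:
        """Offboarding routine: drop the leaver from each account they held and
        return, per account to rotate, the dependents needing the new secret."""
        plan = {}
        for name in self.affected_by_leaver(person):
            self.accounts[name].holders.discard(person)
            plan[name] = self.dependents(name)
        return plan

def build_sample_registry() -> Registry:
    """Constructed sample data, not taken from any real environment."""
    r = Registry()
    r.add(Account("mail-noreply", "ops-lead", {"alice", "bob"}))
    r.add(Account("backup-script", "ops-lead", {"bob"}, {"mail-noreply"}))
    r.add(Account("report-cron", "dev-lead", {"alice"}, {"backup-script"}))
    r.add(Account("router-admin", "net-lead", {"bob"}))
    return r
```

Running `build_sample_registry().offboard("bob")` shows that rotating the shared mail account also requires updating the backup script and, through it, the report cron job.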