Provisioning and deprovisioning in network security are critical components of Identity and Access Management (IAM). These processes control how user access is granted, modified, and revoked across an organization’s IT infrastructure. When implemented correctly—especially through automation—they significantly reduce security risks, compliance violations, and insider threats.

What Is Provisioning in Network Security?

Provisioning is the process of creating user identities and granting access to systems, applications, and network resources based on predefined roles and policies.

Key Functions of Provisioning

User Onboarding:

#. Automatically creates digital identities for new employees and assigns birthright access such as email, collaboration tools, VPN, and internal applications.

#. Role-Based Access Control (RBAC):
Access is granted according to job role, department, or seniority—ensuring consistency and security.

#. Least Privilege Principle:
Users receive only the permissions required to perform their tasks, reducing the attack surface and limiting lateral movement.

#. Security Risk in Provisioning

Over-provisioning is a major security weakness. Excess permissions increase the likelihood of data leaks, privilege escalation, and insider attacks.

What Is Deprovisioning in Network Security?

Deprovisioning is the systematic removal of access when a user no longer requires it—such as during employee exit, role changes, or project completion.

Key Functions of Deprovisioning

Immediate Access Revocation:
#. Accounts must be disabled as soon as employment ends to prevent unauthorized access.


Elimination of Orphaned Accounts:
#. Inactive or forgotten accounts (“zombie accounts”) are frequently exploited by attackers.


Full Identity Cleanup:
#. Includes revoking API keys, terminating active sessions, removing SSH keys, and reassigning file ownership.

Security Risk in Deprovisioning

Delayed or incomplete deprovisioning is a leading cause of post-employment data breaches.

Why Automation Is Essential for IAM Security

Manual provisioning and deprovisioning processes are slow, inconsistent, and prone to human error—one of the primary causes of enterprise security breaches.


Benefits of Automated Identity Lifecycle Management


#. Real-Time Access Control:
Integration with HR systems such as Workday or SAP SuccessFactors ensures instant updates to user access.

#.Compliance and Audit Readiness:
Automated logs provide immutable audit trails for GDPR, HIPAA, SOX, ISO 27001, and other regulations.

#. Prevention of Privilege Creep:
Old or unnecessary permissions are automatically removed when roles change.

Role of SCIM in Automated Provisioning and Deprovisioning

SCIM (System for Cross-domain Identity Management) is an open standard used to automate identity lifecycle events across cloud and enterprise applications.

How SCIM Improves Network Security

#. Automatically syncs users between Identity Providers (IdPs) like Okta or Microsoft Entra ID
#. Ensures consistent access across SaaS platforms such as Salesforce, Dropbox, GitHub
#. Reduces manual errors and provisioning delays




Best Practices for Secure Provisioning and Deprovisioning


#. Implement Role-Based Access Control (RBAC)
#. Enforce least privilege access
#. Automate IAM workflows using SCIM
#. Conduct regular access reviews
#. Monitor logs for identity anomalies

Conclusion

Provisioning and deprovisioning are essential pillars of network security and IAM. Automated identity lifecycle management reduces attack surfaces, strengthens compliance, and prevents unauthorized access. Organizations that neglect these processes expose themselves to data breaches, regulatory penalties, and operational risk.

Wireshark Packet Navigation

Packet Numbers

Wireshark calculates the number of investigated packets and assigns a unique number for each packet. This helps the analysis process for big captures and makes it easy to go back to a specific point of an event.  Wireshark Packet Navigation


 

Go to Packet

Packet numbers do not only help to count the total number of packets or make it easier to find/investigate specific packets. This feature not only navigates between packets up and down; it also provides in-frame packet tracking and finds the next packet in the particular part of the conversation. You can use the "Go" menu and toolbar to view specific packets.


Wireshark - go to packet

Find Packets

Apart from packet number, Wireshark can find packets by packet content. You can use the "Edit --> Find Packet" menu to make a search inside the packets for a particular event of interest. This helps analysts and administrators to find specific intrusion patterns or failure traces.

There are two crucial points in finding packets. The first is knowing the input type. This functionality accepts four types of inputs (Display filter, Hex, String and Regex). String and regex searches are the most commonly used search types. Searches are case insensitive, but you can set the case sensitivity in your search by clicking the radio button.

The second point is choosing the search field. You can conduct searches in the three panes (packet list, packet details, and packet bytes), and it is important to know the available information in each pane to find the event of interest. For example, if you try to find the information available in the packet details pane and conduct the search in the packet list pane, Wireshark won't find it even if it exists.

Mark Packets

Marking packets is another helpful functionality for analysts. You can find/point to a specific packet for further investigation by marking it. It helps analysts point to an event of interest or export particular packets from the capture. You can use the "Edit" or the "right-click" menu to mark/unmark packets.

Marked packets will be shown in black regardless of the original colour representing the connection type. Note that marked packet information is renewed every file session, so marked packets will be lost after closing the capture file.

Packet Comments

Similar to packet marking, commenting is another helpful feature for analysts. You can add comments for particular packets that will help the further investigation or remind and point out important/suspicious points for other layer analysts. Unlike packet marking, the comments can stay within the capture file until the operator removes them.

Export Packets

Capture files can contain thousands of packets in a single file. As mentioned earlier, Wireshark is not an IDS, so sometimes, it is necessary to separate specific packages from the file and dig deeper to resolve an incident. This functionality helps analysts share the only suspicious packages (decided scope). Thus redundant information is not included in the analysis process. You can use the "File" menu to export packets.

Export Objects (Files)

Wireshark can extract files transferred through the wire. For a security analyst, it is vital to discover shared files and save them for further investigation. Exporting objects are available only for selected protocol's streams (DICOM, HTTP, IMF, SMB and TFTP).

Time Display Format

Wireshark lists the packets as they are captured, so investigating the default flow is not always the best option. By default, Wireshark shows the time in "Seconds Since Beginning of Capture", the common usage is using the UTC Time Display Format for a better view. You can use the "View --> Time Display Format" menu to change the time display format.

Expert Info

Wireshark also detects specific states of protocols to help analysts easily spot possible anomalies and problems. Note that these are only suggestions, and there is always a chance of having false positives/negatives. Expert info can provide a group of categories in three different severities. Details are shown in the table below.

Frequently encountered information groups are listed in the table below. You can refer to Wireshark's official documentation for more information on the expert information entries.

You can use the "lower left bottom section" in the status bar or "Analyse --> Expert Information" menu to view all available information entries via a dialogue box. It will show the packet number, summary, group protocol and total occurrence.

Disclaimer