Understanding the crucial role of offboarding in IT security
Offboarding employees is a huge challenge for IT and security teams, particularly when it comes to ensuring all SaaS app accounts are closed. This article helps you to understand why account removal is essential and how you can streamline your offboarding process to ensure your company's IT security and compliance settings.
The offboarding problem: The risk of dormant accounts
It's common for companies to deactivate an employee's SSO when they leave, preventing further access to applications. However, this step doesn't fully address the risk associated with dormant accounts. Such accounts, even when inactive, can be potential entry points for security threats and require a more comprehensive solution.
Removing SSO is not enough
Picture an employee's SSO as the key to a room and the SaaS account (with a rental contract) as the actual room. Deactivating the key (the SSO) may restrict access, but the room (the account) still exists, potentially with sensitive data in it. That’s why it is essential not to just take the key away, but to properly close an account. Especially as there might be tons of accounts you are not aware of, as employees may have 'rooms' not tied to their SSO, but to individual log-in credentials.
The risks of incomplete offboarding
Incomplete offboarding with dormant accounts can expose your organization to two significant security threats:
- The first is the risk of a cyber attacker gaining access to a dormant account (potentially with sensitive data) - and you won’t even realise in the first place, as you are not aware of the account.
- The second risk involves the potential of an offboarded employee turning malicious, using left-behind accounts to cause damage.
Both scenarios pose significant security risks.
A checklist for manual offboarding
For a manual offboarding process, you can follow our IT offboarding checklist:
1: Identification of Access
- Identify all software, applications, and systems the employee has access to. This may involve checking with team leads, department managers, or HR, or reviewing an existing IT access record for the employee.
2: Prioritize Based on Sensitivity
- Prioritize the list based on sensitivity and criticality of data within the systems. Systems with more sensitive data should be addressed first.
3: Data Security and Transfer
- Before access revocation, ensure important data or documents owned by the leaving employee are safely transferred or backed up to prevent data loss.
- Confirm that the employee does not take sensitive data with them. This may involve checking their recent activity or discussing with them directly.
4: Hand Over Ownership
- Identify any applications or systems for which the employee has administrative access or ownership. Plan for a handover of these roles to another qualified employee.
- Ensure the new owner/admin understands their responsibilities and has the necessary training.
5: Access Revocation
- Start the process of revoking access. For each system, application, or software, remove the employee's user account, or disable it if immediate deletion isn't possible.
6: Shared Access Management
- Identify any shared accounts or access codes the employee may have been using. Change passwords or access codes for these accounts.
- After you've removed the employee's access, perform checks to confirm that they no longer have access to any systems.
- Document every step of the process, noting which systems the employee had access to, when their access was revoked, and any ownership or role changes that were made.
- Inform the relevant stakeholders (such as HR, the employee's manager, or the data protection officer) once the access revocation process is complete.
Automate offboarding to never miss an account
You can work with a manually generated offboarding checklist. In most cases, this is a cumbersome task though, as lists are most often not fully up to date.
Also, the fact that team members across various departments are often the actual owners of many applications, and are responsible for removing the departing employee, makes a list-based approach prone to errors
Automated solutions like Cakewalk can help streamline these steps and are therefore the easiest way to run effective offboardings.
These tools provide you with full transparency over all accounts that need to be removed. On that basis, they ensure that all accounts are actually deleted