Employee offboarding isn’t anyone’s favourite job, but it’s a critical IT process that must be executed diligently and efficiently.
According to recent research on employee offboarding, 70% of IT professionals say they’ve experienced the negative effects of incomplete IT offboarding, whether in the form of a security incident tied to an account that wasn’t deprovisioned, a surprise bill for resources that are no longer in use, or a missed handoff of a critical resource or account.
As organizations’ SaaS footprints continue to expand, it’s exponentially harder (and more time-consuming) to ensure that all access is deprovisioned or transferred when an employee departs.
Because modern employees can easily adopt new cloud and SaaS applications whenever and wherever they want, the old IT offboarding playbook of “disable AD account, forward email, recover and wipe device, and call it a day” is no longer enough.
5 IT offboarding pitfalls to avoid
First, it’s important to avoid the traps. Here are five of the most common pitfalls of IT offboarding in a SaaS-first world:
- Suspending or deleting the email account before completing other critical steps. It may seem logical to suspend or delete the employee’s Google Workspace or Microsoft 365 account as the first step in the offboarding process. However, this will make the account inaccessible to everyone, even admins, which could interfere with your ability to complete other offboarding tasks like transferring files and data.
- Considering only what’s in your IdP or SSO. When you limit your offboarding scope to only the sanctioned cloud and SaaS applications that are managed within your identity provider (IdP) or enterprise single sign-on (SSO) system, you miss a lot. It’s important to widen the aperture of your IT offboarding to encompass all managed and unmanaged cloud and SaaS access.
- Overlooking business-critical cloud and SaaS resources. It’s easy to forget to transfer the ownership of critical resources like corporate social media accounts, root account ownership, and registered domains. IT organizations should be sure to identify and transfer ownership of any business-critical resources, automations, or integrations as an early step of the offboarding process.
- Not involving the business owners of each SaaS application. The rapid rise of business-led IT means that more IT administration is happening outside of central IT. Before the departing employee’s account within a particular app is shut down, the application’s business owner may need to transfer ownership of data, integrations, or workflows.
- Overlooking app-to-app OAuth integrations. In most organizations today, a web of app-to-app OAuth integrations exists in order to automate data updates and tasks across apps. When employees leave the organization, revoking grants without careful review could lead to business disruption, and not revoking grants could lead to increased risk.
Automate SaaS offboarding with Nudge Security
Nudge Security is a SaaS management platform for modern IT governance and security. It discovers every cloud and SaaS account ever created by anyone in your organization, giving you a single source of truth for departing users’ accounts and OAuth grants that need to be deprovisioned, revoked, or transferred.
The platform’s employee offboarding playbook walks you through a comprehensive checklist developed in alignment with Google and Microsoft best practices.
The playbook can help you save up to 90% of the time and effort involved in SaaS offboarding by automating time-consuming, easy-to-miss tasks like revoking OAuth grants and resetting passwords for accounts outside of single sign-on (SSO).
Let’s take a look at how Nudge Security helps you with each step, so you can ensure complete offboarding of SaaS accounts.
1. Revoke access to Google Workspace or Microsoft 365.
Once you’ve selected the employee you want to offboard, the first step is to verify the status of their Google or Microsoft account.
Initially, you may want the employee’s Google or Microsoft account to remain active while you complete other offboarding tasks. However, you’ll want to ensure that the user can no longer access the account by resetting their password and disabling any recovery methods they may have set up.
Nudge Security helps you verify the status of each of these steps so you can ensure that access has been revoked.
2. Transfer ownership of critical resources.
Before you begin deprovisioning your departing employee’s accounts, you’ll want to identify and transition ownership of critical resources like AWS root user accounts, corporate domains, social media accounts and more.
Nudge Security automatically identifies critical resources owned by your departing employee and guides you through how to transfer ownership to other team members. For each resource, Nudge Security provides detailed instructions with helpful links and a summary of other app users who could take over responsibility for each resource.
As you go through the list, you can confirm that you’ve transferred ownership or log your decision to ignore a particular resource that doesn’t need to be transferred.
3. Review and update app-to-app integrations.
OAuth grants are often used to enable app-to-app integrations and automation, so if a departing employee’s OAuth grants are revoked without review, this could disrupt day-to-day operations.
Nudge Security shows you all app-to-app OAuth grants and scopes for the departing employee so you can assess the potential business impact of each integration and determine whether it needs to be recreated with another account. You’ll also see who the other users of that application are so you can engage them as needed.
This step of the offboarding process will help ensure that automated business processes continue to work as expected after the employee leaves the organization.
4. Revoke SSO-managed accounts.
This step is easy. With the click of a button (and without leaving the Nudge Security dashboard), you can revoke access to all of the accounts managed by your single sign-on (SSO) provider, like Azure AD or Okta. Later on, the playbook will also walk you through cleaning up the contents of those accounts.
5. Revoke access to apps authenticated via OAuth.
OAuth grants make it easy for employees to create new accounts simply by choosing the option to authenticate with Google Workspace or Microsoft 365. Nudge Security makes it just as easy for security and IT teams to identify and revoke departing users’ OAuth grants directly from Nudge Security.
Now that you’ve already reviewed and recreated any scopes related to app-to-app integrations, you can revoke the remaining app access granted via OAuth.
6. Revoke access to unmanaged accounts.
OAuth grants and SSO-managed accounts only provide a partial view of your departing employee’s access. Lingering SaaS sprawl can leave doors open for illegitimate access to sensitive resources and data after an employee leaves your organization.
Luckily, Nudge Security also inventories unmanaged accounts that your employee may have created with their work email outside of standard IT or procurement processes.
Not only will Nudge Security show you the list of unmanaged apps, but you can trigger automated password resets from within the platform to prevent further access by the departing employee.
Without this automation, it could take hours to do this manually, if you even know the accounts exist in the first place.
7. Clean up revoked accounts.
Once the user’s access has been revoked, it’s important to clean up their accounts to avoid orphaning corporate data or continuing to pay for unused licenses.
Nudge Security allows you to send an automated “nudge” to the technical or business owner for each SaaS application with instructions to delete or move sensitive data, reallocate licenses, and reassign ownership of resources to another user.
8. Document offboarding actions with a built-in report.
Nudge Security records all of the offboarding steps you’ve taken, so you can always go back and check what was done for each employee.
Once you’ve finished offboarding a departing employee’s SaaS and cloud accounts, you can generate a .pdf report of the actions you completed and share it with internal users or auditors.
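The ordering in the checklist above can be checked mechanically. The following is an added example, not code from the platform or its vendor: it sorts a constructed account inventory into the checklist's steps and flags two of the pitfalls listed earlier (work attempted after the account is suspended, and an integration grant revoked before review). All field names, step names and the sign-in scope set are assumptions made for illustration.

```python
# Added illustration, not a vendor API: field names and scope sets are assumptions.
# Constructed inventory of one departing user's accounts and OAuth grants.
INVENTORY = [
    {"app": "domain-registrar", "auth": "password", "critical_owner": True},
    {"app": "crm", "auth": "sso"},
    {"app": "notes", "auth": "oauth", "scopes": ["openid", "email"]},
    {"app": "sync-bot", "auth": "oauth", "scopes": ["drive.readonly"]},
    {"app": "design-tool", "auth": "password"},
]
# Assumption: a grant holding only these scopes is sign-in, not an integration.
SIGN_IN_SCOPES = {"openid", "email", "profile"}
# Steps 1-7 of the checklist; suspension is deferred to last (first pitfall).
STEPS = ["lock_idp_account", "transfer_ownership", "review_integration",
         "revoke_sso", "revoke_oauth", "reset_unmanaged_password",
         "cleanup", "suspend_idp_account"]

def is_integration(entry):
    scopes = set(entry.get("scopes", []))
    return entry["auth"] == "oauth" and not scopes <= SIGN_IN_SCOPES

def build_plan(user, inventory):
    """Group every account under the checklist step that handles it."""
    plan = {step: [] for step in STEPS}
    plan["lock_idp_account"].append(user)
    for e in inventory:
        if e.get("critical_owner"):
            plan["transfer_ownership"].append(e["app"])
        if is_integration(e):
            plan["review_integration"].append(e["app"])
        by_auth = {"sso": "revoke_sso", "oauth": "revoke_oauth"}
        plan[by_auth.get(e["auth"], "reset_unmanaged_password")].append(e["app"])
        plan["cleanup"].append(e["app"])
    plan["suspend_idp_account"].append(user)
    return plan

def find_pitfalls(actions, inventory):
    """Flag ordering mistakes in a log of (step, target) actions taken."""
    integrations = {e["app"] for e in inventory if is_integration(e)}
    warnings, reviewed, suspended = [], set(), False
    for step, target in actions:
        if suspended:
            warnings.append(f"{step}:{target} attempted after suspension")
        if step == "suspend_idp_account":
            suspended = True
        elif step == "review_integration":
            reviewed.add(target)
        elif step == "revoke_oauth" and target in integrations - reviewed:
            warnings.append(f"{target} grant revoked before integration review")
    return warnings
```

In practice the inventory would come from whatever discovery source you trust for unmanaged accounts and grants; the scope heuristic is deliberately conservative and should be tuned to your identity provider's scope names.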
Transition employees seamlessly with Nudge Security
Nudge Security helps you offboard departing users efficiently and completely, enabling you to protect corporate resources and avoid business disruptions without wasting your time on tedious, repetitive tasks.
Learn more about how you can automate IT offboarding with Nudge Security and start a 14-day trial.
Sponsored and written by Nudge Security.