Nudge Security IT offboarding

Employee offboarding isn’t anybody’s favorite task—but it’s a critical IT process that needs to be executed diligently and efficiently.

According to recent research on employee offboarding, 70% of IT professionals say they've experienced the negative effects of incomplete IT offboarding, whether in the form of a security incident tied to an account that wasn't deprovisioned, a surprise bill for resources that aren't in use anymore, or a missed handoff of a critical resource or account.

As organizations’ SaaS footprints continue to expand, it is exponentially more difficult (and time-consuming) to ensure that all access is deprovisioned or transferred when an employee departs.

Because modern employees can easily adopt new cloud and SaaS applications whenever and wherever they want, the old IT offboarding playbook of "disable AD account, forward email, recover and wipe device, and call it a day" is no longer enough.

5 IT offboarding pitfalls to avoid

First, it’s important to avoid the traps. Here are five of the most common pitfalls of IT offboarding in a SaaS-first world:

  1. Suspending or deleting the email account before completing other critical steps. It may seem logical to suspend or delete the employees' Google Workspace or Microsoft 365 account as the first step in the offboarding process. However, this will make the account inaccessible to everyone, even admins, which could interfere with your ability to complete other offboarding tasks like transferring files and data.
  2. Considering only what's in IdP or SSO. When you limit your offboarding scope to only the sanctioned cloud and SaaS applications that are managed within your identity provider (IdP) or enterprise single sign-on system (SSO), you miss a lot. It’s essential to open the aperture of your IT offboarding to encompass all managed and unmanaged cloud and SaaS access.
  3. Overlooking business-critical cloud and SaaS resources. It is easy to forget to transfer the ownership of critical resources like corporate social media accounts, root account ownership, and registered domains. IT organizations should be sure to identify and transfer ownership of any business-critical resources, automations, or integrations as an early step of the offboarding process.
  4. Not involving the business owners of each SaaS application. The rapid rise of business-led IT means that more IT administration is happening outside of central IT. Before the departing employee's account within a particular app is shut down, the application business owner may need to transfer ownership of data, integrations, or workflows.
  5. Overlooking app-to-app OAuth integrations. In most organizations today, a web of app-to-app OAuth integrations exists in order to automate data updates and tasks across apps. When employees leave the organization, revoking grants without careful review could lead to business disruption, and not revoking grants could lead to increased risk.

Automate SaaS offboarding with Nudge Security

Nudge Security is a SaaS management platform for modern IT governance and security. It discovers every cloud and SaaS account ever created by anyone in your organization giving you a single source of truth for departing users' accounts and OAuth grants that need to be deprovisioned, revoked, or transferred.

The platform’s employee offboarding playbook walks you through a comprehensive checklist developed in alignment with Google and Microsoft best practices.

The playbook can help you save up to 90% of the time and effort involved in SaaS offboarding by automating time-consuming, easy-to-miss tasks like revoking OAuth grants and resetting passwords for accounts outside of single sign-on (SSO).

‍Let's take a look at how Nudge Security helps you with each step, so you can ensure complete offboarding of SaaS accounts.

1. Revoke access to Google Workspace or Microsoft 365.

Once you've selected the employee you need to offboard, the first step is to verify the status of their Google or Microsoft account.

Initially, you'll want the employee's Google or Microsoft account to remain active while you complete other offboarding tasks. However, you'll want to make sure the user can no longer access the account by resetting their password and disabling any recovery methods they may have set up.

Nudge Security helps you verify the status of each of these steps so you can ensure that access has been revoked.

Revoke access to Google Workspace or Microsoft 365

2. Transfer ownership of critical resources.

Before you begin deprovisioning your departing employee's accounts, you'll want to identify and transition ownership of essential resources like AWS root user accounts, corporate domains, social media accounts and more.

Nudge Security automatically identifies critical resources owned by your departing employee and guides you through how to transfer ownership to other team members. For each resource, Nudge Security provides detailed instructions with helpful links and a summary of other app users who could take over responsibility for each resource.

As you go through the list, you can confirm that you have transferred ownership or log your decision to ignore a particular resource that doesn't need to be transferred.

Transfer ownership of critical resources

3. Review and update app-to-app integrations.

OAuth grants are often used to enable app-to-app integrations and automation so if a departing employee's OAuth grants are revoked without review, this could disrupt day-to-day operations.

Nudge Security shows you all app-to-app OAuth grants and scopes for the departing employee so you can assess the potential business impact of each integration and determine if it should be recreated with another account. You'll also see who the other users of that application are so you can engage them as needed.

This step of the offboarding process will help ensure that automated business processes continue to work as expected after the employee leaves the organization.

Review and update app-to-app integrations

4. Revoke SSO-managed accounts.

This step is easy. With the click of a button (and without leaving the Nudge Security dashboard), you can revoke access to all of the accounts managed by your single sign-on (SSO) provider, like Azure AD or Okta. Later on, the playbook will also walk you through cleaning up the contents of those accounts.

Revoke SSO-managed accounts

5. Revoke access to apps authenticated via OAuth.

OAuth grants make it easy for employees to create new accounts simply by choosing the option to authenticate with Google Workspace or Microsoft 365. Nudge Security makes it just as easy for security and IT teams to identify and revoke departing users' OAuth grants directly from Nudge Security.

Now that you've already reviewed and recreated any scopes related to app-to-app integrations, you can revoke the remaining app access granted via OAuth.

Revoke access to apps authenticated via OAuth

6‍. Revoke access to unmanaged accounts.

OAuth grants and SSO-managed accounts only provide a partial view of your departing employee's access. Lingering SaaS sprawl can leave doors open for illegitimate access to sensitive resources and data after an employee leaves your organization.

Luckily, Nudge Security also inventories unmanaged accounts that your employee may have created with their work email outside of standard IT or procurement processes.

Not only will Nudge Security show you the list of unmanaged apps, but you can trigger automated password resets from within the platform to prevent further access by the departing employee.

Without this automation, it could take hours to do this manually, if you even know the accounts exist in the first place.

Revoke access to unmanaged accounts

‍7. Clean up revoked accounts.

Once the user's access has been revoked, it's important to clean up their accounts to avoid orphaning corporate data or continuing to pay for unused licenses.

Nudge Security enables you to send an automated "nudge" to the technical or business owner for each SaaS application with instructions to delete or move sensitive data, reallocate licenses, and reassign ownership of resources to another user.

Clean up revoked accounts

‍8. Document offboarding activities with a built-in report.

Nudge Security records all of the offboarding steps you've taken, so you can always go back and check what was completed for each employee.

Once you've finished offboarding a departing employee's SaaS and cloud accounts, you can generate a .pdf report of the activities you completed and share it with internal users or auditors.

Document offboarding activities with a built-in report

‍Transition employees seamlessly with Nudge Security

Nudge Security helps you offboard departing users efficiently and completely, enabling you to protect corporate resources and avoid business disruptions without wasting precious time on tedious, repetitive tasks.

Learn more about how you can automate IT offboarding with Nudge Security and start a 14-day trial.

Sponsored and written by Nudge Security.

Related Articles:

Criminal IP Partners with Sumo Logic on Threat Intelligence Data Enrichment

Start mastering ethical hacking with $1,000 off this training bundle

Get started in ethical hacking with $98 off this training bootcamp

Dark Web Monitoring: What's the Value?

Save $684 on a full 26-course cybersecurity online training library