In the age of SaaS, the old IT offboarding playbook of “disable AD account, forward email, recover and wipe device, and call it a day” is no longer enough.
Employee offboarding is a critical IT process that needs to be executed diligently and efficiently. That’s easier said than done, especially considering that IT organizations have less visibility and control over employees’ IT use than ever. Today, employees are capable of adopting cloud and SaaS whenever and wherever they need, and the old IT offboarding playbook of “disable AD account, forward email, recover and wipe device, and call it a day” is no longer enough.
When it comes to offboarding an employee’s cloud and SaaS access, there are several pitfalls that IT organizations should avoid to make sure the transition is complete and smooth. Here, we’ll detail five of the most common pitfalls of SaaS offboarding and how to navigate around them. This information is helpful for IT system administrators looking to streamline their offboarding process as well as cybersecurity analysts looking to protect their organization from unauthorized access by former employees.
One of the most common offboarding pitfalls is limiting the scope to only the sanctioned cloud and SaaS applications that are managed within your identity provider (IdP) or enterprise single sign-on (SSO) system. While it seems logical to design an offboarding process with a single identity kill-switch, the reality we all live with is that not everything is behind SSO, and by narrowing your scope, you risk overlooking all of the unsanctioned or “shadow” SaaS assets an employee introduced during their tenure. Such unsanctioned SaaS accounts are often created with a username and password, which can easily walk out the door on a Post-it note or be left abandoned and later compromised by a threat actor. To avoid this pitfall, start by opening the aperture of your IT offboarding to encompass all managed and unmanaged cloud and SaaS access.
If you avoid the first pitfall by broadening your offboarding process to all cloud and SaaS access, including unsanctioned accounts, you’ll likely encounter the next pitfall: not knowing everything that needs to be offboarded. Don’t worry, you’re not alone. Our recent survey found that IT teams typically spend over an hour just to gather a list of all cloud and SaaS access that needs to be offboarded. What’s more, the majority of respondents had to cross-reference three or more different repositories to compile this list. We call this the “world’s worst scavenger hunt.”
If you’re starting each offboarding effort by compiling a list of all cloud and SaaS access, it’s a problem. It’s too time-consuming and error-prone to do while you’re offboarding, which too often comes in the form of an urgent Friday afternoon request. You can avoid this pitfall by starting the SaaS discovery and inventory process on Day One. Start by recording all of an employee’s birthright access and from there, ensure that any new cloud or SaaS account is recorded as soon as it’s granted. Automating this process of SaaS asset discovery and inventory is key, given that employees of a midsize organization add a new SaaS asset roughly every 20 minutes.
Too often, companies forget to transfer the ownership of critical resources like corporate social media accounts and registered domains. This mistake can lead to business disruption or leave accounts orphaned and inaccessible. In fact, more than half of the IT professionals in our survey (53%) had experienced business disruption due to incomplete SaaS offboarding. To ensure this doesn't happen, IT organizations should transfer ownership of any business-critical resources, automations, or integrations as an early step of the offboarding process.
There are so many different stakeholders involved in employee offboarding, including direct line supervisors, human resources, operations teams, and business application owners. This can make the offboarding process feel a lot like herding cats—if all the cats left early on Friday and aren’t responding to your Slack messages.
The rapid rise of business-led IT means that more IT administration is happening outside of central IT. This means more people to engage in the offboarding process, including application business owners and business technologists who manage the budgets and licenses for their SaaS applications. While it’s important to coordinate with these folks to ensure that licenses are reclaimed, our survey found that the majority of IT professionals (58%) had experienced wasted SaaS spend as a result of incomplete SaaS offboarding.
The key to coordinating with offboarding stakeholders and avoiding this pitfall is two-fold: first, you have to know who the right people are to engage, which requires a robust SaaS security and governance platform. Second, you need a way to streamline and even automate engagement with all stakeholders in order to effectively orchestrate the multitude of offboarding tasks that non-IT administrators must complete.
When an offboarded employee has granted OAuth access between SaaS applications, not revoking those grants could lead to fragmented data, business disruption, and increased risk. As part of the offboarding process, be sure to carefully review and revoke OAuth grants between SaaS applications.
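To make the pitfalls above concrete, here is an added example (not part of the original post and not Nudge Security's code) that merges IdP assignments, accounts discovered outside SSO, and app-to-app OAuth grants into one ordered offboarding plan. All data, field names, and action labels are constructed assumptions for illustration.

```python
# Constructed sample data: three repositories an IT team might cross-reference.
SSO_APPS = {"alice@example.com": ["chat", "crm"]}  # apps assigned through the IdP
DISCOVERED = [  # accounts found outside the IdP (hypothetical discovery feed)
    {"user": "alice@example.com", "app": "design-tool", "auth": "password",
     "owners": ["alice@example.com"]},
    {"user": "alice@example.com", "app": "chat", "auth": "sso",
     "owners": ["bob@example.com"]},
    {"user": "alice@example.com", "app": "automation-tool", "auth": "password",
     "owners": ["alice@example.com", "bob@example.com"]},
]
OAUTH_GRANTS = [  # app-to-app grants, keyed by the user who authorized them
    {"user": "alice@example.com", "client": "automation-tool", "resource": "crm"},
    {"user": "bob@example.com", "client": "design-tool", "resource": "chat"},
]

def build_offboarding_plan(user, sso_apps, discovered, oauth_grants):
    """Return an ordered list of (action, target) tasks for a departing user."""
    accounts = {app: {"auth": "sso", "owners": set()}
                for app in sso_apps.get(user, [])}
    for rec in discovered:
        if rec["user"] != user:
            continue
        acct = accounts.setdefault(rec["app"], {"auth": rec["auth"], "owners": set()})
        if rec["auth"] == "password":
            acct["auth"] = "password"  # a local credential survives an IdP disable
        acct["owners"].update(rec["owners"])

    plan = []
    # Ownership transfer comes first so later steps do not orphan a resource.
    for app, acct in sorted(accounts.items()):
        if acct["owners"] == {user}:
            plan.append(("transfer_ownership", app))
    # Grants the user authorized between applications are revoked next.
    for grant in oauth_grants:
        if grant["user"] == user:
            plan.append(("revoke_oauth_grant",
                         f'{grant["client"]} -> {grant["resource"]}'))
    # SSO-managed accounts fall to the IdP; the rest need a manual task.
    for app, acct in sorted(accounts.items()):
        action = "disable_via_idp" if acct["auth"] == "sso" else "manual_credential_reset"
        plan.append((action, app))
    return plan

if __name__ == "__main__":
    for step in build_offboarding_plan("alice@example.com", SSO_APPS,
                                       DISCOVERED, OAUTH_GRANTS):
        print(step)
```

Only two of the four accounts in this sample would be closed by disabling the IdP identity alone; the other two need manual tasks.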
SaaS offboarding presents a significant challenge to organizations, which is why it's essential to be mindful of these offboarding pitfalls and plan accordingly. Executing thorough and efficient SaaS offboarding means organizations can safeguard sensitive data and ensure the smooth functioning of their operations. Avoiding the five SaaS offboarding pitfalls mentioned in this post will help organizations realize a more complete SaaS offboarding result faster.