A secure-by-design culture is needed to develop a comprehensive offboarding and identity management strategy that limits the potential for broader compromise if unauthorized access does occur.


Increased turnover is putting a strain on existing offboarding processes — especially manual ones — for departing employees and contractors. Recent high-profile layoffs at major tech companies have put the spotlight on this issue.

Meanwhile, efforts to limit access to sensitive company information are growing more complex as data access points multiply.

The rise of distributed workforces, cloud computing, work from home, and shadow IT suggest a comprehensive offboarding policy is required, aided by automation.

A recent survey from Oomnitza found, however, that nearly half of IT leaders have doubts about their company's onboarding and offboarding automation capabilities.

The study found a third of enterprises lose more than 10% of their technology assets when offboarding workers, and more than four in 10 (42%) said they experienced unauthorized access to SaaS applications and cloud resources.

Deploying ETM to Fortify Endpoints and Applications

Ramin Ettehad, co-founder of Oomnitza, explains that enterprise technology management (ETM) solutions, with built-in integrations, rich analytics, and simplified workflows, allow organizations to define and continuously improve onboarding and offboarding processes.

"They can fortify onboarding user experience by ensuring the right endpoints, accessories, applications, and cloud resources are available at the start so that the new hire can be productive on day one," he says.

These solutions can also enable secure offboarding by ensuring endpoints and their data are secured, software licenses are reclaimed, and access to systems, SaaS, and cloud resources is deprovisioned.

Furthermore, departing workers' email, applications, and workplaces can be reassigned automatically to ensure business continuity.

"All of this is done with true process automation across teams and systems, and is not driven by tickets and requests, which rely on manual workloads and are prone to delays and errors," Ettehad adds.

Cyberhaven CEO Howard Ting explains that most organizations today have a single sign-on product that can turn off an employee's access to all apps with one click and device software that can lock and remotely wipe a laptop.

"While many companies today turn off access as soon as, or even before, they notify employees they're being let go, people can sense what's coming and they preemptively collect customer lists, design files, and source code in anticipation of losing access," he adds.

When an employee voluntarily quits, companies have even fewer tools to prevent data exfiltration because the employee knows they're going to depart before their employer.

While many organizations more closely monitor employees from when they give notice to quit until their last day, a Cyberhaven survey found employees are 83% more likely to take sensitive data in the two weeks before they give notice when they're under less scrutiny.

Coordinating Offboarding Programs

Ting says the best employee offboarding programs are coordinated across HR, IT, IT security, and physical security teams working together to protect company data and assets.

The HR team finalizes departures and notifies employees, IT ensures access to apps and company laptops is shut off in a timely manner, the physical security team disables access to company facilities, and the IT security team monitors for unusual behavior.

"These teams perform specific tasks in sequence the day an employee or group of employees is let go," he says.

Ting adds he's also seeing more companies monitor for employees putting company data on personal devices or applications. When offboarding, they make the employee's severance agreement contingent on returning or destroying that company data.

Ettehad adds managing and enabling a remote workforce today requires executives to break down silos and automate key technology business processes.

"They must connect their key systems and orchestrate rules, policies, and workflows across the technology and employee lifecycle with conditional rule-based automation of all tasks across teams and systems," he says.

The Need for 'Controlled Urgency'

Tom McAndrew, CEO at Coalfire, calls for "controlled urgency" to tackle the secure offboarding challenge.

"When we look at identity management more broadly, it can often be a complex problem, spanning many applications, internal, external, SaaS, on-prem, and so on," he says. "The identity strategy is the central point. The fewer sources of identity and access control there are to manage, the more automation can support these operations at scale."

He argues that when HR and information security are not operating as a team, organizations tend to spin up point solutions for individual platforms rather than planning for the "what-if" scenarios.

"Every system that is not integrated with a core identity platform becomes one more manual task or another tool that needs to be invested in to solve a problem that could have been avoided with sensible planning," he says.
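Disabling the SSO account covers the apps federated through it; accounts provisioned directly in a SaaS tool or a cloud IAM tenant are exactly the "manual tasks" McAndrew describes, and they are the ones that get missed. The following is an added example (not code from the article or from any vendor quoted in it) of the check a practitioner would run to catch them: reconcile each system's account export against the HR roster, which is treated as the source of truth. The roster, the three system exports, and the service-account list are constructed sample data; the system names are hypothetical.

```python
"""Reconcile account exports against the HR roster to find offboarding gaps."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR roster (source of truth). end_date is set on termination.
HR_ROSTER = {
    "alice@example.com": {"status": "active", "end_date": None},
    "bob@example.com": {"status": "terminated", "end_date": date(2024, 3, 1)},
    "carol@example.com": {"status": "terminated", "end_date": date(2024, 3, 15)},
}

# Constructed account exports from three hypothetical systems. The SSO export
# was handled correctly; the SaaS and cloud exports contain accounts that were
# provisioned directly and never federated, so SSO disablement did not reach them.
SYSTEM_ACCOUNTS = {
    "sso": [
        {"user": "alice@example.com", "enabled": True},
        {"user": "bob@example.com", "enabled": False},
        {"user": "carol@example.com", "enabled": False},
    ],
    "crm_saas": [
        {"user": "alice@example.com", "enabled": True},
        {"user": "bob@example.com", "enabled": True},            # missed deprovisioning
        {"user": "contractor-7@vendor.test", "enabled": True},   # nobody in HR owns this
    ],
    "cloud_iam": [
        {"user": "alice@example.com", "enabled": True},
        {"user": "carol@example.com", "enabled": True},          # missed deprovisioning
        {"user": "ci-deploy-bot", "enabled": True},              # machine identity
    ],
}

# Known service accounts (constructed); reviewed under a separate machine-identity process.
SERVICE_ACCOUNTS = {"ci-deploy-bot"}
EXAMPLE_TODAY = date(2024, 4, 1)


@dataclass
class Finding:
    system: str
    user: str
    issue: str                       # "terminated-still-enabled" or "no-hr-owner"
    days_overdue: Optional[int] = None


def reconcile(roster, systems, today, grace_days=0, service_accounts=frozenset()):
    """Return every enabled account that should not be enabled, most overdue first.

    grace_days allows a short tolerance between HR end date and deprovisioning
    (for example, an automation that runs nightly).
    """
    findings = []
    for system, accounts in systems.items():
        for acct in accounts:
            user = acct["user"]
            if not acct["enabled"] or user in service_accounts:
                continue
            record = roster.get(user)
            if record is None:
                # No HR identity at all: shadow account or unmanaged contractor.
                findings.append(Finding(system, user, "no-hr-owner"))
            elif record["status"] == "terminated":
                overdue = (today - record["end_date"]).days - grace_days
                if overdue > 0:
                    findings.append(
                        Finding(system, user, "terminated-still-enabled", overdue)
                    )
    # Rank by how long the access has outlived the employment.
    return sorted(findings, key=lambda f: f.days_overdue or 0, reverse=True)


def summarize(findings):
    """Count findings per system so the owning team can be paged."""
    counts = {}
    for f in findings:
        counts[f.system] = counts.get(f.system, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, SYSTEM_ACCOUNTS, EXAMPLE_TODAY,
                       service_accounts=SERVICE_ACCOUNTS):
        print(f"{f.system:10} {f.user:28} {f.issue:25} {f.days_overdue or ''}")
```

In practice the exports come from each system's admin API and the roster from the HRIS; the reconciliation itself is the same, and running it daily turns every "system nobody integrated" into a finding instead of a standing liability.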

McAndrew adds that a rogue employee with authorized access to critical, sensitive information is a significant threat.

"When you look at the potential risk from a disgruntled staff member, combined with an HR team struggling to manage a substantial scale of departures, it's easy for mistakes to be made and for frustrated or disaffected staff to take matters into their own hands," he says.

He warns that this can also trigger legal complications, often requiring further professional forensic support, making a poor business decision even more costly.

Unauthorized Access to SaaS, Cloud Apps a Major Challenge

Corey O'Connor, director of products at DoControl, a provider of automated SaaS security, points out that unauthorized access to SaaS applications and cloud resources is an identity security problem for both human and machine identities.

"However, preventative controls and detective mechanisms could help mitigate the risk of unauthorized access," he explains.

Full visibility and a complete inventory (users, assets, applications, groups, and domains) is what lets security and IT teams put the appropriate preventative controls in place.

"From there, implementing detective mechanisms that identify high-risk or anomalous activity" is the next step, he says.

Application-to-application connectivity, including machine identity, needs to be secure as well; otherwise the organization increases the risk of supply chain based attacks.

"Machine identities can be over privileged, unsanctioned, and not within the security team's visibility," he says. "When they become compromised, they can provide unauthorized access to sensitive data within the application that it's connected to."

That means both human user and machine identities need preventative controls and detective mechanisms to reduce risk.
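The machine-identity half of that problem is usually an OAuth or API-key grant that an employee authorized for a third-party app and that outlives the employee. As an added example (not the article's or DoControl's code), here is the detective check a practitioner would run over an export of app grants: compare each grant against a sanctioned-app list with the scopes each app is allowed to hold, flag high-risk scopes, grants whose owner has left, and grants that have gone unused. The app names, scope names, grant export, and terminated-user list are all constructed sample data.

```python
"""Audit app-to-tenant grants (machine identities) for sanction, scope and ownership."""
from datetime import date

# Constructed allow-list: sanctioned apps and the widest scope set each one needs.
SANCTIONED_APPS = {
    "crm-sync": {"contacts.read", "calendar.read"},
    "ci-runner": {"repo.read", "repo.write"},
}

# Constructed: scopes that let an app act with broad write or admin authority.
HIGH_RISK_SCOPES = {"admin.all", "drive.write", "mail.send"}

# Constructed grant export: one row per app authorization in the tenant.
GRANTS = [
    {"app": "crm-sync", "owner": "alice@example.com",
     "scopes": {"contacts.read"}, "last_used": date(2024, 3, 30)},
    {"app": "ci-runner", "owner": "bob@example.com",
     "scopes": {"repo.read", "repo.write", "admin.all"}, "last_used": date(2024, 3, 1)},
    {"app": "pdf-helper", "owner": "carol@example.com",
     "scopes": {"drive.write"}, "last_used": date(2023, 11, 2)},
]

# Constructed: users whose HR status is terminated.
TERMINATED = {"bob@example.com", "carol@example.com"}
EXAMPLE_TODAY = date(2024, 4, 1)

# Issues that justify immediate revocation rather than a scope reduction.
REVOKE_ON = {"unsanctioned-app", "owner-terminated", "stale"}


def audit_grant(grant, sanctioned, high_risk, terminated, today, stale_days=90):
    """Return the list of issues for one grant (empty list means it is clean)."""
    issues = []
    allowed = sanctioned.get(grant["app"])
    if allowed is None:
        issues.append("unsanctioned-app")
        excess = set(grant["scopes"])        # nothing is allowed for an unknown app
    else:
        excess = set(grant["scopes"]) - allowed
    if excess:
        issues.append("excess-scopes:" + ",".join(sorted(excess)))
    if set(grant["scopes"]) & high_risk:
        issues.append("high-risk-scope")
    if grant["owner"] in terminated:
        issues.append("owner-terminated")     # nobody is accountable for this grant
    if (today - grant["last_used"]).days > stale_days:
        issues.append("stale")                # unused access is pure attack surface
    return issues


def recommend(issues):
    """Map issues to an action: revoke, reduce scopes, or review."""
    if not issues:
        return "keep"
    if REVOKE_ON & set(issues):
        return "revoke"
    if any(i.startswith("excess-scopes:") for i in issues):
        return "reduce-scopes"
    return "review"


def audit_grants(grants, sanctioned, high_risk, terminated, today, stale_days=90):
    """Audit every grant and return only those needing action."""
    report = []
    for g in grants:
        issues = audit_grant(g, sanctioned, high_risk, terminated, today, stale_days)
        if issues:
            report.append({"app": g["app"], "owner": g["owner"],
                           "issues": issues, "action": recommend(issues)})
    return report


if __name__ == "__main__":
    for row in audit_grants(GRANTS, SANCTIONED_APPS, HIGH_RISK_SCOPES, TERMINATED, EXAMPLE_TODAY):
        print(row["action"], row["app"], row["owner"], ", ".join(row["issues"]))
```

The owner check is the piece that ties machine identities back to offboarding: a grant created by a departed employee has no one left to notice when its app is compromised, so it should be revoked or reassigned as part of the same workflow that disables the person's own accounts.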

Detecting Exfiltration, Managing Applications

Davis McCarthy, principal security researcher at Valtix, a provider of cloud-native network security services, says that post-pandemic, many organizations increased their utilization of various cloud and SaaS platforms.

"Because different departments use different applications, and some individuals integrate with interim solutions, IT departments found themselves drowning in the white noise of XaaS, with no standard way of managing it," he says.

While IT admins generally lock down the corporate email account during offboarding, ex-employees may still have access to unknown services that contain sensitive data.

"Putting the idea of an insider threat aside, if one of those unknown services is hacked and needs the password changed, no one may know to take action," he warns.

McCarthy says network defenders need to determine where sensitive data is stored and develop ways to detect exfiltration.

"Deploying an egress filtering solution limits how a threat can exfiltrate data, while also providing the needed visibility to verify it has not occurred," he says. "The impact of stolen data varies from industry to industry, but most data breaches result in monetary fines and loss of customer confidence."
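The Cyberhaven finding earlier in this article (data taken in the two weeks before notice is given) and McCarthy's point about visibility both come down to the same detection: knowing each user's normal download volume and noticing when the recent window departs from it. As an added example (not code from the article, Cyberhaven, or Valtix), the block below parses constructed download-audit lines in a hypothetical `key=value` format, builds a per-user daily baseline from the 30 days before a 14-day window, and flags users whose window volume is several times their baseline. The log format, thresholds, and user activity are all constructed.

```python
"""Flag users whose recent download volume far exceeds their own baseline."""
import re
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Hypothetical audit-log format: "<ISO timestamp> user=<u> action=<a> bytes=<n> src=<s>".
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) action=download bytes=(?P<bytes>\d+)"
)


def build_sample_log(today):
    """Constructed log: alice is steady; bob quietly ramps up in the last 14 days."""
    lines = []
    for d in range(44, 0, -1):
        day = (today - timedelta(days=d)).isoformat()
        lines.append(f"{day}T09:00:00Z user=alice@example.com action=download bytes=2000000 src=wiki")
        size = 1_500_000 if d > 14 else 40_000_000
        lines.append(f"{day}T17:30:00Z user=bob@example.com action=download bytes={size} src=crm")
    # A non-download event, to show that the parser ignores it.
    lines.append(f"{(today - timedelta(days=3)).isoformat()}T12:00:00Z user=eve@example.com action=login src=vpn")
    return lines


def daily_volume(lines):
    """Sum downloaded bytes per user per day; lines that are not downloads are skipped."""
    per_user = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_user[m["user"]][date.fromisoformat(m["day"])] += int(m["bytes"])
    return per_user


def flag_exfiltration(lines, today, window_days=14, baseline_days=30,
                      ratio=4.0, floor_bytes=100_000_000):
    """Return {user: stats} for users whose window volume exceeds ratio x baseline.

    The baseline uses the median daily volume so one legitimate large download
    in the past does not hide a sustained ramp-up. floor_bytes keeps low-volume
    users (where a 4x jump is still tiny) from generating noise.
    """
    per_user = daily_volume(lines)
    window_start = today - timedelta(days=window_days)
    baseline_start = window_start - timedelta(days=baseline_days)
    alerts = {}
    for user, days in per_user.items():
        base = [b for d, b in days.items() if baseline_start <= d < window_start]
        recent = sum(b for d, b in days.items() if d >= window_start)
        expected = (median(base) if base else 0) * window_days
        if recent >= floor_bytes and recent > ratio * max(expected, 1):
            alerts[user] = {
                "recent_bytes": recent,
                "expected_bytes": expected,
                "ratio": round(recent / max(expected, 1), 1),
            }
    return alerts


if __name__ == "__main__":
    today = date(2024, 4, 1)
    for user, stats in flag_exfiltration(build_sample_log(today), today).items():
        print(f"{user}: {stats['recent_bytes']} bytes in window, "
              f"{stats['ratio']}x the baseline of {stats['expected_bytes']:.0f}")
```

This catches volume, which is where egress filtering gives you the numbers; it does not catch a single carefully sized copy of a customer list, so pair it with content-aware controls on the sources that matter (source repositories, CRM exports, design shares) and treat the alert as a trigger for review rather than proof of intent.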

He adds that if IT security teams are bogged down with managing all the SaaS applications an organization uses, having too many of their own tools is also a burden.

"Deploying scalable, multi-cloud management tools that consolidate visibility and policy enforcement reduces their operational overhead," McCarthy says.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.
