Employee offboarding is no one’s favorite task, but it is a critical IT process that must be performed diligently and efficiently. This is easier said than done, especially as IT departments have less visibility and control than ever over their employees’ IT usage. Today, employees can easily adopt new cloud and SaaS applications whenever and wherever they want, and the old IT offboarding playbook of “deactivate the AD account, forward emails, recover and wipe the device, and be done with it” is no longer enough.
Here, we’ll discuss five of the most common pitfalls of IT offboarding in a SaaS-driven world, plus tips on how to navigate them.
Pitfall #1: Suspending or Deleting Email Account Before Performing Other Critical Steps
It may seem logical to suspend or delete the employee’s Google Workspace or Microsoft 365 account as the first step in the offboarding process. However, this will make the account inaccessible to everyone, even administrators, which could interfere with your ability to perform other offboarding tasks such as transferring files and data.
Instead of suspending or deleting the account, you will want to revoke the former employee’s access to their email account by resetting their passwords and disabling any recovery methods the employee has in place, such as a secondary personal email address or mobile number.
Determining when to suspend or delete the employee’s email account will depend on internal protocol, and it should only be done after carefully confirming that access to all other critical resources, systems and data has been revoked or transferred to other employees. This will usually be the last step in the IT offboarding process.
Pitfall #2: Only Considering What Is in the IdP or SSO
One of the most common pitfalls when it comes to offboarding is to limit the scope to only the sanctioned cloud and SaaS applications that are managed within your identity provider (IdP) or single sign-on (SSO) system. While it seems logical to design an offboarding process with a single identity kill-switch, the reality we all live with is that not everything is behind SSO, and by limiting your scope you risk overlooking any unauthorized or “shadow” SaaS assets that an employee introduced during their tenure. Such unauthorized SaaS accounts are often created with a username and password, which can easily be lost on a Post-it note or be abandoned and then compromised by a malicious actor. To avoid this pitfall, start by broadening your IT offboarding to encompass all managed and unmanaged cloud and SaaS access.
So how do you create a list of unmanaged cloud and SaaS accounts for a departing employee? This can turn into the world’s worst scavenger hunt, where you have to cross-reference information from financial systems, your support ticket platform, requests to application owners outside of IT, teammates of the departing employee, and much more.
But don’t start this hunt yet: new solutions for SaaS management are emerging to make this process much easier.
Pitfall #3: Neglecting Business-Critical Cloud and SaaS Resources
It’s easy to forget to transfer ownership of critical resources like corporate social media accounts, root account ownership, and registered domains. This error can cause business interruption or leave accounts orphaned and inaccessible. To prevent this from happening, IT departments must ensure they identify and transfer ownership of any business-critical resources, automations, or integrations early in the offboarding process.
Pitfall #4: Not Involving the Business Owners of Each SaaS Application
The rapid rise of business-oriented computing means that more IT administration is happening outside of central IT. This means more people will be involved in the offboarding process, including app business owners and business technologists who manage budgets and licensing for their SaaS applications.
There are two key steps to simplifying this process: first, you need to know who the right people to involve are, which requires a solid SaaS management platform. Second, you need a way to streamline, or even automate, the engagement of all stakeholders in order to effectively orchestrate the multitude of offboarding tasks that non-IT administrators must perform.
For example, before closing the departing employee’s account in a particular application, the application business owner may need to transfer ownership of data, integrations, or workflows to avoid disrupting the business. Additionally, the app owner may need to transfer elevated permissions to a new user.
Pitfall #5: Overlooking App-to-App OAuth Integrations
In most organizations today, there is a network of application-to-application OAuth integrations to automate data updates and tasks between applications. When employees leave the organization, revoking grants without careful review can result in business interruption, and failure to revoke grants can result in increased risk.
Therefore, it is important to review OAuth grants, work with application owners to identify which ones need to be re-authorized through another account, and then revoke the grants issued by the departing employee’s accounts.
Automate SaaS Offboarding with Nudge Security
IT offboarding is tedious, time-consuming and often incomplete. But Nudge Security can make this process much easier.
Nudge Security continuously discovers and inventories all SaaS and cloud applications used by your employees, including shadow IT, giving you a single source of truth for departing users’ accounts, OAuth grants, and other critical resources. Plus, the built-in offboarding playbook automates up to 90% of manual tasks like resetting passwords, revoking OAuth permissions, messaging app owners to transfer data and permissions, and more.
See how you can automate IT offboarding with Nudge Security.
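The ordering advice in Pitfalls #1 and #5 (suspend the email account last; re-authorize integrations before revoking grants) can be encoded as a dependency graph and used to check a runbook. This is an added example, not code from the original article or from Nudge Security; the task names and dependencies are constructed assumptions.

```python
# Added example: task names and dependencies are constructed for illustration.
from graphlib import TopologicalSorter  # Python 3.9+

# task -> tasks that must be finished before it may start
DEPENDS_ON = {
    "reset_password": set(),
    "disable_recovery_methods": set(),
    "inventory_unmanaged_saas": set(),
    "transfer_files_and_data": {"reset_password", "disable_recovery_methods"},
    "transfer_critical_ownership": {"inventory_unmanaged_saas"},
    "review_oauth_grants": {"inventory_unmanaged_saas"},
    "reauthorize_integrations": {"review_oauth_grants"},
    "revoke_oauth_grants": {"reauthorize_integrations"},
    "close_app_accounts": {"transfer_critical_ownership", "revoke_oauth_grants"},
}
FINAL_STEP = "suspend_email_account"  # Pitfall #1: this goes last


def _graph(depends_on, final_step):
    graph = {task: set(prereqs) for task, prereqs in depends_on.items()}
    graph[final_step] = set(depends_on)  # final step waits for every other task
    return graph


def build_plan(depends_on=DEPENDS_ON, final_step=FINAL_STEP):
    """Return an ordering that satisfies every dependency, final_step last."""
    return list(TopologicalSorter(_graph(depends_on, final_step)).static_order())


def ordering_violations(executed, depends_on=DEPENDS_ON, final_step=FINAL_STEP):
    """Return (task, unmet_prerequisite) pairs for a runbook as it was executed."""
    graph = _graph(depends_on, final_step)
    done, problems = set(), []
    for task in executed:
        for prereq in sorted(graph.get(task, ())):
            if prereq not in done:
                problems.append((task, prereq))
        done.add(task)
    # Tasks that never ran at all are reported as missing.
    problems += [("<missing>", task) for task in sorted(set(graph) - done)]
    return problems


if __name__ == "__main__":
    print(" -> ".join(build_plan()))
    # The legacy playbook: suspend first, then try to move the data.
    for task, prereq in ordering_violations([FINAL_STEP, "transfer_files_and_data"]):
        print(f"{task}: requires {prereq}")
```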