According to recent research on employee offboarding, 70% of IT professionals say they’ve experienced the negative effects of incomplete IT offboarding, whether in the form of a security incident tied to an account that wasn’t deprovisioned, a surprise bill for resources that aren’t in use anymore, or a missed handoff of a critical resource or account. This is despite an average of five hours spent per departing employee on activities like finding and deprovisioning SaaS accounts. As the SaaS footprint within most organizations continues to expand, it is becoming exponentially more difficult (and time-consuming) to ensure all access is deprovisioned or transferred when an employee leaves the organization.
Nudge Security is a SaaS management platform for modern IT governance and security. It discovers every cloud and SaaS account ever created by anyone in your organization, including generative AI apps, giving you a single source of truth for departing users’ accounts and OAuth grants that need to be deprovisioned, revoked, or transferred.
And, a built-in playbook walks you through a comprehensive checklist for IT offboarding in alignment with Google and Microsoft best practices. The playbook can help you save up to 90 percent of the time and effort involved in SaaS offboarding by automating time-consuming, easy-to-miss tasks like revoking OAuth grants and resetting passwords for accounts outside of single sign-on (SSO).
Let’s take a look at how Nudge Security helps you with each step so you can ensure complete offboarding of SaaS accounts.
Once you’ve selected the employee you need to offboard, the first step is to verify the status of their Google or Microsoft account.
Initially, you’ll want the employee’s Google or Microsoft account to remain active while you complete other offboarding tasks. However, you’ll want to make sure the user can no longer access the account by resetting their password and disabling any recovery methods they may have set up. Nudge Security helps you verify the status of each of these steps so you can ensure that access has been revoked.
Before you begin deprovisioning your departing employee’s accounts, you’ll want to identify and transition ownership of essential resources like AWS root user accounts, corporate domains, social media accounts and more.
Nudge Security automatically identifies critical resources owned by your departing employee and guides you through how to transfer ownership to other team members. For each resource, Nudge Security provides detailed instructions with helpful links and a summary of other app users who could take over responsibility for each resource. As you go through the list, you can confirm that you have transferred ownership or log your decision to ignore a particular resource that doesn’t need to be transferred.
OAuth grants are often used to enable app-to-app integrations and automation so if a departing employee’s OAuth grants are revoked without review, this could disrupt day-to-day operations.
Nudge Security shows you all app-to-app OAuth grants and scopes for the departing employee so you can assess the potential business impact of each integration and determine if it should be recreated with another account. You’ll also see who the other users of that application are so you can engage them as needed. This step of the offboarding process will help ensure that automated business processes continue to work as expected after the employee leaves the organization.
This step is easy. With the click of a button (and without leaving the Nudge Security dashboard), you can revoke access to all of the accounts managed by your single sign-on (SSO) provider, like Azure AD or Okta. Later on, the playbook will also walk you through cleaning up the contents of those accounts.
OAuth grants make it easy for employees to create new accounts simply by choosing the option to authenticate with Google Workspace or Microsoft 365. Nudge Security makes it just as easy for security and IT teams to identify and revoke departing users’ OAuth grants directly from Nudge Security. Now that you’ve already reviewed and recreated any scopes related to app-to-app integrations, you can revoke the remaining app access granted via OAuth.
OAuth grants and SSO-managed accounts only provide a partial view of your departing employee’s access. Lingering SaaS sprawl can leave doors open for illegitimate access to sensitive resources and data after an employee leaves your organization. Luckily, Nudge Security also inventories unmanaged accounts that your employee may have created with their work email outside of standard IT or procurement processes.
Not only will Nudge Security show you the list of unmanaged apps, but you can trigger automated password resets from within the platform to prevent further access by the departing employee. Without this automation, it could take hours to do this manually, if you even know the accounts exist in the first place.
Once the user’s access has been revoked, it’s important to clean up their accounts to avoid orphaning corporate data or continuing to pay for unused licenses.
Nudge Security enables you to send an automated “nudge” to the technical or business owner for each SaaS application with instructions to delete or move sensitive data, reallocate licenses, and reassign ownership of resources to another user.
Nudge Security records all of the offboarding steps you’ve taken, so you can always go back and check what was completed for each employee. Once you’ve finished offboarding a departing employee’s SaaS and cloud accounts, you can generate a .pdf report of the activities you completed and share it with internal users or auditors.
Nudge Security helps you offboard departing users efficiently and completely, enabling you to protect corporate resources and avoid business disruptions without wasting precious time on tedious, repetitive tasks.
Start your free 14-day trial now.