Your Guide to Offboard Users from Your SaaS Apps

Your Guide to Offboard Users from Your SaaS Apps
Arye Zacks
December 5, 2023
share:

Former employees retaining SaaS app access happens far more often than businesses care to admit. Nearly a third of all employees retain some degree of access to the SaaS stack. 

When employees move on, voluntarily or otherwise, it’s in the organization’s best interests to remove all access to corporate assets. Much of this process is done through automated workflows, where employees are removed from the identity provider (IdP) which triggers their removal from other systems. 

However, users must be manually deprovisioned from applications that weren’t integrated into the IdP. Failure to do so could lead to data theft, breaches, or other incidents conducted by either the former employee or someone who steals their credentials. 

A newly released guide, “Offboarding Employees from Your SaaS Stack in 7 Steps”,  explains why deprovisioning users isn’t always as straightforward as it seems, and gives step-by-step instructions to fully deprovision users, as well as automate the process. The process is summarized as follows: (For the full details, download the guide here). 

Challenges in Deprovisioning Users from SaaS Apps

 Organizations must overcome many challenges to permanently  remove a user from their SaaS applications:

  • Applications that are not integrated with the IdP aren’t aware that the employee is no longer part of the company. Applications that are not integrated with their IdPs or that do not enforce SSO can often be accessed using local credentials.
  • Teams share passwords to simplify administration or reduce license fees.
  • Individuals may have received passwords from coworkers over the course of their employment and can use them to access applications.

Manually Deprovisioning Employees

Removing access for  former employees requires that they be fully deprovisioned. If you are using a manual process, follow these steps. (For further explanation on all these steps, download the full guide here).

  • Step 1 – Begin by revoking access to their email by resetting their password and disabling account recovery methods.
  • Step 2 – Transfer admin rights of SaaS applications from the deprovisioned employee to another user to prevent the app from becoming inaccessible.
  • Step 3 – Disable SSO access for the user.
  • Step 4 – Manage publicly available resources that were shared with external users.
  • Step 5 – Review third-party applications that were connected to the core stack.
  • Step 6 – Reset passwords for user accounts not managed by an SSO.
  • Step 7 – Remove access to accounts and deactivate or delete their email account.

Following this process will remove ex-employee access while ensuring that other users will still have access to the app.

Strong Governance Policy Reduces the Risk

Beyond manual deprovisioning, introducing and enforcing strong governance policies for SaaS applications can go a long way toward reducing the risk. For example, if company policy required all SaaS users to login through an SSO or using MFA, user access would be curtailed the moment their login tools were deprovisioned. 

Some users, particularly those with high privileges, are required by the application to have local access. Unfortunately, these users will retain their access even when they are removed from the SSO or MFA. In those circumstances, maintaining a list of users with local access can be used to identify is instrumental to identifying users that must be manually deprovisioned.   

Shared passwords are another way users can get around deprovisioning, as they may maintain access through a shared team account. Enforcing an anti-password sharing policy and training users about the dangers of password sharing can go a long way toward reducing risk.  

Automate User Deprovisioning

The easiest way to deprovision users from SaaS applications is through a SaaS Security Posture Management (SSPM) platform that is integrated with a SOAR. Using automated workflows, these processes quickly identify and fully deprovision offboarded employees who maintained access to SaaS applications.

By using an SSPM, enterprises can confidently move forward, knowing that access to their applications is under their full control. 

Have users you need to deprovision? Download our latest ebook, Offboarding Employees from Your SaaS Stack in 7 Steps!

About the writer

Arye Zacks
Sr. Technical Content Specialist
Your Guide to Offboard Users from Your SaaS Apps
Arye takes complicated concepts and makes them easy to understand. A gifted storyteller with a marketing background dating back to the 90s, he knows how to engage readers with stories that address the challenges they face. Oh, and he is beloved for his skills on the grill and smoker.

Measuring SaaS Security by Business Unit, Subsidiary or Team

In our latest update, we add a new dimension to improve accountability and reporting – the ability to measure SaaS Security posture by business unit, subsidiary, team, or any other bucket of choice 
Read more
Hananel Livneh
July 22, 2021

Detangling a Confusing Threat Detection for SaaS Landscape

Detection and response sit at the heart of any well-thought-out cybersecurity program. However, for all the benefits of detection and response, there is still some confusion in the marketplace about these tools. This article aims to detangle the confusing threat detection SaaS landscape.
Read more
Arye Zacks
December 28, 2022

How to Protect Patients and Their Privacy in Your SaaS Apps

The healthcare industry is under a constant barrage of cyberattacks and has traditionally been one of the most frequently targeted industries. While the adoption of SaaS apps has led to better collaboration among medical professionals and improved patient outcomes, medical facilities must adhere to strict industry standards to ensure the highest level of security and compliance for healthcare data.
Read more
Arye Zacks
December 28, 2022
request a demo
Solution
By Use CaseWhat is SSPMGet in touch
Platform
Sign inFeatures  & FunctionalitiesIntegrations
Resources
LibraryBlog
Partners
Business PartnersTech Partners
Company
AboutNewsEventsCareers
2024 Adaptive Shield All rights reserved
Trust Center ›Privacy Policy ›Terms ›
GDPR Compliant
ISO 27001 Compliant
ISO 27001 Certified
ISO 27701 Certified
SOC 2 Compliant
Cyber GRX