Your Guide to Offboard Users from Your SaaS Apps

Arye Zacks, Sr. Technical Content Specialist

Former employees retaining SaaS app access happens far more often than businesses care to admit. Nearly a third of all employees retain some degree of access to the SaaS stack.

When employees move on, voluntarily or otherwise, it’s in the organization’s best interests to remove all access to corporate assets. Much of this process is done through automated workflows, where employees are removed from the identity provider (IdP), which in turn triggers their removal from other systems.

However, users must be manually deprovisioned from applications that weren’t integrated into the IdP. Failure to do so could lead to data theft, breaches, or other incidents conducted by either the former employee or someone who steals their credentials.

A newly released guide, “Offboarding Employees from Your SaaS Stack in 7 Steps,” explains why deprovisioning users isn’t always as straightforward as it seems and gives step-by-step instructions to fully deprovision users, as well as automate the process. The process is summarized as follows. (For the full details, download the guide.)

Challenges in Deprovisioning Users from SaaS Apps

Organizations must overcome many challenges to permanently remove a user from their SaaS applications:

Manually Deprovisioning Employees

Removing access for former employees requires that they be fully deprovisioned. If you are using a manual process, follow these steps. (For further explanation of all these steps, download the full guide.)

Following this process will remove ex-employee access while ensuring that other users will still have access to the app.

Strong Governance Policy Reduces the Risk

Beyond manual deprovisioning, introducing and enforcing strong governance policies for SaaS applications can go a long way toward reducing the risk. For example, if company policy required all SaaS users to log in through SSO or with MFA, user access would be curtailed the moment their login tools were deprovisioned.

Some users, particularly those with high privileges, are required by the application to have local access. Unfortunately, these users will retain their access even when they are removed from the SSO or MFA. In those circumstances, maintaining a list of users with local access is instrumental to identifying users that must be manually deprovisioned.
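One way to build and use the local-access list described above, as an added example that is not from the guide or any vendor tooling: it reconciles an IdP export against per-app account exports. The CSV columns, sample rows and action labels are constructed assumptions.

```python
import csv
import io

# Constructed sample exports; column names and values are assumptions.
IDP_EXPORT = """email,status
alice@example.com,active
bob@example.com,deprovisioned
carol@example.com,active
"""
APP_EXPORT = """app,account,login_method,role
crm,alice@example.com,sso,user
crm,bob@example.com,local,admin
wiki,Bob@Example.com,sso,user
wiki,dave@example.com,local,user
billing,carol@example.com,local,admin
"""

def load(text):
    """Parse a CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def local_access_register(app_rows):
    """Every account that can log in without the IdP (the list to maintain)."""
    return sorted((r["app"], r["account"].lower()) for r in app_rows
                  if r["login_method"] == "local")

def find_orphaned_accounts(idp_rows, app_rows):
    """App accounts whose owner is not active in the IdP, riskiest first."""
    active = {r["email"].strip().lower() for r in idp_rows
              if r["status"] == "active"}
    findings = []
    for r in app_rows:
        owner = r["account"].strip().lower()
        if owner in active:
            continue
        local = r["login_method"] == "local"
        findings.append({
            "app": r["app"], "account": owner, "role": r["role"],
            # Local logins keep working after SSO/MFA removal.
            "action": "manual-deprovision" if local else "remove-account",
        })
    # Local access first, then admins, then a stable app/account order.
    findings.sort(key=lambda f: (f["action"] != "manual-deprovision",
                                 f["role"] != "admin", f["app"], f["account"]))
    return findings

if __name__ == "__main__":
    for f in find_orphaned_accounts(load(IDP_EXPORT), load(APP_EXPORT)):
        print(f"{f['action']:18} {f['app']:8} {f['account']:20} {f['role']}")
```

Accounts that do not appear in the IdP export at all (such as the constructed `dave@example.com`) are reported alongside deprovisioned users, since nothing in the IdP will ever trigger their removal.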

Shared passwords are another way users can get around deprovisioning, as they may maintain access through a shared team account. Enforcing an anti-password sharing policy and training users about the dangers of password sharing can go a long way toward reducing risk.

Automate User Deprovisioning

The easiest way to deprovision users from SaaS applications is through a SaaS Security Posture Management (SSPM) platform that is integrated with a SOAR. Using automated workflows, these processes quickly identify and fully deprovision offboarded employees who maintained access to SaaS applications.

By using an SSPM, enterprises can confidently move forward, knowing that access to their applications is under their full control.

Have users you need to deprovision? Download our latest ebook, Offboarding Employees from Your SaaS Stack in 7 Steps!

About the writer

Arye takes complicated concepts and makes them easy to understand. A gifted storyteller with a marketing background dating back to the 90s, he knows how to engage readers with stories that address the challenges they face. Oh, and he is beloved for his skills on the grill and smoker.