Secure Offboarding Best Practices

The remote work conditions set up in response to the COVID-19 pandemic resulted in a host of new challenges for IT departments – one that’s often overlooked is securely offboarding employees.

Locating the many undocumented points of entry into the organization’s network is an especially tricky task, since an entry point may be network access to the company’s infrastructure or data access to an outsourced SaaS application holding vital internal information.

Generally, there are three main areas of focus to securely offboard an employee: understanding the scope of access, terminating that access and eliminating zombie accounts.

The first step is understanding the complete scope of the user’s access, which requires an inventory of all the applications, networks, infrastructure and devices the user had access to.

The second step is to terminate the user’s access. Ideally, this means using a centralized system – or systems – to make sure the user’s access is removed in a timely fashion.

The third and final step is ensuring no zombie accounts are left behind. Often, companies take shortcuts like forcing a password reset, or removing access but not the identity itself. This can leave behind zombie accounts, which are ripe targets for attackers.

As Kevin Dunne, president at integrated risk management solutions provider Greenlight Technologies, explained, IT security staff should be notified as early as possible when an employee is leaving to prepare for an upcoming employee offboarding.

“Organizations should monitor these employees closely for unusual activities such as mass data exports, master data changes and other actions; these are common risky behaviors employees make during their final days of employment,” he said.

Today, one of the largest hurdles in offboarding an employee is recovering the physical equipment – from computers to mobile devices – that the employee may have been using to complete their job responsibilities, Dunne pointed out.

“Especially in the case of involuntary turnover, the employee often has time to offload sensitive data, stored locally, from the device itself before returning it to the employer’s IT department,” he said.

However, making the move towards centralized data storage in cloud applications could reduce the employee’s access to sensitive data after they have been offboarded.

The emergence of shadow IT also means a great deal of an employee’s access may be unknown to IT, and could be publicly hosted. This creates a continuing risk of data loss via offboarded employees.

“Understanding the complete extent of an employee’s access is becoming a critical requirement for safely offboarding an employee without risk,” Dunne said.

In general, new trends in cloud data storage and cloud applications should help to support easier offboarding, with fewer steps than were previously required.

“When employers invest in a centralized identity and access management solution, much of the known access can be removed via a single platform,” he said. Deployment of robust IAM teams and processes is another crucial element in ensuring secure offboarding, Dunne added.

This includes putting automated processes in place that, after adequate approvals, can quickly and cleanly deactivate all accounts associated with a particular employee.

“Largely, it is on the IAM team’s shoulders to create the automated processes and up to the HR department to enact those processes when appropriate,” explained Jon Gulley, senior application security penetration tester at nVisium.

Gulley said a strong endpoint security program can largely mitigate the risk of data loss by having full disk encryption and remote wipe capabilities for all company devices.

On the administrative side, a new personal account for access to HR and benefits functionality may need to be created if one is not already in place, while email and other communication channels should be forwarded to a manager who can handle the transition of responsibilities.

Any company hardware in the employee’s possession must be repossessed or backed up and wiped remotely, especially if endpoint encryption is not in place, Gulley added.

“IT security staff should have ready-made processes that can be enacted quickly and easily by the HR department with appropriate confirmations, such as that from managers along the way,” Gulley said. “Any remaining access should trigger the creation of a high priority ticket to have the access removed manually.”
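The three-step procedure described earlier (inventory the scope of access, terminate it only after approvals, then check for zombie accounts) and the rule that any remaining access should raise a high-priority ticket can be expressed as a small reconciliation script. The following is an added example written for this article, not code from the author or either company quoted; the user name, system names and the HR/manager approval set are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Account:
    system: str                      # where the account lives (IdP, SaaS app, VPN, ...)
    user: str
    active: bool = True              # the account can still authenticate
    exists: bool = True              # the identity record is still present
    centrally_managed: bool = True   # removable through the IAM platform; shadow IT is not


# Constructed sample inventory for one departing user ("alice" is hypothetical).
INVENTORY = [
    Account("idp", "alice"),
    Account("email", "alice"),
    Account("vpn", "alice"),
    Account("crm-saas", "alice", centrally_managed=False),        # shadow IT, unknown to IAM
    Account("analytics-saas", "alice", centrally_managed=False),  # shadow IT, unknown to IAM
    Account("wiki", "alice", active=False, centrally_managed=False),  # password reset only: identity left behind
]


def scope_of_access(user, accounts):
    """Step 1: every account the user holds across all known systems."""
    return [a for a in accounts if a.user == user]


def terminate_access(user, accounts, approvals):
    """Step 2: deactivate and delete centrally managed accounts, but only once
    the required approvals (assumed here: HR and the manager) are recorded."""
    if not {"hr", "manager"} <= set(approvals):
        raise PermissionError("offboarding requires HR and manager approval")
    for a in scope_of_access(user, accounts):
        if a.centrally_managed:
            a.active = False
            a.exists = False   # remove the identity, not just the password
    return accounts


def find_leftovers(user, accounts):
    """Step 3: anything that still authenticates or still exists after
    termination is a zombie account and needs a high-priority manual ticket."""
    return [a.system for a in scope_of_access(user, accounts) if a.active or a.exists]


if __name__ == "__main__":
    terminate_access("alice", INVENTORY, {"hr", "manager"})
    print("manual removal tickets needed for:", find_leftovers("alice", INVENTORY))
    # → manual removal tickets needed for: ['crm-saas', 'analytics-saas', 'wiki']
```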

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
