By Megan Anderson Posted December 7, 2019
Failing to deprovision users fully when they leave your organization is like letting a tenant keep a key when they move out of an apartment. No one wants to come home to a stranger watching TV on their couch.
Similarly, you’d never want to log in to critical IT resources and find that a former employee has stolen documents or restricted access to important data. Errors and oversights in employee offboarding contribute to one of the most significant security risks an IT organization can face, so it’s important to standardize the process and make sure each resource gets deprovisioned automatically.
Deprovisioning Through Active Directory
Through Microsoft® Active Directory®, IT admins can automate user provisioning and deprovisioning for Windows® resources, making onboarding/offboarding for Windows systems and users a manageable task. However, non-Windows resources need to be managed manually, which includes cloud-hosted applications such as G Suite™, AWS®, Office 365®, and many others. The same goes for users on Mac® or Linux® machines, which AD struggles to manage in general.
In order to keep track of the non-Windows resources a user has access to, admins might keep a spreadsheet or other checklist. Some organizations have the IT department cooperate with the HR department to keep track of everything, as some of the resources include payroll and benefits platforms.
Notes can easily become lost, however, and spreadsheets might not be maintained or organized clearly. Tasking two different groups with keeping separate records necessary for a user’s offboarding process introduces a host of variables that can lead to mistakes. Plus, if the organization employs contractors, the frequency of user provisioning and deprovisioning can make information difficult to track.
As a result, admins might look elsewhere to make information storage and deprovisioning more efficient. One tool that can help automate this process is a cloud directory service, which manages user access not only to Windows resources but also to non-Windows systems and cloud-based applications and services.
Automating Deprovisioning with a Cloud Directory
The full process of deprovisioning users involves four critical steps that must be done immediately after a user leaves the organization:
- Remove them from the directory service
- Terminate their access across the infrastructure
- Terminate their access to applications and IT resources
- Deprovision their devices
Using a domainless cloud directory service collapses all of these steps into one: remove them from the directory service. With everything centrally managed, automated user deprovisioning is streamlined, simple, and swift.
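The risk behind the four steps above is access that survives step one: an account disabled in AD but still active in a cloud application, or a device still assigned to the departed user. The following reconciliation check is an added example (not code from the original post or from any directory product); the system exports, usernames and device IDs in it are constructed sample data, and the normalization rule (strip the e-mail domain) is an assumption that a real environment would replace with its own identity mapping.

```python
# Added example: reconcile an offboarded-user list against per-system account
# exports and find access that outlived the directory deprovisioning.
# All inputs below are constructed sample data, not real exports.

OFFBOARDED = {"jdoe", "asmith"}  # users HR says have left

# Hypothetical per-system exports: account identifier -> still active?
SYSTEM_EXPORTS = {
    "active_directory": {"jdoe": False, "asmith": False, "bwong": True},
    "gsuite": {"jdoe@example.com": True, "bwong@example.com": True},
    "aws_iam": {"asmith": True, "bwong": True},
    "payroll": {"jdoe": False},
}
# Hypothetical device inventory: device ID -> assigned user
DEVICE_ASSIGNMENTS = {"MAC-0042": "jdoe", "LNX-0007": "bwong"}


def normalize(account: str) -> str:
    """Map a per-system identifier (e-mail, UPN) to a bare lowercase
    username. Assumed rule; a real deployment needs a proper identity map."""
    return account.split("@")[0].lower()


def residual_access(offboarded, exports, devices):
    """Return {user: [finding, ...]} for every offboarded user who still has
    an active account on any system or a device still assigned to them."""
    findings = {}
    for system, accounts in exports.items():
        for account, active in accounts.items():
            user = normalize(account)
            if user in offboarded and active:
                findings.setdefault(user, []).append(
                    f"{system}: account {account} still active")
    for device, owner in devices.items():
        user = normalize(owner)
        if user in offboarded:
            findings.setdefault(user, []).append(
                f"device {device} still assigned")
    return findings


if __name__ == "__main__":
    report = residual_access(OFFBOARDED, SYSTEM_EXPORTS, DEVICE_ASSIGNMENTS)
    for user, items in sorted(report.items()):
        print(user)
        for item in items:
            print("  -", item)
```

Run against real exports, an empty report is the evidence that offboarding completed everywhere, and any non-empty entry is a ticket for the owning team.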
Admins store user and application information for both Windows and non-Windows environments in one place, and control Mac and Linux devices from the same console. Along with the automation features, a cloud directory service helps enforce zero trust security models through policies such as multi-factor authentication (MFA) and full disk encryption (FDE), so even physical access risks are accounted for.
A cloud directory service would not only allow admins to automate deprovisioning for users, but also boost their infrastructure security, providing them with tools to manage cloud applications more efficiently by extending directory management to all major platforms. Additionally, it can integrate with Active Directory, so admins who cannot migrate off their on-prem directory service can still have the benefits of a cloud directory and automated deprovisioning across virtually all IT resources.