When a company takes on a new employee, managers may need to give that individual access to certain systems, features, apps or accounts. This is known as provisioning, and deprovisioning removes that access when the employee leaves the organization or changes roles. What do you need to know about deprovisioning?

Definition and Importance of Deprovisioning in IT

Deprovisioning isn’t just about disabling a login; it encompasses the thorough purge and retraction of all access privileges spanning the breadth of an enterprise’s digital landscape. Its importance in IT cannot be overstated, especially in an era where data breaches are not just common but highly detrimental to both finances and reputations.

The Role of Deprovisioning in Organizational Security

The efficacy of an organization’s security hinges on how well it can control who has access to what data and when. That’s where deprovisioning proves indispensable. Beyond the obvious security imperatives, it underpins regulatory compliance, ensuring that firms adhere to strict privacy and data protection laws that abound in today’s global market.

How Provisioning Works

Provisioning can take place at one of four different levels:

  1. Network provisioning establishes a network that can be connected to devices and servers and accessed by the users. This is the approach phone companies use when they offer wireless solutions to their customers.
  2. It is also possible to set up a server within the network (such as physical hardware in a data centre) that can then be used to connect networks and storage.
  3. With application provisioning, an admin can manage various infrastructure items to optimize performance across different environments.
  4. User provisioning gives certain rights and permissions to individual people so that they can access systems, resources, files, networks or apps.

Occasionally, the company will need to remove access in the deprovisioning process, more often at the user level. Every company needs to get this right, as any errors can have significant security implications.

How Deprovisioning Works

As the organization becomes more complex, provisioning grows and becomes more involved. So, with greater complexity, one individual may have access to a large number of devices and extensive access rights. Until recently, deprovisioning would involve a great deal of money and work as the HR team went back and forth with the IT department to ensure that they revoked all access.

However, it is possible to automate deprovisioning today through identity and access management tools (IAM). These integrate with the company directory, so these tools can be pressed into action once an employee moves department or leaves the organization.

What Are the Key Benefits of Deprovisioning?

These are some key benefits associated with user deprovisioning:

  • It will be a lot easier to offboard employees. The system can quickly identify their usernames, roles and profiles and view any assigned access permissions and user accounts. All such permissions and access can then be terminated, no matter how complex the various entitlement rules may be.
  • The systems can use HR-driven identity management (IM) tools that will automatically prevent former employees from having any further online access. These tools can completely eliminate the chance of any “zombie” accounts within the system. Otherwise, there would always be a risk that those accounts sit idle, presenting a growing security risk and unnecessary threat.

The Deprovisioning Process Explained

For any organization that takes security seriously, deprovisioning is a multi-layered process requiring meticulous attention to detail. It goes beyond simply deactivating a user account; it’s an orchestration of steps that, when performed collectively and correctly, seal any entry points that could potentially lead to security issues.

Steps Involved in Effective Deprovisioning

Effective deprovisioning walks through several stages, starting with the identification of accounts that need deactivation. This involves real-time communication with the HR department to receive prompt updates on employee status changes. Following identification, the user’s access to email, intranet, and various systems must be revoked. Company assets like keycards, laptops, or phones should be retrieved, and any proprietary or sensitive information in their possession must be either returned or securely destroyed.

To effectively deprovision access in an organization, follow these steps:

1. Identify Access Points

  • Description: Begin by identifying all access points that an employee may have. This includes all systems, applications, databases, network resources, and physical access.
  • Key Actions: Create a comprehensive list of all access points, detailing what each one entails and which employees currently have access.

2. Inventory User Accounts and Access Rights

  • Description: Compile an inventory of all user accounts and their corresponding access rights.
  • Key Actions: Use tools to audit current user permissions and roles. Ensure this inventory is updated regularly to reflect any changes.

3. Develop a Deprovisioning Policy

  • Description: Establish a clear, documented deprovisioning policy that outlines the process and responsibilities.
  • Key Actions: Define the steps for deprovisioning, assign responsibilities, and ensure all stakeholders are aware of their roles.

4. Implement Access Recertification

  • Description: Regularly review and certify access rights to ensure they are still necessary and compliant with policies.
  • Key Actions: Schedule periodic audits to recertify access rights. Use governance tools to streamline the process.

5. Utilize Identity and Access Management (IAM) Tools

  • Description: Leverage IAM tools to automate the deprovisioning process.
  • Key Actions: Implement IAM solutions like Azure Active Directory to manage and automate user access and deprovisioning.

6. Integrate with HR Systems

  • Description: Ensure that your IAM tools are integrated with HR systems to automatically trigger deprovisioning when an employee leaves or changes roles.
  • Key Actions: Set up integrations between HR and IT systems to automatically update access rights based on employment status.

7. Automate the Deprovisioning Process

  • Description: Automate as much of the deprovisioning process as possible to reduce human error and increase efficiency.
  • Key Actions: Configure IAM tools to automatically revoke access when triggered by changes in the HR system.

8. Terminate Access to All Systems and Accounts

  • Description: Revoke access to all identified systems and accounts immediately when an employee leaves.
  • Key Actions: Ensure that all user accounts are disabled or deleted across all systems. Remove access badges and any physical access privileges.

9. Monitor and Verify

  • Description: Monitor the deprovisioning process to ensure it has been completed correctly.
  • Key Actions: Use auditing tools to verify that access has been completely revoked. Conduct follow-up checks to ensure no residual access remains.

10. Update Documentation and Access Inventories

  • Description: Update all relevant documentation and access inventories to reflect the changes made.
  • Key Actions: Maintain accurate records of deprovisioned accounts and access points. Ensure this information is readily available for future audits.

11. Review and Improve the Process

  • Description: Regularly review the deprovisioning process to identify areas for improvement.
  • Key Actions: Gather feedback from stakeholders, analyze any incidents related to deprovisioning, and update the process accordingly.

12. Train Employees on Deprovisioning Procedures

  • Description: Ensure that all employees involved in the deprovisioning process are properly trained.
  • Key Actions: Conduct regular training sessions and provide clear documentation on deprovisioning procedures.

Automation and Manual Efforts in Deprovisioning

While automation stands as the most efficient avenue for deprovisioning in many modern systems, manual intervention can’t be entirely discounted, especially in complex IT ecosystems. Automated systems excel in routine, well-defined deprovisioning tasks, doing what humans do but faster and without fatigue. Conversely, manual efforts are indispensable when situations demand a nuanced approach – for instance, when dealing with legacy systems that don’t interface well with modern IAM solutions.

Fun Fact: The first IAM solutions in history were manual, with an actual person overseeing user rights management. Now, software can do most of the grunt work!

However automated the process may be, it’s crucial to maintain administrative oversight to account for exceptions and to manage unforeseen complexities.

The Functions of Deprovisioning

The axiom ‘With great power comes great responsibility’ rings true when managing user privileges in an organizational context. Deprovisioning isn’t merely a subtractive function; it’s a gatekeeping strategy that ensures that only the right individuals have the right access at the right time.

Access Control and Permissions Management

At the heart of deprovisioning lies the need for robust access control and permissions management. These functions ensure that users can only interact with IT systems in ways that are necessary for their roles. When an employee exits the company, it’s vital to promptly revoke their permissions to stave off the risks of unauthorized access. By tightly managing permissions, organizations can preserve the integrity of their data and systems and reduce the risk of internal threats.

Key Takeaway: Tight permissions tuning is a proactive measure against potential compromise—making it an indispensable part of the deprovisioning process.

Asset Recovery and Account Management

Deprovisioning also entails the retrieval of any physical assets. This administered collection not only inhibits a data breach but also safeguards company property. On the account management side, system administrators must ensure that the accounts of departing users are either rendered inactive or completely deleted from all systems. This task includes revoking email aliases, digital signatures, and access tokens, effectively locking out any potential for misuse.

Note: “In the world of security, there is no such thing as absolute safety. Deprovisioning is one essential step in minimizing risk.”

In addition, certain conditions may necessitate the transfer of responsibilities and access rights from the departing user to their successor or team, a task that demands precision to ensure business continuity.

The Impact of Deprovisioning on IT Security

Security in the IT realm is a dynamic battlefield where threats constantly evolve, and proactive defence strategies such as deprovisioning play a pivotal role. Effective deprovisioning ensures that the end of an employee’s tenure doesn’t morph into a security loophole. Let’s delve into how deprovisioning tangibly impacts IT security.

Preventing Unauthorized Access

Unauthorized access sits atop the list of threats that deprovisioning thwarts. Former employees, if left with access, can unintentionally become conduits for breaches, be it through negligence or malicious intent. Hence, a prompt deprovisioning process prevents these potential ties, leaving no room for exploitation.

Compliance with Standards and Regulations

Many industries are bound by stringent regulatory standards like GDPR, HIPAA, or PIPEDA that mandate diligent user access management. Non-compliance can lead to significant fines and legal consequences. Through thorough deprovisioning, organizations ensure that they are not only secure but also in compliance with these international standards.

Fun Fact: The GDPR can impose fines of up to 4% of annual global turnover for non-compliance, emphasizing the financial impact of lax deprovisioning practices.

A streamlined deprovisioning process demonstrates to regulators and stakeholders alike that a company prioritizes data protection as part of its operational ethos.

Deprovisioning Best Practices

It’s important to set up these systems correctly at the outset when provisioning and deprovisioning in cloud computing — if they are to work flawlessly going forward. Otherwise, these automated tools could create access rights that go against company policies and could even breach complex regulations. So, each company should consider an IT control process known as access recertification. They will then audit the access privileges for each user to confirm they are correct and still adhere to compliance regulations or internal policies. Such work can be performed manually or automatically using access governance software. Then, auditors and security personnel can verify that the rules and workflows within each provisioning system are correct, based on industry best practices.

Here are the best practices to ensure a smooth, secure process:

1. Automate the Process

  • Why It Matters: Manual deprovisioning is prone to errors and delays, creating security gaps.
  • Best Practice: Use Identity and Access Management (IAM) tools to automate deprovisioning. Automating ensures consistency and minimizes the risk of human error.

2. Integrate with HR Systems

  • Why It Matters: Delays in communication between HR and IT can leave access open longer than necessary.
  • Best Practice: Integrate IAM tools with your HR system. This enables real-time updates when employees leave or change roles, ensuring prompt access removal.

3. Conduct Regular Audits

  • Why It Matters: Over time, access rights can become outdated or redundant, increasing security risks.
  • Best Practice: Schedule regular audits of all user accounts and access permissions. Use these audits to verify that only current employees have the necessary access and that all former employees’ access is fully revoked.

4. Implement Access Recertification

  • Why It Matters: Ongoing access needs change, and what was once necessary may no longer be.
  • Best Practice: Periodically recertify access rights to ensure they are still required and appropriate. This helps maintain up-to-date and relevant access controls.

5. Standardize Policies Across the Organization

  • Why It Matters: Inconsistent deprovisioning practices can lead to security vulnerabilities.
  • Best Practice: Develop and enforce standardized deprovisioning policies across all departments. Ensure everyone follows the same procedures to maintain uniform security standards.

6. Use Role-Based Access Control (RBAC)

  • Why It Matters: Managing individual user permissions can be complex and error-prone.
  • Best Practice: Implement Role-Based Access Control (RBAC) to assign permissions based on roles rather than individuals. This simplifies the process and ensures consistent access management.

7. Monitor for Zombie Accounts

  • Why It Matters: Dormant accounts are prime targets for unauthorized access.
  • Best Practice: Regularly scan for and eliminate inactive or “zombie” accounts. Ensuring that no unused accounts linger in your system reduces potential security threats.

8. Ensure Comprehensive Coverage

  • Why It Matters: Overlooking any access points can leave your organization vulnerable.
  • Best Practice: Make sure deprovisioning covers all possible access points, including network access, application access, cloud services, and physical access. Leave no stone unturned.

9. Maintain Documentation

  • Why It Matters: Proper documentation is essential for accountability and compliance.
  • Best Practice: Keep detailed records of deprovisioning actions, including who performed them and when. This documentation can be crucial for audits and investigations.

10. Provide Training and Awareness

  • Why It Matters: Everyone involved needs to understand the importance and procedures of deprovisioning.
  • Best Practice: Regularly train employees on deprovisioning processes and the importance of maintaining security. Awareness and understanding can significantly improve compliance and effectiveness.

11. Use Multi-Factor Authentication (MFA)

  • Why It Matters: Extra layers of security help prevent unauthorized access.
  • Best Practice: Implement Multi-Factor Authentication (MFA) to ensure that even if credentials are compromised, unauthorized access is still prevented.

12. Set Up Alerts and Notifications

  • Why It Matters: Immediate response to deprovisioning failures or anomalies is critical.
  • Best Practice: Configure your IAM system to send alerts and notifications for any deprovisioning errors or unusual activity. Promptly addressing these issues can prevent potential breaches.

13. Review and Improve Regularly

  • Why It Matters: The threat landscape is constantly evolving, and so should your deprovisioning process.
  • Best Practice: Continuously review and refine your deprovisioning practices. Stay informed about new threats and technologies, and adapt your processes accordingly.

How Can Deprovisioning Make a Company More Secure?

If a company does not have an adequate user provisioning and deprovisioning system, they face significant risks. After all, the average cost of a data breach today is $148 per record or up to $7.91 million per breach. Needless to say, this could significantly impact a company’s performance for years ahead, and 60% of small businesses fail within six months of a major breach like this.

Deprovisioning Challenges: The Good, The Bad, and The Ugly

Navigating the world of deprovisioning isn’t always smooth sailing. Here are some of the most common challenges you might face, and how to tackle them head-on:

1. Human Error Hiccups

We’re all human, and humans make mistakes. Manual deprovisioning is a hotbed for oversight and errors.

  • Challenge: Missing accounts, forgetting to revoke access, or incorrectly disabling permissions.
  • Solution: Automate the process with IAM tools. Let the machines do the heavy lifting—they don’t forget!

2. Complex IT Environments

The more complex your IT environment, the trickier deprovisioning becomes.

  • Challenge: Multiple systems, apps, and platforms mean more places to revoke access. It’s like playing whack-a-mole.
  • Solution: Centralize your access management. Use a comprehensive IAM solution to keep everything in one place.

3. Delayed Updates

Timing is everything. Delays in updating access rights can leave you vulnerable.

  • Challenge: Slow communication between HR and IT can result in lingering access after an employee leaves.
  • Solution: Integrate your HR systems with IAM tools for real-time updates. Speed is your friend here.

4. Zombie Accounts

Accounts that should be dead but are still lurking around. Creepy, right?

  • Challenge: These forgotten accounts are prime targets for unauthorized access and data breaches.
  • Solution: Regular audits and recertification. Sweep your system for these digital zombies and eliminate them.

5. Inconsistent Policies

Not all departments are on the same page, leading to a patchwork of deprovisioning practices.

  • Challenge: Inconsistent application of policies can create security gaps and compliance issues.
  • Solution: Standardize your deprovisioning policies across the organization. Clear, consistent guidelines for everyone.

6. Regulatory Compliance

Keeping up with ever-changing regulations is a full-time job.

  • Challenge: Failure to comply can result in hefty fines and damage to your reputation.
  • Solution: Implement access governance software to ensure your deprovisioning process meets all regulatory requirements. Stay ahead of the curve.

7. User Resistance

Not everyone likes change. Employees might resist new deprovisioning protocols.

  • Challenge: Pushback can slow down implementation and create loopholes.
  • Solution: Educate and train your team on the importance of deprovisioning. Make it easy for them to follow procedures. A little pizza party might help, too.

8. Technical Glitches

Technology is great, but it’s not infallible. Bugs and glitches can disrupt the deprovisioning process.

  • Challenge: Software failures can lead to incomplete or incorrect deprovisioning.
  • Solution: Regularly update and maintain your IAM tools. Have a robust IT support system in place to troubleshoot issues quickly.

9. Lack of Visibility

You can’t manage what you can’t see. Lack of visibility into who has access to what is a big problem.

  • Challenge: Without clear insight, you risk missing unauthorized access points.
  • Solution: Use analytics and reporting tools within your IAM solution to maintain full visibility. Knowledge is power.

10. Coordination Between Departments

Deprovisioning often requires coordination between multiple departments—HR, IT, security, and more.

  • Challenge: Miscommunication can result in incomplete deprovisioning.
  • Solution: Foster cross-departmental collaboration. Regular meetings and a clear communication plan can help keep everyone on the same page.

Tools and Technologies for Deprovisioning

Tools and technologies specifically designed for deprovisioning are critical assets for organizations aiming to enhance their security posture and streamline the offboarding process.

Identity and Access Management (IAM) Systems

Identity and Access Management systems are pivotal in providing an automated and centralized approach to managing user identities and permissions. Organizations rely on IAM systems to control access rights across their IT environments, significantly reducing the effort and potential for error inherent in manual processes.

  • Insights: Implementing IAM systems translates to a fortified security landscape where access is granted based on verified identities and predefined policies.

IAM systems play a leading role, helping to simplify and enforce consistent deprovisioning practices across the enterprise.

IAM systems Compared

Feature/Aspect Staff Pick:
Microsoft Azure Active Directory (Azure AD)
Okta Identity Cloud Ping Identity IBM Security IGI SailPoint IdentityIQ ForgeRock Identity Platform
Overview Cloud-based IAM, integrated with Microsoft Cloud-first IAM, user-friendly Enterprise-focused IAM Comprehensive IAM with governance Leader in identity governance Open-source, unified IAM
Single Sign-On (SSO) Yes Yes Yes Yes Yes Yes
Multi-Factor Authentication (MFA) Yes Yes Yes Yes Yes Yes
Conditional Access Yes Yes Yes Yes Yes Yes
Lifecycle Management Yes Yes Yes Yes Yes Yes
API Access Management Yes Yes Yes Yes Yes Yes
Adaptive Authentication Yes Yes Yes Yes Yes Yes
Identity Governance Moderate Moderate High High High High
Access Certifications Moderate Moderate High High High High
Policy Management Yes Yes Yes Yes Yes Yes
Risk Management Yes Yes Yes Yes Yes Yes
Integration Extensive, especially with Microsoft Extensive Extensive Good, especially IBM tools Extensive Good, requires expertise
Customization Moderate Moderate High High High Very High
Ease of Use Moderate High Moderate Moderate Moderate Moderate
Cost High Moderate to High High High High Moderate
Scalability High High High High High High
Community Support Strong Strong Strong Moderate Strong Strong
Deployment Options Cloud, hybrid Cloud Cloud, on-premises, hybrid On-premises, hybrid Cloud, on-premises, hybrid Cloud, on-premises, hybrid
Compliance Features High High High High High High
Best For Organizations using Microsoft ecosystems Versatile, easy to implement Large enterprises needing customization Large organizations with complex governance needs Organizations with stringent compliance requirements Organizations needing high flexibility and customization
Pros Deep integration with Microsoft products, strong security features, scalable User-friendly interface, wide integrations, strong support High customizability, strong security and compliance Strong governance, good integration with IBM security tools Comprehensive analytics and reporting, scalable Highly customizable, strong community support
Cons Complexity and higher cost Can be expensive for smaller organizations, limited features in basic plan Higher cost, steep learning curve Complexity and cost, requires significant resources Higher cost, resource-intensive implementation Requires in-house expertise, higher initial setup complexity

Automating Deprovisioning with Software Solutions

Software solutions specifically designed for deprovisioning can play a significant role in enhancing the efficiency and reliability of the process. These solutions integrate with various systems to ensure a quick and coordinated removal of user access while minimizing manual intervention.

Did You Know? Advanced deprovisioning solutions can track and report deprovisioning activities, providing invaluable documentation for audits and compliance checks.

By automating routine tasks, such software can free up IT staff to focus on more complex challenges, further enhancing security and operational efficiency.

Deprovisioning in Different Environments

Modern enterprises operate across diverse IT environments, and an effective deprovisioning strategy must account for their nuances. The differences between cloud and on-premise infrastructure, for example, necessitate tailored approaches to ensure that deprovisioning is thorough and effective in all contexts.

Deprovisioning in the Cloud

Cloud services add layers of complexity to the deprovisioning process due to their distributed nature and the shared responsibility model. Administrators must collaborate with service providers to ensure deprovisioning actions take effect across all cloud-based platforms and applications.

  • Key Insight: Efficient cloud deprovisioning hinges on integration and communication between internal IT and cloud service providers.

Precise coordination is required to confirm that all instances of user access within the cloud environment are identified and addressed.

On-Premises vs. Hybrid Infrastructure Challenges

In contrast, on-premises environments often involve direct control over all assets, but may lack the agility of cloud services. Comprehending the interconnectedness of these assets is critical for full-spectrum deprovisioning. Hybrid environments combine these challenges, necessitating a balanced approach that can adapt to the fluidity of these mixed infrastructures.

  • Important Note: Mastery of both on-premises and cloud deprovisioning is essential in hybrid environments to ensure no gaps are left in the security perimeter.

Organizations must be proficient in managing the distinct demands of each model to ensure a robust deprovisioning procedure is maintained.

The Future of Deprovisioning

In a constantly evolving digital landscape, the future of deprovisioning is set to include advancements in automation, artificial intelligence (AI), and machine learning to create more efficient and secure IT environments.

AI and Machine Learning in Deprovisioning

The adoption of AI and machine learning in deprovisioning offers a futuristic outlook on how organizations handle offboarding. These technologies are poised to predict and identify potential security loopholes by learning from patterns in data access and user behaviour.

  • Future Forecast: As AI becomes more prevalent, it will anticipate users’ departure and automate many deprovisioning tasks, enhancing accuracy and speed.

Predictive algorithms could automatically generate deprovisioning tasks ahead of an employee’s departure, ensuring a seamless transition and further securing the IT infrastructure.

Enter Microsoft Azure Active Directory

Microsoft operates Azure Active Directory to store information about objects on a network and to make it easy for users to access. It’s a database with critical information about a specific environment, identifying assets and users and determining how individuals can access it. Within Active Directory is Azure Active Directory, a cloud-based identity and access management service.

Azure Active Directory allows the company’s employees to access various external resources, including thousands of SaaS applications. Crucially, it allows these employees to reach internal resources through the corporate network or cloud apps developed by the company.

Azure can automatically provision user identities and rules for applications. It can then maintain these user identities or remove them through deprovisioning when a status or role may change. It can handle these issues on-premises or in a virtual machine without the need for firewalls. It’ll also help synchronize data between systems so that identities are always correct across apps and systems.

Azure has additional benefits, including customization. This allows a company to use certain attribute mappings to define what user data moves between source and target systems. It can seamlessly deploy in any brownfield scenario, matching existing identities and precipitating easy integration, even if the user is already within the target system. Further, Azure will generate critical event alerts if needed, and the user can define custom alerts according to their specific business needs.

Softlanding logo signature

Softlanding Helps Organizations Like Yours Systemize Deprovisioning

To get more information about deprovisioning and how your company can automate the process through Azure Active Directory, get in touch with Softlanding. We are an IT company that provides managed and professional IT services and are a Microsoft Solutions partner.

We deploy and implement Microsoft Solutions from Azure to Microsoft 365 and Microsoft Teams.

  • Contact our team here!

FAQs

What is the difference between deprovisioning and offboarding?
Deprovisioning refers specifically to the process of revoking digital access privileges when an employee leaves a company, whereas offboarding is a broader term that includes deprovisioning as well as other steps of concluding an employee’s tenure, such as exit interviews and final pay processing.

How long should the deprovisioning process take?
Ideally, the deprovisioning process should be completed within 24 hours of an employee’s departure to minimize security risks. However, the complexity of the IT environment and the tools in use could affect this timeframe.

Can deprovisioning be reversed if it was done in error?
Yes, in most systems, deprovisioning actions can be reversed if they were performed in error. This usually involves reinstating the user account and associated permissions.

What are some common pitfalls in setting up a deprovisioning process?
Common pitfalls include a lack of clear policies, failure to promptly execute deprovisioning tasks, insufficient communication between departments, and overlooking the need for regular audits and updates to the process.

Who in an organization should be responsible for deprovisioning?
While specific tasks might be assigned to IT administrators or HR personnel, having a cross-functional team that includes IT, HR, legal, and security stakeholders ensures a comprehensive approach to deprovisioning, addressing all dimensions of access and compliance.

Written By:

softlanding

Softlanding is a long-established IT services provider of transformation, professional services and managed IT services that helps organizations boost innovation and drive business value. We are a multi-award-winning Microsoft Gold Partner with 13 Gold Competencies and we use our experience and expertise to be a trusted advisor to our clients. Headquartered in Vancouver, BC, we have staff and offices in Toronto, Montreal and Calgary to serve clients across Canada.

More By This Author