Deprovisioning Done Right: Understanding Access Risks During Offboarding

Explore how to reduce security, compliance, and cost risks by structuring deprovisioning workflows, documenting approvals, revoking access consistently, and using IAM and asset management tools.

Jan 13, 2026

User deprovisioning refers to the tools and processes for removing user accounts and associated access permissions from IT systems, applications, cloud services, and devices. Let’s examine the tasks involved with user account deprovisioning and the IT solutions that you can employ to reduce deprovisioning risk.

What is user deprovisioning and offboarding?

Deprovisioning terminated users can also be referred to as offboarding. Deprovisioning tasks also occur when users change roles, during reorganizations or reductions in force, at project completions, or for voluntary resignations. User account deprovisioning can be a multi-step process performed on multiple platforms using either vendor-provided account management tools or cross-platform identity and access management (IAM) solutions such as Tello IAM.

Tasks involved in deprovisioning and offboarding

There are several specific and measurable IT tasks traditionally involved in deprovisioning and offboarding user accounts, including:

  • Receiving deprovisioning authorization

  • Disabling user accounts

  • Reassigning and revoking user access permissions

  • Documenting deprovisioning activities

IT elements for user deprovisioning

Here’s a quick rundown of the activities, risks, and IT elements for these tasks.

Receiving deprovisioning authorization

Deprovisioning begins with a request. Deprovisioning requests come in many forms, including service desk tickets, emails, or personal conversations. For urgent changes, such as terminations for cause or reductions in force, IT may get a last-minute notice to terminate all access at a specific time. Deprovisioning requests should also specify which current users should retain access to the deprovisioned user’s files, emails, and other documents and processes.

Risks involved with receiving deprovisioning authorization:

  • Deprovisioning requests may not be documented

  • Deprovisioning may not occur in a timely manner, resulting in ex-employees retaining access to organizational systems or current employees retaining access they no longer need

Disabling user accounts

User access must be disabled for organizationally provided accounts, applications, services, and assigned devices. Disabling accounts generally occurs in a three-step process:

  1. Immediately disabling user accounts so they can no longer access the system

  2. Assigning a deletion date when the account can be deleted, allowing for transition of object ownership, job scheduler changes, and other items to another user account

  3. Retrieving and reassigning organizationally supplied equipment, including cell phones, laptops, tablets, and other devices

Risks associated with disabling user accounts:

  • Creating ghost accounts where an IT administrator misses disabling one or more user accounts, providing access after offboarding

  • No mechanism for deleting disabled accounts after their deletion date, enabling orphaned accounts that can be reactivated

  • Retained access to cloud services unknown to IT, where the deprovisioned user was or still is an administrator

  • Inability to retrieve organizationally supplied equipment, possibly leaving users with continued access to data and systems
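
The first two risks above can be checked by reconciling offboarding records against account exports from each platform. The following is an added example, not code from this article or from any IAM product; the data layout, field names, and the `audit_accounts` function are assumptions made for illustration, and the sample records are constructed.

```python
from datetime import date

# Constructed sample data: offboarding records and per-platform account exports.
OFFBOARDED = {
    "jdoe":   {"terminated": date(2026, 1, 2),  "delete_after": date(2026, 2, 1)},
    "asmith": {"terminated": date(2025, 11, 3), "delete_after": date(2025, 12, 3)},
}
ACCOUNTS = [  # (platform, username, enabled)
    ("directory", "jdoe", False),    # disabled, still inside its retention window
    ("vpn", "jdoe", True),           # missed during offboarding
    ("crm-saas", "JDoe", True),      # same person, different casing on this platform
    ("directory", "asmith", False),  # disabled but past its deletion date
    ("directory", "mlee", True),     # current employee, not in scope
]

def audit_accounts(offboarded, accounts, today):
    """Return (ghost, overdue) findings for offboarded users.

    ghost:   account still enabled on or after the termination date
    overdue: account disabled but still present after its deletion date
    """
    ghost, overdue = [], []
    for platform, username, enabled in accounts:
        # Normalize usernames so casing differences between platforms
        # do not hide an account from the comparison.
        record = offboarded.get(username.strip().lower())
        if record is None or today < record["terminated"]:
            continue
        if enabled:
            ghost.append((platform, username))
        elif today > record["delete_after"]:
            overdue.append((platform, username))
    return sorted(ghost), sorted(overdue)

if __name__ == "__main__":
    ghost, overdue = audit_accounts(OFFBOARDED, ACCOUNTS, date(2026, 1, 13))
    for platform, user in ghost:
        print(f"GHOST   {platform}: {user} still enabled after termination")
    for platform, user in overdue:
        print(f"OVERDUE {platform}: {user} disabled but past deletion date")
```

A check like this only covers platforms whose account exports are fed into it, so cloud services unknown to IT remain outside its view.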

Reassigning and revoking user access permissions

Inventory the user’s data ownership and access permissions. Route the user’s access permission list to management for review and reassignment to appropriate personnel. Revoke specified user permissions after review and reassignment are complete.

Risks associated with revoking access permissions:

  • System processes, including scheduled jobs, may no longer run if no secondary user has the same access as a deprovisioned user

  • Orphaned data with no owner

  • Shadow IT resources with no administrator

  • Users who have changed roles retaining access to restricted data

  • Unnecessary software licensing fees when users are not removed from access lists

Documenting deprovisioning activities

For auditing and compliance purposes, documentation should be captured detailing when and by whom deprovisioning activities have occurred.

Risks associated with documenting deprovisioning activities:

  • No audit trail or documentation

  • Violation of customer service level agreements (SLAs)

  • Lack of compliance with industry, regulatory, governmental, insurance, and other requirements

IT solutions for user deprovisioning

Avoiding and mitigating deprovisioning risks requires verified IT solutions for accurately performing user deprovisioning requests. Critical IT solutions include:

  • IT service desk systems: For opening, assigning, tracking, and auditing user deprovisioning requests

  • Identity and access management (IAM) solutions: Tools such as Tello IAM help track and automate deprovisioning across multiple platforms, automatically disabling and deleting accounts, revoking credentials, disabling cloud access, and logging user activity for auditing and compliance

  • Software and hardware asset management platforms (CMDB): For inventorying hardware, devices, software, and subscriptions provisioned to each user, ensuring required retrieval, uninstalling, or resetting actions occur

Review provisioning information and processes at least once a year to keep data current. Update IAM and CMDB entries regularly to ensure accurate user tracking, licensing, and asset management. Many platforms provide software and AI agents to help maintain accurate IT service management information.

Learn more about user account deprovisioning

Contact Seasoft Security for more information on using innovative tools like Tello IAM to reduce user account deprovisioning risks. IAM experts can perform an organization-specific assessment to help modernize your user account deprovisioning environment.