
Simplicity Just One Click Away: Automating the Many IT Tasks of Employee Offboarding

Written By Derek Pascarella
Jul 11, 2023

There’s an unfortunate mistake that’s too often made when the relationship between an employee and their employer ends, and when the offboarding begins: processing the termination steps too quickly and disregarding the importance of the employee’s last few days, which can mean that behind-the-scenes procedures, like those in IT, aren’t carried out so well. 

IT teams have what seems like a thick mystery novel of items to check when managing offboarding logistics, including cutting access to company resources once terminations are final, among other post-exit responsibilities. Two things to remember about this list: it takes up a tremendous amount of time, and a lot of it can be automated!

Can you imagine if IT had to make one simple click to change the offboarding process game? It would mean they could let a workflow run the show in the background while they could work on the complex jobs that require a human to complete.  


Like employee onboarding, the many moving pieces of offboarding are beyond a headache for IT – they can actually be impossible to do manually. It’s particularly surprising for people who look at employee offboarding from the surface – there’s more involved than what the common eye might see.  

The hand-holding between HR and IT is a reliable way to properly offboard employees, but it’s far from efficient. There’s a lot of unnecessary back-and-forth communication and wait times, and processes that are susceptible to human error, all required to make sure offboarding is done right.  

The simplicity of offboarding is a huge misconception, and it can oftentimes be more challenging than onboarding, despite what many people might think. It can be really easy to accidentally leave a former employee’s access to a system on, especially after a tenured employee gains access to multiple systems. When it comes to offboarding, it’s not “the more, the merrier.” It might be hard to believe, but many companies don’t keep track of these collections of access permissions. Simply put, it’s hard to find and identify every single system that needs to be turned off when a proper record was never kept.  

The benefits of automation translate to security in a very big way. When it comes time to offboard an employee, IT must be able to account for each system that the person had access to. Each of those systems also needs to be properly closed off, because when there's a miss along the way, the now-former employee's access can potentially create a gap in security.

The former employee's account, which is created through the initial onboarding process, holds the information that's “key to the castle” for any potential attacker. If it is missed during the offboarding process, that critical information (regardless of where the system is located) helps an attacker get what they're looking for: a way to move laterally and escalate privileges. They'll next try to create certain service accounts, which are often overlooked because they're automated, or perhaps a bot within the organization.

This security issue creates major, unique challenges for IT teams.  

What Automation Looks Like for Real-world Offboarding 

From the technical side, for IT, employee offboarding is definitely not the same as employee onboarding in reverse.  

Regarding the security concerns that inaccurate employee offboarding sets off, IT of course has to prioritize good housekeeping of various systems, controls, and more. They have to prevent lingering accounts from being accessed by a malicious attacker who’s ready to come inside, escalate and potentially compromise important systems.  

An automation workflow is exactly what IT needs – complete with pre-built blocks that come from a huge library of integrations.  

From Active Directory, for instance, you can list out any users who belong to a particular group within the organization. This activity can be ready to run after inputting just a few settings. From here, the data automatically “flows downstream,” so to speak.

Automation offers something like an on-demand health check scan of the organization’s domain. From your ticketing platform, you can send it over as an incident, essentially acknowledging that the health check scan is required. Upon ticket submission, an event is pushed over to Resolve and IT can see the automation running via a play-by-play list of actions being executed by the automation workflow, from start to finish.  

When security comes into play, Resolve offers very detailed logging. There’s no mystery or guesswork as to what an automation did, when it did it, to what objects, to what users, and so forth. Back over on the ticket, reports are being built, consisting of various spreadsheets that let you know about things that meet the criteria of the health check scan.  

In this example, scanning the domain shows 44 accounts, and out of three categories (active, expired, and disabled), the automation found one account for each. The scan also reported thirty-three total groups, one of which was empty, four group policy objects, and one that was totally unlinked. What this means, based on our criteria, is that there are at least three user accounts that should no longer be active.

In this case, one of those three accounts is extremely risky because it could have had administrator-level access to the company’s most high-security systems, which poses a major threat.  
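A health check of the kind described above can be sketched as follows. This is an added example, not Resolve's workflow or code from the original post: the export format, field names, group names, and the 90-day inactivity threshold are all assumptions, and the sample data is constructed.

```python
from datetime import date

# Constructed sample export. Field names, group names and thresholds are
# assumptions for illustration, not a Resolve or Active Directory schema.
SCAN_DATE = date(2023, 7, 11)
PRIVILEGED = {"Domain Admins", "Enterprise Admins"}
ACCOUNTS = [
    {"sam": "jdoe", "enabled": True, "expires": None,
     "last_logon": date(2023, 7, 3), "groups": ["Sales"]},
    {"sam": "asmith", "enabled": True, "expires": date(2023, 5, 31),
     "last_logon": date(2023, 5, 30), "groups": ["Finance"]},
    {"sam": "bnguyen", "enabled": False, "expires": None,
     "last_logon": date(2023, 2, 1), "groups": ["Domain Admins"]},
    {"sam": "svc-report", "enabled": True, "expires": None,
     "last_logon": date(2023, 1, 9), "groups": ["IT"]},
]
GROUPS = {"Sales": ["jdoe"], "Finance": ["asmith"], "IT": ["svc-report"],
          "Domain Admins": ["bnguyen"], "Old-Project": []}
GPO_LINKS = {"Default Domain Policy": ["example.local"], "Legacy Lockdown": []}


def classify(account, today, stale_days):
    """Return why an account should be reviewed, or None if it looks healthy."""
    if not account["enabled"]:
        return "disabled"
    if account["expires"] and account["expires"] < today:
        return "expired"
    if (today - account["last_logon"]).days > stale_days:
        return "inactive"
    return None


def health_check(accounts, groups, gpo_links, today=SCAN_DATE, stale_days=90):
    """Build the report: flagged accounts, empty groups, unlinked GPOs."""
    flagged = []
    for acct in accounts:
        reason = classify(acct, today, stale_days)
        if reason:
            flagged.append({"account": acct["sam"], "reason": reason,
                            "privileged": sorted(PRIVILEGED & set(acct["groups"]))})
    # Accounts that still hold privileged group membership sort to the top.
    flagged.sort(key=lambda f: (not f["privileged"], f["account"]))
    return {"accounts": flagged,
            "empty_groups": sorted(g for g, m in groups.items() if not m),
            "unlinked_gpos": sorted(n for n, l in gpo_links.items() if not l)}


if __name__ == "__main__":
    print(health_check(ACCOUNTS, GROUPS, GPO_LINKS))
```

Sorting privileged accounts first mirrors the point above: a lingering account with administrator-level group membership is the one to clean up before anything else.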

Once this point is reached, the automatic cleanup process is ready to roll, and the user simply submits a change request ticket for this step to begin. In the same way Resolve responded to the initial ticket and built the report data, it does so for this change request. The ticket is picked up, and it then processes the users, groups, and group policies to clean them out. Every detail of every step is tracked inside the change request, as each task takes place and is completed.

Below this information, the system displays work notes and updates while the automatic cleanup process occurs, and simultaneously, it creates change tasks. In real time, users can see where the work is happening within the process, and exactly what part of the cleanup has been done, as well as what’s up next. Resolve stores this information via ticket records for the future as well, should someone want to audit the process down the road – down to the detail of which accounts were deleted, what groups they belong to, and when the removals were processed.  

Interested in learning even more about IT automation for employee offboarding? Watch this brief LinkedIn Live replay and demo on Resolve’s YouTube channel! 

Resolve can handle the offboarding process, as well as take on-demand actions to scan a domain, look for things that shouldn’t be there like accounts that have privileges or permissions that fall outside of normal range, and then present this information to administrators, managers, and operators. It gives them the ability to automatically take action to remove accounts and get cleaned out, and maintain a good state of managing lingering accounts going forward.  

Request a demo to see how Resolve can streamline offboarding for your organization’s HR and IT teams.  

This blog is the third part of our “The 7 IT Automations for Highly Effective Organizations” series, with a new blog dropping every Tuesday this summer. Inspired by Stephen R. Covey’s bestseller, The 7 Habits of Highly Effective People, we believe the seven automations we write about will help transform IT and businesses for the better – sustaining lasting success through upgraded and improved capabilities.  


About the author, Derek Pascarella:


Global Director of Sales Engineering

Derek Pascarella, Senior Sales Engineer at Resolve Systems, is an experienced and well-rounded IT professional with a diverse technical skill-set, emphasizing problem-solving and group collaboration. His expertise, combined with strategic thinking, put him in an optimal position to execute a thorough, clear solution to problems. Derek is also seasoned in stepping outside of his role to work in and manage cross-functional initiatives.