In the realm of security and IT, the identity lifecycle is a critical focus for organizations. Managing the various stages - onboarding, role changes, and offboarding - ensures that employees have appropriate access throughout their tenure and, crucially, no access once they leave. While much attention is placed on onboarding and role management, offboarding is often overlooked and under-optimized. In today’s distributed work environments, this can lead to significant risks and inefficiencies.
In this blog post, we’ll explore the challenges of modern offboarding and why businesses need to focus on improving their processes for greater security, compliance, and cost efficiency.
The risks of poor offboarding
When the offboarding process isn’t handled properly, several risks arise:
- Orphaned accounts: Without effective offboarding, ex-employees may retain access to systems long after they’ve left. The risk is especially high for tools where the user signed up with a local email-and-password login rather than through SSO: disabling their Microsoft or Google account does not disable those local credentials, so the account keeps working.
- Insider threats: Former employees, especially disgruntled ones, can pose security threats if they maintain access to sensitive systems. Retaining access means they could potentially leak data, delete critical information, or interfere with operations.
- Compliance failures: Many organizations must adhere to strict compliance standards, such as SOC 2 and ISO 27001. Failing to properly offboard employees can lead to non-compliance if access reviews reveal active accounts belonging to former employees, which can mean costly fines or audit failures.
The complexity of modern offboarding
In the past, IT had centralized control over the tools used by employees, making offboarding a more straightforward process. But in today’s work environment, the reality is far more complex:
- Distributed ownership of tools: IT teams no longer own every system or tool employees use. Teams from HR to marketing and engineering often manage their own systems. This distributed ownership makes it harder to ensure that employees are fully offboarded from all tools when they leave.
- Central IdP only covers a fraction of accounts: While a central identity provider (IdP) like Okta, Entra, or Google can handle about 20% of core systems, the remaining 80% of tools—many of which are tied to specific teams—often go unmanaged by the IdP. This results in orphaned accounts that may only be caught during infrequent access reviews.
The role of automation and orchestration
Given the complexity of modern offboarding, automation and orchestration are critical components of any effective offboarding strategy:
- Automation: Wherever possible, automation should be used to deprovision accounts from systems. For tools that support SSO (Single Sign-On) and SCIM (System for Cross-domain Identity Management), offboarding can be automated as part of the employee exit process. This reduces the risk of human error and speeds up the process.
- Orchestration across tool owners: For systems that don’t support SCIM or even SSO, it’s crucial to orchestrate the offboarding process across different tool owners. Businesses need centralized visibility into what accounts exist, who is responsible for them, and whether or not offboarding has been completed. By tracking these steps, organizations can ensure no accounts fall through the cracks.
- Auditability for compliance: For businesses aiming for SOC 2 or ISO 27001 compliance, auditability is essential. A well-orchestrated offboarding process not only improves security but also makes it easy to demonstrate during audits that access to all systems has been revoked for leavers.
Key metrics for measuring offboarding success
Success in offboarding should be measured to ensure continual improvement. Key metrics include:
- Time to complete offboarding: The time it takes to fully offboard an employee from all systems should be minimized. Ideally, this would happen within 24 hours of an employee’s departure.
- Percentage of accounts automatically deprovisioned: Measure the percentage of tools that support automatic offboarding through SCIM and SSO. Increasing this percentage over time reduces the reliance on manual processes.
- Number of orphaned accounts: Tracking the number of orphaned accounts left behind after offboarding is a key metric. The goal should be to reduce this number with every review cycle.
- Compliance audit pass rate: As offboarding processes improve, compliance audits for standards like SOC 2 and ISO 27001 should become easier to pass. A high audit pass rate is a sign of an effective offboarding process.
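As an added example (not code from this post or any product it describes), here is a small Python reconciliation of the kind an orchestration layer would run over an HR leaver feed and the per-tool account exports collected from each tool owner: it lists orphaned accounts together with the owning team to chase, and computes the time-to-offboard, percentage-auto-deprovisioned and orphaned-account metrics above against the 24-hour target. All users, tools, owners and timestamps are constructed.

```python
from datetime import datetime

# Constructed sample data, not from the post: HR leaver feed and per-tool account exports.
LEAVERS = {
    "alice@example.com": datetime(2024, 5, 1, 17, 0),
    "bob@example.com": datetime(2024, 5, 3, 12, 0),
}
# Per tool: owner, SCIM-connected or not, and when each account was disabled (None = active).
TOOLS = {
    "crm": {"owner": "sales", "scim": False, "accounts": {
        "alice@example.com": None,                      # never disabled: orphan
        "carol@example.com": None}},                    # current employee
    "wiki": {"owner": "engineering", "scim": True, "accounts": {
        "alice@example.com": datetime(2024, 5, 1, 17, 5),
        "bob@example.com": datetime(2024, 5, 3, 12, 2)}},
    "payroll": {"owner": "hr", "scim": False, "accounts": {
        "bob@example.com": datetime(2024, 5, 4, 9, 0)}},  # manual, 21h later
}

def leaver_accounts(leavers, tools):
    """Yield (tool, user, disabled_at, scim) for every account held by a leaver."""
    for tool, t in tools.items():
        for user, disabled in t["accounts"].items():
            if user in leavers:
                yield tool, user, disabled, t["scim"]

def find_orphans(leavers, tools):
    """Leaver accounts still active, with the tool owner to chase for removal."""
    return sorted((tool, user, tools[tool]["owner"])
                  for tool, user, disabled, _ in leaver_accounts(leavers, tools)
                  if disabled is None)

def hours_to_offboard(leavers, tools):
    """Hours from departure to the last disabled account; None while incomplete."""
    def done(user, left):
        times = [d for _, u, d, _ in leaver_accounts(leavers, tools) if u == user]
        return None if None in times else (max(times, default=left) - left).total_seconds() / 3600
    return {u: done(u, left) for u, left in leavers.items()}

def offboarding_metrics(leavers, tools, sla_hours=24):
    """The post's metrics computed from the exports rather than self-reported."""
    rows = list(leaver_accounts(leavers, tools))
    hours = hours_to_offboard(leavers, tools)
    return {
        "orphaned_accounts": len(find_orphans(leavers, tools)),
        "pct_auto_deprovisioned": round(100 * sum(s for *_, s in rows) / len(rows)),
        "sla_breaches": sorted(u for u, h in hours.items()
                               if h is None or h > sla_hours),
    }
```

Running this on the sample data flags Alice's CRM account as an orphan owned by sales, reports that only half of leaver accounts were SCIM-deprovisioned, and lists Alice as breaching the 24-hour target while Bob's manual payroll removal completed in time.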
Conclusion
In today’s dynamic work environments, offboarding is more complex than ever. Yet, it remains a critical part of the identity lifecycle. Without a robust offboarding process, companies expose themselves to significant security, compliance, and financial risks. By focusing on automation, orchestration, and auditability, businesses can create a streamlined offboarding process that not only protects the organization but also drives operational efficiency. It’s time for IT and security professionals to give offboarding the attention it deserves.