You can hardly find a company that doesn’t take provisioning procedures seriously. Usually there are lots of steps and protocols to get a new employee going. For Office 365 that includes creating an account in AD, adding the new account to all connected systems, entering all the personal data, assigning licenses, etc.
Although most (if not all) companies take these actions very seriously, deprovisioning, i.e. the procedures executed when employees leave, may get almost no attention. This can be a very big mistake, as making sure that accounts which are no longer active are handled properly is as important as (or sometimes even more important than) setting them up in the first place.
How Does It Work?
Basically, deprovisioning is just provisioning in reverse. An employee starts with no account, no access rights, no credentials, no licenses assigned, etc. Once they get the job, all of that is granted. So when they leave, everything has to return to the initial state: no access, no licenses, no credentials.
This can’t be achieved by just deleting accounts (although sometimes that is an option). Usually companies have policies to keep deprovisioned accounts for at least some fixed time. This makes it easy to, for example, restore information if it’s required.
Deprovisioning has to cover all systems that the user had access to, including Office 365. So all the procedures have to be documented in as much detail as possible, which means that automating this process might be a very good idea. And if at any point a new system is added to the everyday workflow, it should also be added to the list of deprovisioning procedures.
Why Is It Important?
If you are still wondering why deprovisioning is so important and why you should even bother, there is a very good answer: it is a major security risk.
Employees who leave do so for a reason. This means that any access they used to have to any system has to be terminated as soon as they leave. You can’t know their intentions, so any information in the environment that isn’t available to the public shouldn’t be available to those who no longer work for the company.
Real Life Examples
Remember the massive Sony Entertainment hack back in 2014? The one in which a huge amount of personal and company-related data (documents, passwords, home addresses, salaries, social security numbers, etc.) was leaked to the web, causing losses of millions and millions of dollars. The media linked it to North Korean hackers because of ‘The Interview’, a movie that was in production at that time. However, the story turned out to be much less poetic.
As cybersecurity experts say, most probably the hack was caused by a dissatisfied employee who had left Sony but wasn’t deprovisioned properly. That meant that he had access to data that he should no longer have been able to reach. And we all know the consequences.
What Should You Do?
Unfortunately, things like that happen every day. They might be less serious than in Sony’s case, but they can still be very unpleasant for a company of any size. So the next time an employee leaves your company, make sure that the deprovisioning procedures are done properly. This can save you a lot of time, a lot of effort and, possibly, your job.
If you haven’t done it yet, carefully document the steps, create a checklist and make sure that everybody who does deprovisioning knows about it and follows it. Automate as much as you can. This will allow you to eliminate human errors and save the IT staff precious time.
If you do everything correctly, your environment will be safe and clean and you will have one less thing to worry about.
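A post-departure audit is one part of the checklist that automates well. The following is an added example, not part of the original article: it checks that every leaver's account in every system is back at the initial state (disabled, no licenses, no valid credentials) and flags systems that are missing from the checklist. The user names, system names, field names and the 90-day retention period are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Account:
    system: str
    user: str
    enabled: bool
    licenses: tuple = ()
    live_credentials: int = 0  # passwords, tokens or sessions that still work

def audit_leavers(accounts, leavers, checklist, today, retention_days=90):
    """Return (user, system, problem) for each leaver account not at the initial state."""
    findings = []
    for acct in accounts:
        left_on = leavers.get(acct.user)
        if left_on is None or left_on > today:
            continue  # still employed, nothing to deprovision
        if acct.system not in checklist:
            findings.append((acct.user, acct.system, "system missing from checklist"))
        if acct.enabled:
            findings.append((acct.user, acct.system, "account still enabled"))
        if acct.licenses:
            findings.append((acct.user, acct.system, "licenses still assigned"))
        if acct.live_credentials:
            findings.append((acct.user, acct.system, "credentials still valid"))
        # Assumed policy: retained accounts are reviewed once the fixed period ends.
        if today - left_on > timedelta(days=retention_days):
            findings.append((acct.user, acct.system, "retention period over, review for deletion"))
    return findings

# Constructed sample data (hypothetical users and systems).
CHECKLIST = {"ad", "office365"}  # systems the documented procedure covers
LEAVERS = {"jdoe": date(2024, 1, 10), "asmith": date(2024, 5, 20)}  # from HR
ACCOUNTS = [
    Account("ad", "jdoe", enabled=False),
    Account("office365", "jdoe", enabled=False, licenses=("E3",)),
    Account("office365", "asmith", enabled=False),
    Account("crm", "asmith", enabled=True, live_credentials=2),
    Account("ad", "mlee", enabled=True),  # current employee
]

if __name__ == "__main__":
    for finding in audit_leavers(ACCOUNTS, LEAVERS, CHECKLIST, date(2024, 6, 1)):
        print(*finding, sep=" | ")
```

In practice the account inventory would come from an export of each connected system, and any finding means a checklist step was skipped or a system was never added to the list.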