Software Provisioning and Deprovisioning: Risks and Processes Explained

Feb 26, 2024

At a time when companies are rapidly expanding and downsizing their workforces, IT teams must provision and deprovision technology at scale. Dealing with software alone can be particularly daunting, since the average company uses at least 125 applications, according to Gartner. New hires, especially those working remotely, need to have access to the right applications on their first day. When an employee leaves the company, it’s critical to revoke access to all the systems they used immediately. For many companies, this can make hiring or terminating a single employee time-consuming and prone to errors.

These challenges underscore the need for thorough software provisioning and deprovisioning processes. IT teams need policies, procedures, and tools to streamline technology onboarding and offboarding. Without formal processes in place, and the technology to support them, companies can jeopardize cybersecurity and encounter pitfalls like unnecessary spending, wasted time, and employee dissatisfaction.

Here’s what can happen when software provisioning and deprovisioning tasks slip through the cracks and what you can do to minimize these risks.

Understanding the risks of software provisioning and deprovisioning

SaaS applications offer undeniable benefits for companies that want to keep up with the demands of modern business processes. However, they also involve inherent risks, many of which revolve around proper provisioning and deprovisioning.

Compromised security

The most costly and concerning risk, particularly with deprovisioning, is the threat to cybersecurity. In a recent survey, nearly half of all respondents said they still use passwords from their former jobs to access software, email, and even sensitive company data. Although most of them said they didn’t have bad intentions, as unauthorized users, they still put your security at risk. They may be using unsecured networks and devices, which hackers can exploit.

Overspending

Failing to properly deprovision software can lead to uncontrolled SaaS spend if you pay for subscriptions by the user. When accounts remain active after an employee leaves, the company is paying for licenses that aren’t being used. In contrast, there is shadow IT: all the technology purchased by a company without IT’s approval. Monitoring these licenses can be particularly difficult since many SaaS subscriptions are purchased at the manager or individual contributor level.

IT inefficiencies

Inefficient provisioning and deprovisioning processes can lead to interruptions and wasted time for the IT department. If a new employee can’t access their assigned applications on their first day, someone in IT has to take the time to fix the issue. Also, cracks in the deprovisioning process cause IT teams to spend more time tracking down and closing unused accounts and licenses during software audits.

Employee frustration

The first day on the job is hard enough. If a new employee has to deal with software hiccups, it can put a damper on their experience, especially if they work remotely. Half of employees said they felt disoriented during onboarding, and 60% of remote workers said they felt the same way. Smooth provisioning can help employees feel more prepared when they start.

Non-compliance

Improper provisioning also puts you at risk of non-compliance. Data privacy regulations, like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), require that you tightly control access to sensitive data. Preventing unauthorized access is a critical step. If gaps exist in your deprovisioning process, then you increase risk.

In many cases these risks aren’t apparent right away. That means uncontrolled costs, security vulnerabilities, lapses in compliance, and employee disengagement fester before being addressed. It’s hard to put the genie back in the bottle once those challenges arise.

How to fine-tune your provisioning and deprovisioning processes

There are steps you can take to reinforce your software provisioning and deprovisioning processes. Consider incorporating these practices into your processes to reduce risk and streamline your workflows.

1. Review your practices yearly

More than likely, the onboarding and offboarding process involves multiple platforms, such as identity providers (IdP) and identity and access management (IAM) tools. You also likely perform some tasks directly on each device. With so many intertwined moving parts, a lot can go wrong or change. It’s important to review your provisioning and deprovisioning practices at least annually. Some of the things you should check for include:

  • Make sure you’re up-to-date on the provisioning and deprovisioning processes for all of the systems you use.
  • Review your IdP and IAM strategies to ensure they’re up to date with industry best practices, regulatory requirements, and company policies.
  • Determine if you have the right access controls in place. Provisioning capabilities should be limited to only those who need them, and should be reviewed regularly.
  • Ensure procedures are standardized across the enterprise, especially after a merger, acquisition, or period of rapid growth.

These regular reviews allow you to keep up with the pace of change, particularly as IAM and IdP platforms evolve.

2. Set the right foundation for automation

With so many systems to manage, automation is necessary for efficient provisioning and deprovisioning. For it to work, it’s important to set the right foundation.

Start by choosing one source of truth for identity management. This can be an IAM like Okta or JumpCloud, or an IdP like Azure or Google Workspace. When you need to know who your users are, you shouldn’t have to look in multiple places.

3. Keep data clean

Dirty data is a major contributor to the security, compliance, and overspending risks of provisioning and deprovisioning. Once you have your single source of truth established, follow stringent protocols for collecting user data during the provisioning process. This will set you up for success in the deprovisioning stage.

Relying on out-of-the-box automations also leads to dirty data. You may need to customize the workflows between your various platforms. For example, your IAM may show all users who have ever had accounts with an application, even after they’ve been deactivated. In that case, you’ll have to set up a custom script that shows only active users.

4. Verify deprovisioning processes

No matter how solid your processes are, there’s nothing wrong with checking your work. It’s possible for automations to break, or for tasks to slip through the cracks due to employee turnover. These errors are typically revealed during IT audits. At that point, they’ve been in the system, putting your data and network at risk, for a while.

You can prevent these errors by verifying that each step of the deprovisioning process was completed:

  • Verify application ownership and admin rights have been properly transferred from the outgoing employee to a new owner.
  • Ensure all accounts have been deactivated, including those with SSO and OAuth access, as well as those the employee created directly with their email and password.
  • Document that tasks have been completed. Automation can help, since you can generate logs to verify which tasks have been completed.
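The active-users filter from step 3 and the verification checks from step 4 can be combined in one reconciliation script. The following is an added example, not code from this article or from any vendor: the CSV columns, sample rows, and function names are assumptions, and it goes slightly beyond the text by also flagging active accounts that do not appear in the source of truth at all.

```python
import csv
import io

# Constructed sample data (not from the article): HR export as source of truth.
HR_CSV = """email,status,termination_date
alice@example.com,active,
bob@example.com,terminated,2024-01-15
carol@example.com,terminated,2024-02-01
"""

# Constructed per-application account export. "auth" separates SSO accounts
# from accounts created directly with an email and password.
ACCOUNTS_CSV = """app,email,auth,state,role
crm,alice@example.com,sso,active,member
crm,bob@example.com,sso,deactivated,member
design-tool,Bob@Example.com,password,active,admin
chat,carol@example.com,sso,active,member
chat,dave@example.com,password,active,member
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def active_accounts(accounts):
    """Drop deactivated rows so historical users do not pollute the review."""
    return [a for a in accounts if a["state"].strip().lower() == "active"]

def deprovisioning_gaps(hr_rows, accounts):
    """Return one finding per active account that should not be active."""
    hr = {r["email"].strip().lower(): r for r in hr_rows}
    findings = []
    for acct in active_accounts(accounts):
        email = acct["email"].strip().lower()  # exports differ in casing
        person = hr.get(email)
        if person is None:
            issue = "not in source of truth"
        elif person["status"] == "terminated":
            issue = "active after termination " + person["termination_date"]
        else:
            continue
        if acct["role"] == "admin":
            issue += "; admin rights need a new owner"
        findings.append((acct["app"], email, acct["auth"], issue))
    return sorted(findings)

if __name__ == "__main__":
    for finding in deprovisioning_gaps(load(HR_CSV), load(ACCOUNTS_CSV)):
        print(" | ".join(finding))
```

Saving the printed findings with each run gives you the completion record the last bullet calls for.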

5. Perform regular access reviews

You may have a good handle on enterprise-wide or high-license applications like your CRM or employee time-tracking tools. If you have the enterprise version of these systems, then they come with all the bells and whistles that make provisioning and deprovisioning easy.

But subscriptions with a small number of users may need to be fixed. Because it’s easy for employees to adopt SaaS applications without involving IT, it’s important to perform quarterly access reviews to identify who the users are for all of your applications and confirm the accuracy of that information with the software owner.

6. Fill gaps with a SaaS management platform

Using a SaaS management platform can fill gaps in your provisioning and deprovisioning processes. You can see all of your company’s active subscriptions and their users in one place. This allows you to consolidate the user listings for enterprise-wide applications, like Slack, as well as more niche systems, like design collaboration software.

SaaS management platforms work by constantly looking out for active licenses. They scan existing applications, like expense management software and email, to find out which SaaS subscriptions your company has. When an employee leaves, you can see all of their user accounts so you can effectively deprovision them.

On the provisioning side, they provide a menu of applications that managers can choose from before a new hire starts. The hiring manager can see all of the systems your company has active contracts with, as well as applications used by the previous person in the role. They can then choose which ones should be provided to the new hire.

SaaS management platforms can also be a useful tool to support access reviews and audits. They can be used to generate reports on applications and user activity and demonstrate to regulators you’re taking steps to prevent unauthorized use.

Reduce risk with better IT onboarding and offboarding processes

The demands of software provisioning and deprovisioning are changing quickly. The fast rise of remote work, SaaS adoption, and security incidents are increasing the pressure on IT teams already challenged by understaffing and inefficiencies.

By filling gaps in your technology onboarding and offboarding processes with a SaaS management platform, and providing IT teams with the right tools, you can significantly reduce risk.
