What is Deprovisioning?

When a new employee joins your organisation, you provide them with their office credentials and access as part of the onboarding process. This is known as provisioning. 

Deprovisioning means taking away access to official documents and accounts once that employee leaves the company. Both manual and automated provisioning and deprovisioning are essential for the proper functioning of an organisation.

In this article, we will learn about deprovisioning – its core functions, benefits and challenges. 

What is Deprovisioning?

Deprovisioning is the systematic process of taking away granted access rights from users after they no longer require them. This includes –

  • Taking away company credentials from an employee after they leave the organisation,
  • Removing access to company resources from contractors after they finish their projects,
  • Changing or removing permission for users changing roles

This is done to prevent any data leaks and maintain organisational security. Both provisioning and deprovisioning are carried out to improve the security and operational efficiency of an organisation.

Why is the User Provisioning and Deprovisioning Process Important?

  • Easily Onboard and Offboard Employees: Create and maintain user data such as usernames, roles and profiles. This helps seamlessly carry out the onboarding and offboarding process. 
  • Streamline User Management Across Applications: Provisioning and Deprovisioning allow you to properly manage and propagate user profiles to make sure your system always has the latest updates recorded. 
  • Increase Security and Reduce Cost: Use HR-Driven Identity Management (IM) to prevent ex-employees from accessing your company's resources and data after they have left the organisation.

Functions of Deprovisioning

  • Access Control and Permission Management: At the heart of deprovisioning is controlling access to your organisation’s data by granting and monitoring who has access to your system.

Through deprovisioning, you revoke the access of former employees who have left your organisation, thereby controlling access. This prevents unauthorised people from accessing your data and reduces the risk of internal threats, thereby maintaining the integrity of your data.

  • Asset Recovery and Account Management: Deprovisioning also helps you recover all physical assets that belong to the organisation, which in turn helps prevent data breaches.

It is the responsibility of the administration to carry out the process of deprovisioning by calling back all physical assets and deactivating or deleting any email addresses, digital signatures and access tokens. This way they can prevent any potential threat of misuse. 

Risk of Not Deprovisioning

  • Security Vulnerabilities: Inactive accounts that haven’t been deleted or deactivated can be targeted by hackers to gain access to sensitive information from your organisation. 
  • Compliance Violation: Not deprovisioning obsolete accounts is also a violation of industrial norms and can lead to legal and financial penalties. 
  • Resource Wastage: Unused accounts that haven’t been deprovisioned continue to eat up space, licences and other IT resources, which can lead to unnecessary costs for the organisation. 

How Does Deprovisioning Work?

There are two ways you can carry out deprovisioning: 

  • Manual Deprovisioning: This is the traditional form of deprovisioning in which the employees' credentials and details are manually revoked from the system. This approach typically involves IT administrators reviewing access privileges, disabling accounts and removing authorisation from the system. 
  • Automated Deprovisioning: Automated deprovisioning mostly depends on Identity and Access Management (IAM) tools or software to carry out the process automatically once the offboarding process has been completed.

These tools work from pre-defined workflows and policies to ensure the timely removal of accounts and permissions.

Benefits of Deprovisioning

  • Prevents Data From Being Misused: Deprovisioning prevents the data from being misused by past employees of a company if they still have access to their old accounts. 
  • Removes Zombie Accounts: The very purpose of deprovisioning is to remove orphan or zombie accounts, which pose the threat of becoming a breeding ground for cybercriminals to hack into your system.
  • Easily Update or Offboard Employees: Maintain, update and delete employee data such as usernames, passwords and roles based on changes in their designation or their removal from the system. 
  • Eliminate Human Error: With the existence of automated provisioning and deprovisioning systems, the scope for human error has been reduced significantly. 

Deprovisioning Challenges: The Good, The Bad, and The Ugly

  • Human Error Hiccups: Human errors such as forgetting to revoke access and missing accounts are a common occurrence in manual deprovisioning. Automating the deprovisioning process can prevent this, but automation also needs regular oversight to prevent any systemic errors.
  • Complex IT environments: If you have a complicated IT environment composed of multiple systems, applications and platforms, then deprovisioning can become a tricky affair. Centralising your access management and getting an IAM tool can solve this complexity for you. 
  • Delayed Updates: Communication gaps between the HR and the IT team handling deprovisioning can increase the probability of data breaches. Integrate your HR systems with your IAM tools to get a more seamless experience. 
  • Zombie Accounts: Accounts that are inactive or dead shouldn’t still exist. Not only are they taking up storage, but they also act as an opening for external sources to access your organisation’s data. 
  • Inconsistent Policies: Inconsistent application of policies can result in a lot of security gaps and compliance issues. 
  • Regulatory Compliance: Failure to comply with the set industry regulations can result in financial and legal penalties. Getting identity governance software can ensure your company remains compliant with industry regulations and best practices.

Best Practices of Deprovisioning

  • Automate the Process by implementing IAM tools to ensure consistency and minimise the risk of human error. 
  • Integrate HR Systems with IAM tools so that role changes and resignations are reflected in real time and access is removed quickly.
  • Conduct Regular Audits of all user accounts to remove outdated and redundant accounts. 
  • Implement Access Recertification periodically to ensure that granted access rights are still required and up-to-date with access controls.
  • Standardise Policies Across the Organisation by developing and enforcing a standardised deprovisioning procedure, so that everyone follows the same steps and security standards stay uniform.
  • Use Role-Based Access Control or RBAC to assign permissions based on roles rather than individuals. 
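
The audit and HR-integration practices above can be illustrated with a small reconciliation script. This is an added example, not code from the original article or from any IAM product; the record fields, usernames and the 90-day inactivity threshold are assumptions, the sample data is constructed, and the 24-hour window is the figure given in the FAQ below.

```python
from datetime import datetime, timedelta

# Constructed sample data: an HR export keyed by employee id, and a directory export.
HR = {
    "e100": {"status": "active", "terminated_at": None},
    "e101": {"status": "terminated", "terminated_at": datetime(2024, 5, 1, 9, 0)},
    "e102": {"status": "terminated", "terminated_at": datetime(2024, 5, 3, 8, 0)},
    "e103": {"status": "active", "terminated_at": None},
}
ACCOUNTS = [
    {"user": "asha", "emp_id": "e100", "enabled": True, "last_login": datetime(2024, 5, 2)},
    {"user": "bruno", "emp_id": "e101", "enabled": True, "last_login": datetime(2024, 4, 30)},
    {"user": "bruno-adm", "emp_id": "e101", "enabled": False, "last_login": datetime(2024, 4, 1)},
    {"user": "chen", "emp_id": "e102", "enabled": True, "last_login": datetime(2024, 5, 2)},
    {"user": "dana", "emp_id": "e103", "enabled": True, "last_login": datetime(2024, 1, 10)},
    {"user": "svc-old", "emp_id": "e999", "enabled": True, "last_login": None},
]

def audit_accounts(hr, accounts, now, sla=timedelta(hours=24), stale=timedelta(days=90)):
    """Return (user, finding) pairs for enabled accounts that need attention.

    orphan  - no matching HR record, so nobody owns the account
    overdue - owner terminated and the deprovisioning window (sla) has passed
    pending - owner terminated, still inside the window
    stale   - owner is active but the account is unused (assumed 90-day threshold)
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned
        person = hr.get(acct["emp_id"])
        if person is None:
            findings.append((acct["user"], "orphan"))
        elif person["status"] == "terminated":
            late = now - person["terminated_at"] > sla
            findings.append((acct["user"], "overdue" if late else "pending"))
        elif acct["last_login"] is None or now - acct["last_login"] > stale:
            findings.append((acct["user"], "stale"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_accounts(HR, ACCOUNTS, now=datetime(2024, 5, 3, 12, 0)):
        print(f"{user:10} {finding}")
```
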

Manual Vs Automated Deprovisioning 

Manual deprovisioning involves reviewing and removing access manually. While flexible, it is prone to human errors and consumes a lot of time, especially when dealing with large user bases. 

Automated deprovisioning uses IAM tools to handle deprovisioning. This increases consistency and accuracy, reduces errors and saves time, making it preferable for modern organisations. It also revokes accounts automatically in sync with current industry regulations to help you avoid any legal or financial penalties.

Conclusion

Deprovisioning is critical for identifying and revoking access once an individual is no longer associated with an organisation. By adopting best practices and leveraging automation, organisations can enhance security, streamline operations and maintain compliance. 

At Instasafe, we provide automated deprovisioning with our IAM solutions. This ensures your company’s user accounts are kept in check, and only the right users are granted access.

Our Secure Identity Cloud solution also ensures seamless and secure remote access, making it an all-around comprehensive identity and access management solution.

Frequently Asked Questions (FAQs)

  1. What is an example of deprovisioning?

An example of deprovisioning is disabling the credentials and accounts of an employee after they have left the organisation to prevent access to company resources. 

  2. What is deprovisioning in IAM?

In IAM, deprovisioning refers to removing a user’s access to organisational resources, systems, and applications when they leave or change roles. 

  3. How long should the deprovisioning process take?

To minimise risks, deprovisioning must be conducted within 24 hours of the employee’s departure. However, it varies based on the complexities of the IT environment and the tools being used.

  4. Can deprovisioning be reversed if it was done in error?

Yes, errors can occur while deprovisioning, in which case you will have to reinstate the user account and associated permissions to rectify said errors.