January 26, 2021

Deprovisioning is the act of removing user access to applications, systems and data within a network. It’s the diametric opposite of provisioning, which grants, deploys and activates services for users in a system.

Both provisioning and deprovisioning are components of lifecycle management—occurring as users are onboarded, offboarded or as an employee changes roles within an organization.

Deprovisioning is an important security control: it ensures that sensitive data stays protected when people leave the organization or change roles within it.

How does deprovisioning work?

When a user is offboarded or changes roles, deprovisioning removes their access rights and deletes or disables the accounts associated with them. This used to be a manual process: HR communicated the change to the IT department, and system administrators then revoked access by hand. Today it can easily be automated through an identity and access management (IAM) tool.

IAM tools integrate with company directories, so when an employee moves to another department or leaves the organization, the user is removed (if terminated) and all accounts associated with them are automatically adjusted or revoked.

Benefits of deprovisioning technology.

Change is the only constant within an enterprise. Employees, contractors, vendors, and partners perpetually join and leave organizations, gaining access to thousands of different tools and applications in the process. Every time they move to a different part of the organization or leave the company, they need to be properly offboarded and deprovisioned. Deprovisioning offers a number of benefits, the most notable being security, i.e., preventing unwanted data exposure and breaches of information.

1. Prevents data exposure

Former employees pose a serious security risk if they are not properly deprovisioned, which is why it is important to deprovision access immediately after an employee leaves the company.

Imagine an employee who was given privileged access to critical company data and was then terminated under unfavorable circumstances. If their accounts were not properly deprovisioned, they would retain access to classified information, posing a clear danger to the organization.

2. Removes orphaned accounts

Ensuring that user accounts are revoked after an employee's termination is vital to the security of an enterprise. Failure to offboard and deprovision leads to orphaned accounts.

Orphaned user accounts are accounts that still contain a former employee's information and access but are no longer assigned to anyone. Without a robust identity management solution that can automate the account removal process, these accounts sit dormant and unwatched, giving hackers and cyber criminals an easy way to gather company data and infiltrate a network, potentially leading to a data breach.

Deprovisioning and provisioning working together.

By now you have a keen sense of how deprovisioning works and what its benefits are. But how can you ensure it is most effective? By coupling it with a strong identity and access management solution, which relies on both provisioning and deprovisioning as part of the overall lifecycle management of an account.

Here are some best practices to follow when considering both provisioning and deprovisioning as key tenets of account management.

Deprovisioning and provisioning best practices. 

Implement the principle of least privilege (PoLP).

The principle of least privilege is the idea that a user should only be granted as much access as needed to do their job. This reduces the number of people gaining access to valuable resources within an organization.

This concept should be applied to both provisioning and deprovisioning. During provisioning, it governs what access users receive as they are onboarded and gain access to tools and applications. During deprovisioning, it applies when users move teams and no longer need access to valuable data. It also applies when employees leave the company and the accounts they held are audited: if accounts went unused, the audit helps system administrators pinpoint who should have access to which tools moving forward.

Automate onboarding and offboarding.

Provisioning and deprovisioning are laborious and time-intensive processes when done manually. Traditionally, system admins would have to assess privileges and permissions by hand and assign user roles accordingly. They would also have to revoke access and delete every account associated with a user.

With an automated solution, you save time and money and reduce the margin for error. Automated processes quickly onboard users, assign roles, and deprovision accounts upon termination.
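The following is an added illustration of the automated joiner/mover/leaver reconciliation described above (how an IAM tool compares the HR feed with account data, the orphaned-account problem, and least privilege at the deprovisioning step). It is example code written for this page, not SailPoint's product code or any vendor's API. The HR records, the role-to-entitlement policy, the account export and the 90-day dormancy threshold are all constructed sample data and assumptions; the function and field names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample role policy: the entitlements each job role needs and no more
# (principle of least privilege). Names are illustrative, not any vendor's.
ROLE_ENTITLEMENTS = {
    "engineer": {"git", "ci", "vpn"},
    "finance": {"erp", "vpn"},
}


@dataclass(frozen=True)
class HrRecord:
    """One row of the authoritative HR feed (the source of truth for who works here)."""
    user_id: str
    role: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    """One account as exported from a directory or target system."""
    account_id: str
    owner: Optional[str]       # HR user_id the account is linked to; None if unlinked
    entitlements: frozenset
    last_login: Optional[date]
    enabled: bool = True


@dataclass(frozen=True)
class Action:
    kind: str        # "disable", "revoke", "grant", "flag_orphan", "flag_dormant"
    account_id: str
    detail: str = ""


def reconcile(hr_feed, accounts, today, dormant_days=90):
    """Compare the HR feed with the account export and return the lifecycle actions an
    IAM tool would execute: leavers are disabled and stripped of all entitlements,
    movers are converged onto their new role's entitlement set (revoking what the old
    role granted), and accounts with no live owner or no recent login are flagged."""
    people = {rec.user_id: rec for rec in hr_feed}
    actions = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already deprovisioned; nothing left to do
        rec = people.get(acct.owner) if acct.owner else None
        if rec is not None and rec.status == "terminated":
            # Leaver: disable the account and revoke everything it holds.
            actions.append(Action("disable", acct.account_id))
            for ent in sorted(acct.entitlements):
                actions.append(Action("revoke", acct.account_id, ent))
            continue
        if rec is None:
            # No HR identity claims this account: an orphaned account.
            why = "no owner" if acct.owner is None else f"owner {acct.owner} not in HR feed"
            actions.append(Action("flag_orphan", acct.account_id, why))
        else:
            # Joiner/mover: hold exactly the role's entitlements. An unknown role
            # gets nothing, so least privilege is the default rather than the exception.
            desired = ROLE_ENTITLEMENTS.get(rec.role, set())
            for ent in sorted(acct.entitlements - desired):
                actions.append(Action("revoke", acct.account_id, ent))
            for ent in sorted(desired - acct.entitlements):
                actions.append(Action("grant", acct.account_id, ent))
        # Dormancy check: a live account nobody has used recently is a review item.
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            actions.append(Action("flag_dormant", acct.account_id))
    return actions


# Constructed sample data: an unchanged engineer (u1), a leaver (u2), a mover
# (u3, engineer -> finance), a service account nobody owns, and an account whose
# owner no longer appears in the HR feed.
SAMPLE_HR = [
    HrRecord("u1", "engineer", "active"),
    HrRecord("u2", "finance", "terminated"),
    HrRecord("u3", "finance", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("acc-u1", "u1", frozenset({"git", "ci", "vpn"}), date(2021, 1, 20)),
    Account("acc-u2", "u2", frozenset({"erp", "vpn"}), date(2020, 12, 1)),
    Account("acc-u3", "u3", frozenset({"git", "ci", "vpn"}), date(2021, 1, 25)),
    Account("svc-legacy", None, frozenset({"erp"}), date(2020, 6, 1)),
    Account("acc-u9", "u9", frozenset({"vpn"}), date(2020, 3, 1)),
]


def run_sample():
    """Reconcile the constructed sample as of the article's publication date."""
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, today=date(2021, 1, 26))


if __name__ == "__main__":
    for action in run_sample():
        print(action.kind, action.account_id, action.detail)
```

Running it produces no action for acc-u1 (its access already matches the engineer role), a disable plus two revokes for the leaver's account, two revokes and one grant for the mover, and orphan and dormancy flags for the two accounts the HR feed does not account for. The leaver branch runs before the orphan and dormancy checks on purpose: once an account is being disabled, further review flags would only add noise.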

Adopt an identity and access management (IAM) solution.

In a large enterprise setting, it would be difficult to manage the user account lifecycle without an IAM solution. The right IAM tool automates user onboarding, manages users in your company directory, and modifies and deletes users as part of the offboarding process.

IAM speeds up the application of user access policies, creates an internal audit trail of account activity, reduces risk, and increases security.

Wrapping up. 

SailPoint identity security solutions help you achieve productivity and efficiency, reduce human error, increase security, achieve greater audit capabilities, and much more.

Automate user provisioning and deprovisioning, and ultimately increase identity security.
