top of page

How Layoffs and Improper Offboarding Increase the Company’s SaaS Security Risks

This guest article was provided by Adaptive Shield

Headlines over the past few months have been filled with large and small companies laying off large numbers of employees. As you might expect, there are a lot of former employees out there, and if the organization is not on top of their offboarding processes, these employees can contribute to the organization’s attack surface.


Many do not realize that these former employees are targets for bad actors if their access to the company’s SaaS apps are not disabled immediately following their termination of employment. Threat actors have been known to use various methods of social engineering to acquire logins and passwords, or even the more direct route of offering payment in exchange for valid login credentials. Those experiencing the layoffs are usually unhappy or even frustrated by the situation, so it is important to disable access for these employees right away.

Often, the organization will immediately remove the offboarded employees from the Active Directory, which cuts them off from corporate SSO logins and other corporate-owned assets, however, this is not enough. SaaS apps frequently have their own local user credentials, and removing an employee from the active directory won’t remove that access. Highly mature IT departments may use SCIM or JIT mapping to remove nearly all employee access automatically. However, most companies lack the technology and staff to implement that type of process.

For organizations that aren’t using SCIM or JIT, many former employees still have access to SaaS applications, which leaves organizations vulnerable to unauthorized data access. Here are some best practices in deprovisioning to keep in mind as you remove user access.

Best Practices for Deprovisioning Capabilities

Maintain a User Inventory: It’s vital that IT teams maintain an up-to-date list of all users with access to each system. Security teams should maintain a communication channel, such as a slack channel, to track changes in the employee roster, especially terminations. To be effective, the inventory must also include external users, as the vendor landscape frequently changes.

Track All User Accounts: While the inventory includes user accounts, there are typically a number of accounts that are not associated with a specific user. These include admin accounts, accounts where multiple team members share a password, and accounts that were used during system setup. IT teams need to track these accounts, looking for behavioral anomalies that might indicate a former employee has accessed the application through these accounts.

Rigorous Access Control: IT teams need to develop protocols for onboarding, onboarding, and tracking employee access — in general, implement strong identity and access governance. If an employee has access to a dozen internal systems and 30 SaaS applications, removing access only to on-premise solutions will leave a company vulnerable to attack.

Automating the Deprovisioning Process

Mapping employees to applications and tracking their access across applications that are owned by business units outside of IT is a monumental task for the security team. A SaaS Security Posture Management (SSPM) solution, like Adaptive Shield, can streamline the process through an automated user inventory that tracks every active and dormant account with the SaaS stack. A simple query into the user inventory can reveal the user’s access across the entire stack.

Deprovisioning these accounts through orchestration tools allow security teams to integrate the SSPM's capabilities into an automated deprovisioning workflow. This simplifies the process, removes all access for former employees, and reduces the amount of time that security team members need to dedicate to deprovisioning services.

Adaptive Shield
Figure 1. Torq dashboard of Adaptive Shield integration with potential workflow for offboarding.

Using an integration between Adaptive Shield and Torq shows a potential workflow where:

  1. The initial IAM deprovisioning is used as a hook to notify Adaptive Shield that a deprovisioning event has taken place.

  2. Adaptive Shield reviews its user inventory for records of the user.

  3. When the deprovisioned employee is detected, a workflow is automatically triggered that identifies the account and deactivates it.

    1. In circumstances where the account can’t be directly deactivated, it sends a Slack message to an administrator asking them to finalize the deprovisioning.

  4. The automation tool reruns the security check, verifying the account is deactivated.

This workflow is one example of SSPM integrations with orchestration tools to streamline deprovisioning through automation. This helps ensure continuous visibility and control, and increases the company’s SaaS security posture.

This article was sponsored by Adaptive Shield.



bottom of page