
Deleting Users Through An Identity Provider Isn’t Enough

Today’s fast-paced business world sees companies shifting strategies quickly – expanding into new markets, merging with other companies, spinning off subdivisions and adjusting headcounts as needed. In turn, employees pivot from one employer to another, mindful of their own career paths and opportunities to advance. 

But be aware: those departing employees represent potential security landmines. They may have left your company’s data open to access by unwanted parties through the many SaaS applications they used in their work. The potential for harm is large and not easily managed. Here’s why:

The limitations of traditional methods

You might assume that once an employee leaves, all you need to do is delete them from an identity provider (IdP) such as Okta. While that’s a good starting point, it still leaves exposed every asset the employee shared up until that point. Anything shared externally or publicly, as well as to personal accounts, remains available to outsiders: deleting the account removes the login, not the shares.

There’s also the problem of what happens before the profiles are deleted through the IDP. Some employees may plan on scurrying away with corporate information that they think might be of value to their future employer.

For example:

  • Sales people copy account or prospecting lists
  • Marketers download messaging and positioning details to pass along to competitors
  • Software developers pack up code they have worked on during their tenure

The huge amount of unmanageable data many employees leave behind

More often than not, employees who are leaving don’t take any actions to plug up the access points they’ve created during their time with your company. This leaves your data exposed as it has been shared with:

  • Other employees
  • External vendors or partners
  • Public links
  • Private accounts

All that data remains shared even when the user has been deleted through the IDP. Unbeknownst to you, the employees could have used their private accounts to access your data and continue to access or exfiltrate it long after they are gone. If strongly motivated, they can also pass that access to other interested parties. 

Addressing the threats systematically and holistically

In short, your company is left with a huge amount of unmanageable data access that poses a significant risk and potential for a breach. Security vendors and SaaS applications don’t provide an easy way to remove external and public sharing in bulk, guided by business context (departing employees, terminated vendors, etc.). Security teams are then left with an unwieldy amount of manual work, carefully reviewing each action before deciding who should be denied access in each SaaS app.

What’s more, there are no effective ways to monitor data-access controls inside the apps and remediate as needed. Those soon-to-be-ex-employees who are stealing your trade secrets or customer databases can go about their merry way without anyone getting an alert that something is amiss.

That’s why you need a centralized method of SaaS data-access management, as offered by DoControl. Per-employee data-usage patterns compare how someone has historically interacted with various SaaS apps against their current activity. Consequently, an employee trying to download all your Salesforce data onto a thumb drive is stopped as soon as the activity exceeds their normal usage. You get full asset management to run security investigations into employees who are leaving, be alerted to any suspicious activity, and take countermeasures as needed.

Once an employee has left, you can go well beyond just shutting off that person’s access. You can remove all access to assets that have been shared by that employee, using context-based action options, through our pre-configured workflows.
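As an added illustration (not DoControl’s code), here are the two checks the post describes: enumerating a departed user’s shares that survive IdP deletion so they can be revoked, and comparing a day’s download count against that user’s own historical baseline. The company domain, personal-mail domains, share inventory and download counts are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed values: the company's own domain, consumer mail domains treated
# as "personal accounts", and the marker for anyone-with-the-link shares.
COMPANY_DOMAIN = "example.com"
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
PUBLIC_LINK = "anyone-with-link"


@dataclass(frozen=True)
class Share:
    asset_id: str     # document, folder or record shared from a SaaS app
    owner: str        # employee who created the share
    shared_with: str  # recipient e-mail address, or PUBLIC_LINK


def classify(share: Share) -> str:
    """Bucket a share as public, personal, external or internal."""
    if share.shared_with == PUBLIC_LINK:
        return "public"
    domain = share.shared_with.rsplit("@", 1)[-1].lower()
    if domain == COMPANY_DOMAIN:
        return "internal"
    return "personal" if domain in PERSONAL_DOMAINS else "external"


def offboarding_revocations(shares, departed_user: str) -> list:
    """Shares by a departed user that outlive IdP deletion: deleting the
    account removes only their login, so each non-internal share they
    created becomes a (category, asset_id, recipient) revocation task."""
    return sorted((classify(s), s.asset_id, s.shared_with)
                  for s in shares
                  if s.owner == departed_user and classify(s) != "internal")


def download_anomaly(history: list, today: int, factor: float = 3.0) -> bool:
    """True when today's download count is far above the user's own baseline."""
    spread = pstdev(history) or 1.0  # avoid a zero-width band for a flat history
    return today > mean(history) + factor * spread


# Constructed inventory, shaped like an export from a file-sharing SaaS app.
SHARES = [
    Share("doc-1", "alice@example.com", "bob@example.com"),
    Share("doc-2", "alice@example.com", PUBLIC_LINK),
    Share("doc-3", "alice@example.com", "alice.home@gmail.com"),
    Share("doc-4", "alice@example.com", "pm@partner.io"),
    Share("doc-5", "carol@example.com", PUBLIC_LINK),
]
```

Running `offboarding_revocations(SHARES, "alice@example.com")` yields three revocation tasks (the public link, the personal-account share and the partner share) while the internal share to Bob is left alone.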

Employee turnover is likely to be an ongoing issue for most companies, and it’s one of many issues that we designed DoControl to tackle. To learn more about how we can help your organization stay secure from SaaS data losses, get in touch with us.

Adam Gavish is the Co-Founder and Chief Executive Officer of DoControl. Adam brings 15 years of experience in product management, software engineering, and network security. Prior to founding DoControl, Adam was a Product Manager at Google Cloud, where he led ideation, execution, and strategy of Security & Privacy products serving Fortune 500 customers. Before Google, Adam was a Senior Technical Product Manager at Amazon, where he launched customer-obsessed products improving the payment experience for 300M customers globally. Before Amazon, Adam was a Software Engineer in two successfully acquired startups, eXelate for $200M and Skyfence for $60M.

Adam is a lifetime information geek, breaking down business and technical problems into components to generate long-term learning. He loves running outdoors, playing with LEGOs with his son, and watching a good movie with his wife.

Adam holds a B.S. in Computer Science from the Academic College of Tel-Aviv Yafo and an MBA from the Johnson Graduate School of Management at Cornell University.
