Offboarding Employees in the time of Covid

By Keith Lubell, CTO, Berkery, Noyes & Co., LLC.

When the Covid pandemic hit, IT teams had to enable employees work from home on a dime. This created many challenges for companies not already with limited remote capabilities. Security had to be reconsidered, as the attack surface of a company’s IT assets increased. Key to that was ensuring that Identity Management was secure and robust. Once these initial challenges were met, IT teams had to deal with a new challenge.

The pandemic was time of rethinking for many people. As companies and their employees learned to work remotely, they began to experience new ways of working and handling life/work balance. Commuting to work became more of a mental transition than a physical transition. Morning routines no longer including driving in traffic or running to catch a commuter train. Employees may take quick breaks to do laundry or take care of other personal business during the day, when before they could not. Meanwhile productivity went up for many teams. At the same time, many company leaders wanted to get back to the old in office routines. I heard many of the older employees lament the new tools and ways they had to manage their teams and longed for the return to the office. Meanwhile younger more junior employees liked their new routines and did not want to return.

This past spring, Prudential in their Pulse of the American Worker Survey, found that 87% of American workers wanted to continue to work from home at least one day a week, and that 68% would like a permanent hybrid work model post pandemic. 42% of workers said they would look for new jobs if remote work is not continued long term. 20% of workers in the survey already have changed jobs and another 26% are considering new jobs post pandemic.

What does this mean for IT teams managing security, and specifically Identity management systems? It means a lot of offboarding and onboarding of employees. For my team, it showed a lot of holes in our systems. We have more than a dozen different systems where identity needs to be managed. Usually our main systems of email, document storage and network access were relatively easy to manage. Implementing Single sign-on helped immensely in making Access Management easy to manage, but the challenge was managing the lesser used systems outside of our single sign-on. The main culprit were subscriptions to specialized Software as a Service Systems were often forgotten. If the application used OAUTH and integrated with our main identity management system we did not have a problem, but not all these offerings provided OAUTH integration. The key here was to audit all our subscriptions and work with both our accounting groups to track down these lesser-known systems.

When managing OAUTH integration (which enables single sign on), it also good to know the details on how OAUTH works. Often in a system that does not use OAUTH, the processes of Authenticating and Authorizing are integrated, and IT teams really do not have to know the difference between the two. But with use of OAUTH, these processes are handled by different systems. The OAUTH provider oversees Authenticating the user. That means it manages the passwords/keys and Multi-factor Authentication policies to ensure that the user is who they say they are. These systems should be hardened against credential attacks as that is a key point of security compromise. Meanwhile the OAUTH consumer oversees Authorization which is the managing of the permissions on resources and making sure that authenticated users only can access what they should have access to.

Understanding OAUTH helped with the challenge of transitioning high level employees who interacted with clients. The business groups needed to manage the client relationship, but IT needed to make provide the security support for the business groups. Who needed to see the former employees email communications? If there was an auto reply on the former employee’s email what would it say and how would it help manage new or existing client relationships? We used Office 365 and would convert former employee mailboxes into Shared Mailboxes which helped greatly. The key here was working closely with the business groups and understanding their needs.

The last challenge was the transitioning of employees off our systems. Sometimes, employees will still need access to company resources as they close projects and transition their work to others. At this point, we all know they are leaving, but still need to work together in a limited way. This is where understanding how authorization is key. These users still need to Authenticate but are being authorized to only the resources they need for the transition. This is particularly tricky, and we would prefer a clean break, but sometimes that is not possible. In this case, it is key to being able to audit all the permissions across the systems that you have for that user. Without an audit there is no way to know what they have access to. With a permissions audit you can they narrow down their access on a need-to-know basis.

The Covid pandemic has been very challenging for everyone in many ways. It is a time of change of flux. For IT teams managing Identity and Security, it is key they understand their systems at a deep level and understand and communicate clearly the business units they are working with to keep company resources secure in a challenging environment. Onboarding those new employees is also a challenge, but I leave that as a future topic to explore.

Hot Topics

Related Articles