How to manage the NHIs exposed to an offboarded employee?

Marta Dern

Product Marketing

Published on July 18, 2024

When an employee leaves a company or changes their role (due to events such as a reorganization or M&A), the impact extends far beyond just clearing their desk. Much has been written about the mover and leaver processes from the HR perspective (exit interviews, knowledge transfer, and farewell gatherings) and Service Desk tasks (revoking access, deleting accounts, and device management). Tools like SuccessFactors and ServiceNow can be customized to help with these processes. But what about those service accounts and secrets the employee had access to? What happens to the non-human identities (NHIs) that the moving or departing employee had been exposed to? (Hint: Overlooking these can leave your company exposed to serious security risks). 

Consider this scenario: an employee departs, and they had access to a critical AWS account. This account is in the cloud, so it is accessible from anywhere with an internet connection. The former employee could simply sign in to the AWS portal as the service account and access cloud resources from home. Preventing this isn't as straightforward as deactivating the account, the method we would use with a human account, since doing so could disrupt vital services or lead to an outage. Reassigning permissions is also not a valid option because NHIs, such as the AWS account in this case, do not belong to an employee. These accounts are used for running services, applications, and automation, so the fact that the employee was exposed to them or managed them is not sufficient reason to shut them down.

The leaver / mover process for offboarding employees

Offboarding is the process of transitioning former employees out of the company. Offboarding should occur regardless of the employee's voluntary or involuntary departure, but the steps you should take may differ depending on whether the employee is resigning, retiring, or being terminated.

Additionally, although a mover process is not a true offboarding, since the employee remains in the company, similar actions may have to be performed when an employee moves to another role or department. Their roles and permissions must be reviewed to ensure they do not retain unnecessary access, which would otherwise create over-permissive accounts.

Each company has its own checklist, but the common trigger is the employee's departure or move date. Typical actions performed to complete the leaver/mover process are:

  • Transfer ownership: Before de-provisioning or deactivating the accounts related to the departing employee, transfer the ownership of the assets, licenses, and sometimes specific roles assigned within an application to the successor or a designated employee.
  • Revoke access to applications: This includes SaaS applications and is usually done by blocking the user in the identity provider or the SSO provider.
  • Revoke or restrict privileged account access.
  • Block remote access: Terminate the VPN and review any remote access methods.
  • Change all passwords on shared accounts.
  • Remove roles and privileges within the different applications. 
  • Recover all IT assets: Ensure all IT assets that were provided to the employee are recovered.
  • Perform real-time network monitoring.
  • Schedule account deletion for suspended accounts.

However, what we routinely see in most organizations is that the NHIs and secrets the employee was exposed to are left behind and not decommissioned. This happens first and foremost because IAM programs use tools that are not NHI-aware and cannot discover them. For instance, if you offboard a developer in your HR system, the tasks in the list above do not cut access to the non-human identities that the person created, was exposed to, or shared with their colleagues.

Safe decommissioning and rotation of exposed secrets must become a key component of any leaver/mover process

Failing to properly manage the exposure of these secrets can lead to significant security breaches, as exposed credentials can be exploited by malicious actors to gain unauthorized access to critical systems and then move laterally within the organization.

The decommissioning stage of the human identity lifecycle must be extended to consider the activities related to the non-human identity. Consider the following activities:

  1. Identify All NHIs: Start by creating a comprehensive inventory of all non-human identities that the departing employee had access to. This includes service accounts, API keys, automated scripts, and any other credentials. This step is about managing exposure: since NHIs are tied to systems and processes, not to specific employees, examining only the human identity's entitlements is not enough.
  2. Reassign or Deactivate: Evaluate which NHIs can be reassigned to another employee and which should be deactivated. Ensure that reassignment does not inadvertently grant excessive privileges to any one individual.
  3. Automate Rotation: Implement automated processes to regularly rotate credentials and keys associated with NHIs. This reduces the window of opportunity for unauthorized access.
  4. Audit and Monitor: Conduct regular audits of NHIs to ensure they are being appropriately managed and monitored for unusual activity. Real-time network monitoring can help detect and respond to potential threats swiftly.
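The four activities above, worked through as an added example in Python (this is not Oasis code, and the registry, audit log, user names and secret names are constructed sample data shaped like a secrets-vault audit trail and an ownership register): the script correlates the leaver with NHIs both by ownership and by audited reads or shares, then assigns each one a remediation path. Where a live service depends on the credential it schedules a rotation with an overlap window instead of a deactivation, which is the point of the AWS scenario earlier in the post.

```python
"""Correlate a departing employee with the non-human identities (NHIs) they
were exposed to, then triage each one: rotate in place when a live service
depends on it (deactivating it would cause an outage), deactivate it when
nothing consumes it, and reassign ownership where needed.

Added example, not Oasis code. The registry, audit log, user names and
secret names below are all constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed ownership register: NHI -> owner, privilege tier, live consumers.
NHI_REGISTRY = {
    "aws/prod-deploy-key":      {"owner": "alice", "tier": "admin", "consumers": ["ci-runner"]},
    "db/reporting-ro":          {"owner": "bob",   "tier": "read",  "consumers": ["bi-job"]},
    "gh/alice-personal-pat":    {"owner": "alice", "tier": "write", "consumers": []},
    "slack/incident-bot-token": {"owner": "carol", "tier": "write", "consumers": ["incident-bot"]},
    "stripe/webhook-secret":    {"owner": "bob",   "tier": "admin", "consumers": ["payments-api"]},
}

# Constructed vault audit log: "<timestamp> <actor> <verb> <secret> [-> recipient]".
AUDIT_LOG = """\
2024-06-02T09:14:00Z alice read  aws/prod-deploy-key
2024-06-03T16:40:00Z alice share db/reporting-ro -> dave
2024-06-10T11:05:00Z carol read  slack/incident-bot-token
2024-06-21T08:30:00Z alice read  gh/alice-personal-pat
2024-07-01T13:22:00Z bob   read  stripe/webhook-secret
"""

TIER_RANK = {"admin": 0, "write": 1, "read": 2}   # remediation priority, highest first


@dataclass
class Exposure:
    nhi: str
    tier: str
    reasons: list = field(default_factory=list)   # why the leaver counts as exposed
    actions: list = field(default_factory=list)   # ordered remediation steps


def parse_audit(log: str):
    """Yield (actor, verb, secret, recipient) from the audit text; recipient is
    None unless the verb is 'share'. Blank or malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, actor, verb, secret = parts[:4]
        recipient = parts[5] if verb == "share" and len(parts) >= 6 else None
        yield actor, verb, secret, recipient


def find_exposures(leaver: str, registry=NHI_REGISTRY, log=AUDIT_LOG) -> dict:
    """Correlate the leaver with NHIs by ownership AND by audited reads/shares.
    Checking human entitlements alone misses the second group: a secret the
    leaver merely read or forwarded is exposed even if they never owned it."""
    exposures: dict[str, Exposure] = {}

    def touch(nhi, reason):
        exp = exposures.setdefault(nhi, Exposure(nhi, registry[nhi]["tier"]))
        exp.reasons.append(reason)

    for nhi, meta in registry.items():
        if meta["owner"] == leaver:
            touch(nhi, "owner")
    for actor, verb, nhi, recipient in parse_audit(log):
        if actor == leaver and nhi in registry:
            touch(nhi, verb + (f" -> {recipient}" if recipient else ""))
    return exposures


def triage(leaver: str, exposures: dict, registry=NHI_REGISTRY,
           successor="successor-on-record") -> list:
    """Attach remediation actions and return exposures ordered by privilege.
    An NHI with live consumers is rotated with an overlap window, never
    deactivated, because a running service depends on it."""
    for exp in exposures.values():
        meta = registry[exp.nhi]
        if meta["owner"] == leaver and meta["consumers"]:
            exp.actions.append(f"reassign ownership to {successor}")
        if meta["consumers"]:
            exp.actions += [
                "issue new credential",
                *(f"deploy new credential to {c}" for c in meta["consumers"]),
                "verify consumers authenticate with new credential",
                "revoke old credential after overlap window",
            ]
        else:
            exp.actions.append("deactivate (no live consumer depends on it)")
    return sorted(exposures.values(), key=lambda e: (TIER_RANK[e.tier], e.nhi))


if __name__ == "__main__":
    for exp in triage("alice", find_exposures("alice")):
        print(f"{exp.nhi} [{exp.tier}] exposed via {exp.reasons}")
        for step in exp.actions:
            print(f"    - {step}")
```

Running the script prints the plan for the constructed leaver "alice": the admin-tier deploy key comes first, her personal token is simply deactivated because nothing runs on it, and the reporting credential she forwarded to a colleague is rotated even though she never owned it. In a real deployment the registry and log would come from the secrets manager and cloud IAM audit trails, and the `reasons` list is what an audit record of the offboarding should retain.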

Oasis eliminates the security risk of exposed NHIs and secrets 

Oasis provides best-in-class capabilities to eliminate the security risk of NHIs and secrets exposed by offboarded employees. In prior blogs, we discussed our industry-leading features for secret rotation and stale account decommissioning. The employee offboarding module of the Oasis platform builds on these, further enhancing them to provide a streamlined and optimized user experience that makes the offboarding process simple and effective. 

For instance, when offboarding a human identity, Oasis ensures that any exposed sensitive information is promptly flagged and managed. The platform provides a comprehensive view of dependencies linked to the offboarded identity, including privileged roles and access to sensitive data. This is achieved through integrations such as Cyera. This visibility allows for efficient prioritization and remediation of violations, grouping them into actionable tasks. 

  1. Oasis automatically detects when a human account is decommissioned, ensuring that no critical details are overlooked during the offboarding process.
  2. Oasis conducts thorough discovery to identify all associated secrets, roles, and permissions that an employee had access to, ensuring nothing is missed.
  3. The Oasis context engine creates a correlation between human identities and exposed non-human identities (NHIs). This enables a deeper understanding of potential exposures and allows for more precise remediation efforts.
  4. Oasis allows for easy prioritization of secret rotation by narrowing down the process to just the exposed secrets associated with the offboarded employee. This focused approach ensures that remediation is quick and effective, reducing the risk window.
  5. For those secrets already managed with Oasis, the tool triggers the automatic safe secret rotation. This continuous rotation reduces the risk of unauthorized access by ensuring that secrets are periodically changed, thereby maintaining high security standards.

By integrating these unique capabilities, Oasis not only simplifies management of NHIs during the offboarding process of a human identity but also significantly enhances the security posture of your organization. Our platform ensures that all potential exposures are addressed promptly, keeping your critical secrets safe and secure.

Ready to improve your mover / leaver process for managing both human and non-human identities? Contact us today to learn more about our offboarding capabilities and how they can benefit your organization. 
