<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

PAM Was Dead. StrongDM Just Brought it Back to Life. ✨  An important message from StrongDM's CEO!

Search
Close icon
Search bar icon

All Offboard! The 2024 Tech Staff Offboarding Checklist

Offboarding technical employees can be a complex and arduous process with a lot of moving parts. The key to successful offboarding is to have a clear understanding of what needs to be done, who does it, and how to monitor for any shenanigans from former employees.

That’s why we’ve pulled together the 2022 Tech Staff Offboarding Checklist. It outlines the steps you should take to make sure offboarding is done successfully.

BONUS: Below, we also breakdown how companies like MakeSpace, Hearst, and Fair use this process to improve security, protect sensitive data, and ensure a clean break with outgoing staff.

Why Do I Need an IT Offboarding Checklist?

“We are besieged by simple problems. ... Checklists can provide protection.”

― Atul Gawande,
The Checklist Manifesto: How to Get Things Right

Offboarding technical employees typically requires working with IT and HR to revoke access to multiple systems, recover equipment, and help former employees exit on good terms. A well-structured checklist will help you:

  • Protect your data.
  • Mitigate legal and security threats. 
  • Uphold compliance standards. 
  • Ease the transition for remaining staff. 
  • Part on good terms.

Most of all, a checklist will give you assurance that you have dealt with every requirement of employee offboarding. If you don’t deal with them all, the risk for problems down the line can increase.

⚠️ Traditional PAM deployments have gaps. Learn how to protect your databases, the cloud, Kubernetes, and more with our legacy PAM augmentation guide.

Zombie Credentials and Bad Actor Threats

If your offboarding process doesn’t give you confidence that former staff no longer have access to your organization’s infrastructure, then chances are your environment is sprinkled with security gaps. That means former employees may still be able to delete files, misconfigure servers, alter data, or steal intellectual property. Not to mention that bad actors may discover forgotten keys, certificates, and “zombie credentials.” 

Removing access is especially important for IT and security staff. These users often have far-reaching rights to shared folders, user email accounts, and other critical information. Users with network-wide access can even make significant changes in the environment.

To act quickly, you must maintain an accurate IT inventory, including knowledge of who has access to what and where—keys, credentials, certificates, etc.—and take care to revoke access from all sensitive systems. That’s why you can’t rely on severed SSO or VPN access alone. To prevent security breaches, you need a systematic way to revoke employee access across the board and an audit trail to ensure that your process is thorough and effective.

Offboarding Checklist

Simplifying the Offboarding Process

Failure to follow a plan can lead to more than just mistakes, it can create a lot of administrative busywork. This can cause HR and IT to struggle to coordinate the who-what-where of technical staff termination. Effective offboarding of technical staff is a dance between HR, IT, and management.

In organizations with a well-coordinated offboarding strategy:

  • Teams establish a clearly defined process in advance.
  • HR supports DevOps by suspending SSO access. 
  • Engineers and technical staff delete sensitive infrastructure credentials.
  • Automation reduces workload while maintaining security.
  • A final audit ensures that infrastructure is secure.

This is where the checklist comes in.

Technical Staff Offboarding Steps

Use this checklist whenever a technical employee leaves the organization:

  1. Inform HR as soon as termination occurs.
  2. Revoke Identity provider (IdP) and single sign-on (SSO) access.
  3. Remove access to databases, servers, and Kubernetes.
  4. Suspend access to SaaS accounts.
  5. Terminate VPN and employee remote access.
  6. Reset shared passwords.
  7. Forward employee email.
  8. Update system ownership.
  9. Recover company devices and physical assets.
  10. Back up local files and delete suspended accounts, per company policy.
  11. Reassign employee vendor licenses based on role.
  12. Regularly review access logs to ensure nothing slips through.
  13. Conduct an exit interview. 
  14. Express thanks for the employee’s contributions, and part on good terms!

Make Offboarding Even Easier: Automate Offboarding with StrongDM

StrongDM can automate and consolidate your checklist into a simpler offboarding process. That means fewer errors, safer data, and happier employees in HR and DevOps. With StrongDM, you can:

  • Extend your SSO to centrally manage infrastructure access.

By extending your SSO to manage infrastructure access, you can consolidate the many steps involved in revoking access to servers, Kubernetes, and databases across all platforms. When offboarding technical employees with far-reaching access, this is a huge timesaver.

Fair.com, an automotive fintech company, uses StrongDM to simplify the offboarding process for technical staff that need access to databases, servers, and Kubernetes clusters. The company no longer distributes underlying keys or credentials to staff but relies on their SSO to authenticate to any database, server, or K8s cluster.

  • Revoke access to all infrastructure in one click.

MediaOS, which manages content for Hearst’s 21 magazines, including Elle, Cosmopolitan, and Esquire, uses StrongDM to replace a labor-intensive staff termination process. In fact, with StrongDM, MediaOS offboards IT staff in just 60 seconds.

  • Eliminate administrative busywork.

StrongDM reduces administrative overhead by replacing disparate actions, scripts, and stitched-together systems with a unified, automated tool.

MakeSpace used StrongDM to replace a dozen scripts with a single command when offboarding technical staff. Now, MakeSpace can enforce the principle of least privilege (PoLP) without burdening the engineering team with administrative busywork.

  • Minimize the risk of data exposure by enforcing PoLP.

Successful offboarding begins with thoughtful onboarding, which can be simplified by using role-based access control and the principle of least privilege.

MediaOS at Hearst, simplified both onboarding and offboarding using StrongDM. The DevOps team simply invites a new hire to the StrongDM platform and assigns a role. From there, the hire inherits all appropriate database permissions, and revoking these permissions is also just as easy.

  • Maintain an audit trail of who did what, when, and where.

A final step in the offboarding process is regular auditing. You need to know if you are missing or forgetting something that leaves your infrastructure vulnerable.

StrongDM provides an audit trail to everything employees, vendors, and service accounts access. That means you can offboard with confidence.

Get the Checklist. Then Start Automating.

Bad actors and disgruntled employees will always pose a threat to data security. However, simplifying and auditing your termination process will help you mitigate risk and ease administrative burdens, making IT offboarding easy, fast, and painless.

Getting started is as easy as downloading the technical staff offboarding checklist.

How about an onboarding checklist? We have that as well! Find the onboarding checklist here.

Want to simplify offboarding even more? Book a demo of StrongDM.

To learn more about how StrongDM helps companies with offboarding, make sure to check out our Offboarding Use Case.


About the Author

, Contributing Writer and Illustrator, has a passion for helping people bring their ideas to life through web and book illustration, writing, and animation. In recent years, her work has focused on researching the context and differentiation of technical products and relaying that understanding through appealing and vibrant language and images. She holds a B.A. in Philosophy from the University of California, Berkeley. To contact Maile, visit her on LinkedIn.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

PAM Was Dead. StrongDM Just Brought it Back to Life.
PAM Was Dead. StrongDM Just Brought it Back to Life.
In essence, legacy PAM solutions over-index on access. StrongDM uses the principles of Zero Trust to evaluate and govern every action, no matter how minor - where each command, query, or configuration change is evaluated in real-time against dynamic policies that adapt to the context of the user, the sensitivity of the action, and the prevailing threat landscape.
Privileged Access in the Age of Cloud Authentication & Ephemeral Credentials
Privileged Access in the Age of Cloud Authentication & Ephemeral Credentials
The way that people work continues to evolve, and as a result, so do the ways that they must authenticate into their organization’s resources and systems. Where once you simply had to be hardwired into the local office network, now you must expand your perimeter to include remote and hybrid workforces, on-prem and cloud environments, and take into account a growing list of factors that impact how and where people access critical company resources.
9 Privileged Access Management Best Practices
9 Privileged Access Management Best Practices
Understanding the pillars of access control and following best practices for PAM gives you a roadmap to an implementation that is secure and comprehensive with no security gaps. This article contains nine essential privileged access management best practices recommended by our skilled and experienced identity and access management (IAM) experts.
Vendor Access Management (VAM) Explained
Vendor Access Management (VAM) Explained
Vendor Access Management (VAM) is the systematic control and oversight of vendor access to an organization's systems, applications, and data. It involves processes such as onboarding and offboarding vendors, utilizing solutions for Just-in-Time access, ensuring security, and streamlining workflows to minimize operational inefficiencies.
How to Meet NYDFS Section 500.7 Amendment Requirements
How to Meet NYDFS Section 500.7 Amendment Requirements
The New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation is a set of comprehensive cybersecurity requirements that apply to financial institutions operating in New York. The goal of the regulation is to ensure that the cybersecurity programs of financial institutions have robust safeguards in place to protect customer data and the financial sector.