Bridging the Digital Divide, Part 4: Deprovisioning—The Back Door Hackers Depend on You to Leave Open

April 30, 2019

In the previous blog post of our Bridging the Digital Divide series, we discussed how automated provisioning can provide near-immediate account creation and resource access that manual workflows simply can’t match. When it comes time for a user to change roles or leave your district altogether, automated deprovisioning is equally important, and arguably more so from a security standpoint.

Not only can automated deprovisioning tightly control access to your users’ personally identifiable information (PII), but it can also be used to reclaim unused software licenses. Failing to automate your district’s deprovisioning processes can leave your information systems open to numerous threats.

As users transition to new roles, administrators may forget to revoke the resource permissions they no longer need, resulting in an accumulation of unnecessary access over the course of their lifecycle within your district. When they exit the organization, it may be difficult for your IT team to track down and remove resource permissions unrelated to their current position, leaving old accounts open well after the individual has left. These unused orphan accounts can be compromised and exploited without anyone noticing until it’s too late.

Automated deprovisioning is the most effective way to enforce your policies around offloading both student and staff accounts. Manual deprovisioning often requires the cooperation of several departments and can consequently take several weeks to complete; when automated, however, one person can initiate the cascade of changes necessary to withdraw resource permissions associated with a previous role or terminate access entirely. 

Sometimes deprovisioning is short-lived, such as when a student is suspended or a teacher takes a leave of absence. For these temporary status changes, automated deprovisioning can dictate a time period during which the account is inactivated and placed in holding by the district to ensure complete deletion doesn’t occur.

Well-designed automated deprovisioning policies can trigger all the suspensions, deactivations, deletions, and archiving necessary to keep your user data safe with just simple status changes in your authoritative data source. Enboard can help you create custom deprovisioning workflows tailored to your district’s needs, with full reports of all processes performed during provisioning runs. For further insight into the benefits of automated deprovisioning, click here to check out our conversation on the topic with Enboard President and CTO Michael Knight.
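
The reconciliation described above, sketched as an added example (not Enboard's code or product behavior): it compares an authoritative source with directory accounts and plans revocations for role changes, holds for temporary statuses, and disablement of orphan accounts. All user names, roles, status values, entitlements and the 90-day hold are constructed assumptions.

```python
from datetime import date, timedelta

# Assumed policy: what each role is entitled to (hypothetical names).
ROLE_ENTITLEMENTS = {
    "teacher": {"email", "gradebook", "lms"},
    "counselor": {"email", "student_records"},
    "student": {"email", "lms"},
}
TEMPORARY = {"suspended", "leave"}  # assumed statuses: hold, never delete
HOLD_DAYS = 90                      # assumed holding period

def plan_deprovisioning(source, directory, today):
    """Return sorted (user, action, detail) steps that bring directory
    accounts in line with the authoritative source."""
    plan = []
    for user, acct in directory.items():
        rec = source.get(user)
        if rec is None or rec["status"] == "departed":
            # Orphan account: nothing in the source still backs it.
            if acct["enabled"]:
                plan.append((user, "disable_and_archive", "no active source record"))
            continue
        if rec["status"] in TEMPORARY:
            if acct["enabled"]:
                until = today + timedelta(days=HOLD_DAYS)
                plan.append((user, "suspend_hold", until.isoformat()))
            continue
        # Active user: revoke access left over from a previous role.
        extra = acct["entitlements"] - ROLE_ENTITLEMENTS[rec["role"]]
        plan.extend((user, "revoke", ent) for ent in extra)
    return sorted(plan)

# Constructed sample data.
SOURCE = {
    "avega": {"role": "counselor", "status": "active"},  # formerly a teacher
    "bkim": {"role": "student", "status": "suspended"},
    "cdiaz": {"role": "teacher", "status": "departed"},
}
DIRECTORY = {
    "avega": {"enabled": True,
              "entitlements": {"email", "gradebook", "lms", "student_records"}},
    "bkim": {"enabled": True, "entitlements": {"email", "lms"}},
    "cdiaz": {"enabled": True, "entitlements": {"email", "gradebook", "lms"}},
    "oldsub": {"enabled": True, "entitlements": {"email"}},  # no source record
}

if __name__ == "__main__":
    for step in plan_deprovisioning(SOURCE, DIRECTORY, date(2019, 4, 30)):
        print(step)
```

Running the same plan on a schedule and alerting on any non-empty result is a simple way to catch accounts that slipped past a manual offboarding step.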