Provisioning and the Termination Nightmare

Back in my IT days, I was – among various responsibilities – tasked with managing user access from the time someone was hired to the time they moved on (or were fired). As I will discuss, this was often the most stressful part of my day-to-day. Now with the explosion of mobile users and SaaS applications such as Google Apps, Office 365 and hundreds of other apps, managing access has become even more error-prone and stressful. But it doesn’t have to be.

Back then, the “hair on fire” portion of my day was always really high. Planning was rare. Reacting was often the best I could do. And never was reacting more… well, reactive, than when we’d get a term notice.

Terminations (“or terms”), especially when someone was fired, were a fire that burned brighter and hotter than all others, because terms had the most meaningful deadline of anything that came through IT. If, at the end of that day, the terminated employee still had access to corporate resources the lawyers had to get involved and start asking why, and the CIO would start breathing down our necks. No one wants to be deposed if corporate data is stolen. So terms were always a “drop everything” affair.

What’s this got to do with provisioning?

See it in action for yourself – watch as Corey Williams plays the role of IT, and I play the role of the employee. In it, we show how easy it is to deploy access to Google Apps, manage that access, and revoke it – from web single sign-on (SSO) and mobile devices.

Provisioning applications, while it sounds easy enough, includes onboarding, ongoing management, and the dreaded terminations.

  1. Onboarding a new employee was stress-free but time consuming. I always had at least two weeks to get a new employee set up with their applications, VPN, laptop, etc., because nearly every employee gave two weeks notice to their previous employer. (And just between us, if I forgot something in those two weeks, I could fix it after the employee started. Hopefully just before they noticed.) However the number of manual tasks grew right along with employee count and the chances to make a mistake increased as a result.
  1. Ongoing management was also a low-stress endeavor. When new access was needed, or an employee moved from one team to another, whatever the case was, we had advance notice, and the deadline was “fuzzy” enough to make it work no matter what. Only the number of manual tasks caused any stress or opened the door for mistakes or frustrated users.
  1. Terminations were the kicker. As described above, terms were the most important of the group, carried the most risk if we got it wrong, and — of course — had to happen in the least amount of time.

Now, with more apps than ever, and more devices being used to access those apps, provisioning is even more critical. Employees need access to the apps and devices required to do their jobs on day one, and as they progress during their employment. And when they leave, it’s critical to revoke access to all those same apps and devices – but doing so in today’s cloud world is even more challenging than ever:

  • What apps do they have access to?
  • What login are they using?
  • Does IT control that app, or does Line-of-business?
  • When do devices have access to that app, and what data is stored on those devices?

Identity Service to the rescue

Enter Centrify Identity Service.  Identity Service allows IT to:

  • Push apps to each employee based on their role
  • Manage app access with customized security policies
  • Provide single sign-on to eliminate multiple passwords
  • Manage the devices (including VPN, Corp Wi-Fi, and PKI) used to access those apps
  • Revoke ALL of it, in seconds, when an employee leaves




The nightmare that was provisioning is now a centrally managed, single console dream. No more lawyers checking in. No more CIO phone calls. No more wondering if there was some unknown access risk that wasn’t locked down.

More apps and more devices usually mean more hassles, but with automated provisioning, the “hair on fire” quotient of every day can be greatly diminished.

…And at the rate my hair is falling out, that’s definitely something to be grateful for!