Employee offboarding is a task that HR, IT, and Security teams handle today more often than ever before. As worker mobility continues to increase–both in the form of voluntary job changes and what NIST gently terms “unfriendly” terminations–the ability to seamlessly and securely offboard employees is critical, and failing to do so has serious security implications.
As the use of file sharing platforms like Google Drive has grown and the volume of sensitive data stored within has increased along with it, businesses need to consider a range of compliance and policy-related issues when files are shared outside of the organization–and these issues often become even more pressing when an employee is offboarding and their shared files are transferred.
Don’t Let Shared Files Get Lost in the Shuffle
There is a range of best practices for securing cloud data during the offboarding process, from monitoring file downloading and data exfiltration to preventing external email forwarding. But one task that’s often underestimated in its complexity is understanding and securing the access to departing users’ shared files.
Even relatively short-tenured employees can build up substantial libraries of documents shared with partners, customers, and other external users. The most common procedure for handling an offboarded user’s shared files is to simply transfer ownership of those files to their manager as-is. That manager is then responsible for ensuring the security of those files–most critically any external permissions.
Even if a manager is only inheriting a handful of shared files, this can be a tricky task–and if the departing user shared large volumes of files the lift gets even heavier. Does the manager know what types of files are moving under their control, and their sensitivity? How familiar are they with company policy or compliance requirements on who should have access externally? Are there any files the departing user shared recently that might be particularly risky? These considerations are key to understanding what is and isn’t acceptable sharing–but none of them are core functions of most managers.
Adding to the risk are the cases where a manual review workflow can inadvertently leave unnoticed security gaps. For example, even the most meticulous manager with all the free time in the world likely won’t catch a departed user’s deleted externally-shared files. Deleted files often aren’t migrated upon offboarding, but their sharing permissions can linger, leaving orphaned files unseen by the organization but still visible externally. This leaves you with files within your footprint with external access but no internal stewardship–a recipe for unwanted and potentially unseen visitors into your environment.
With relatively limited visibility into Drive and so many potentially-dangerous edge cases to consider, even the most meticulous manager with all the time in the world on their hands will struggle to ensure the file transfer process is followed exactly. This is where Material can help.
Material Security Simplifies the Offboarding Process
Material’s Data Protection for Google Drive makes the offboarding process simpler and more secure by automatically revoking external sharing permissions of files through our integration with Okta Workflows, Tines, and other vendors.
Upon suspension of the user in Okta - the initiation of offboarding - Material’s automations kick into gear and begin the process of cleaning up the user’s shared files:
- The system gathers information about that user and constructs a query to find all the externally-shared files they own–by default, Material looks for any shares with specific external email addresses, as well as “anyone with link” permissions.
- The Revoke Google Drive File Access API is called for each externally-shared file.
- This process loops through all the externally-shared files and revokes those permissions. Whether a few dozen or a few thousand shared files, those permissions will be revoked within minutes of the workflow being triggered.
The end result is that any external access to an offboarded user’s files is automatically revoked, without any manual intervention from the manager, security, or HR teams beyond suspending the user in Okta. The files may then be transferred to the departing user’s manager or follow whatever process your offboarding procedures require, safe in the knowledge that no one outside the organization can access them any longer.
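The selection step of the workflow above can be sketched as follows. This is an added example, not Material's code or API: it assumes file records shaped like Google Drive API v3 file and permission resources, and the domain list, file names, and IDs are constructed. It keeps trashed files in scope, since their sharing permissions can linger.

```python
# Added example: plan which Drive permissions to revoke for a departing user.
# Records mimic Google Drive API v3 file/permission fields; all values are constructed.
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own domain(s)

SAMPLE_FILES = [  # constructed sample of files owned by the suspended user
    {"id": "f1", "name": "Q3 pricing.xlsx", "trashed": False, "permissions": [
        {"id": "p0", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"id": "p1", "type": "user", "role": "writer", "emailAddress": "partner@vendor.test"},
        {"id": "p2", "type": "user", "role": "reader", "emailAddress": "bob@example.com"}]},
    {"id": "f2", "name": "roadmap.pdf", "trashed": False, "permissions": [
        {"id": "p3", "type": "anyone", "role": "reader"}]},
    {"id": "f3", "name": "old contract.docx", "trashed": True, "permissions": [
        {"id": "p4", "type": "user", "role": "reader", "emailAddress": "legal@customer.test"},
        {"id": "p5", "type": "domain", "role": "reader", "domain": "example.com"}]},
    {"id": "f4", "name": "team notes.docx", "trashed": False, "permissions": [
        {"id": "p6", "type": "group", "role": "writer", "emailAddress": "team@example.com"}]},
]


def is_external(perm, internal_domains):
    """Return True when a permission grants access outside the organisation."""
    if perm.get("role") == "owner":
        return False  # ownership is transferred during offboarding, not revoked
    ptype = perm.get("type")
    if ptype == "anyone":
        return True  # "anyone with link" sharing
    if ptype == "domain":
        return perm.get("domain", "").lower() not in internal_domains
    if ptype in ("user", "group"):
        # A missing address yields an empty domain, which counts as external.
        domain = perm.get("emailAddress", "").rpartition("@")[2].lower()
        return domain not in internal_domains
    return True  # unknown permission type: fail closed and revoke


def plan_revocations(files, internal_domains):
    """List (file_id, permission_id, trashed) for every external grant.

    Trashed files are deliberately not skipped: their shares stay live.
    """
    return [(f["id"], p["id"], f.get("trashed", False))
            for f in files
            for p in f.get("permissions", [])
            if is_external(p, internal_domains)]


if __name__ == "__main__":
    for file_id, perm_id, trashed in plan_revocations(SAMPLE_FILES, INTERNAL_DOMAINS):
        print(file_id, perm_id, "(trashed file)" if trashed else "")
```

Each planned pair would then be passed to whatever revocation call the workflow uses; logging the plan before acting on it gives the security team a record of what access was removed.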
Control Risky Sharing with Data Protection for Google Drive
Understanding what types of files your employees are sharing, the sensitive data they contain, and who those files are shared with is critical for security and regulatory and policy compliance. And when an employee leaves, sensitive data in their shared files can become an overlooked risk in the offboarding process–but remediating that risk doesn’t have to be difficult.
Material Security’s Data Protection for Google Drive seamlessly finds and fixes risky sharing of your users’ files from their first day to their last.