Most teams invest heavily in credential onboarding—setting up accounts, issuing certificates, and configuring access. But offboarding? That's where things fall apart. Orphaned accounts, lingering SSH keys, and unrevoked certificates become security debt that grows silently until an audit or breach forces action. This guide is for IAM engineers, security architects, and compliance officers who want to fix the offboarding stage of credential lifecycle governance. We'll walk through the workflow, common mistakes, and practical steps to close the gap.
Who Needs This and What Goes Wrong Without It
If your organization manages digital credentials—whether they're user passwords, SSH keys, API tokens, TLS certificates, or federated identities—you have a lifecycle that begins with issuance and ends with revocation or rotation. Most teams get the first part right: they have onboarding checklists, approval workflows, and initial provisioning automation. But the offboarding stage is often an afterthought, handled manually or not at all.
What goes wrong? Without a structured offboarding process, you accumulate zombie credentials: accounts for former employees that still have active sessions, certificates that are still trusted by relying parties, and service accounts with unchanged secrets long after the original owner left. Attackers exploit these gaps. In a typical scenario, a contractor's VPN certificate remains valid for months after their contract ends, giving them—or anyone who compromises their device—ongoing network access. Compliance frameworks like SOC 2, ISO 27001, and PCI DSS require timely revocation, and failing to do so can lead to audit findings, fines, or loss of certification.
Who needs to care? Everyone involved in identity and access management, but especially teams that manage non-human credentials (service accounts, machine certificates, API keys). These are often overlooked because they don't have a person to deactivate. For example, a CI/CD pipeline token that was rotated manually after a developer left might still be stored in a shared script, granting access to production systems. The stakes are high: credential mismanagement is a leading cause of data breaches, according to multiple industry surveys.
The core problem is that offboarding is not a single event—it's a process that spans multiple systems, each with its own revocation mechanism. A user's Active Directory account might be disabled, but their SSH key on a Linux server remains, their cloud IAM role still has a trust policy referencing their user ARN, and their personal access token in a code repository is still active. Without a coordinated offboarding workflow, you're leaving doors open.
Why Offboarding Fails in Practice
One reason is that offboarding is often delegated to a single person or team without clear procedures. When someone leaves, the manager submits a ticket, IT disables the account, and everyone moves on. But that ticket rarely covers all credential types. Another reason is the lack of visibility—you can't revoke what you don't know exists. Many organizations don't have a complete inventory of credentials, especially machine-to-machine secrets. Finally, there's the fear of breaking things: revoking a certificate or rotating a key might disrupt a critical service, so teams delay or skip it.
Prerequisites and Context Readers Should Settle First
Before you can build an offboarding workflow, you need a solid foundation. Start with a credential inventory: every type of credential your organization uses, where it's stored, who or what uses it, and its expiration or rotation policy. This includes user passwords, SSH keys, TLS certificates, API tokens, OAuth client secrets, service account keys, database credentials, and any other secret that grants access. You can't manage what you don't track.
Next, map your identity sources. Most organizations have multiple directories: Active Directory, Azure AD, Okta, LDAP, and perhaps a few cloud IAM systems. Each source may have its own offboarding process. You need to understand which identities are authoritative for which systems, and how revocation propagates. For example, disabling a user in Active Directory might not automatically revoke their AWS IAM access if federation is not configured correctly.
Policy is another prerequisite. Define what offboarding means for each credential type: immediate revocation for terminated employees, scheduled rotation for service accounts, or archival for compliance purposes. Document the exceptions—for instance, a service account used by a batch job that runs monthly might need a grace period. Without clear policies, teams will default to inaction.
Technical Prerequisites
You'll need tooling to automate revocation where possible. This could be a commercial IGA platform, a homegrown script, or a combination of cloud-native tools (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager). At minimum, you need the ability to revoke credentials programmatically and log the action. You also need a monitoring system to detect orphaned credentials—something that scans for active credentials tied to disabled accounts or expired certificates.
Finally, establish a communication channel. Offboarding often requires coordination between HR, IT, security, and the credential owner's manager. Define who initiates the process, who approves revocation, and who verifies it's complete. A simple workflow in a ticketing system can work, but it must cover all credential types, not just user accounts.
Core Workflow: Sequential Steps for Offboarding Credentials
Here's a step-by-step offboarding workflow that covers the full credential lifecycle. Adapt it to your environment, but keep the sequence and completeness.
- Trigger event: The offboarding process starts when an identity is deprovisioned—employee termination, contract end, role change, or service account decommissioning. This trigger should come from HR or the identity source (e.g., account disabled in AD).
- Inventory check: Query your credential inventory for all credentials associated with that identity. Include direct credentials (user's password, SSH key) and indirect ones (service accounts where the user was a member, certificates issued to their device).
- Revoke user credentials: Disable the user account, reset the password, and revoke any active sessions. Invalidate any API tokens or personal access tokens. For certificates, add them to the CRL or use OCSP stapling to mark them revoked.
- Rotate shared secrets: If the user had access to shared secrets (e.g., a database password stored in a password manager), rotate those secrets immediately. Do not assume that disabling the account is enough—the user may have copied the secret.
- Update service dependencies: For service accounts or machine identities that the user managed, update their credentials. This might mean rotating the service account's password or re-issuing its certificate. Ensure that any automation (CI/CD pipelines, scheduled jobs) that used the old credential is updated.
- Audit and verify: After revocation, run a verification step. Attempt to use the revoked credential to confirm it no longer works. Check logs for any failed authentication attempts from the revoked identity. Document the actions taken for audit trails.
- Archive or clean up: For compliance, some credentials need to be retained (e.g., audit logs of certificate issuance). Archive them securely. For others, delete them entirely. Ensure that archived credentials are encrypted and access is restricted.
Handling Edge Cases
What about emergency offboarding? If a user is terminated for cause, you may not have time for a full inventory check. In that case, disable the account immediately, then follow up with the remaining steps. For service accounts that are critical to operations, schedule a rotation window and communicate with stakeholders. For certificates that are part of a chain, revoke the leaf certificate first, then the intermediate if needed.
Tools, Setup, and Environment Realities
Your offboarding workflow will depend on your tooling. Here are common setups and their trade-offs.
IGA platforms like SailPoint, Okta Identity Governance, or Microsoft Identity Manager offer built-in offboarding workflows that can automate account disabling, group removal, and credential revocation. However, they often require connectors to every target system, and custom connectors may be needed for legacy apps. They handle user identities well but may miss non-human credentials.
Cloud-native tools such as AWS IAM, Azure AD, and GCP IAM each have their own offboarding mechanisms. For example, AWS IAM allows you to delete a user's access keys and attach a policy that denies all actions. But if you have a multi-cloud environment, you need to orchestrate across providers. Tools like Terraform or Pulumi can help by treating credentials as infrastructure-as-code.
Homegrown scripts work for small environments: a script that queries all systems and revokes credentials can be effective. But it's brittle—new systems are added, APIs change, and error handling is complex. This approach is best for organizations with a stable, small set of systems.
Secrets management platforms like HashiCorp Vault, CyberArk, or AWS Secrets Manager centralize credential storage and can automate rotation and revocation. For example, Vault can issue dynamic secrets that expire automatically, reducing the need for manual offboarding. However, not all credentials can be moved into a secrets manager—legacy systems may still use hardcoded passwords.
Environment Considerations
In a hybrid environment, you'll need to bridge on-premises and cloud revocation. For example, an on-premises AD user might have a federated AWS account. Disabling the AD account should trigger a session revocation in AWS via SAML or OIDC. This requires proper federation configuration and a script or tool that listens to AD events and calls AWS APIs. Similarly, for certificates, you may have an internal CA and a public CA. Revocation for internal certs uses CRL or OCSP, while public certs may require API calls to the CA provider.
Variations for Different Constraints
Not every organization has the same resources or risk tolerance. Here are variations of the offboarding workflow for different constraints.
Small Team, Limited Budget
If you're a startup with a handful of employees, you can use manual checklists. Create a spreadsheet of all credential types and assign each offboarding to a person. Use free tools like OpenSSL for certificate revocation and cloud console for IAM. The risk is human error, but for small teams, it's manageable. Automate where you can with simple scripts—for example, a shell script that disables a user in AD and removes their SSH keys from known hosts.
Large Enterprise, Compliance-Driven
In a regulated environment, you need audit trails and segregation of duties. Use an IGA platform with approval workflows. Every revocation must be logged, and you need periodic recertification of credentials. For certificates, use a CA that supports CRL and OCSP with strict validity periods. Implement a policy that all credentials must be revoked within 24 hours of termination, and run automated scans to detect non-compliance.
Cloud-Native, No On-Premises
If you're fully in the cloud, leverage identity providers and secrets managers. For user identities, use SSO with session revocation. For machine identities, use short-lived credentials (e.g., AWS STS temporary credentials) that expire automatically. Implement infrastructure-as-code so that when a user is removed from the identity provider, their cloud resources are deprovisioned. Use tools like AWS Config or Azure Policy to enforce that no credentials are older than a certain age.
Hybrid, Legacy Systems
This is the hardest scenario. You have mainframes, custom apps, and databases with hardcoded credentials. For these, you may need to manually update configuration files or use a privileged access management (PAM) solution that can rotate passwords on a schedule. Prioritize the highest-risk credentials first—those that grant access to sensitive data or critical infrastructure. Accept that some legacy systems will have slower offboarding and document the risk.
Pitfalls, Debugging, and What to Check When It Fails
Even with a good workflow, things go wrong. Here are common pitfalls and how to fix them.
Missing service accounts: The most common failure. A developer creates a service account for their app and never registers it in the inventory. When they leave, the service account remains. Fix: Implement a policy that all service accounts must be created through a central portal that logs them. Run periodic scans to detect unregistered service accounts.
Delayed revocation: You disable the account but don't revoke the certificate. The certificate is still valid until it expires. Fix: Automate certificate revocation as part of the offboarding workflow. Use a CA that supports API-driven revocation.
Incomplete CRL updates: You revoke a certificate, but the CRL is not distributed to relying parties. The certificate is still trusted. Fix: Monitor CRL distribution points and ensure that revocation is reflected in real-time OCSP responses. Test revocation by attempting to validate the certificate after revocation.
Session persistence: You revoke the password, but the user has an active OAuth token that is still valid. Fix: Revoke all tokens and sessions. In Azure AD, you can revoke all refresh tokens. In Okta, you can clear user sessions.
Backup credentials: The user had a backup admin account that wasn't tracked. Fix: Enforce that all privileged accounts are registered and monitored. Use a PAM solution that rotates passwords after each use.
Human error in manual steps: Someone forgets to revoke a credential. Fix: Automate as much as possible. For manual steps, use a checklist with sign-offs and audit trails.
Debugging a Failed Offboarding
Start with logs. Check the revocation logs for the identity—did each step execute? If a certificate revocation failed, verify the CA's CRL generation schedule. If a session token wasn't invalidated, check the token's expiry. Often, the issue is a missing connector or a permission error. Test the workflow with a test account in a non-production environment. Finally, run a full credential scan to see if any credentials tied to the offboarded identity are still active. Fix the gaps and rerun the workflow.
Comments (0)
Please sign in to post a comment.
Don't have an account? Create one
No comments yet. Be the first to comment!