With a typical company having a staff attrition rate in the region of 15% of its overall headcount, how leavers and joiners are managed can have a significant impact on a company, and especially one that has migrated its technology services to the Cloud.
One of the core concepts of a migration to the Cloud is that you are buying a managed service on a subscription basis. This presents a challenge as each license that you consume costs money regardless of whether it is actively being used or not. This places an increased emphasis on the management of movers and leavers, and releasing any associated licenses.
User accounts are something that people take for granted. The business always puts pressure on a technology team to on-board and provision a new member of staff as quickly as possible, and usually at ridiculously short notice. Conversely, when that member of staff then leaves their team, moving elsewhere within the company, or the business totally, there is not the same urgency to notify the technology team and allow them to recover any associated licenses.
Viewed individually, a Cloud user license itself is, typically, not that expensive per year, in comparison to the overhead of managing an on-premise environment. However, the accumulation of costs for licenses that are not recovered from leavers can be quite substantial. Both Microsoft Office 365 and Google Suite are both typical Cloud subscriptions services that can present these challenges.
For a company of 1,000 staff, using a subscription Cloud service costing £100 per user per year, they will be spending £100,000 on the managed service. If there is 15% staff turnover, and these licenses are not recovered, the company will have to spend an additional £15,000 for accounts that are no longer required.
Unfortunately, processing a leaver or joiner isn’t usually as simple as just marking the account as inactive, and this assumes there has been notification of the change in their employment. Apart from the fact that most vendor products dictate that an inactive or suspended account still requires a license, there is equally an additional concern about what happens to any associated data.
There are a number of important considerations that need to be addressed by policy and process when deciding how to process a leavers account:
- What is going to happen to the leavers account?
- Thought needs to be put into whether an account name is going to be reused or retired. The main implication is if the leaver returns, which may be the case if freelancers and contractors are provided with accounts.
- Whatever happens, don’t forget to change any passwords and secure tokens so that the leaver will no longer have access.
- If the account is email enabled, what is going to happen to the emails?
- If the account is just removed all the emails will probably be lost. There may be legal policies that mean data must be retained for a certain period of time.
- There needs to be consideration as to how incoming messages are dealt with, are they bounced, received by the existing mailbox or forwarded somewhere else.
- Is the sender notified that the account is no longer in use, do they get no notification or do they just get an undeliverable message.
- What happens to the mail store. Is there the ability to archive it, and if so how is that archive accessed, or are the mails transferred to someone else, and if so who, and do they want them.
- Where documents are stored in Cloud storage, whether this is Google Drive, One Drive or DropBox, what is going to happen to the documents?
- Depending on the Cloud storage solution used, it is often the case that documents will be lost if the associated account is removed. Sometimes there is the ability to recover them for up to 30 days, but this is not something that should be relied on.
- Like emails, there may be legal requirements to ensure that data is retained for a certain period of time.
- Sometimes documents are orphaned without an owner, and it requires an admin to transfer ownership.
- Typically, to ensure that critical documents aren’t lost, ownership is transferred to someone else. If this is the case it is essential that the person that they are to be transferred to understands this and any associated implications.
- What happens to any Cloud services that the account was the owner of?
- If the leaver owns shared services, such as distribution groups, shared folders and calendars, it is important to understand what will happen to these if the account is deleted. Will they remain or will they disappear.
- If the leaver was the owner or administrator of a Cloud service, removing an account can restrict access to the service. It is important to have a process that deals with this scenario.
It’s very easy for a business to incur unnecessary costs by not managing user accounts properly. Keeping on top of any leavers or joiners is very important, especially as there are probably other assets associated with that leaver that need to be tracked as well.
However, it is also important to understand the implications of removing an account, as this can potentially cause even further damage to the business. Having a clearly defined policy for leavers and joiners, which the business is fully educated in, associated with the appropriate processes and procedures for the technology teams to follow, is essential.
An effectively implemented IT Service Management team, following the sorts of best practices defined in the ITIL framework, is essential for the management of a company’s leavers and joiners. The key is ensuring that you have a rigorous Request Management process, supported by effective Software Asset Management (SAM), Financial Management and Capacity Management, implemented in an agile way and continuously reviewed to ensure that it is always appropriate for the business.
If you would like to find out how iCore can help you with your ITSM requirements for the Cloud then contact us on 0207 868 2405.