topic Re: Best Practices for Securing User Ghost Accounts After Ending Employment in Peer-Peer Topics

Best Practices for Securing User Ghost Accounts After Ending Employment

jpark — Mon, 01 Jul 2024 16:33:59 GMT

Hi all,

In my protocols for securing employee user accounts after their employment ends, there is a gap for a best practice on securing any ghost accounts users have created. By that, I mean any accounts for third party services they have used their Google Workspace account to create in which they have no record of, nor have they disclosed to me.

We have all our App Access Control setup so users can create accounts using oAuth ONLY for services we have approved, so that's a great start. We also have 2FA enforced. But I'm concerned about any other accounts they have used the "Sign up with Email" option and use a password to login.

Are there any tools in the Admin Console to track or checkup on logins such as these?

Re: Best Practices for Securing User Ghost Accounts After Ending Employment

Bill_Gibson — Wed, 03 Jul 2024 19:01:59 GMT

I believe you're referencing unmanaged accounts.

If so, this should help you get started
https://support.google.com/a/answer/11112794?hl=en

Re: Best Practices for Securing User Ghost Accounts After Ending Employment

Justin_W — Fri, 05 Jul 2024 14:05:30 GMT

> But I'm concerned about any other accounts they have used the "Sign up with Email" option and use a password to login.

There isn't going to be anything you can do about 3rd-party, un-manged accounts a user may have created.

I agree that I wish there was another step/switch for what are essentially deprecated accounts. I suspect one could take the time to go after each account and turn off all unneeded services, revoke all permissions, transfer all ownership of files,sites, etc. But I don't like the the account still sits there and can be used. If nothing else, it stinks that it adds a "users" to our account and may cost us money for services that we use that charge "per user" for our Workspace. And for us, these accounts almost always just exist for the sake of email delegation. In the old days, it was a lot easier to manage that because you'd just export their mailbox, and put it in a shared location for those that needed it. But since we're not using an email client anymore (and the process would still be time consuming and impractical even if we were) that's not an option. I wish Google would just allow a way to host a mailbox strictly for delegation purposes. Like a Shared Drive.

Anyhow, it sounds like you've done the primary steps.

Dealing with random accounts users may or may not have signed up for using their work email isn't something tech is really going to solve.

There are some services that attempt to track/monitor such things, but it's still not stopping it.

Re: Best Practices for Securing User Ghost Accounts After Ending Employment

Kim_Nilsson — Fri, 05 Jul 2024 17:24:17 GMT

"App Access Control setup so users can create accounts using oAuth ONLY for services we have approved"

That is actually the most important step anyone can take.

Sign up/in with email - is completely out of your control, since most organisations don't block incoming email for staff, which is usually necessary to verify the email and activate the third-party account.

On the part of accounts costing someone something, as soon as you are made aware, it is possible to do a password reset of the third-party account, sign in and cancel it. Since it's just an email address, you don't even have to create an account. You can just add it as an alias or group, and receive the emailed reset-link to your own inbox.

The prevent action is to, of course, educate your users before they make such mistakes, and also very clearly state in the offboarding instructions that such accounts must be cancelled by the user themselves, preferable well in advance of their last day at work.

Re: Best Practices for Securing User Ghost Accounts After Ending Employment

jpark — Mon, 08 Jul 2024 15:02:51 GMT

Thanks, all. That is very sound advice on all fronts. This job would be so much easier without users, right?!?!