惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Troy Hunt's Blog
F
Fortinet All Blogs
D
DataBreaches.Net
Google DeepMind News
Google DeepMind News
Y
Y Combinator Blog
The Register - Security
The Register - Security
T
Tailwind CSS Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
月光博客
月光博客
V
Vulnerabilities – Threatpost
S
Securelist
S
SegmentFault 最新的问题
T
Threat Research - Cisco Blogs
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Privacy International News Feed
S
Schneier on Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
L
LangChain Blog
GbyAI
GbyAI
Apple Machine Learning Research
Apple Machine Learning Research
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
美团技术团队
Cyberwarzone
Cyberwarzone
C
Cisco Blogs
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Google Online Security Blog
Google Online Security Blog
M
MIT News - Artificial intelligence
U
Unit 42
V
V2EX
C
CERT Recently Published Vulnerability Notes
云风的 BLOG
云风的 BLOG
B
Blog
博客园 - 叶小钗
Attack and Defense Labs
Attack and Defense Labs
Security Archives - TechRepublic
Security Archives - TechRepublic
aimingoo的专栏
aimingoo的专栏
Hacker News: Ask HN
Hacker News: Ask HN
博客园 - Franky
Engineering at Meta
Engineering at Meta
Schneier on Security
Schneier on Security
C
CXSECURITY Database RSS Feed - CXSecurity.com
酷 壳 – CoolShell
酷 壳 – CoolShell
T
The Blog of Author Tim Ferriss
IT之家
IT之家
W
WeLiveSecurity
Cisco Talos Blog
Cisco Talos Blog
K
Kaspersky official blog
Martin Fowler
Martin Fowler
SecWiki News
SecWiki News

Blog on 1Password Blog

Why secure-by-design is an incentives problem, with Bob Lord | 1Password NIST and AI agents: 1Password’s approach to agent identity | 1Password Go beyond device health with External Checks in 1Password Device Trust | 1Password Natoma and 1Password help enterprises scale AI securely with governed agent access | 1Password New integrations between 1Password SaaS Manager and EPM | 1Password A first step toward post-quantum security | 1Password RSA 2026: Leading the way to secure agentic AI | 1Password How 1Password is Building a Culture of AI Fluency Through AI Champions | 1Password 1Password vs. Keeper Security: A comparison | 1Password 1Password vs. LastPass: Which is right for you? | 1Password Secure MCP credentials with 1Password and Runlayer | 1Password The next layer of AI security | 1Password Building the next chapter of Go-to-Market in EMEA | 1Password Automating SOC workflows with 1Password Enterprise Password Manager | 1Password Automated Provisioning hosted by 1Password: A Simpler, Smarter Way to Manage Access | 1Password Introducing 1Password® Unified Access: Identity Security for Humans and Their AI Agents | 1Password Next-generation automated provisioning, without compromising zero-knowledge security | 1Password Bitwarden vs. 1Password: Which password manager is right for you? | 1Password Password Manager for Families, Enterprise & Business | 1Password | 1Password How to wrangle SaaS contract renewals | 1Password Stop trusting consumer browsers with work credentials | 1Password IAM stops at sign-in. Your credentials do not. | 1Password Your digital pit crew: a 10-minute pre-race security checklist | 1Password 1Password Device Trust is coming to EMEA | 1Password The identity transformation: Analyst and CIO insights | 1Password Why now is the moment to join 1Password Go-To-Market | 1Password Identity and Accountability in the Age of AI Agents | 1Password How 1Password secures agent architectures | 1Password 1Password becomes the first global partner to transact through Express Private Offers in AWS Marketplace | 1Password Start Learning on 1Password Academy | 1Password Expanding Programmatic Access to 1Password | 1Password Zero knowledge vs. a malicious server: A look at ETH Zurich’s research | 1Password Agents are making filesystems cool again | 1Password Black History Month employee spotlight: Joseph Ojelade | 1Password 1Password's new benchmark teaches AI agents how not to get scammed | 1Password Streamlining SaaS onboarding and offboarding | 1Password 3 common SaaS Management challenges and how to avoid them | 1Password How 1Password Is Evolving Its Partner Ecosystem | 1Password How to build secure agent swarms that power production-grade autonomous systems | 1Password From magic to malware: How OpenClaw's agent skills become an attack surface | 1Password Solving the unsanctioned SaaS problem | 1Password 1Password and 60 Day Hustle: cybersecurity for small businesses | 1Password Security advisory for AI-assisted browsing interactions with the 1Password browser extension | 1Password It’s incredible. It’s terrifying. It’s OpenClaw. | 1Password Managing the risks of social logins | 1Password What’s the first security tool your small business should buy? | 1Password As AI Supercharges Phishing Scams, 1Password Introduces Built-In Protection | 1Password How to interview with confidence at 1Password | 1Password Five tips for successful SaaS Management | 1Password SaaS Manager | 1Password Why SaaS License Waste Is a Cost and Security Problem | 1Password AI is changing the IDE. With 1Password, security keeps up | 1Password How IT teams can get a handle on shadow IT | 1Password Bringing secure, just-in-time secrets to Cursor with 1Password | 1Password The Chasing Entropy Podcast Season One is in the Books | 1Password Now available via QBS Software: 1Password Enterprise Password Manager – MSP Edition | 1Password The role of credentials in the AI espionage campaign reported by Anthropic | 1Password AWS and 1Password: Innovation in AI and beyond | 1Password Simplifying credential security on OpenAI Atlas | 1Password From Social Work to Social Impact: Growing at 1Password | 1Password Improving in-page notifications in the 1Password browser extension | 1Password Password Manager for Families, Enterprise & Business | 1Password | 1Password Now available via Renaissance: 1Password Enterprise Password Manager – MSP Edition | 1Password Behind the wheel at Oracle Red Bull Racing | 1Password Securing MCP servers with 1Password: Stop credential exposure in your agent configurations | 1Password What’s new in 1Password Enterprise Password Manager - Q4, 2025 | 1Password Belonging as a catalyst for high performance | 1Password Password habits are worsening, but leaders see a path to passwordless | 1Password A simpler, faster way to unlock 1Password | 1Password Oracle Red Bull Racing Episode 4, CIO Matt Cadieux | 1Password 70% of IT and security pros say SSO is falling short | 1Password 1Password's Phishing Survey: Avoid Holiday Phishing Scams | 1Password Securing the Win | 1Password SaaS optimization: How to maximize value and reduce costs | 1Password The enterprise AI crisis: Unsanctioned tools and unenforced policies | 1Password An Identity Security taxonomy for Agentic AI | 1Password Introducing new .env file support in 1Password environments | 1Password Speed and security: Mark Hazelton on protecting Oracle Red Bull Racing’s most valuable asset – its data | 1Password 1Password for Good: Giving back during cybersecurity awareness month | 1Password Utah Mammoth and Utah Jazz score with identity security | 1Password Oracle Red Bull Racing CEO and Team Principal | 1Password Three signs you need a SaaS Management Platform | 1Password Closing the credential risk gap for AI agents using a browser | 1Password Microsoft and Dropbox password managers are sunsetting: What it means and what to do next | 1Password From hackathon nerves to internship wins: Kavya’s journey at 1Password | 1Password 1Password now available in Comet, the AI-powered browser by Perplexity | 1Password 1Password announces new integration with Zscaler | 1Password Breaking the mold: Why more women should consider a career in sales | 1Password What security leaders need to know about mergers and acquisitions | 1Password Clickjacking: What it means for 1Password users | 1Password AI and security at Black Hat: 5 key takeaways from a security expert panel | 1Password Blog | 1Password Do any CISOs feel lucky? | 1Password How to lead with confidence in the AI era: a conversation with Nancy Wang, VP, Engineering | 1Password New Device Trust Check makes browser extension enforcement easier | 1Password Purpose, performance, and trust: Inside the culture powering 1Password’s next chapter | 1Password Now available on Pax8 Marketplace: 1Password Enterprise Password Manager - MSP Edition | 1Password The security principles guiding 1Password’s approach to AI | 1Password Choosing the right SaaS management platform for your business | 1Password Simplify access reviews with 1Password SaaS Manager | 1Password How great usability tripled Duke University's password manager adoption | 1Password
The hidden offboarding step draining your budget | 1Password
info@1password.com (Jenn Marshall) · 2025-12-04 · via Blog on 1Password Blog

There’s a good chance something important is missing from your IT team’s offboarding checklist, and it may be causing a steady drip of unnecessary, wasted spend. The source of this leak? No, it’s not the unreturned laptops; it’s the licenses for SaaS apps that employees use every day. 

The SaaS landscape is littered with apps outside IT’s direct control, and when there’s employee turnover, it’s often difficult to ensure that every license across every app is accounted for. One symptom of this problem is that former employees often retain access to apps long after they should have been revoked. In fact, 1Password’s research found that 38% of employees have accessed a prior employer’s accounts after leaving the company. That’s not so much a leaky faucet as a burst pipe.

The problem here is that the average IT stack wasn’t built for comprehensive offboarding. The majority of IT teams handle offboarding through a combination of automation and manual processes, but this piecemeal approach is both time-consuming and error-prone. While you can achieve some level of centralized, automated onboarding via IdP/SSO, it can only revoke access to SSO-managed apps, and on average, only about two-thirds of a company’s apps are behind SSO. And, depending on the level of integration between the SSO provider and app vendor, you may only be able to revoke a user’s access, rather than deleting and reclaiming the user’s license.

And what about unsanctioned, shadow IT apps? 52% of employees admit to downloading work apps without IT approval, and these can remain active for years, silently draining budget and putting company data at risk.

If these problems sound familiar, it could be time to rethink your SaaS discovery and offboarding processes. This blog explores the costs associated with incomplete offboarding. It highlights how a SaaS management platform (SMP) can complement your IdP to deliver more comprehensive, cost-effective deprovisioning while reducing IT burden.

The cost of improper SaaS offboarding

How much money could you claw back by identifying and closing orphaned accounts? To estimate how much budget businesses lose on unused subscriptions, let’s start with shadow IT. Our research found that a single employee uses an average of five shadow IT applications, so let’s calculate how those costs can add up at an imaginary organization with 500 employees.

  • 500 employees, with a 15% annual turnover rate = 75 leavers per year

  • 75 leavers x 5 shadow IT apps = 375 orphaned licenses

  • Assume an average license cost of $17/per user (the cost of a Jira Premium subscription)

  • 375 x $17 = $6,375 in wasted spend annually

And remember, shadow IT only accounts for a fraction of improperly offboarded accounts. The actual costs are much higher when you factor in approved apps that aren’t behind SSO, or for which the SSO integration doesn’t reclaim licenses during offboarding.

The labor cost of manual deprovisioning

Offboarding is an expensive process, both in terms of wasted budget and wasted time. According to a Ponemon Institute report, deprovisioning an exiting employee – including identifying unsanctioned apps – requires approximately eight hours of work. Automating these processes with an SMP frees up IT to focus on more strategic projects that deliver greater business impact. 

For example, Moonpig, an online retailer, used SaaS Manager to improve efficiency and compliance in their offboarding process. According to Bill Penberthy, their head of IT: “SaaS Manager replaced up to three hours of manual work per leaver with just 25 minutes of auditable, repeatable processes, allowing us to focus on value-added projects and supporting our end users in the best way possible.”

Cybersecurity and non-compliance costs 

When sensitive customer, employee, and internal data are left exposed in unsanctioned applications and orphaned accounts, they become targets for cybercriminals. Fixing the damage from a data breach can be a significant undertaking. The Ponemon Institute estimated that the average annual cost to U.S. companies for investigating and remediating cybersecurity incidents related to unsanctioned SaaS apps exceeds a quarter of a million dollars.

In terms of compliance, incomplete offboarding, including leaving orphaned SaaS accounts, can lead to privacy, legal, and regulatory compliance issues, as well as fines related to data protection laws such as GDPR and HIPAA. Conducting regular access reviews (not just revoking access during offboarding) is a crucial step to ensure least privilege and minimize data exposure. SaaS Manager’s automated access reviews simplify compliance by providing a detailed, exportable audit trail of every access decision for auditors. 

Offboarding also has a direct impact on business continuity. Moonpig, for example, used SaaS Manager to shut down unsanctioned SaaS accounts, redirect emails, and transfer departing employees’ Google Workspace files to designated colleagues, ensuring that no vital data was lost. 

How IdPs and SaaS Management Platforms work together for secure offboarding

No matter how robust your SSO strategy is, it’s inevitable that some SaaS apps will live outside it. These are often legitimate applications, but they’re not integrated with SSO for reasons such as: 

  • The SaaS vendor doesn’t support the integration

  • It’s too time-consuming or complicated to integrate

  • The organization hasn’t paid for the enterprise license tier 

Even for integrated apps, an IdP often can’t automate critical offboarding steps like transferring data, delegating inboxes, or handling license repurposing.

Okta was covering some of our employee offboarding needs for a subset of apps, but often by removing access only and not actual accounts & licenses - this left significant cost and compliance gaps. SaaS Manager workflows operate seamlessly with Okta and our ITSM (Zendesk) to reclaim leavers’ software licenses, allocate them to other employees as needed, or drop them to reduce our overall licensing costs.” -Bill Penberthy, Head of IT, Moonpig

SMPs like SaaS Manager fill these gaps by managing the entire app lifecycle: discovering shadow IT, provisioning access, conducting regular access reviews, and providing comprehensive offboarding. However, not all SaaS management platforms are the same. When looking for an SMP, ensure it can: 

  • Combine SaaS usage data with information about SaaS contracts

  • Continuously discover all the work-related apps employees use, including managed apps, Shadow IT, OAuth (“sign in with Google”), and integrations with business systems

  • Revoke access to every app (including apps outside SSO) during offboarding

  • Remove licenses when employees leave

  • Offer a wide breadth of native integrations, connecting with hundreds of apps that employees use

  • Build a unified inventory of all apps, users, licenses, and contracts for a single source of truth

Why SaaS Manager is IT’s offboarding friend

SaaS Manager complements your IdP by extending governance to sanctioned and unsanctioned SaaS apps, allowing IT teams to delete and reclaim licenses – not just revoke access. Other offboarding benefits include: 

  • Business continuity: Automatically prompts managers to save and transfer assets, like files and email inboxes, when employees leave.

  • License management: Automatically identifies which licenses are actually in use and whether licenses should be revoked or reassigned. This includes automatic communication with employees and managers via Slack and Microsoft Teams to ask if they still require a specific app license. 

  • Redundant applications & spend optimization: Helps IT and finance teams identify redundant apps and streamline upcoming renewals. This enables companies to cut waste and make smarter SaaS investments.

  • Clear audit trails: Documented proof that orphaned accounts have been closed and data deleted for compliance.

Want to learn more about how SaaS management platforms can help IT provide more comprehensive and cost-effective offboarding? Download The IT manager’s guide to streamlining onboarding and offboarding and explore best practices.