It’s growing quickly—its staff has swelled to hundreds of employees in just a few years—and is showing no signs of stopping.
Supporting ACME’s rapid growth and technological needs is a three-person IT team. This team includes Dave Smith*, IT Specialist, whose primary responsibility is managing information technology deployments for both students and teachers.
For a rapidly scaling organization like ACME, relying on multiple SaaS applications like Slack and Zendesk is a must. “Our general philosophy in our IT department is to avoid on-premises/traditional enterprise solutions where we can,” says Smith.
And in this fast-paced, multi-SaaS environment, BetterCloud enables Smith’s lean IT team to operate efficiently and securely.
Up Against the Offboarding Challenge
Teachers change schools within the ACME network, transition roles, or move to different geographic regions. New teachers join, as do new students. Students change classes. ACME also has a centralized corporate team that it manages within the same system, and in many cases, with the same sensitive access.
All of this translates to multiple moving pieces for IT when it comes to user lifecycle management, as well as on- and offboarding. If teachers shift schools, it alters their student record access, for example. Temporary workers like substitute teachers and extracurricular experts need to be offboarded properly. IT may have 15 accounts (e.g., teachers, substitutes, or extracurricular experts) they need to offboard by 5:00 PM on a certain day.
Smith and his team take great care to ensure offboarding is always done correctly and securely. The sensitive nature of the data—i.e., student data privacy—necessitates it.
“There’s a lot of things you must do after the accounts are closed, like transferring their Drive files and forwarding their email. But the important things—like actually locking them out of all of their accounts—must happen immediately. And doing that stuff through the G Suite Admin console is incredibly time consuming,” says Smith.
Smith estimates that prior to purchasing BetterCloud, it used to take him 30 minutes on average to securely offboard one user.
“If I had to do that for 10 or 15 users all at once, it took me the better part of a day to get it done,” he says.
“Most of that is just because the G Suite Admin console is so clunky. That wait time—just sitting around waiting for some of those interfaces to load—builds up relatively quickly. If I needed to manually remove a user from 15 Google groups, that took a really long time,” he adds.
Why GAM Wasn’t a Feasible Solution
Smith soon discovered that command line tools like GAM weren’t robust enough for ACME’s complex operational needs, such as multi-step offboarding processes that touch different data objects like Drive files, groups, and calendars.
“GAM is certainly much faster than using the Admin console, but it can be difficult to know when or if you are making mistakes. It requires an attention to detail that can make finding your mistakes frustrating. When you are dealing with sensitive access, it’s very important to know that things are closing, moving, and transferring as expected,” he says. “With GAM, it’s very difficult to know if you’ve actually succeeded in the command you’re trying to push through. Often times, it’s clumsy.”
“GAM is okay if you need to do one thing at a time. The moment it’s greater than five things, it becomes terrible,” he adds.
The GAM installation process, as well as the training process for new hires, was painful as well. Smith says he wrote keyboard scripts at one point to carry out repetitive tasks because it was faster and more reliable than using GAM.
BetterCloud Reduced Time Spent Offboarding By 83%
But with BetterCloud’s automated workflows, Smith has reduced the time spent offboarding by an astounding 83%. It takes him less than five minutes to offboard a user today.
How does he do it? To start with, he has a triage group in G Suite to hold users who are leaving the organization. Once he moves a user to this organization, it triggers an automated workflow in BetterCloud, which he’s customized to include:
- Suspending the user’s Google account
- Deactivating two-factor authentication
- Removing phone numbers from the account
- Resetting the user’s G Suite password
- Delegating the user’s email
- Transferring the user’s Drive files to their manager
- Disabling IMAP and POP settings
- Removing the user from Slack channels and user groups
- Creating a Zendesk ticket to keep track of this offboarding event
These steps automatically take place, cutting down the manual, repetitive work often associated with offboarding.
“Assuming that I’ve configured the workflow correctly, it shouldn’t take me more than five minutes per user for the total offboarding process. The overall process is about 1/6th of the time,” says Smith.
Offboarding Users Immediately—Anywhere, Anytime
Smith recently used BetterCloud to offboard users even though he wasn’t at his desk. All he did was move those users to the designated org unit, and it automatically kicked off his offboarding workflow.
“I actually did it from my phone while I was out, which is a huge plus,” he says. “I was able to do it without being at my desk for an hour and a half to go through all these things and create a big checklist, which is really helpful.” He added that this can be particularly beneficial if, for example, someone voluntarily leaves on short notice. He can then trigger an offboarding workflow from virtually anywhere, ensuring that their access is terminated immediately.
BetterCloud Reduced Time Spent Onboarding By 94%
The time savings apply to the onboarding process as well. “We use BetterCloud for large-scale onboarding more often than we do offboarding, especially in our schools. Just the other day, I needed to update all our student Google accounts (passwords, org units, etc.) and add 90 new incoming students as well. This was all done in under 15 minutes using BetterCloud,” says Smith. Making all the required new school year onboarding changes without BetterCloud would have taken him three to four hours, he estimates.
For new employees, his team also uses BetterCloud to pre-load new users’ signatures and make sure all of their employee data (e.g., manager, phone, location) is filled out before their first day, so that they can hit the ground running.
BetterCloud Helped Save $15,000+ in Unused License Fees
Turning off accounts is not only important from a security perspective but from a financial one as well.
He recently experienced this firsthand. Though G Suite is their source of truth, it’s synced to Okta, which provisions accounts for many of their services like Slack and Zendesk. Any accounts provisioned by Okta would also be automatically deprovisioned when the Okta accounts closed.
But he soon discovered that this was not the case for accounts created before their adoption of Okta—i.e., accounts not provisioned by Okta. These accounts did not automatically turn off. When these few Slack accounts failed to deprovision through Okta, they appeared to still be active, which was confusing to employees.
This almost got the IT department in hot water, because it made them out to appear negligent or careless—which of course, they weren’t. “We had some employee departures recently, and the Slack accounts stayed active for days at a time because no one had thought of this,” he says.
“Thankfully, nothing came of it. But as a result, we’ve implemented a workflow around Slack which uses the Google accounts to signal that those Slack accounts need to be closed, which has been very helpful.”
Between multiple Slack and Zendesk accounts that weren’t turned off properly, the costs of these unused licenses added up.
“We were going to end up paying $15,000 across several SaaS services over the course of a year that we didn’t need to. There’s obviously ROI around there just in a small department like mine. When you’re operating with a small team, trying to keep track of this stuff is pretty difficult, so automating it out of mind is very helpful,” he says.
Using BetterCloud to Audit & Change Permissions For 800,000 Files
Because ACME is an educational institution, Smith knows that they have highly sensitive data that must be protected. “It’s things like a nine-year-old’s medical records—not something to be taken lightly,” he says. While student records are not stored on Drive, information about students can easily end up in Drive since teachers work heavily in G Suite. But the complexity of this challenge is twofold. In addition to keeping student data safe, his team has large amounts of enterprise data that they need to secure as well.
Before they purchased BetterCloud, Smith’s team was auditing Drive files manually—a Sisyphean task.
“It was very difficult, to the point of impossible,” he says. “We can’t shrug off security, so we ended up using BetterCloud pretty heavily for auditing and reporting.”
“We found that some of BetterCloud’s more useful features were actually around things like document management and security. We knew that a lot of our employees were probably not taking security as seriously as they should be, particularly with regards to Google Drive,” he added.
He was right. Last summer, he discovered that there were 800,000 files shared with everyone in the domain.
Not all of the files were sensitive; in fact, many of them were blank, trashed, or in the Drives of departed employees. Still, he immediately mass changed the permissions on all of those to “Private,” which preserved their intended files shares but reduced their exposure org wide.
“BetterCloud really improved the ability to make that mass change, rather than attempting to audit them all,” he says. “There was certainly a fair deal of things that needed to be reclassified, or things where we had to specifically set aside time with employees to go over their particular practices. In the aftermath, I spent a lot of time giving people permissions back to documents, and I did that through BetterCloud as well.”
The Benefits of One UI: “A Huge Time Saver”
ACME takes advantage of BetterCloud’s integrations into multiple SaaS connectors (integrations with other SaaS applications).
Because BetterCloud provides one central UI for multiple SaaS applications, the training process for new hires became much easier and faster. It’s no longer necessary to train admins on multiple disparate admin consoles.
“I’d love it if everyone was as up to date on all of these different native admin interfaces as I am, but I also need them to be able to do their job very soon after they join the organization,” says Smith.
For example, he says a recently hired technical support specialist was much less familiar with G Suite than he was. However, thanks to BetterCloud’s automated workflows, they were still able to get up and running quickly.
“Rather than having to walk them through the offboarding process four or five times before they’re able to do it on their own, the offboarding process using BetterCloud is really just: ‘Step one: Move users to this org unit. Step two: You’re done.’” While new hires usually have a higher risk of making errors, Smith can rest easier delegating responsibilities to them, knowing that offboarding will be done correctly with BetterCloud’s automated workflows.
“Having the one UI to point people to immediately is a huge time saver,” says Smith. “When you run into the weird one-off issues, then that’s the time to slowly train people on how to use those other native console tools. But 90% of your work is pretty predictable, so being able to do it in one place is super helpful.”
Cleaning Up a Graveyard of Empty Slack Channels
A side effect of having a “particularly Slack-happy company” according to Smith is that empty or redundant channels accumulate over time. Unfortunately for new hires, this creates a jarring onboarding experience.
“When new employees join, they have this extremely daunting list of empty Slack channels—many of which may appear useful based on the name but actually have no users in them,” he says.
For example, some departments create temporary, need-based channels, which then become unused. These empty ad-hoc channels result in a channel graveyard.
With BetterCloud, Smith is able to easily remove all empty public Slack channels with one click, and do this on an ongoing basis through an automated policy. This basic housekeeping task creates a smoother onboarding experience and de-clutters the application for everyone.
Having a Dedicated G Suite Administrator is “An Entirely Unnecessary Expenditure” If You Use BetterCloud
According to Smith, many IT teams run into the same universal problems, regardless of their size. They are faced with two options: either look the other way and pretend that these problems aren’t happening, or hire additional personnel to handle them, which is costly.
Many school districts opt for the latter. They find themselves hiring a G Suite administrator because of the sheer volume of G Suite accounts they have to manage, but this isn’t necessarily the best solution.
“If you want to be able to do all the things that most IT departments wish they could do, the solution is to get a tool that makes it easier, rather than hiring someone to do a specific thing,” says Smith. “Having a dedicated G Suite administrator who does nothing else except deal with all of your G Suite needs seems like a very bad way to spend your money.”
“A dedicated Google admin who does nothing else is an entirely unnecessary expenditure if you use tools like BetterCloud,” he says.
Using BetterCloud to audit documents, on- and offboard users, and fix email signatures in bulk has brought huge benefits to ACME, like the ability to operate lean.
“There are just all these things that enable you to have a smaller IT department,” says Smith. “As a lean educational institution, we’re investing all we can in our schools, but we can’t afford to cut corners. BetterCloud enables us to run a small and effective IT department, while still maintaining high standards for privacy and security around our students.
“Overall, BetterCloud has helped us improve security, speed up our on- and offboarding processes, and achieve a greater degree of simplified control over other SaaS products.”
*Names have been changed to preserve anonymity and protect the customer’s privacy.