I'm really interested in how different IT teams handle the cleanup of external vendor access. When do you typically review or revoke access for these external parties? Is it initiated by someone on the team, on a regular schedule, or is it more of an afterthought? If you don't have a proactive process in place, what are the obstacles? I'm looking to gather insights from others on this topic. Thanks!
3 Answers
We usually clean up vendor access when we lose trust in them. That’s when we know it’s time to review their access and take action.
We grant access for a limited time only. For instance, when a vendor requires access, we provide them with a VPN account that has an expiry date. This way, even if we forget, the account will eventually expire automatically.
That sounds like a smart method! Does this expiration system work well across all your platforms, or is it mainly for core systems like VPN and Active Directory? What about tools like Jira?
The approach really depends on the vendor, the purpose of their access, and the level of trust we have. Some vendors can only access certain areas under supervision, while others might have full access without oversight. For example, our network and firewall support partners have admin access to critical devices because they need it.

I understand that! But does it make finding and removing access easy, or is it often a manual process to track down users that need to be cut off?