Jørgen Andreassen has run IT at Elkonor since 2008. He does not like mess, and it shows in the way he works. Inactive users do not get to sit around gathering dust on his watch. He clears them out regularly, roughly once a month.

The driver is security.

Cost and licensing are not that important. It is mostly about security.

The thinking is simple. An account that is no longer in use is still a valid login. It is a key into the environment, and the password does not care that the person left a year ago. An attacker does not need to break in. They can simply log in with an account that was never closed.

And the numbers confirm that this happens. Nearly 70% of all security incidents start with an identity, such as a stolen password or a brute force attempt. An inactive account is exactly that kind of opening, and it is the one Jørgen closes every month.

Before Bsure he did not have the overview he needed. With many users spread across several companies in the same environment, it quickly became unclear who was actually active. He is honest about how things stood:

We did not really solve it.

A fixed routine

When Bsure shows which users and guests are inactive, it goes quickly. Jørgen pulls the list, runs it through his own PowerShell scripts and deactivates. Last time around 40 users were handled in a single run.

He does not wait for answers from dozens of companies.

I would rather deal with it if someone gets in touch afterwards.

And they rarely do. The error rate stays under 1%.

Savings are a nice bonus

The first cleanup took around four hours, because there was a backlog waiting. Now the monthly review is done in half an hour. Along the way it also frees up some licences at renewal, and with that some money. A nice bonus on top of a safer environment.

Jørgen's advice

Jørgen's advice is clear.

The first is to set aside some time at the start. You get the overview handed to you, but you need to get familiar with it and decide what should actually happen to what you find.

The second is to dare to act. Jørgen does not wait for every company to confirm that an account can be removed. He clears it out and handles the few queries that come up afterwards. For him security weighs heavier: an account left standing because no one spoke up is a bigger risk than the occasional phone call.

And then there is the order of things. Many start with the licences, because that is where the money is. Jørgen flips it around:

Start with the user, and the licence follows naturally. Not the other way around.

For Jørgen it comes down to starting in the right place. Tackle the identities, and you tackle security where it actually begins.