
The Hidden Security Risk in Your Fortinet Devices: How to Properly Delete Cloud Accounts


For organizations using Fortinet's extensive cybersecurity ecosystem, managing cloud accounts is a critical but often overlooked aspect of digital security. While official documentation provides straightforward procedures for account deletion across various Fortinet products like FortiCASB and FortiCWP, real-world experiences from IT administrators reveal significant challenges when attempting to remove accounts, particularly when transitioning between service providers or dealing with legacy configurations. These challenges pose genuine security risks, including potential unauthorized access by former vendors or employees. This investigation examines the official procedures, documents the practical complications, and provides guidance on navigating Fortinet's account deletion processes while addressing data privacy considerations under regulations like GDPR and CCPA.

Official Fortinet Account Deletion Procedures

FortiCASB Cloud Account Removal

According to Fortinet's documentation for FortiCASB (Cloud Access Security Broker), deleting a cloud account follows a relatively straightforward process. Administrators have two primary methods to initiate deletion: either through the Overview > Dashboard section by clicking the configuration button and selecting "Delete Account," or via the cloud app dropdown menu (e.g., Salesforce) using the same configuration button and delete option.

The documentation notes an important implementation detail: "It will take a couple hours to delete the cloud account, and during this time you will not be able to add another account." This indicates that while the process is straightforward from a user interface perspective, backend processing requires time to complete fully.

FortiCWP Account Deletion Process

For FortiCWP (Cloud Workload Protection), the deletion process involves more specific steps aimed at freeing up Workload Guardian License seats. Administrators must navigate to Admin > Account in the FortiCWP navigation pane, scroll to the Cloud Account section, select the account for deletion, click the Action button, choose "Delete," check all options in the confirmation dialog box, and finally click "Delete Cloud Account" to complete the process.

This more detailed procedure suggests increased caution for workload protection accounts, potentially due to their closer integration with protected resources and licensing implications. The requirement to "check all options in the pop-up delete cloud account check box" indicates multiple confirmations are needed, possibly including acknowledgments of security implications.

Real-World Challenges and Security Implications

The Orphaned Account Problem

Despite seemingly straightforward official procedures, actual implementation faces significant hurdles, particularly with FortiGate devices. A Reddit user working as an IT specialist at junior schools documented a troubling scenario: after changing network service providers, their FortiGate devices retained the previous company's FortiCloud accounts even after device resets. This created a persistent security vulnerability where the former vendor could potentially maintain remote management capabilities.

The user explained: "We want that to be removed, otherwise they still can manage the FortiGate remotely. They said they contacted Fortinet, and that Fortinet have to remove that. It's been 1 month. Every time we ask them, they tell us something different." This experience highlights a critical gap between documentation and reality—while interfaces suggest administrators can delete accounts, some configurations effectively lock accounts in place without the original credentials.

Technical Limitations and Workarounds

Accompanying screenshots from the Reddit discussion show that administrators attempting to remove accounts encounter interface limitations requiring the "password from that company account, which we don't have." This creates a security limbo where devices remain partially under external control despite organizational ownership changes.

This scenario isn't merely hypothetical inconvenience—it represents tangible security risks for organizations. Former vendors with retained access could potentially monitor traffic, modify configurations, or even lock legitimate administrators out of their own security infrastructure. The extended timeline (one month without resolution) further complicates security planning during provider transitions.

Privacy Regulations and Account Deletion Rights

Formal Data Deletion Requests

Beyond interface-based deletions, Fortinet acknowledges formal data rights through privacy regulation compliance. YourDigitalRights.org documents Fortinet's participation in data access and deletion request processes, providing users with mechanisms to exercise rights under GDPR, CCPA, and other privacy frameworks.

The service allows individuals to send Fortinet formal requests for account deletion or data access by providing identifying information such as usernames, customer IDs, or account numbers. This formal channel serves as an important alternative when standard administrative interfaces prove inadequate, particularly for complete account eradication rather than just access removal from specific devices.

Corporate Background and Data Handling

Fortinet, founded in 2000 and headquartered in Sunnyvale, CA, describes its mission as "to secure people, devices, and data everywhere." As a public company in the computer and network security industry, it maintains extensive privacy policies governing data handling. The availability of formal deletion mechanisms aligns with its enterprise focus and regulatory obligations, though the complexity of its product ecosystem can make complete account eradication challenging.

Best Practices for Secure Account Management

Proactive Account Governance

Based on documented procedures and user experiences, organizations should implement several key practices:

  1. Maintain credential ownership during vendor engagements, ensuring administrative accounts are created with organizational credentials rather than vendor credentials
  2. Document all cloud account registrations across the Fortinet ecosystem, including which devices are associated with each account
  3. Establish formal offboarding procedures that include specific Fortinet account removal steps when transitioning between service providers
  4. Regularly audit FortiCloud associations as part of standard security reviews, particularly after personnel or vendor changes
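As an added example (not from the article, and not a Fortinet tool or API), the following Python script applies practices 2 and 4 above: it reconciles a documented device inventory against the FortiCloud accounts the organization owns and the vendor engagements on record, flagging devices still tied to a former vendor's account, to an active vendor's account, or to an account nobody documented. All serials, account addresses and dates are constructed.

```python
"""Reconcile a FortiGate inventory against org-owned cloud accounts and vendor engagements."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Device:
    serial: str          # device serial number (constructed sample values below)
    site: str
    cloud_account: str   # FortiCloud account the device is registered to

@dataclass(frozen=True)
class Engagement:
    account: str         # account the vendor used to register devices
    vendor: str
    ended: Optional[date]  # None while the engagement is still active

# Constructed sample data: hypothetical accounts, serials and dates.
ORG_ACCOUNTS = {"netops@school.example"}
ENGAGEMENTS = [
    Engagement("support@old-msp.example", "Old MSP", date(2024, 3, 31)),
    Engagement("noc@current-msp.example", "Current MSP", None),
]
INVENTORY = [
    Device("FGT60F-0001", "Main campus", "netops@school.example"),
    Device("FGT60F-0002", "Annex", "support@old-msp.example"),
    Device("FGT60F-0003", "Library", "noc@current-msp.example"),
    Device("FGT60F-0004", "Sports hall", "someone@unknown.example"),
]
AUDIT_DATE = date(2024, 6, 1)

def audit(inventory, org_accounts, engagements, today):
    """Return {serial: finding} for every device whose cloud association needs action."""
    by_account = {e.account: e for e in engagements}
    findings = {}
    for dev in inventory:
        if dev.cloud_account in org_accounts:
            continue  # registered under an organization-owned account: nothing to do
        eng = by_account.get(dev.cloud_account)
        if eng is None:
            findings[dev.serial] = "registered to an account nobody documented; investigate"
        elif eng.ended is not None and eng.ended <= today:
            findings[dev.serial] = f"orphaned: still tied to {eng.vendor}'s account (ended {eng.ended})"
        else:
            findings[dev.serial] = f"vendor-owned account ({eng.vendor}); migrate to an org account"
    return findings

if __name__ == "__main__":
    for serial, msg in audit(INVENTORY, ORG_ACCOUNTS, ENGAGEMENTS, AUDIT_DATE).items():
        print(serial, msg)
```

Run it against a real inventory export by replacing the constructed lists; the orphaned finding is the condition the Reddit case above describes.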

Escalation Pathways for Problem Resolution

When standard deletion procedures fail, administrators should:

  1. Engage Fortinet support directly rather than relying on intermediate vendors, providing device serial numbers and ownership documentation
  2. Utilize formal privacy request channels for comprehensive account deletion when necessary
  3. Consider factory resets with documentation of the configuration before attempting to disassociate problematic accounts
  4. Maintain pressure on former vendors to properly release accounts, potentially involving legal considerations for contract compliance

Frequently Asked Questions

How long does it take to delete a Fortinet cloud account?

According to FortiCASB documentation, account deletion typically requires "a couple hours," during which you cannot add another account. However, real-world experiences suggest that complex cases, especially with FortiGate devices, may take significantly longer (potentially weeks) when former vendors control the associated accounts.

What should I do if I cannot remove a previous vendor's account from my FortiGate device?

First, document the issue with screenshots showing the account cannot be removed. Contact Fortinet support directly with device serial numbers and proof of ownership. Simultaneously, formally request the former vendor to disassociate the account. As a last resort, consider initiating a formal data deletion request through privacy channels if the account contains your organizational data.

Are there different deletion procedures for different Fortinet products?

Yes. While core concepts are similar, specific navigation varies. FortiCASB uses Overview > Dashboard or cloud app dropdowns, while FortiCWP uses Admin > Account. Other Fortinet products likely have their own specific navigation paths, so consult the relevant product documentation.

Can I delete my entire Fortinet.com account through the administrative interface?

Standard product interfaces typically only manage product-specific accounts. For complete Fortinet.com account deletion, you likely need to use formal data deletion requests through privacy channels, especially if your account spans multiple Fortinet services or contains billing information.

What happens to my devices if I delete their associated cloud account?

Documentation doesn't explicitly detail device impacts, but logically, devices would lose cloud management capabilities, remote monitoring, and potentially cloud-based security updates. It's advisable to ensure you have local management access configured before deleting cloud accounts and understand which functionalities depend on cloud connectivity.

How can I prevent account removal problems when working with vendors?

Establish clear contractual terms about account ownership from the beginning. Insist that administrative accounts use your organizational credentials. Maintain your own FortiCloud account to register devices rather than allowing vendors to use their accounts. Document all account associations during the engagement.


Note on Community Forum Content: Some referenced Fortinet Community Forum pages require JavaScript to access their full content. Readers experiencing similar issues may need to enable JavaScript or contact Fortinet support directly for assistance with specific account deletion challenges not covered in available documentation.