
Orphan Accounts. What are they and what to do about them?

Orphan accounts are accounts that still provide access to corporate systems, services and applications but no longer have a valid owner.


It is inevitable that people change jobs, whether or not they stay in the same company, all the time. It is also inevitable that this entails extra work, mainly administrative tasks, on the employer's side. One of those tasks is to revoke the credentials and deactivate all the accounts the former employee was using. This seems like a logical and important step, and yet it is often overlooked. The result is so-called 'orphan accounts', which can be hazardous for your company.

What are orphan accounts exactly?

An orphan account is an account that no longer has a valid owner but can still provide access to an organization's systems. Orphan accounts arise when people stop working at a company. As mentioned, when people change jobs they leave behind accounts they no longer need, and nobody takes responsibility for cleaning them up. Switching jobs is not the only cause, however. Accounts are also abandoned when a user's e-mail address changes, when the user moves to a new role in the company and keeps the accounts of the old one, or when a new platform is installed and the accounts on the old one are never decommissioned.

Threats under the radar

Even though an orphan account has no valid owner, it still provides access to corporate systems, services and applications, which may include sensitive data and intellectual property. Orphan accounts therefore carry a high security risk: a single account that falls into the wrong hands can put the entire environment at risk. Because an orphan account is still a legitimate account of the organization, whoever uses it is acting as a trusted insider, and the activity blends in with normal traffic without triggering any suspicion.

It is clear that these accounts should be dealt with as soon as they lose their valid owner. The problem with orphan accounts, however, is that they tend to disappear from view and quietly slumber somewhere below the radar. The IT department may be busy with other things and forget about them, or the accounts may have been created without IT being notified, so they were never managed in the first place. People tend to assume that the risk fades over the years, but the opposite is true: an orphan account no longer follows the organization's security practices (its password is never rotated, it is never brought under newer controls, and it is never reviewed), so it becomes more vulnerable over time.

Because orphan accounts operate under the radar, they spread like weeds and the security risk can easily spiral out of control. Companies can end up with thousands of these accounts without being aware of it, and it happens more often than you think. According to a study by Thycotic, 55% of organizations fail to remove privileged accounts after an employee is terminated. That figure covers only privileged accounts; the total number of orphaned accounts is probably much higher.

The importance of de-provisioning

The issue of orphan accounts is situated within the joiner-mover-leaver process. Every part of an employee’s “lifecycle” at a certain company needs to be properly managed. Whether it is someone joining an organization or someone leaving: specific actions need to be taken. This is done through provisioning and de-provisioning, which are two identity and access management (IAM) processes to grant or remove access, respectively. The first one usually gets the most attention, as people who join a company need to be given access to certain systems or resources to properly execute their job. However, de-provisioning is equally important. When a staff member leaves the company, all relevant accounts need to be properly and completely deactivated. It is common sense that departing employees need to hand over the keys of their company car, so it should be just as obvious to terminate their keys to the organization’s network.

The identity and access management of a company should always contain an efficient approach to de-provisioning. It is paramount that a company possesses the right tools to easily terminate orphan accounts. It is arguably even more important to be able to find orphan accounts in the first place. Therefore, your IAM architecture should also include a smart access governance solution that can easily find and keep track of existing orphan accounts.
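The core of "finding orphan accounts" is a reconciliation: every account exported from every system is matched against the authoritative list of people, and anything without an active owner is a finding. The script below is an added example written for this article, not Elimity's code or an excerpt from its product. The HR feed, the account exports, the "terminated" status value, the 90-day dormancy threshold and the reporting date are all constructed assumptions; in practice the feed would come from your HRIS and the account lists from each system's admin API. It covers the three causes described above: a leaver whose account was never de-provisioned, an account whose login is a former e-mail address and is no longer linked to anyone, and an account created outside IAM with no matching identity at all.

```python
"""Detect orphan accounts by reconciling system account exports against the HR roster.

Added example, not Elimity's code. The HR feed and account exports below are
constructed for illustration; real ones would come from your HRIS and from each
system's user list (directory, SaaS admin API, database roles, ...).
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2024, 6, 30)          # fixed reporting date so results are reproducible
DORMANT_AFTER_DAYS = 90            # assumed threshold for flagging inactivity


@dataclass(frozen=True)
class Employee:
    employee_id: str
    email: str
    status: str                    # "active" or "terminated" in this constructed feed
    former_emails: tuple = ()      # previous addresses HR still knows about


@dataclass(frozen=True)
class Account:
    system: str
    login: str
    owner_id: Optional[str]        # HR id if the system records one, else None
    privileged: bool
    last_login: Optional[date]


def build_hr_index(employees):
    """Index employees by id and by every e-mail (current and former) HR knows."""
    by_id, by_email = {}, {}
    for emp in employees:
        by_id[emp.employee_id] = emp
        by_email[emp.email.lower()] = emp
        for old in emp.former_emails:
            by_email[old.lower()] = emp
    return by_id, by_email


def classify(account, by_id, by_email):
    """Return None for a validly owned account, otherwise the reason it needs action."""
    owner = by_id.get(account.owner_id) if account.owner_id else None
    if owner is None:
        # No owner link recorded: fall back to matching the login as an e-mail address.
        owner = by_email.get(account.login.lower())
    if owner is None:
        return "no matching identity in HR (leaver, or created outside IAM)"
    if owner.status != "active":
        return f"owner {owner.employee_id} is {owner.status}; de-provision"
    if account.owner_id is None and account.login.lower() != owner.email.lower():
        return f"login is a former e-mail of {owner.employee_id}; re-link or rename"
    return None


def find_orphans(accounts, employees):
    """List accounts without a valid active owner, privileged ones first."""
    by_id, by_email = build_hr_index(employees)
    findings = []
    for acct in accounts:
        reason = classify(acct, by_id, by_email)
        if reason is None:
            continue
        idle = (AS_OF - acct.last_login).days if acct.last_login else None
        findings.append({
            "system": acct.system,
            "login": acct.login,
            "privileged": acct.privileged,
            "reason": reason,
            # Never-used or long-idle accounts are the ones that "slumber below the radar".
            "dormant": idle is None or idle > DORMANT_AFTER_DAYS,
        })
    findings.sort(key=lambda f: (not f["privileged"], f["system"], f["login"]))
    return findings


# Constructed sample data.
SAMPLE_EMPLOYEES = [
    Employee("E001", "alice@example.com", "active"),
    Employee("E002", "bob@example.com", "terminated"),
    Employee("E003", "carol.smith@example.com", "active",
             former_emails=("carol.jones@example.com",)),
]

SAMPLE_ACCOUNTS = [
    Account("vpn", "alice@example.com", "E001", False, date(2024, 6, 28)),
    Account("vpn", "bob@example.com", "E002", True, date(2024, 1, 15)),         # leaver
    Account("crm", "alice@example.com", None, False, date(2024, 6, 29)),
    Account("crm", "carol.jones@example.com", None, False, date(2024, 6, 20)),  # renamed
    Account("db-admin", "svc_legacy", None, True, None),                        # never linked
]

if __name__ == "__main__":
    for f in find_orphans(SAMPLE_ACCOUNTS, SAMPLE_EMPLOYEES):
        flags = ("PRIV " if f["privileged"] else "") + ("DORMANT" if f["dormant"] else "")
        print(f"{f['system']:10} {f['login']:28} {flags:13} {f['reason']}")
```

Two design points matter here. First, the match is done against the HR roster, not against the directory: a directory account can itself be an orphan, so it cannot be the source of truth for who still works for you. Second, the former-e-mail case is reported separately from the leaver case, because the remedy differs (re-link or rename rather than disable); an account that merely looks unowned because of a rename is the kind of mover artefact that would otherwise be disabled by mistake or, more often, ignored.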

Where Elimity comes in

Elimity Insights is a complete SaaS identity governance 2.0 solution which – amongst many other things – enables you to scan the access rights of all current and former employees on the fly, allowing you to easily take care of orphan accounts.


