Are orphaned accounts threatening your security?

February 5, 2019

Think of an orphan and you’ll probably picture a helpless child. But when it comes to orphaned accounts, there’s nothing harmless about them. While the term doesn’t sound too menacing, they can represent a serious threat to your IT security.

If your organization is typical, your IT team probably assigns an account to each user to differentiate their identity and their supporting data. Different types of accounts might have different information associated with them, from customers and employees to staff administrators who need to access data, services, or applications.

A few examples of accounts include:

  • Corporate Active Directory accounts. The information here might include a username, first name, last name, password, phone number and email address. Employee accounts would likely include the other internal groups they belong to so they can access files and applications.  
  • A website account. Users that access a site or subscribe to a service would have accounts that probably contain a username, password and subscription information.  
  • Service accounts. Instead of being assigned to individuals, these accounts are used only by a service or application to access other services or applications. Their information typically consists of permissions and restrictions. These need to be monitored and managed just as user accounts would be to ensure they function correctly and are used for the right resources.

While the range of accounts in your organization may differ in purpose, any of them can turn into an orphaned account. So let’s talk about how to spot these accounts, how they happen and how they can open a gap in your security program.

Birth of an orphaned account
Most of the accounts in your organization are going to be in active use. Depending on their function, their users might be in and out of the account all day or log in a few times a month.

But eventually those users might leave the company, change their email address, transition into a new role or adopt a new platform. In other words, they’ll no longer need that account. Even service accounts can become obsolete when applications are upgraded, changed, or removed.

Now here’s what should happen: the company or provider preserves these accounts for a brief and pre-determined period, in case the service or application is reactivated or the original user decides they need the account again. After that grace period ends, the company deletes the accounts and removes all information – what we call “de-provisioning” in identity governance.

Of course, IT teams being as busy as they are, this process isn’t always completed as it should be. When it isn’t, these accounts become orphaned accounts, unused but continuing to exist in their original systems.

That might sound harmless, but your orphaned accounts can pose security risks for three reasons.

1. They open a door to unauthorized users.
If they’re not disposed of correctly, unused accounts can still offer access to email mailboxes, application logins, sensitive data or intellectual property. Potentially, that means the former user could regain access to private information and valuable resources, even though the user no longer has a legitimate purpose for that access. Another possibility: an application could continue to operate and consume bandwidth long after it was supposed to be de-commissioned.

Imagine a bank employee quits their job but retains access to their employee ID login and internal applications – including the ability to manipulate customer checking accounts. That’s just one example of how former employees and other unauthorized users can slip past security controls.

2. Orphaned accounts can invite attacks.
In reality, most former employees will forget about their old workplace accounts. Even so, the orphaned account still represents a vulnerability. Because no one’s using it, the account won’t evolve along with password updates and modifications to meet new security policies. Your security team may implement requirements for password complexity or change cycles but the orphaned account is frozen in time, often with a simple or weak password that can be easily guessed.

Make no mistake, attackers know how exploitable these accounts can be. Many will deliberately target ignored or inactive accounts to gain a toehold in your system.

3. Shared credentials can provide illegitimate access.
Credential sharing may be against policy, but it happens all the time. If the original account user shared their password or login information with someone else, that other person will have access to services and data they were never authorized for in the first place. Worse yet, because the password was never registered to them, you may have a difficult time identifying who these users are.

This problem is especially frequent with service accounts. Often other applications will continue to use the account due to error or mis-configuration, which means a needless consumption of resources.

Eliminating orphaned accounts from your organization
By now, you can see how orphaned accounts can spring up like weeds in your organization – and if you’re not careful, they can grow into even bigger problems.  

The best way to identify your orphaned accounts and cut off inappropriate access? Conduct an audit of your user accounts. You’ll want to determine four factors:

  1. The resources your legitimate accounts need to access
  2. The business purpose of that access
  3. Any accounts that aren’t being used regularly
  4. Any accounts that don’t follow company and security protocols

In this way, your authorized users will continue to experience smooth access to required resources while your team methodically closes down any unmanned accounts.
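As an added illustration (not part of the original article and not SecureAuth tooling), the audit above can be run over an account inventory export to flag unowned, unused and out-of-policy accounts and to apply the grace period before de-provisioning. The column names, the sample rows and the 90/30/180-day thresholds are assumptions made for this example.

```python
import csv
import io
from datetime import date, timedelta

# Assumed policy values (not from the article); set these from your own standards.
INACTIVE_AFTER = timedelta(days=90)      # factor 3: "not being used regularly"
GRACE_PERIOD = timedelta(days=30)        # hold time before de-provisioning
MAX_PASSWORD_AGE = timedelta(days=180)   # factor 4: password change cycle

# Constructed sample export; real data would come from your directory or IdP.
# owner_left is empty while the owner is still with the organization.
SAMPLE_EXPORT = """account,type,owner,owner_left,last_login,password_set
jdoe,user,jdoe,,2019-01-30,2018-12-01
asmith,user,asmith,2018-10-05,2018-10-02,2017-03-15
bnguyen,user,bnguyen,2019-01-25,2019-01-20,2018-11-11
svc-reports,service,,,2018-06-01,2016-01-04
svc-backup,service,ops-team,,2019-02-04,2017-05-20
"""

def audit(export_text, today):
    """Return {account: [findings]} for every account that needs action."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        idle = today - date.fromisoformat(row["last_login"])
        pw_age = today - date.fromisoformat(row["password_set"])
        if not row["owner"]:
            issues.append("no accountable owner")
        if row["owner_left"]:
            # Owner has departed: keep the account disabled during the grace
            # period, then delete it and its data once the period has passed.
            gone = today - date.fromisoformat(row["owner_left"])
            issues.append("deprovision: owner left, grace period expired"
                          if gone > GRACE_PERIOD
                          else "disable: owner left, within grace period")
        elif idle > INACTIVE_AFTER:
            issues.append(f"inactive for {idle.days} days")
        if pw_age > MAX_PASSWORD_AGE:
            issues.append(f"password is {pw_age.days} days old")
        if issues:
            findings[row["account"]] = issues
    return findings

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_EXPORT, date(2019, 2, 5)).items():
        print(f"{account}: {'; '.join(issues)}")
```

Note that svc-backup is flagged even though it is in daily use: an account can be active and still be frozen on an old password.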

In IT, smart account management goes hand in hand with strong security. Attackers are relentless and looking for any vulnerability they can use. But by deleting your orphaned accounts before they can be exploited, your defense against attacks will be that much stronger.
 
