Risk
1/24/2013
10:15 PM

Avoiding IAM's Biggest Blunder

Leaving orphan accounts enabled due to poor deprovisioning processes leaves organizations open to fraud and makes it impossible to prove chain of custody

Poorly handling user accounts when people leave an organization or are fired is one of the most common and dangerous identity and access management (IAM) mistakes enterprises make today. Business process flaws, departmental silos, and a lack of automation all stand in the way of streamlining this so-called deprovisioning process. And when organizations don't get a handle on the orphan accounts left behind by an ineffective deprovisioning process, they leave themselves open to fraudulent account use and a lack of visibility that will make regulatory auditors howl.

"The departed individual may use these accounts to gain unauthorized access to systems and data with malicious intent in mind," says Denny Goldberg, director of support services for Avatier, "or other people in the organization that are aware of this account can use it to 'pose' as the departed individual for the same type of malicious behavior."

[What other IAM gaffes are you making? See 7 Costly IAM Mistakes.]

A big part of the problem is the lack of accountability around how accounts are enabled or disabled within an organization.

"The core of the problem is with how well a company understands and does provisioning within their systems and limits the ability of an employee to embed their identity in places that are not part of the corporate provisioning process," says Phil Lieberman, president of Lieberman Software.

In most cases, disabling a user's access involves a slow paper-based or email-based notification process, as HR lets IT know someone has left the organization, Goldberg says.

"This starts a frenzy of activity as the IT staff scrambles to identify the systems that a user may have an account on, and get the gears turning to disable the access across multiple systems, hoping that they find everything," he says.

Organizations that employ Active Directory or even some more advanced IAM solutions may not necessarily find everything due to a plethora of business process silos that end up scattering account information to the winds.

"Identities are typically spread across many disparate data silos -- including LDAP directories, Active Directory, marketing databases, and applications -- and the same identity often exists in more than one source," says Luiza Aguiar, product marketing manager of identity and access management at RSA. "This makes it difficult to create a comprehensive list with each user represented only once for efficient IAM life cycle management as well as authentication, or to build an attribute-rich profile of each user for fine-grained authorization."

For example, even if IT organizations track and find all of the enterprise application accounts assigned to the users, their deprovisioning processes frequently miss social media resources -- like access to corporate LinkedIn, Facebook, and Twitter accounts that are frequently managed outside the traditional IAM infrastructure, Aguiar says.

"What this means from a risk perspective is that after a user leaves the organization, they could potentially access and post information which will put an organization's brand, reputation, and potentially sensitive IP at risk," Aguiar says.

Often orphan accounts are left enabled because of messy provisioning processes that leave permissions so tangled with key business processes that cleaning them up would be a nightmare. For example, Lieberman says he has seen environments where users in IT install line-of-business applications using their personal account as the service account, so that the application runs under that one user's account for everyone who uses it.

"If the employee who installed the application leaves, and the HR or IT department shuts down their account, then the line-of-business application goes offline," he says, explaining that, similarly, when users share resources through their accounts, the fear of business interruptions handcuffs organizations into keeping those accounts open. "Companies are loath to kill off these created resources, fearful of causing disruptions to the business process."

But the risk of insider attacks and compliance problems should prod organizations into action. One of the first steps to getting on the deprovisioning straight-and-narrow is to start by finding existing orphan accounts, says Nishant Kaushik, chief architect for Identropy.

"The most important tool in the organization's arsenal is the reconciliation processes they can set up to track and link all their accounts," he says.

Aguiar agrees, advocating for means to map all user accounts to make it easier to reconcile active accounts against orphaned accounts and to create a list to fuel ongoing deprovisioning processes.

"Seeing a complete, correlated profile on every user enables smarter security decisions," Aguiar says. "Organizations should consider leveraging directory virtualization to externalize user profiles out of disparate and distributed directories."

Ideally, IAM solutions can help automate the deprovisioning process, but at the very least there should be ways to automate notification of account supervisors so they can more quickly handle the accounts that must be manually disabled.

"The IAM solution may not be able to create and delete those accounts in the cloud, but it should be able to notify the person responsible for creating and disabling the access of those accounts, and make them accountable for the completion of those tasks," Goldberg says.

As organizations seek long-term answers to deprovisioning problems, they must create systems that better integrate silos -- for example, by tying together HR and IT notifications -- and that inject ongoing account monitoring, says Chip Tsantes, principal in the financial services office of Ernst & Young.

"They need to eliminate silos in identity and access operations through process integration and automation, close the loop within access request processes with provisioning reconciliation processes, and support it all with detective access review and certification capabilities," Tsantes says.

Activity monitoring tied to orphan account tracking makes it much easier for organizations to tell the difference between rogue accounts and accounts that are only used once in a while.

"Having some sort of activity monitoring that correlates with the orphan account tracking system allows the organization to get some needed context about that account and accurately identify the risk involved," Kaushik says.

Ideally, an IAM solution will come enabled with the ability to monitor and search for accounts based on the length of time since log-in, password expiration, and behaviors prohibited by specific policies, Goldberg says.
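As an added illustration of the reconciliation process Kaushik and Aguiar describe, and of the activity context that Kaushik and Goldberg want correlated with it, here is a small Python script written for this page (it is not vendor code and does not come from any of the article's sources). It links account records pulled from several silos to an HR roster, by employee id where a silo captured one and by normalized e-mail address otherwise; any account that maps to no active person is an orphan, and the orphans are then ranked by privilege and by time since last login so the riskiest are handled first. The roster, the account records, the silo names, the report date and the scoring weights are all constructed for the example.

```python
"""Reconcile accounts from several silos against the HR roster and rank orphans."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Person:
    emp_id: str
    email: str
    active: bool                 # False once HR has marked the person as departed


@dataclass(frozen=True)
class Account:
    source: str                  # the silo the record came from
    username: str
    emp_id: Optional[str]        # silos that never captured an employee id leave this None
    email: Optional[str]
    last_login: Optional[date]   # None: the account has never logged in
    privileged: bool = False


# Constructed sample data (hypothetical roster and account dumps, not real records).
HR_ROSTER = [
    Person("E001", "alice@corp.example", True),
    Person("E002", "bob@corp.example", False),          # Bob has left the company
    Person("E003", "carol.jones@corp.example", True),
]
ACCOUNTS = [
    Account("ActiveDirectory", "alice", "E001", "alice@corp.example", date(2013, 1, 20)),
    Account("ActiveDirectory", "bob", "E002", "bob@corp.example", date(2012, 9, 1)),
    Account("LDAP", "cjones", None, "Carol.Jones@Corp.Example", date(2013, 1, 22)),
    Account("MarketingDB", "bob_marketing", None, "bob@corp.example", None),
    Account("SaaSAdmin", "svc_billing", None, None, date(2013, 1, 23), privileged=True),
    Account("ActiveDirectory", "dave_old", "E009", None, date(2012, 3, 15), privileged=True),
]
REPORT_DATE = date(2013, 1, 24)   # fixed so the sample output is reproducible


def normalize_email(email: str) -> str:
    """Case-fold and trim so the same mailbox matches across silos."""
    return email.strip().lower()


def link_account(acct: Account, roster: List[Person]) -> Optional[Person]:
    """Link an account to a person: employee id first, normalized e-mail as fallback."""
    by_id = {p.emp_id: p for p in roster}
    by_email = {normalize_email(p.email): p for p in roster}
    if acct.emp_id and acct.emp_id in by_id:
        return by_id[acct.emp_id]
    if acct.email:
        return by_email.get(normalize_email(acct.email))
    return None


def days_since_login(acct: Account, today: date) -> Optional[int]:
    """Activity context: how stale the account is, or None if it never logged in."""
    return None if acct.last_login is None else (today - acct.last_login).days


def risk_score(acct: Account, today: date) -> int:
    """Rank orphans: privileged accounts first, then by staleness (constructed weights)."""
    score = 3 if acct.privileged else 0
    age = days_since_login(acct, today)
    if age is None or age > 90:
        score += 2
    elif age > 30:
        score += 1
    return score


def orphan_report(accounts: List[Account], roster: List[Person], today: date) -> List[Dict]:
    """Every account that maps to no active person, with activity context, riskiest first."""
    rows = []
    for acct in accounts:
        person = link_account(acct, roster)
        if person is not None and person.active:
            continue                      # a current employee owns it: not an orphan
        reason = ("no matching person in HR roster" if person is None
                  else f"owner {person.emp_id} is no longer active")
        rows.append({
            "source": acct.source,
            "username": acct.username,
            "reason": reason,
            "privileged": acct.privileged,
            "days_since_login": days_since_login(acct, today),
            "score": risk_score(acct, today),
        })
    rows.sort(key=lambda r: (-r["score"], r["source"], r["username"]))
    return rows


def sample_report() -> List[Dict]:
    """Run the reconciliation over the constructed data."""
    return orphan_report(ACCOUNTS, HR_ROSTER, REPORT_DATE)


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

On the sample data the report lists the stale privileged account with no roster match first, then the privileged service account, then Bob's two accounts. The activity column is what separates the cases: the service account logged in the day before the report, a sign that some business process still depends on it, so it is a candidate for being re-owned and re-credentialed rather than switched off blindly, while the privileged account that has not logged in for ten months has nothing to protect and can be disabled outright. The e-mail fallback is what catches the marketing-database record that was never tagged with an employee id, the kind of silo Aguiar describes.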

But some organizations may not have the budget for such IAM luxuries. In those cases, they should, at the very least, be focused on frequent internal audits to begin reducing orphan account risks, says Leonid Shtilman, CEO of Viewfinity.

"They should at least employ regular audits of 'power user and privileged accounts' to reduce the amount of damage that can possibly be done through these orphaned accounts," Shtilman says. "Oftentimes these audit tools are available as 'freemium' software and offer a no-cost solution to help get a handle on what can become a problematic situation."

Comments
Dunkirk (User Rank: Apprentice), 1/30/2013 | 5:25:05 PM
re: Avoiding IAM's Biggest Blunder
I think part of the problem is the fact that not all accounts are even managed by the typical IAM solution. Take, for example, something like a Cisco router. How do you change the password on that router when I leave my company? Sure, my AD account is disabled along with access to the company's CRM system, but what about all those other "systems" that a typical IAM product doesn't handle?

It's really time for privileged accounts and non-traditional accounts to be managed by IAM systems. Oh, let's not even go to the cloud and ask if your IAM solution is managing your SFDC, Office365, Google docs accounts appropriately either...

Jackson Shaw
Dell Software - http://www.quest.com/IAM
IdentityManuel (User Rank: Apprentice), 1/29/2013 | 4:52:00 PM
re: Avoiding IAM's Biggest Blunder
A lot of great points mentioned, and I think the key is to have more than one process in place (almost like a safety net in case one fails). You automate as much as you can to avoid human error (or forgetfulness) and then, as Tsantes from Ernst & Young mentioned, you need the access review and certification process to verify that your system is performing. It needs to be those two methods done in parallel and, most importantly, it's the business managers who should be the ones doing the access review, as they will know who should no longer have access.