Avoiding IAM's Biggest BlunderLeaving orphan accounts enabled due to poor deprovisioning processes leaves organizations open to fraud and makes it impossible to prove chain of custody
Poorly handling user accounts when people leave an organization or are fired is one of the most common and dangerous identity and access management (IAM) mistakes enterprises make today. Business process flaws, departmental silos, and a lack of automation all stand in the way of streamlining this so-called deprovisioning process. And when organizations don't get a handle on the orphan accounts left behind by an ineffective deprovisioning process, they leave themselves open to fraudulent account use and a lack of visibility that will make regulatory auditors howl.
"The departed individual may use these accounts to gain unauthorized access to systems and data with malicious intent in mind," says Denny Goldberg, director of support services for Avatier, "or other people in the organization that are aware of this account can use it to 'pose' as the departed individual for the same type of malicious behavior."
[What other IAM gaffes are you making? See 7 Costly IAM Mistakes.]
A big part of the problem is the lack of accountability around how accounts are enabled or disabled within an organization.
"The core of the problem is with how well a company understands and does provisioning within their systems and limits the ability of an employee to embed their identity in places that are not part of the corporate provisioning process," says Phil Lieberman, president of Lieberman Software.
In most cases, disabling a user's access involves a slow paper-based or email-based notification process, as HR lets IT know someone has left the organization, Goldberg says.
"This starts a frenzy of activity as the IT staff scrambles to identify the systems that a user may have an account on, and get the gears turning to disable the access across multiple systems, hoping that they find everything," he says.
Organizations that employ Active Directory or even some more advanced IAM solutions may not necessarily find everything due to a plethora of business process silos that end up scattering account information to the winds.
"Identities are typically spread across many disparate data silos -- including LDAP directories, Active Directory, marketing databases, and applications -- and the same identity often exists in more than one source," says Luiza Aguiar, product marketing manager of identity and access management at RSA. "This makes it difficult to create a comprehensive list with each user represented only once for efficient IAM life cyle management as well as authentication, or to build an attribute-rich profile of each user for fine-grained authorization."
For example, even if IT organizations track and find all of the enterprise application accounts assigned to the users, their deprovisioning processes frequently miss social media resources -- like access to corporate LinkedIn, Facebook, and Twitter accounts that are frequently managed outside the traditional IAM infrastructure, Aguiar says.
"What this means from a risk perspective is that after a user leaves the organization, they could potentially access and post information which will put an organization's brand, reputation, and potentially sensitive IP at risk," Aguiar says.
Often orphan accounts are left enabled because of messy provisioning processes that leave permissions so tangled with key business processes it would be a nightmare to clean up. For example, Lieberman says he has seen environments where users in IT install line-of-business applications using their personal account as the service account so that the application runs all users of that application under that user account.
"If the employee who installed the application leaves, and the HR or IT department shuts down their account, then the line-of-business application goes offline," he says, explaining that similarly when users share resources through their accounts, the fear of business interruptions handcuff organizations into keeping accounts open. "Companies are loathe to kill off these created resources fearful of causing disruptions to the business process."
But the risk of insider attacks and compliance problems should prod organizations into action. One of the first steps to getting on the deprovisioning straight-and-narrow is to start by finding existing orphan accounts, says Nishant Kaushik, chief architect for Identropy.
"The most important tool in the organizations arsenal is the reconciliation processes they can set up to track and link all their accounts," he says.
Aguiar agrees, advocating for means to map all user accounts to make it easier to reconcile active accounts against orphaned accounts and to create a list to fuel ongoing deprovisioning processes.
"Seeing a complete, correlated profile on every user enables smarter security decisions," Aguiar says. "Organizations should consider leveraging directory virtualization to externalize user profiles out of disparate and distributed directory."
Ideally, IAM solutions can help automate the deprovisioning process, but at the very least there should be ways to automate notification of account supervisors so they can more quickly handle the accounts that must be manually disabled.
"The IAM solution may not be able to create and delete those accounts in the cloud, but it should be able to notify the person responsible for creating and disabling the access of those accounts, and make them accountable for the completion of those tasks," Goldberg says.
As organizations seek long-term answers to deprovisioning problems, they must create systems that will better integrate silos -- for example, tying together HR and IT notifications, and that will inject ongoing account monitoring, says Chip Tsantes, principal in the financial services office of Ernst & Young.
"They need to eliminate silos in identity and access operations through process integration and automation, close the loop within access request processes with provisioning reconciliation processes, and support it all with detective access review and certification capabilities," Tsantes says.
Activity monitoring tied to orphan account tracking makes it much easier for organizations to tell the difference between rogue accounts and accounts that are only used once in awhile.
"Having some sort of activity monitoring that correlates with the orphan account tracking system allows the organization to get some needed context about that account and accurately identify the risk involved," Kaushik says.
Ideally, an IAM solution will come enabled with the ability to monitor and search for accounts based on the length of time since log-in, password expiration, and behaviors prohibited by specific policies, Goldberg says.
But some organizations may not have the budget for such IAM luxuries. In those cases, they should, at the very least, be focused on frequent internal audits to begin reducing orphan account risks, says Leonid Shtilman, CEO of Viewfinity.
"They should at least employ regular audits of 'power user and privileged accounts' to reduce the amount of damage that can possibly be done through these orphaned accounts," Shtilman says. "Often times these audit tools are available as 'freemium' software and offer a no-cost solution to help get a handle on what can become a problematic situation."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.