Orphaned User Accounts Run Wild in Enterprises
The old accounts of ex-employees, partners and contractors may represent a major security hole, but few businesses are doing much about it.
When an employee leaves your company, do you make sure you shut down his or her user accounts at once? And do you check to confirm this has been done?
If not, you're evidently not alone, according to a new study conducted by eMediaUSA for Symark International, which found that the accounts of ex-employees, contractors and suppliers are too often left open and accessible after they leave.
Orphaned accounts are a "huge, huge issue, because you're facing security breaches, compliance breaches [and] identity fraud, and it can lead to both internal and external data breaches," Sally Hudson, research director at IDC, told InternetNews.com.
About 27 percent of the respondents said that their organizations had more than 20 orphaned accounts, while 30 percent said they had no procedures in place to locate orphaned accounts.
The problem is created by "a lack in the effectiveness of processes for provisioning and deprovisioning access, identity and user accounts," Scott Crawford, research director at Enterprise Management Associates, told InternetNews.com.
While "a lot of organizations" have invested in identity management and identity provisioning, "often, the deprovisioning of access can be neglected," Crawford said.
In one enterprise, Crawford said, auditors found that 43 percent of its accounts should have been retired or had access privileges that were too broad.
Despite the pervasiveness of the problem, solutions have been available for quite some time.
"All the large vendors -- CA, IBM and so on -- implement technology to identify and eliminate orphaned accounts in their provisioning systems," Hudson said.
Such solutions aim to combat one of the major causes of orphaned accounts: that accounts have to be created, managed and deleted manually, according to Bilhar Mann, a senior vice president for security management at CA.
CA's Identity Manager, for example, automatically correlates administrator-defined user privileges, or entitlements, with available users, and orphaned accounts are then either reassigned by the managers or automatically deleted by the system.
"Once you implement a provisioning system, you won't have orphaned accounts at all," Mann told InternetNews.com. "We can suspend accounts when a user goes on leave for a few weeks, or we can automatically delete them when someone leaves the company."
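The correlation step Mann and Crawford describe, as an added illustration that is not the article's or CA's code: a small Python routine that matches a directory export against an HR roster and proposes the deprovisioning action for each account (delete on termination or contract expiry, suspend on leave, refer unowned accounts to a manager, flag dormant ones for review). The roster, directory rows and the 90-day dormancy threshold are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): HR roster keyed by person id.
HR_ROSTER = {
    "alice": {"status": "active", "end": None},
    "bob": {"status": "terminated", "end": date(2024, 3, 1)},
    "carol": {"status": "leave", "end": None},
    "dave": {"status": "contractor", "end": date(2024, 1, 31)},  # contract expired
}

# Constructed directory export: one row per account, with its recorded owner.
DIRECTORY_ACCOUNTS = [
    {"account": "alice", "owner": "alice", "last_login": date(2024, 4, 1), "enabled": True},
    {"account": "bob", "owner": "bob", "last_login": date(2024, 2, 20), "enabled": True},
    {"account": "carol", "owner": "carol", "last_login": date(2024, 3, 10), "enabled": True},
    {"account": "dave", "owner": "dave", "last_login": date(2024, 1, 15), "enabled": True},
    {"account": "svc_backup", "owner": "erin", "last_login": date(2023, 9, 1), "enabled": True},
    {"account": "alice_admin", "owner": "alice", "last_login": date(2023, 12, 1), "enabled": True},
    {"account": "old_vendor", "owner": "bob", "last_login": date(2023, 6, 1), "enabled": False},
]


def classify(accounts, roster, today, dormant_days=90):
    """Map each enabled account needing attention to a proposed action.

    Accounts already disabled are treated as handled and skipped. Actions are
    hypothetical labels for this example, not a product's API.
    """
    actions = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        person = roster.get(acct["owner"])
        if person is None:
            # Owner unknown to HR: no one to vouch for it, so a manager must reassign it
            actions[acct["account"]] = "reassign"
        elif person["status"] == "terminated" or (person["end"] and person["end"] < today):
            actions[acct["account"]] = "delete"
        elif person["status"] == "leave":
            actions[acct["account"]] = "suspend"
        elif today - acct["last_login"] > timedelta(days=dormant_days):
            # Owner is active, but the account itself has gone quiet: over-broad access?
            actions[acct["account"]] = "review"
    return actions


if __name__ == "__main__":
    for name, action in sorted(classify(DIRECTORY_ACCOUNTS, HR_ROSTER, date(2024, 4, 15)).items()):
        print(f"{name}: {action}")
```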