One of the most common mistakes that IT groups continue to make is not properly managing user accounts when employees leave the organization.
Orphaned user accounts are exploited to gain unauthorized access to sensitive company resources. Finding and disabling inactive, orphaned user accounts seals potential security holes in the network.
Depending on the particular organization, when an employee leaves a company, untangling his or her identity from the network can be anywhere from a simple five-second change to a seemingly never-ending process. The core of the problem is how well an IT group understands provisioning. Another important issue is how quickly it can limit the ability of employees to embed their identities in places that are not part of the corporate provisioning process.
User Account Security Vulnerabilities
For example, I’ve seen line-of-business applications installed using an IT employee’s personal account as the service account. This means that the application runs under that user’s identity for every other user accessing the program. So if the employee who installed the application leaves the company, and the HR or IT department shuts down his account, that line-of-business application goes off-line. Consequently, it’s not at all unusual to see identities for long-gone employees still being used, usually with a hushed warning not to mention this to the security auditor.
Here’s another difficult-to-manage element of de-provisioning user accounts: shared resources (backdoors) created by departed employees. These resources (i.e. shared folders, permission changes, etc.) often exist well after an employee leaves, but they are no longer documented or under the control of the company. Many IT departments are loath to kill off these resources for fear of disrupting critical business operations.
A third issue involves provisioning systems themselves. In many cases, these systems require extensive manual work to complete the provisioning/de-provisioning process. In other cases, the systems are so complex and so tightly dependent on a bewildering set of technologies that the process devolves into an inconsistent, unreliable and undocumented mess. This results in occasional silent failures, with orphaned accounts remaining undetected in critical systems.
Generally, auditors are responsible for finding orphan accounts. But the real challenge comes down to the frequency and depth of the audits, and the ability of the organization to mitigate the findings.
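As an added example (not code from the original article), here is the kind of reconciliation an auditor or IT group can run over an HR roster, a directory export and a service inventory to surface orphaned person accounts and the line-of-business services described above that were installed under a departed employee’s personal account. The data and the svc_ naming convention for dedicated service accounts are constructed assumptions.

```python
"""Reconcile a directory export against the HR roster to surface orphaned
accounts and services running under a departed employee's personal account.
All data here is constructed sample input; the svc_ prefix is an assumed convention."""
from datetime import date

INACTIVITY_DAYS = 90
TODAY = date(2024, 6, 1)  # fixed reference date so the sample is reproducible

HR_ACTIVE = {"alice", "bob", "dana"}  # constructed HR roster of current employees

ACCOUNTS = [  # constructed directory export: name, enabled flag, last logon (ISO date)
    {"name": "alice", "enabled": True, "last_logon": "2024-05-30"},
    {"name": "bob", "enabled": True, "last_logon": "2024-01-02"},     # stale logon
    {"name": "carol", "enabled": True, "last_logon": "2024-05-28"},   # left, still enabled
    {"name": "dana", "enabled": True, "last_logon": "2024-05-31"},
    {"name": "erik", "enabled": False, "last_logon": "2023-11-15"},   # left, already disabled
    {"name": "svc_payroll", "enabled": True, "last_logon": "2024-05-31"},
]

SERVICES = [  # constructed service inventory: which identity each service runs as
    {"service": "PayrollApp", "run_as": "svc_payroll"},
    {"service": "ReportServer", "run_as": "carol"},  # installed under a personal account
]

def is_service_account(name: str) -> bool:
    return name.startswith("svc_")  # assumed naming convention, not a directory attribute

def find_orphans(accounts, hr_active, today=TODAY, inactivity_days=INACTIVITY_DAYS):
    """Enabled person accounts that are off the HR roster or have not logged on
    within the window. Returns a list of (account, reason) in directory order."""
    findings = []
    for acct in accounts:
        if not acct["enabled"] or is_service_account(acct["name"]):
            continue  # already disabled, or a dedicated service identity
        if acct["name"] not in hr_active:
            findings.append((acct["name"], "not on HR roster"))
        elif (today - date.fromisoformat(acct["last_logon"])).days > inactivity_days:
            findings.append((acct["name"], "inactive"))
    return findings

def services_on_departed_accounts(services, hr_active):
    """Services whose run-as identity is a person no longer employed; these must be
    moved to a dedicated service account before the user account is disabled."""
    return [(s["service"], s["run_as"]) for s in services
            if not is_service_account(s["run_as"]) and s["run_as"] not in hr_active]

if __name__ == "__main__":
    print(find_orphans(ACCOUNTS, HR_ACTIVE))
    print(services_on_departed_accounts(SERVICES, HR_ACTIVE))
```

Running both checks together is what keeps the de-provisioning step from taking a production application off-line: the service finding is resolved first, then the orphaned account is disabled.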