The name says it all: orphan accounts are user accounts that have been abandoned, left behind with nobody responsible for them. To understand why it is critical for your team to tackle orphaned accounts, and how they create security risk, let’s look at a classic novel.
In Charles Dickens’ famed novel Oliver Twist, Oliver is a young orphan who spends a good chunk of the story as a petty criminal, picking the pockets of unknowing pedestrians. There is much more to the story, of course, but Oliver’s descent starts with the fact that nobody has been looking out for him and his best interests since a very young age. Without guidance, he quickly becomes a risk to himself and to those around him, which translates well to what identity security teams face if they leave orphaned accounts unchecked.
What is an orphan account?
Orphaned accounts, in this context, are accounts with no associated active user, and the word ‘active’ is critical. Active identities are those with current responsibilities in the organization, whether as a full- or part-time employee, third-party contractor, machine identity, or otherwise. Many identities need several accounts to reach different applications or data sets, since their tasks vary with their job function at the time. But when employees (or machine identities) leave a particular role, or the organization altogether, those accounts and their permissions often remain in Active Directory or another directory. This is one example of an ‘orphaned account’, and such accounts plague organizations with security, efficiency, and compliance risks. Orphaned accounts are easy and sought-after targets for attackers because they are some combination of unowned, over-provisioned, and under-monitored: nobody is left to notice an unexpected logon, question a password reset, or report a compromise, and a former user’s credentials may still be valid. Their existence is therefore a key item in many security audits. Harking back to 1837, there are several lessons from young Oliver Twist that organizations can apply to their identity governance practices to improve security and meet compliance and audit mandates.
1. Continually Identify Orphaned Accounts
After his father’s disappearance and his mother’s untimely death, Oliver Twist had nobody who truly had his interests at heart. Had someone been looking out for him, he might have led a happier and more productive childhood. The same goes for security and IAM teams and orphaned accounts: they need to be vigilant in identifying accounts that are unused or no longer associated with a current, active user. Identity Governance and Administration (IGA) tools help through identity lifecycle management that automatically provisions and deprovisions access whenever someone joins, moves, or leaves a role in the organization. A basic step is to wire this up for accounts associated with an AD (or Azure AD, now Microsoft Entra ID) user, so that when the HR system of record marks a person as leaving, every account linked to that person is disabled on the termination date rather than whenever someone remembers. The same goes for entire orphaned teams, such as a department that was disbanded or a set of contractors whose engagement ended. One caveat: lifecycle automation only reaches accounts that are linked to an identity in the first place. Accounts created outside the joiner process (service accounts, shared mailboxes, local administrators, test users) have to be discovered by correlating directory accounts with the identity store and treating whatever does not match as an orphan until an owner claims it.
2. Determine the Desired State and Outcomes
The happily ever after, where *spoiler alert* Oliver Twist inherits a large fortune and spends his days in the countryside, is a clear desired outcome for the young protagonist. There are many twists and turns on the way, but Oliver perseveres. For IAM teams, mapping out what their own happy ending looks like for orphan accounts is just as important. For some it means eliminating orphaned accounts altogether; for others it means re-assigning them to a current owner. Then, controls that continuously reconcile the ‘actual state’ of each account with the ‘desired state’ (disabled, deleted, or owned by a named, active identity) are what make the outcome stick. This is how the Danish municipality of Varde was able to eliminate and avoid orphan accounts.
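Lessons #1 and #2 are, in practice, one reconciliation job: join every directory account to the HR system of record, flag the accounts whose owner is missing, unknown, or terminated, and emit the action that moves each one toward its desired state. The Python below is an added example written for this page; it is not code from the original post or from Omada’s product. The HR roster and directory export are constructed sample data, and the attribute names (`employee_id`, `owner`, `last_logon`), the 90-day dormancy threshold and the privileged group names are assumptions standing in for whatever your own directory and HR feed expose.

```python
"""Reconcile directory accounts against the HR system of record to find orphans.

Added example, not part of the original post. All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

STALE_DAYS = 90  # assumption: no logon for 90 days counts as dormant
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators"}  # assumption


@dataclass(frozen=True)
class Identity:
    employee_id: str
    status: str               # "active" or "terminated" in the HR feed
    manager_id: str | None    # fallback reviewer when the owner is gone


@dataclass(frozen=True)
class Account:
    name: str
    owner: str | None         # employee_id the account is linked to, if any
    enabled: bool
    last_logon: date | None
    groups: frozenset[str] = frozenset()


@dataclass
class Finding:
    account: str
    reason: str
    privileged: bool
    action: str               # step toward the desired state
    route_to: str | None      # who should attest / be notified


TODAY = date(2024, 6, 1)

# Constructed HR roster: the system of record for "active" identities.
HR: dict[str, Identity] = {
    "E100": Identity("E100", "active", None),
    "E101": Identity("E101", "active", "E100"),
    "E102": Identity("E102", "terminated", "E100"),
}

# Constructed directory export.
ACCOUNTS = [
    Account("jdoe", "E101", True, TODAY - timedelta(days=3)),
    Account("jdoe-adm", "E101", True, TODAY - timedelta(days=200),
            frozenset({"Domain Admins"})),
    Account("bsmith", "E102", True, TODAY - timedelta(days=40)),
    Account("svc-backup", None, True, TODAY - timedelta(days=1),
            frozenset({"Server Operators"})),
    Account("contractor7", "C900", True, None),
    Account("old-intern", "E102", False, TODAY - timedelta(days=400)),
]


def classify(acct: Account, hr: dict[str, Identity],
             today: date = TODAY) -> Finding | None:
    """Return a Finding for an orphaned or dormant account, else None."""
    privileged = bool(acct.groups & PRIVILEGED_GROUPS)
    owner = hr.get(acct.owner) if acct.owner else None
    if acct.owner is None:
        # Never linked to an identity: discovery case from lesson #1.
        reason, action, route_to = "no owner recorded", "disable until an owner attests", None
    elif owner is None:
        # Linked to an identifier HR has never heard of.
        reason, action, route_to = f"owner {acct.owner} unknown to HR", "disable", None
    elif owner.status == "terminated":
        # Classic leaver: the desired state is disabled, then deleted.
        reason = f"owner {acct.owner} terminated"
        action = "disable" if acct.enabled else "delete"
        route_to = owner.manager_id
    elif acct.last_logon is None or (today - acct.last_logon).days > STALE_DAYS:
        # Owner is active but the account is unused: send it to certification.
        reason, action, route_to = "dormant", "certify with owner", acct.owner
    else:
        return None
    return Finding(acct.name, reason, privileged, action, route_to)


def find_orphans(accounts: list[Account], hr: dict[str, Identity],
                 today: date = TODAY) -> list[Finding]:
    """Classify every account and put privileged findings first."""
    findings = [f for a in accounts if (f := classify(a, hr, today))]
    findings.sort(key=lambda f: (not f.privileged, f.account))
    return findings


if __name__ == "__main__":
    for f in find_orphans(ACCOUNTS, HR):
        flag = "PRIV " if f.privileged else "     "
        print(f"{flag}{f.account:<12} {f.reason:<28} -> {f.action} (route to {f.route_to})")
```

Run against the sample data, the job surfaces the terminated intern’s admin account ahead of the ordinary leavers, flags the unowned service account for attestation rather than silently tolerating it, and sends the dormant admin account of an active employee into certification rather than disabling it outright. Running the same reconciliation on every HR feed cycle is the ‘continuous’ part of lesson #2.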
3. Certify, and Recertify Access
A misunderstanding occurs when Oliver runs away from Mr. Brownlow, a friendly elderly gentleman who takes the flight as an admission of guilt, which leads to Oliver’s arrest. After certifying Oliver’s true heart, however, Mr. Brownlow eventually takes him in and helps him reach his desired outcome (see #2). Within IGA solutions, security and IAM leaders can set up access certification campaigns to establish whether access is still being used and whether it is still required. This process surfaces orphaned accounts that are still operating with privileges but have fallen outside the view of security teams. These campaigns can (and should) run regularly, with a higher cadence for accounts with excessive privileges or administrator rights. One practical point: a certification needs a reviewer, and an orphaned account by definition has no owner to attest for it, so campaigns should route unowned accounts to a fallback reviewer (the former owner’s manager or the application owner) rather than letting them pass because nobody answered.
4. Assign Ownership
While not the central theme of the novel, much can be said about taking ownership of your own destiny and surrounding yourself with people who look out for you. The same applies to orphaned accounts. Whether you use attestation surveys and campaigns to assign an owner to every account, identify orphaned accounts for deletion, or both, the most important thing is to start, and to start quickly. An orphaned account that lingers is a standing risk, and organizations in every industry have faced breaches and fines because such accounts were never cleaned up, so there should be urgency here. Going forward, require a named owner (and a fallback) for every account at creation time, service accounts included, so that tomorrow’s leavers do not create the next generation of orphans.
By re-examining perhaps the most famous orphan in literature, there is a lot to be learned about how to approach orphaned accounts through a modern approach to Identity Governance and Administration. Learn more about how to get started by reading about the Omada Accelerator, a program to help organizations deploy IGA within 12 weeks and take control of the orphaned accounts across your heterogeneous environment today.