According to the 2019 Verizon Data Breach Investigations Report, 62 percent of all data breaches last year involved the use of stolen credentials, brute force, or phishing. Nearly half of these types of breaches were directly attributed to stolen credentials. Stolen credentials are not only a risk through active user accounts, but can be a significant risk through orphaned accounts. One notable example of this type of credential theft occurred last fall when Avast and NordVPN reported a data breach tied to “forgotten or unknown user accounts,” or the predominance of orphaned accounts lacking proper oversight and governance.
Orphaned accounts within an organization are accounts that are no longer associated with a valid business owner. They represent ideal places for bad actors to gain access into your company because no one is actively looking into them. According to KrebsonSecurity, “forgotten user accounts that provide remote access to internal systems…have been a persistent source of data breaches for years,” as was the case with Avast and NordVPN. But to better understand orphaned accounts and what you can do about them, let’s take a look at where they originate from and then identify several key strategies you can use to combat them in your business.
Where Do Orphaned Accounts Come From?
Orphaned accounts typically arise when someone leaves your company or changes positions within the organization. In the case of separation, this means access to certain applications, data, or systems is not terminated. In the case of a position change, access is not reduced to an appropriate level, which may include complete removal of access. This frequently happens in industries with fairly high turnover, like healthcare or retail, because as people exit the company or transition roles, there may be no formal process for cleaning up these accounts in either internal or external system access. While prominent in these specific industries, orphaned accounts pose a real problem across every industry and across businesses of all sizes.
The problem only magnifies with contingent workers, temporary employees, non-employees, contractors, and consultants. This category of user is often a target for bad actors because turnover is high for these roles and orphaned accounts can stack up if there is an undefined process for cleaning up these accounts. And because these types of users are often not contained in a central repository, like an HRIS, it is difficult to identify a change in status quickly, like a closed contract, so the access can be removed in a timely manner. That’s why it’s essential not to overlook these types of workers or make them a lower priority in managing access. Even though they may not be highly privileged, if their access falls into the wrong hands, real damage can be inflicted by bad actors.
Does your organization have high turnover for certain positions or do you have seasonal employees? What about interns? Orphaned accounts are a natural part of the dynamic nature of business. And with so many users in your system, without automated processes and controls, you will not have visibility into who has access to what. Leaving these accounts open increases your threat surface and the likelihood that you will be breached. This risk becomes even greater if excess privileges are unused because nefarious access can go undetected. Combined together, these factors make it very difficult to manage risk within the business.
How Can You Combat the Risk of Orphaned Accounts?
So how can you put an end to orphaned accounts? First, you have to arm yourself with intelligence to quickly identify and evaluate access risks posed by internal threats across your business-critical systems. This means you have access to a continuous, comprehensive view and analysis of the relationships between identifies, access rights, policies, and resources that occur across your environments.
Automated Provisioning and Deprovisioning
With a manual system that relies on paper forms or their web version counterparts—basic lists of who has access to what and the types of applications that can be selected—or even worse, a field to type in a model user, you have little context of what access in your organization really should be. Rather, you need to automate provisioning actions based on the user lifecycle within your organization. One of the most important areas for this is when an employee leaves the organization, either voluntarily or through termination. Accounts should be quickly and automatically disabled, preventing any opportunity for employees to retain access to data upon their departure from the organization, and removing any opportunity of orphaned accounts.
Beyond when an employee leaves, the right process to manage the risk of orphaned accounts actually starts with proper onboarding. This is when a new employee, or a non-employee like a contractor or vendor, receives initial accounts and access to appropriate systems and applications. This means you can track the access that is approved and granted initially so that you know specifically who has what access and when it is time to remove it—with no guesswork.
Combating orphaned accounts also means you should adopt a role-based approach. Roles are really just a collection of access privileges typically defined around a job title or job function. Using roles, organizations have solid, predefined, and preapproved access policies in place, and know specifically which access privileges each person needs and what access to remove—reducing the chances for orphaned accounts. Embracing a role-based approach simplifies identity governance, and aids organizations as they grow and change—whether through individual changes across the user lifecycle, seasonal additions to the workforce, or more institutional changes, like mergers and acquisitions.
You also need to take advantage of micro-certifications to ensure you have a set of controls that can quickly identify anomalous access, especially when that access violates an important policy, such as segregation of duties or privileged access. This means that when an access event is triggered where an employee may have new or different access and entitlements than what is expected, or gains access through an outside process, commonly referred to as ‘out of band,’ a manager or business application owner will be alerted and can perform an access review immediately associated with the risk event. Provisioning outside the process is a common way that users get access that can be missed when it is time to remove it, whether it is a result of a transfer or separation.
Start Revealing Your Hidden Access Risks
Orphaned accounts pose a critical risk within your business. But you can’t act upon what you don’t see. Waiting for an internal audit to uncover orphaned accounts may be too late. You must take an active role in trying to prevent them through intelligent identity governance solutions. Remember, you can only manage what you can see. So don’t ignore the importance of dealing with orphaned accounts in your business today.