Tuebora Blog

Orphaned Accounts and IAM

There are only two times that all the people in your organization have the right level of access to the data, applications, and systems in your company—before they join the company and just after an audit. In between audits, inefficient identity and access management can increase the likelihood of having orphaned accounts. This article informs you about orphaned accounts and their dangers. 


What Are Orphaned Accounts?


Orphaned accounts are user accounts that remain open with access permissions even though they aren’t needed anymore and they no longer have a valid business owner. In an ideal world, a clear provisioning and de-provisioning process for user access ensures that no orphaned accounts exist within your network. Several normal business activities can increase the chances of having orphaned accounts on your network, including:




  • One-off access approvals: employees working on a project sometimes need once-off access to a system, database, or business application. 
  • Granting user access for additional applications: as employees advance in their roles, they often need access to additional business applications. 
  • Providing access to meet contractor needs: whether a contractor needs system access for a week or six months, this is a normal part of hiring contractors. 


These factors alone aren’t sufficient to lead to orphaned accounts. It’s the combination of these normal business activities with a lack of proper identity lifecycle management that causes trouble. 

The Security Risk of Orphaned Accounts

Orphaned accounts provide a potential attack vector for malicious intruders to access your information assets, systems, and applications. According to an article on SLPowers.com,


"Hackers often look for the easiest way in and one such entryway is through user and service accounts that are no longer in use. Disabling these accounts is a basic security step that is too often overlooked. In fact, a recent Varonis analysis found that 26% of all accounts belonged to “stale enabled users.” These accounts hadn’t accessed data or logged on to the network for more than 90 days. For one organization, approximately 90% of all user accounts were stale. That’s a lot of unlocked doors.


It doesn't take much effort for a hacker to find inactive accounts to target. A quick search on LinkedIn or Twitter can lead to information about which employees have recently left an organization. What if one of those employees was a senior-level staff member with access to a wide range of sensitive information? Valuable assets like intellectual property, personally identifiable information (PII), and financial records could be illegally accessed in minutes."


Companies in every industry are exposed to risks from orphaned accounts. In a startling example from 2019, cybersecurity software company Avast reported that its internal network “was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA”.


Efficient de-provisioning, automated or machine-assisted identification of unused accounts, and an agile IAM process are all key for reducing the information security risks of orphaned accounts.
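As an added illustration of machine-assisted identification (this is not Tuebora's code or any product's API), the sketch below cross-checks an account inventory against an HR roster and flags enabled accounts that are orphaned, stale beyond the 90 days quoted above, or temporary and past expiry, as in the Avast case. The record fields, account names, and dates are constructed assumptions.

```python
from datetime import date

STALE_DAYS = 90  # "stale enabled user" threshold from the Varonis figure quoted above

# Constructed sample data; field names and values are assumptions for illustration.
TODAY = date(2024, 6, 1)
HR_ACTIVE = {"alice", "bob"}  # people who can still own an account
ACCOUNTS = [
    {"id": "alice", "owner": "alice", "enabled": True,
     "last_logon": date(2024, 5, 28), "expires": None, "mfa": True},
    {"id": "bob", "owner": "bob", "enabled": True,
     "last_logon": date(2024, 2, 1), "expires": None, "mfa": True},
    {"id": "svc-report", "owner": "carol", "enabled": True,   # carol has left
     "last_logon": date(2023, 11, 2), "expires": None, "mfa": False},
    {"id": "vpn-temp-01", "owner": "bob", "enabled": True,    # temporary profile
     "last_logon": date(2024, 5, 30), "expires": date(2024, 3, 31), "mfa": False},
    {"id": "contractor-7", "owner": "dave", "enabled": False,  # already disabled
     "last_logon": None, "expires": date(2024, 1, 15), "mfa": False},
]

def classify(account, active_owners, today):
    """Return the review findings for one account; disabled accounts yield none."""
    if not account["enabled"]:
        return []
    findings = []
    if account["owner"] not in active_owners:
        findings.append("orphaned")            # no valid business owner
    last = account["last_logon"]
    if last is None or (today - last).days > STALE_DAYS:
        findings.append("stale")               # enabled but unused
    if account["expires"] is not None and account["expires"] < today:
        findings.append("expired-temporary")   # temporary access never removed
    if not account["mfa"]:
        findings.append("no-mfa")
    return findings

def review(accounts, active_owners, today):
    """Map account id -> findings, keeping only accounts that need action."""
    report = {a["id"]: classify(a, active_owners, today) for a in accounts}
    return {acct: f for acct, f in report.items() if f}

if __name__ == "__main__":
    for acct, findings in review(ACCOUNTS, HR_ACTIVE, TODAY).items():
        print(f"{acct}: {', '.join(findings)}")
```

In practice the roster and inventory would come from the HR system and each directory or application export, and the output would feed a de-provisioning queue rather than a printout.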


The Rubber-Stamping Problem


One particularly problematic IAM practice is rubber-stamping, which is when organizations bulk approve access requests to their systems, applications, and data. Rushing access approvals without adequately reviewing requests results in the perfect storm of orphaned accounts with too much access to your IT assets. All it takes for a data breach is a disgruntled former employee or a malicious attacker to access sensitive data through an orphaned account. 


It’s also worth noting that properly controlling user access is an important part of several regulations, including GDPR and HIPAA. Non-compliance with industry regulations poses significant monetary and reputational risks. Bulk approval of access requests without an appropriate review is the opposite of proper user access control. 


Dynamic IT Infrastructure


Compounding the risks of orphaned accounts is the changing and increasingly complex IT infrastructure at many modern organizations. The unexpected shift to remote work during the global Covid-19 pandemic inundated many organizations with access requests, as employees needed remote access to systems under the new working norm.


Additionally, many companies had to downsize and let go of some employees, which further complicated IAM lifecycle management. A natural result of such dynamic shifts in access privileges and IT infrastructure is an increase in orphaned accounts, particularly in cases where the IAM strategy wasn’t transparent enough to begin with.


Another dynamic aspect of the IT infrastructure at many organizations is their use of the cloud. In public cloud services like Google Cloud or AWS, it’s easier to provision resources than de-provision them. Often, an organization can end up with a “zombie” cloud infrastructure in which cloud resources remain running even though they’re no longer used. 


The problem with a zombie cloud resource, such as an unused cloud storage bucket, is that access to the data within it is not properly accounted for. In such a situation, it’s very easy for one or more orphaned accounts to exist. Whatever way you look at it, your IAM solution needs to be cloud-ready. 


How Tuebora Can Help You


Tuebora gives you visibility into orphaned accounts and the access granted to those accounts whether the account is for a cloud app, an on-premise system, or a file-share.  Our service monitors the access users have against what they should have and helps you take corrective action accordingly.  What someone should have is based on a review of account usage, peer work group, and their role in the context of business processes.  


