A recent study and last month's LendingTree data breach underscore the importance of managing orphaned accounts.
Orphaned accounts are leaving a hole in enterprise security many companies are leaving unplugged.
A new study by eMedia USA, commissioned by identity management vendor Symark, found that 27 percent of respondents had more
than 20 orphaned accounts currently within their organization. More
alarming, more than 38 percent of respondents said they had no way of
determining whether a current or former employee used an orphaned
account to access information, and 15 percent said this has occurred at
For the report,
released in May, eMediaUSA surveyed 850 security, IT, HR and C-level executives across a
number of industries. In addition to the other findings, the report
noted approximately 30 percent of respondents said it takes longer than
three days to terminate an account after an employee or contractor
leaves the company - 12 percent said it takes more than a month.
Though handling orphaned accounts may rank high on a company's list
of security priorities, consider what happened in the recent
LendingTree data breach: Former employees gave their old log-in
information to mortgage lenders, which used the orphaned accounts to
steal customer data.
"There remains a gap between definition and process from business to
IT, and there just isn't enough automation to catch it," said Gartner
analyst Earl Perkins. "I think the problem is also the lack of
awareness on the part of many enterprises about their risk and exposure
to not having good processes in place to address this. If an enterprise
has a good security policy that stipulates how these accounts should be
handled, coupled with the controls defined and implemented to make it
real, it's less of a problem."
Ironically, compliance auditors may play a role in the situation as well.
"Finding as many as 70 orphaned accounts, many with activity, is not
unusual at a mid-size organization," said Ellen Libenson, vice
president of marketing at Symark. "If auditors just verbally tell IT
'this isn't good, clean it up' but don't write them up, chances are the
issue goes another year without being addressed."
A number of vendors, including Symark, seek to address this
problem with their identity management tools. The technology is out
there, Gartner analyst Ray Wagner said, but enterprises need to buy in.
Compliance initiatives can help there, he said.
"The tools are out there, but the larger identity management
problem is complex," he said. "Projects are long-term, costly and
require buy-in and participation across the entire enterprise. Orphaned
accounts generally don't add or subtract anything from the bottom line,
so they are less visible to business leaders."
Perkins said IT pros would also like to see a consolidation of
functions with their existing user provisioning and access management
tools when it comes to large-scale implementations. For example,
allowing the compliance reporting of a provisioning tool to be able to
dashboard monitor and report on de-provisioning, he said.