Orphaned accounts are leaving a hole in enterprise security many companies are leaving unplugged.
A new study by eMedia USA, commissioned by identity management vendor Symark, found that 27 percent of respondents had more than 20 orphaned accounts currently within their organization. More alarming, more than 38 percent of respondents said they had no way of determining whether a current or former employee used an orphaned account to access information, and 15 percent said this has occurred at least once.
For the report, released in May, eMediaUSA surveyed 850 security, IT, HR and C-level executives across a number of industries. In addition to the other findings, the report noted approximately 30 percent of respondents said it takes longer than three days to terminate an account after an employee or contractor leaves the company - 12 percent said it takes more than a month.
Though handling orphaned accounts may rank high on a company's list of security priorities, consider what happened in the recent LendingTree data breach: Former employees gave their old log-in information to mortgage lenders, which used the orphaned accounts to steal customer data.
"There remains a gap between definition and process from business to IT, and there just isn't enough automation to catch it," said Gartner analyst Earl Perkins. "I think the problem is also the lack of awareness on the part of many enterprises about their risk and exposure to not having good processes in place to address this. If an enterprise has a good security policy that stipulates how these accounts should be handled, coupled with the controls defined and implemented to make it real, it's less of a problem."
Ironically, compliance auditors may play a role in the situation as well.
"Finding as many as 70 orphaned accounts, many with activity, is not unusual at a mid-size organization," said Ellen Libenson, vice president of marketing at Symark. "If auditors just verbally tell IT 'this isn't good, clean it up' but don't write them up, chances are the issue goes another year without being addressed."
A number of vendors, including Symark, seek to address this problem with their identity management tools. The technology is out there, Gartner analyst Ray Wagner said, but enterprises need to buy in. Compliance initiatives can help there, he said.
"The tools are out there, but the larger identity management problem is complex," he said. "Projects are long-term, costly and require buy-in and participation across the entire enterprise. Orphaned accounts generally don't add or subtract anything from the bottom line, so they are less visible to business leaders."
Perkins said IT pros would also like to see a consolidation of functions with their existing user provisioning and access management tools when it comes to large-scale implementations. For example, allowing the compliance reporting of a provisioning tool to be able to dashboard monitor and report on de-provisioning, he said.