Want Better Identity Management? Remove your Orphaned Accounts


While the name may appear adorable – like a digital Oliver Twist – orphaned accounts resemble Bill Sikes more than a ruddy-cheeked street urchin.

You shouldn’t consider orphaned accounts as just another contributor to your enterprise’s network and active directory clutter. They could, can, and do represent potentially damaging attack vectors into your enterprise’s IT environment. Orphaned accounts could allow hackers or insider threats to conceal their malicious activities for months, if not years.

Why do orphaned accounts pose such a threat? What can you and your IT security team do to find and remove them?

Here are some of our favorite suggestions:

How Accounts Become Orphaned Accounts  

Understanding how orphaned accounts come into being must serve as the first step to preventing them from damaging your network and databases. What distinguishes accounts from orphaned accounts?

The account forms the core of all of your users’ identities. These accounts contain all the necessary identifying and supplemental data your network needs to authenticate your users in their day-to-day capacities. As such, accounts can contain usernames, legal names, passwords, phone numbers, emails, and more. The diversity of information embodied in an account can pose a threat on its own.

Your IT team creates new accounts every time an employee or administrator joins your enterprise. This should come as no surprise; without a relevant account, your employees wouldn’t be able to perform their everyday digital duties. Logically, your IT team would remove these accounts once the employees or administrators in question leave the enterprise for whatever reason.

Except, in reality, you can’t always rely on your IT security team to remove the accounts at the end of their life-cycles. Everyday cybersecurity demands, constant workloads, and professional burnout combine to allow accounts to remain long after they should have been deprovisioned. Sometimes, the size of the enterprise network conceals old accounts from discovery.

In short, these accounts linger on, abandoned both by their original owner and any other valid user. These become orphaned accounts.

Why Orphaned Accounts Pose a Serious Risk

Orphaned accounts have no valid user, but they still exist in the network and have valid credentials.

Therefore, they can still access resources like email and application logins. In cases of orphaned accounts from privileged users, these rogue credentials could continue to access proprietary or private data.

Thus, if an external or internal threat actor was so inclined and could find the accounts lingering on the network, they could weaponize these orphaned accounts. In fact, with a legitimate but unclaimed account, the possibilities of what a hacker could do on your network prove overwhelming. A threat actor could, with orphaned accounts:

  • Send a legitimate-looking email for their phishing attack, bypassing typical email security.
  • Access valuable databases or assets without raising security alerts or even suspicion, allowing for easy theft, transcription, or illicit interference.
  • Allow a dwelling threat, such as cryptojacking malware, onto the network.
  • Use the supplemental information in an account to intercept two-factor authentication protocols via SMS message.
  • Disrupt your business processes or change your digital policies without raising immediate suspicion.   

Individuals aware of their own orphaned accounts—perhaps former employees who left on bad terms with your enterprise—could maliciously use their former credentials even more easily.

Do Orphaned Accounts Exist On Your Network?

Most likely, yes. According to privileged access management solution provider Thycotic's report “2018 Global State of Privileged Access Management (PAM) Risk & Compliance,” 70% of enterprises fail to discover all of the privileged access accounts in their networks. 40% never even bother to look for all their network’s privileged accounts. Moreover, 55% fail to revoke permissions after a privileged employee is removed.

Most importantly, these findings only apply to privileged accounts, the most powerful credentials in your network. Obviously, the more insidious question follows: how many regular, workaday accounts receive this neglect as well?

What Can You Do?

If your enterprise wants to remove the threat of orphaned accounts, it first needs to find them. Selecting and deploying an effective privileged access management solution must be your next step. PAM solutions almost always come with tools to help you improve your identity visibility, helping your IT security team to locate and remove orphaned accounts still lingering in the network.

Additionally, a PAM solution will help relieve some of the burdens on your IT security team by automating the provisioning and deprovisioning process, preventing the birth of orphaned accounts in the first place.
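The discovery step described above can be sketched as a reconciliation between an HR roster and a directory account export. This is an added example, not part of the original article or any PAM product; the CSV column names, the sample rows, and the `find_orphaned_accounts` helper are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (assumed export formats, not from a real system).
HR_ROSTER = """employee_id,status
1001,active
1002,terminated
1003,active
"""
ACCOUNTS = """username,owner_id,enabled,privileged,last_logon
alice,1001,true,false,2024-05-28
bob,1002,true,false,2024-01-15
bob-admin,1002,true,true,2023-11-02
carol,1003,false,false,2023-09-30
svc-report,,true,true,2022-03-10
dave,1004,true,false,2024-05-30
"""

def find_orphaned_accounts(roster_csv, accounts_csv, as_of):
    """Return enabled accounts with no active owner, privileged ones first,
    then the longest-idle. Each finding carries the reason it was flagged."""
    status = {r["employee_id"]: r["status"]
              for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"] != "true":
            continue  # already disabled: cannot authenticate
        owner = acct["owner_id"]
        if status.get(owner) == "active":
            continue  # owned by a current employee
        if not owner:
            reason = "no owner recorded"
        elif owner in status:
            reason = "owner " + status[owner]
        else:
            reason = "owner not in HR roster"
        idle = (as_of - date.fromisoformat(acct["last_logon"])).days
        findings.append({"username": acct["username"], "reason": reason,
                         "privileged": acct["privileged"] == "true",
                         "idle_days": idle})
    # Review order: privileged accounts first, then most idle.
    findings.sort(key=lambda f: (not f["privileged"], -f["idle_days"]))
    return findings

if __name__ == "__main__":
    for f in find_orphaned_accounts(HR_ROSTER, ACCOUNTS, date(2024, 6, 1)):
        print(f)
```

Accounts flagged with "no owner recorded" are often service accounts; they need an accountable owner assigned rather than automatic deletion.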

In conclusion, don’t let your orphaned accounts become a pickpocket living in the alleys of your network. Keep a watchful eye out with a privileged access management solution.      

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.