Dormant accounts, big security concern

Leading Identity and Access Management (IAM) vendor One Identity, part of Quest Software, has released findings on corporate security and key strategies to combat the situation.

Recent research by One Identity indicates that the problem of dormant accounts is much more widespread than previously thought. Survey respondents (over 900 IT security professionals from across the world) overwhelmingly (96%) stated that dormant accounts are a concern, but only 19% of respondents have tools in place to help locate the accounts. Additionally, 84% admitted to taking a month or more to proactively discover dormant accounts, and 64% are not completely confident that they know what dormant accounts exist. It is a recipe for a security disaster. No matter what efforts go into protecting against phishing and social engineering back-doors, if dormant accounts remain available, the risk is too high.

Locating and eliminating dormant accounts will significantly reduce security risks. But the practice is often difficult because of the way companies handle provisioning and deprovisioning. To mitigate the security risks involved in the proliferation of dormant accounts, companies should place the line-of-business leaders in charge of setting up and terminating accounts, as these individuals know best what is appropriate and inappropriate. They also have the most to lose if it is not done correctly.

When IT (as opposed to the line of business) is tasked with managing employee access, they typically lack the context of what is and is not appropriate and are not accountable to attest to the accuracy and appropriateness of that access. Therefore, even with the best intentions, IT often “over-provisions” users or bases permissions on those of other users, which may or may not be appropriate.

Another method that companies should employ is to automate and unify processes. When a single action, initiated by an authoritative data source (such as an HR system), fully sets up a user’s rights (provisioning) and fully terminates those rights when they are no longer needed (deprovisioning), dormant accounts quickly become the exception, not the rule.

This utopian approach, where the line of business is equipped to request, assign, manage, and terminate user rights, is achievable, although it generally requires a shift from traditional, IT-centered approaches to a more business-focused strategy. It is vital to ensure that the underlying technologies support the shift. In other words, the legacy tactics of provisioning and deprovisioning by email, phone call, spreadsheet, and work ticket are simply insufficient and ineffective.
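The HR-driven reconciliation described above can be sketched as follows. This is an added example, not code from One Identity or the survey; the record layout, the sample data and the 90-day idle threshold are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed sample data: the HR roster is treated as the authoritative source.
HR_ROSTER = {
    "e100": {"name": "A. Rivera", "status": "active"},
    "e101": {"name": "B. Chen", "status": "terminated"},
    "e102": {"name": "C. Okafor", "status": "active"},
}

# Constructed directory export: account, owning employee id, enabled flag, last logon.
ACCOUNTS = [
    {"account": "arivera", "owner": "e100", "enabled": True, "last_logon": date(2024, 5, 28)},
    {"account": "bchen", "owner": "e101", "enabled": True, "last_logon": date(2024, 1, 15)},
    {"account": "cokafor", "owner": "e102", "enabled": True, "last_logon": date(2024, 1, 2)},
    {"account": "svc-legacy", "owner": None, "enabled": True, "last_logon": None},
    {"account": "dpatel", "owner": "e099", "enabled": False, "last_logon": date(2023, 3, 1)},
]


def find_dormant(accounts, roster, today, max_idle_days=90):
    """Return {account: reason} for enabled accounts that need review or removal."""
    cutoff = today - timedelta(days=max_idle_days)  # assumed idle threshold
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned, nothing left to exploit
        person = roster.get(acct["owner"])
        if person is None:
            # No HR record stands behind this account: nobody will ever offboard it.
            findings[acct["account"]] = "orphaned: no owner in HR"
        elif person["status"] != "active":
            # HR says the person left, but the directory never caught up.
            findings[acct["account"]] = "owner terminated in HR"
        elif acct["last_logon"] is None or acct["last_logon"] < cutoff:
            findings[acct["account"]] = f"idle: no logon in {max_idle_days} days"
    return findings


if __name__ == "__main__":
    report = find_dormant(ACCOUNTS, HR_ROSTER, today=date(2024, 6, 1))
    for name, reason in sorted(report.items()):
        print(f"{name}: {reason}")
```

Run on a schedule against real exports, a check like this shortens the discovery window that most survey respondents put at a month or more.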

Another effective way to minimize the impact of bad actors is to manage and monitor access to the many administrative accounts that exist in an enterprise. Nothing discourages a bad actor more than making it impossible for them to gain access to the privileges and systems they desire. This principle of privileged access management eliminates the sharing of administrative credentials and assigns individual accountability to their use. When combined with effective provisioning/deprovisioning, security is dramatically improved.

The same research that revealed the challenges of dormant accounts also provided some useful insight into the need for effective privileged access management. For instance, only 14% of security professionals use tools designed to manage the distribution and lifecycle of administrative access credentials, while more than half of the respondents reported an inability to monitor all activity performed with administrative access, and another 88% admitted to facing challenges in effectively managing privileged passwords. Perhaps the most alarming finding (and the best news for bad actors) is that 86% do not change administrative passwords after each use and 40% continue to use default admin passwords.

There are strategies to remedy this situation. Some of the key strategies include never using a default password or, at the very minimum, changing the password when new installations or updates are made to the system. It is also important that passwords not be shared: research has shown that the root of critical security issues is many administrators sharing the passwords required for their jobs. This removes individual accountability and opens the door to former employees gaining inappropriate access.

Additionally, changing the admin password after each use, and using a ‘vaulting’ technology that stores and distributes the passwords and automatically changes them after each use, is also effective at closing security gaps. Further, carrying out regular preventative and forensic audits of administrator activity significantly reduces risk.

Finally, a key strategy is delegation. Most of the administrative activity required for day-to-day operations is relatively harmless, but is performed with the same permissions and credentials that can wreak havoc if they fall into the wrong hands. Technologies exist to enforce a ‘least privilege’ access model where individual administrators are issued just enough permission to do their daily jobs, but not enough to do damage. If they need additional permissions, these can be checked out from the vault and audited for appropriate use.

Unfortunately, the world has shifted from ‘will I be hacked?’ to ‘when will I be hacked?’ But with effective methodologies such as a dual strategy of closing easy front doors in the form of dormant accounts, and removing highly dangerous security vulnerabilities like unchecked privileged account access, this malice can be countered. In implementing security strategies, the company not only becomes an unattractive target but also minimizes the damage if and when an incident occurs.