Orphan Account

Orphan Account

Alternative Forms

  • Dormant Account

  • Orphan

  • Orphaned Account

  • Uncorrelated Account

Definitions

Definition 1

An Orphan Account is a digital identity whose presence is not justified by the active and legitimate ownership of a linked entity.

This definition may be elaborated per IAM domains or classes of entities:

  • In workforce IAM, it is a digital identity that is not owned by an active and legitimate employee (e.g. a former employee or an employee that was planned to start but wasn’t eventually onboarded).

  • In CIAM, it is a digital identity that is not owned by an active and legitimate client.

  • In OIAM, it is a digital identity that is not owned by an active and legitimate object.

  • In PAM, it is a digital identity that is not owned by an active and legitimate account owner. A key distinction between Orphan Accounts in PAM and workforce IAM or CIAM is that in PAM, digital identities may be non-nominative and transferable while in workforce IAM and CIAM, they are nominative and non-transferable.

The causes of Orphan Accounts comprise:

  • Entities that do not take initial ownership of their digital identity during onboarding (e.g. a recruitment where the new joiner does not eventually show up)

  • Entities that loses their legitimacy to own a digital identity (e.g. an employee who leaves the organization)

  • Entities that reach the end of their lifecycle (e.g. the death of a person in workforce IAM or CIAM, or the destruction of an object in OIAM)

  • Non-nominative digital identities that are not initially assigned to an account owner

  • Non-nominative digital identities whose account owner leaves the organization or moves to a different position

  • Digital identities created without any owner as part of development, testing or maintenance

The presence of Orphan Accounts in an information system poses an operational risk to the organization. More precisely, it poses a security risk and, depending on regulatory requirements, may also pose a compliance risk. The following risk scenarii or potential consequences illustrate how this risk may occur:

  • It is a common tactique for attackers to hack Orphan Accounts and use them in unauthorized ways.

  • When Orphan Accounts have never been used by their parent entities are coupled with weak authentication initialization procedures may be particularly vulnerable (e.g. digital identities initialized with default passwords and a change password at first login option when the newly recruited employee does not show up).

  • It is a common tactique for attackers to create new accounts. The presence of Orphan Accounts may increase the difficulty to detect the presence of an illegitimate account by blurring the information system with numerous useless accounts. Moreover, the absence of a process to identify and clean Orphan Accounts implies the absence of a process to identity and detect illegitimate accounts.

  • Orphan Accounts may still be usable by their linked entity when that entity lost its legitimacy to use the account (e.g. a former employee accessing a cloud service).

  • For non-nominative accounts, Orphan Accounts imply a lack of accountability. This lack of accountability may pose a severe risk when considering privileged accounts.

The controls or countermeasures that may mitigate Orphan Accounts comprise:

  • Automated provisioning and de-provisioning processes

  • (Automated) reconciliation controls between identity repositories and golden sources that map identities to active and legitimate entities (e.g. HR systems)

  • Controls that deactivate inactive identities

  • IAM audits

  • Monitoring of accounts creation in IT systems

  • PAM processes that assures continuous ownership of non-nominative accounts (e.g. when account owners change position or leave the organization)

  • Recertification controls over third-party identities

Related Best Practices

Sample Sentence

Bob was the administrator of the Accounting application. One of his duties was to manually provision and de-provision user accounts on the application. Since he felt this was a boring task, he ceased to de-provision user accounts thinking that “anyway, former employees cannot access the application”. Eve worked in the Accounting department where she used the Accounting application. She then left the company and came back a few years later but as a trader this time. Out of curiosity, she tried to access the Accounting application with her old password and it worked. With this access, when she later ended up under heavy pressure because of losses she made on the markets, she was able to hide her unauthorized transactions.

Conceptual Diagram

Definition 2

In IT systems that require multiple declarations of digital identities in sub-systems, an Orphan Account is an out of order user account because it is not declared in all the sub-systems where declaration is required by the parent system.

Example

In Microsoft SQL Server, users are declared in the database as database users and in the Microsoft SQL Server instance as SQL logins. A database user without a corresponding SQL login is out of order, it is an orphaned user.

Related Best Practices

Orphaned accounts constitute a security risk as they may potentially be used in unauthorized ways. In consequence the best practice consists in removing these users. See OM-BP-0017: Remove orphans in systems requiring the declaration of user accounts in multiple sub-systems (Best Practice).

Related Terms

Quotes

Quotes are only visible for subscribed members.

Bibliography

See Also


Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.


This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.