Former systems administrator Jeff Nielsen has a message for CIOs in this season of horrific employee layoffs and hard times: Beware orphaned user accounts.
A study from Symark International Inc., a maker of systems access management solutions, suggests that orphaned accounts -- user accounts that remain open after an employee leaves a company -- are a significant security risk at many corporations.
The survey of about 850 security, IT, human resource and C-level executives revealed that four in 10 businesses don't know how many orphaned user accounts exist in their organization, said Nielsen, now a senior product manager at Agoura Hills, Calif.-based Symark. And, even worse, 30% have no procedure to locate them. The survey also showed that even if the companies can locate orphaned accounts, in many cases it can take a month or longer to shut them down.
Say what? How is it possible that a business prepared to lay off thousands of people would not have a process in place to sever systems access?
"One reason is the number of applications in the organization," said certified security professional Scott Crawford, director of research at consulting firm Enterprise Management Associates (EMA) in Boulder, Colo. "Ask anybody who works with a black box assessment tool like Watchfire and they'll always tell you it's an eye-popper. It's an order of magnitude out of whack from what anybody thinks."
When Crawford was researching the issue, an auditor told him about a financial services firm where 42% of systems permissions were either overly broad or should have been retired. One person was still on the payroll six months after being terminated.
"Auditors have been pointing a finger at this quite a bit over the last couple of years," Crawford said, because lapses in systems control leave the door open to access to sensitive information and resources.
Orphaned accounts after employee layoffs pose special risks
Sally Hudson, research director, identity and access management, at IDC, said it's not really the number of orphaned accounts that puts a company at risk. It's the fact that the orphan accounts belong to people who may have a grievance after employee layoffs at a company, for example.
"There is a certain amount of risk posed by disgruntled, laid-off employees. It is very important that they be deprovisioned from all systems access, building access, telephone, etc., immediately upon termination," Hudson said.
Symark's Nielsen concurred. "If somebody is going to lose their job or lose their house or can't make their car payments or feed their family, they are more likely to do stupid stuff," he said.
Most people who have been laid off from their companies, he hastened to add, act honorably. "It is the 1% guy who can cause huge problems," he said.
The most dangerous of the 1-percenters? That would be your own IT staff.
In particular, systems administrators bring higher risk for two reasons: privileged systems access and IT's relatively low profile. In employee layoff situations, especially at large companies, CIOs focus on the business side rather than the relatively small IT workforce.
"We see CIOs more worried about what their business managers are physically carrying and emailing out of the company or copying on to memory sticks than on the IT people, who can do all that and more," said Ellen Libenson, vice president of product management at Symark.
IT people who have been given responsibility for protecting company systems and keeping them running "usually have the keys to the kingdom," Libenson said. If they are upset because they have been let go, retaliation can go far beyond walking out the door with a customer list.
"It can take the form of denial of service, sabotaged servers, selling information in chatrooms to identity theft criminals, cooperating with criminals to do some sort of data collection that is illegal," Libenson said. "We have seen it all."
When an employee leaves an organization, security administrators must make it a priority to immediately disable his systems access, she said. But this is easier said than done.
Thirty years ago, when a company's IT environment revolved around the mainframe computer, decommissioning an employee's computer access to an organization was a one-stop deal. Today IT departments are dealing with a constellation of access points, Nielsen said.
"Through the 1980s and '90s, when we started getting a proliferation of platforms specialized for various tasks -- Windows workstations for people's desktops, Unix servers to handle databases and mainframes to handle real-time ticketing systems and things like that -- you started to get a user's identity scattered across many, many systems," Nielsen said.
Part of the way to guard against retaliation from users, whether they have privileged or ordinary access, is to centralize technology and directory management. "If somebody goes out the door you can turn him off in five places, instead of 1,000," Nielsen said.
IDC's Hudson said identity and access management software provisioning systems, such as those from IBM, CA Inc., Oracle Corp., Courion Corp. and Novell Inc., can greatly reduce these risks by automatically deprovisioning an employee from all systems access. The Symark products all integrate with the common directories, either Microsoft's Active Directory or the Lightweight Directory Access Protocol directories from Sun Microsystems Inc. and Novell, so you can manage an identity in as few spots as possible. Then you have a much better chance not only of giving people appropriate access when they join the firm, but also of removing access when they leave, Nielsen said.
The last step in the identity management lifecycle
Besides the technology, having a process in place is crucial. Typically the corporate department that "owns" the status of an employee is human resources (HR), Nielsen said.
"What you really need to do is have a process where the IT folks who are responsible for turning off their computer access [are] integrated with whoever owns the status of the employee," he said. Most HR departments have a checklist for decommissioning employees. A line should be included to instruct IT to shut off the computer access and confirm that the shutdown has been completed.
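As an added example (not from the article, and not Symark's or any vendor's code), here is the check the survey says four in 10 companies cannot perform: reconcile the HR roster, the system that "owns" employee status, against a directory export, list every enabled account whose owner is terminated or unknown, and measure how long each has stayed open. The CSV column layouts, the group names treated as privileged and the sample rows are all constructed assumptions; the same logic works on a real Active Directory or LDAP dump once the columns are mapped.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample exports (not real data). Column layouts are assumptions:
# an HR roster keyed by employee_id, and a directory dump (AD/LDAP) in which
# each account carries the employee_id of its owner, if any.
HR_CSV = """employee_id,name,status,termination_date
E100,Ana Ruiz,active,
E101,Bob Tran,terminated,2009-02-13
E102,Cy Okafor,terminated,2009-03-27
E103,Dee Park,active,
"""

DIR_CSV = """username,employee_id,enabled,groups
aruiz,E100,true,staff
btran,E101,true,staff;domain-admins
cokafor,E102,true,staff
dpark,E103,true,staff
svc-backup,,true,backup-operators
old-contractor,E999,false,staff
"""

# Groups whose members hold "keys to the kingdom"; these names are assumptions.
PRIVILEGED_GROUPS = {"domain-admins", "backup-operators", "wheel"}

# Date the reconciliation is run (fixed so the example is reproducible).
REPORT_DATE = date(2009, 4, 10)


@dataclass
class Finding:
    username: str
    employee_id: str
    reason: str
    days_open: Optional[int]   # days since termination; None if no HR record
    privileged: bool


def load_roster(hr_text: str) -> dict:
    """Index the HR export by employee_id."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_text))}


def find_orphans(hr_text: str, dir_text: str, today: date, grace_days: int = 0) -> list:
    """Return enabled accounts with no living owner in HR, worst first.

    An account is orphaned if it is still enabled and either its owner is
    marked terminated (for longer than grace_days) or no HR record exists
    for it at all (an ownerless service account counts here too).
    """
    roster = load_roster(hr_text)
    findings = []
    for acct in csv.DictReader(io.StringIO(dir_text)):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled: no live exposure
        groups = {g for g in acct["groups"].split(";") if g}
        privileged = bool(groups & PRIVILEGED_GROUPS)
        owner = roster.get(acct["employee_id"])
        if owner is None:
            findings.append(Finding(acct["username"], acct["employee_id"],
                                    "no owner in HR roster", None, privileged))
        elif owner["status"] == "terminated":
            days = (today - date.fromisoformat(owner["termination_date"])).days
            if days > grace_days:
                findings.append(Finding(acct["username"], acct["employee_id"],
                                        "enabled after termination", days, privileged))
    # Privileged accounts first, then the ones that have been open longest.
    findings.sort(key=lambda f: (not f.privileged, -(f.days_open or 0)))
    return findings


def report(findings: list) -> list:
    """One line per finding, suitable for the ticket back to HR and IT."""
    return [
        f"{'PRIV ' if f.privileged else '     '}{f.username:<16}{f.reason}"
        + (f" ({f.days_open} days)" if f.days_open is not None else "")
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(find_orphans(HR_CSV, DIR_CSV, REPORT_DATE)):
        print(line)
```

Run on the constructed data, the report puts the terminated domain admin (56 days open) at the top, then the service account nobody in HR owns, then the ordinary user terminated two weeks ago; the already-disabled contractor account is ignored. Scheduled daily, this is also the "confirm that the shutdown has been completed" line on the HR checklist: an empty report is the confirmation, and anything else is a ticket.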
But how is it possible that the loop is not closed when an employee is let go?
"If IT people are being laid off in droves, there are fewer of them to do it, and if the HR people are too busy and don't notify them, they will never do it. People who want to perpetrate fraud count on that to happen," Libenson said.
EMA's Crawford summarized: "IT is complex, and deprovisioning is not necessarily a consistent process across all organizations. But the last step in the identity management lifecycle of all employees must be deprovisioning."
Let us know what you think about the story; email Linda Tucci, Senior News Writer.