Simply put, unused accounts – also referred to as dormant or inactive accounts – are accounts that haven’t been used for an extended period. In most cases, accounts that remain inactive for longer than 30 to 90 days are considered ‘unused’.
This description of course strongly resembles the definition of orphaned accounts, but there is an important difference between the two. An account that remains inactive for an extended time is called an unused account. However, as long as that account still has a valid owner (normally a current staff member or subcontractor of the organization), it is not an orphaned account.
It’s only when there is no longer a connection between an unused account and an owner, or when that connection becomes invalid because the owner no longer works for the company, that an unused account also becomes an orphaned account. There’s also a third category, called ‘rogue accounts’: previously unused accounts that have been hijacked by an unauthorized person or organization.
Rise of the unused accounts
There are a number of typical scenarios in which unused accounts come into existence. One is when a staff member is promoted to another function and therefore no longer uses specific software that was needed for the previous function. The account used to access that software becomes unused. Another scenario is when somebody goes on maternity leave for several months. If that information was not passed on properly to IT, this person’s accounts will also end up with an unused status.
Why bother, anyway?
First, unused accounts provide an angle of attack for hackers. From a hacker’s perspective, unused accounts are the equivalent of a home whose residents are absent, and where the door keys can be found under a flowerpot or on a nail in the carport. Joking aside, it’s a fact that hackers, much like burglars, tend to look for the easiest way in. And that’s precisely why they are attracted to unused accounts: nobody is watching the account, so misuse goes unnoticed for longer.
However, hackers are not the only problem here. Unused accounts can cause your organization to pay significant amounts of money for software that is no longer used. Typical examples are Office 365, Adobe Creative Cloud Suite, Salesforce, and many more.
US company 1E’s Software Usage and Waste Report calculated that in the US and the UK $34 billion is wasted on software licenses. It turns out that 30% of those licenses are not used at all. This waste is of course partly due to companies investing in software licenses they don’t actually need, but it’s a fact that this percentage can be significantly reduced by taking care of unused accounts.
Besides the risk of data breaches and unnecessary costs for unused software, compliance is yet another important reason why unused accounts can cause problems. ISO 27001, for instance, demands that redundant user IDs be identified and removed on a regular basis. And as NIS demands that organizations be compliant with ISO 27001, NIS indirectly asks the same thing.
Track & Trace
As discussed below, using the right technology can largely prevent unused accounts from existing, but the phenomenon can also be limited if HR informs IT correctly and promptly whenever someone will be inactive in the organization for an extended period of time. In practice, however, many companies’ IT departments are already overworked, so they often lack the manpower to act on this information properly.
A more reliable solution, which also avoids putting extra pressure on IT, is to use intelligent tools that can independently – without human intervention, that is – detect and list the unused accounts in the company. In general, these tools work on the basis of a set of user-determined guidelines. This way, you can for instance set how long a software account may remain unused before it is considered a potential problem.
The right approach
Once you have successfully mapped a number of unused accounts, it’s time to take the necessary steps to make sure they cannot harm your organization. The right approach depends on different factors, such as the number of unused accounts that were discovered, how long they have been inactive, the software costs involved, and so on. Of course, there’s no need to treat all unused accounts equally. On the contrary, it makes perfect sense to prioritize the unused accounts that carry the most risk.
There is no doubt that it’s vital to ensure that all accounts in the organization are active and are properly governed and monitored. If not, compliance (and company) requirements won’t be met, the organization might pay unnecessary costs for software, and the risk of data breaches will lurk beneath the surface.
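The classification above (active, unused, orphaned), the threshold-based detection described under “Track & Trace” and the risk-based prioritization described here can be put together in a small script. The following is an added example, not Elimity’s code or any real product: it works on a constructed directory export, assumes a 60-day threshold by default (anywhere in the 30 to 90 day range the text mentions is reasonable), and treats “owner has left” and “privileged entitlements” as the main risk drivers.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    user_id: str
    owner: Optional[str]         # None when no owner is linked to the account
    owner_active: bool           # False once the owner has left the organization
    last_login: date
    privileged: bool             # admin-style entitlements raise the priority
    monthly_license_cost: float  # what the seat costs while nobody uses it

def inactive_days(acct, today):
    return (today - acct.last_login).days

def classify(acct, today, threshold_days=60):
    """Return 'active', 'unused' or 'orphaned' per the definitions in the text."""
    if inactive_days(acct, today) < threshold_days:
        return "active"
    if acct.owner is None or not acct.owner_active:  # inactive and no valid owner
        return "orphaned"
    return "unused"

def prioritize(accounts, today, threshold_days=60):
    """Inactive accounts only, riskiest first: orphaned before unused, privileged
    before unprivileged, then longest inactivity, then highest license cost."""
    flagged = [a for a in accounts if classify(a, today, threshold_days) != "active"]
    return sorted(flagged, key=lambda a: (
        classify(a, today, threshold_days) != "orphaned",  # False sorts first
        not a.privileged,
        -inactive_days(a, today),
        -a.monthly_license_cost))

def wasted_license_cost(accounts, today, threshold_days=60):
    """Monthly spend on seats nobody has used within the threshold."""
    return sum(a.monthly_license_cost for a in accounts
               if classify(a, today, threshold_days) != "active")

# Constructed sample directory export (not real data); a fixed "today" keeps it reproducible.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Account("alice", "alice", True, date(2024, 5, 28), False, 12.0),  # in daily use
    Account("bob", "bob", True, date(2024, 2, 10), False, 20.0),      # promoted, tool no longer needed
    Account("carol", "carol", False, date(2023, 11, 3), True, 0.0),   # admin whose owner has left
    Account("dave", None, True, date(2024, 1, 15), True, 45.0),       # no owner linked at all
    Account("erin", "erin", True, date(2024, 3, 20), False, 30.0),    # on extended leave
]
```

With this sample, `prioritize(SAMPLE, TODAY)` puts the two orphaned admin accounts (carol, dave) ahead of the merely unused ones (bob, erin), and raising the threshold to 90 days moves erin back to “active”, which shows why the threshold should be a deliberate policy choice rather than a default.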
Where Elimity comes in
Elimity developed a powerful, yet easy-to-use tool which – amongst other things – successfully traces and lists all unused accounts in an organization. This highly intelligent tool can be used on its own, but also integrates flawlessly with most IAM software on the market.