Finding and Deactivating Orphan Accounts - Hitachi ID Identity Manager
Hitachi ID Identity Manager can be used to find orphan and dormant accounts:
- The last login date and time can be extracted from each managed
system for every account it holds. Accounts whose last login is older
than a chosen idle threshold can be flagged as dormant.
- Login ID reconciliation data can link a dormant account on one system
to the same user's accounts on other systems, including systems that
do not record a last login date and so cannot be assessed directly.
- Login ID reconciliation data can be used to identify
accounts that have no apparent owner -- i.e., they exist in
the login ID inventory on a system, but no current user has
attached the account to his or her own profile.
The lists of dormant and orphan accounts generated in this way are
tentative and should not, in general, be disabled automatically.
For example, an apparently dormant account may simply be used
infrequently, while an apparently orphan account may simply not yet
have been attached to its owner's profile.
Orphan and dormant account lists can and should be reviewed manually
to remove such obvious errors. The resulting, sanitized lists are then
resubmitted to Identity Manager, first to batch-disable the accounts
and later to batch-delete them.
The interval between disabling and deleting gives the owners of those
accounts time to notice the loss of access and report it, so that
wrongly flagged accounts are reactivated rather than deleted.
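As an added illustration (not Identity Manager code, and not its data model), the following Python puts the three detection steps and the staged disable-then-delete workflow into one runnable script over constructed inventory and reconciliation data. The system names, login IDs, the 90-day idle threshold and the 30-day grace period are all assumptions chosen for the example:

```python
"""Dormant/orphan account triage across several managed systems.

Added illustration only: constructed data and hypothetical names, not
Hitachi ID Identity Manager code or its data model.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Set, Tuple

Key = Tuple[str, str]  # (system, login_id)


@dataclass(frozen=True)
class Account:
    system: str
    login_id: str
    last_login: Optional[date]  # None: the system does not record last login


# Constructed inventory of three managed systems; "mainframe" keeps no
# last-login timestamps, so its accounts can only be judged indirectly.
INVENTORY = [
    Account("ad", "jsmith", date(2024, 5, 2)),
    Account("ad", "agarcia", date(2023, 9, 15)),
    Account("ad", "svc-backup", date(2024, 5, 1)),
    Account("ldap", "jsmith", date(2024, 4, 30)),
    Account("ldap", "agarcia", date(2023, 8, 1)),
    Account("ldap", "tmp_contractor", date(2022, 1, 10)),
    Account("mainframe", "JSMITH1", None),
    Account("mainframe", "AGARC01", None),
    Account("mainframe", "OLDX99", None),
]

# Constructed login ID reconciliation data: user profile -> attached accounts.
PROFILES: Dict[str, Set[Key]] = {
    "jsmith": {("ad", "jsmith"), ("ldap", "jsmith"), ("mainframe", "JSMITH1")},
    "agarcia": {("ad", "agarcia"), ("ldap", "agarcia"), ("mainframe", "AGARC01")},
}


def find_dormant(inventory, profiles, today, max_idle_days=90):
    """Flag accounts idle for more than max_idle_days, then carry the flag
    across reconciliation data: when every login-tracking account attached to
    a profile is dormant, the profile's accounts on systems that do not track
    last login are flagged as well."""
    cutoff = today - timedelta(days=max_idle_days)
    by_key = {(a.system, a.login_id): a for a in inventory}
    dormant = {k for k, a in by_key.items()
               if a.last_login is not None and a.last_login < cutoff}
    for attached in profiles.values():
        tracked = [k for k in attached
                   if k in by_key and by_key[k].last_login is not None]
        if tracked and all(k in dormant for k in tracked):
            dormant.update(k for k in attached
                           if k in by_key and by_key[k].last_login is None)
    return dormant


def find_orphans(inventory, profiles):
    """Accounts present in the inventory that no user profile has attached."""
    owned = set().union(*profiles.values())
    return {(a.system, a.login_id) for a in inventory
            if (a.system, a.login_id) not in owned}


def batch_disable(candidates, review_exclusions, today):
    """Stage 1, after manual review: disable the sanitized list and record
    the date so the grace period before deletion can be enforced."""
    return {k: today for k in candidates if k not in review_exclusions}


def reactivate_profile(disabled, profiles, user):
    """An owner reported lost access: undo the disable for every account
    attached to their profile and return the keys that were restored."""
    restored = {k for k in profiles.get(user, set()) if k in disabled}
    for k in restored:
        del disabled[k]
    return restored


def due_for_deletion(disabled, today, grace_days=30):
    """Stage 2: only accounts still disabled after the grace period are deleted."""
    return {k for k, d in disabled.items()
            if today - d >= timedelta(days=grace_days)}


def run_example():
    """Full walk-through on the constructed data; returns the final deletion set."""
    today = date(2024, 5, 15)
    candidates = (find_dormant(INVENTORY, PROFILES, today)
                  | find_orphans(INVENTORY, PROFILES))
    # Manual review drops an obvious false positive: a service account in
    # active use that has simply not been attached to an owner's profile yet.
    disabled = batch_disable(candidates, {("ad", "svc-backup")}, today)
    # During the grace period agarcia returns from leave and reports lost access.
    reactivate_profile(disabled, PROFILES, "agarcia")
    return due_for_deletion(disabled, today + timedelta(days=30))


if __name__ == "__main__":
    print(sorted(run_example()))
```

Two points from the walk-through are worth noting. The mainframe account AGARC01 is never judged on its own (the system records no last login); it is flagged only because every login-tracking account on the same profile is dormant, which is the reconciliation step the text describes. And the list handed to batch_disable differs from the raw detection output: svc-backup is an orphan by the inventory but was used two weeks ago, which is exactly the kind of false positive the manual review exists to catch before anything is disabled.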