Orphan accounts represent two kinds of security risk:
- If the account actually has no owner, or the owner has left, they represent an elevated risk of misuse, since any unusual use of the account will not be detected by the account's (absent) owner.
- Orphan accounts cannot be reliably deactivated when their owner leaves, because of the missing linkage to that owner.
Orphan accounts are related to, but not the same as, orphan users, which are users whose relationship to the organization is undefined, but whose identity is known.
Hitachi ID Identity Manager can be used to find orphan and dormant accounts:
- The last login time and date can be extracted from each managed
system, for each user. Users who have not logged in recently
can be flagged as dormant accounts.
- Login ID reconciliation data can connect dormant accounts on
one system, to unmarked accounts on another system, which may
not track last login date.
- Login ID reconciliation data can be used to identify accounts that have no apparent owner -- i.e., they exist in the login ID inventory on a system, but no current user has attached the account to his or her own profile.
The lists of dormant and orphan accounts generated in this way are tentative and should not in general be automatically disabled. For example, apparently-dormant accounts may simply be infrequently used, while apparently-orphan accounts may simply not yet have been attached to their owner's profile.
Orphan and dormant account lists can and should be manually reviewed, to remove obvious errors. The resulting, sanitized lists should be resubmitted to Identity Manager first to batch-disable, and later to batch-delete.
The time interval between disabling and deleting orphan accounts gives the owners of those accounts time to notice the problem and complain, thereby causing their accounts to be reactivated.