How to Streamline Zombie Account Management?

Jay · Published in System Weakness · 4 min read · May 8, 2024


Introduction

For a startup or an enterprise, employees mean business continuity and success. They are the prime contributors to innovation and growth, applying their expertise to build ingenious solutions. To build and deliver these solutions, the employees must be granted the access they need. Once that access is enabled, solutions with endless possibilities can be unlocked.

However, employees do not stick around forever, and once off-boarded, inactive accounts cannot remain in the system as they pose security risks. Managing these inactive accounts is a challenge for businesses when tens of thousands of profiles are involved. Let us uncover how to efficiently manage this issue.

Zombie Accounts — Are They a Threat?

Accounts of inactive users that are still in an accessible state are zombie accounts. The user journey from new joiner to tenured associate takes many turns. At every stage of the journey, users need to gain access to new information to meet their requirements. The sensitivity of the information increases with each level of access. Some accesses are generic and can be requested by everyone, like access to the Confluence page or Jira board. Some accesses are internal or confidential and are granted only to a few users after a valid approval is provided, for example, access to a secrets manager or admin access to a production environment.

When users with admin access to many confidential and internal systems leave the organization, these zombie accounts remain in the system until they are handled. When organizations don’t deactivate or prune these accounts, the risk of outsiders gaining access through them is high. An attacker who takes over such an account can use it to carry out a chain of further attacks. These accounts need to be handled promptly to close this security gap.

Streamlining Zombie Account Management

Scheduled and manual account maintenance is time-consuming and prone to misses. Support teams are tasked with cleaning up inactive accounts on every schedule. These efforts need a very detailed analysis of the user’s active and inactive statuses in the system. After gathering this information, they need to query access control lists and IAM groups to understand which groups or policies the inactive users are part of.

Now, the support teams will go to every access group and remove the inactive user accesses. Sometimes, user access from at least 2 out of 10 access groups can be missed, and a single miss can cause severe security incidents. Considering the following management strategies helps security teams stay vigilant and eliminate zombie accounts:

Centralized Management Service Synced with HR Systems

Maintaining a centralized service or tool that captures user access in a hierarchy is the key to streamlining the management. For instance, a custom implementation leveraging a service such as Active Directory or LDAP administers the access provisioning and logs the access level information into a registry.

This registry will hold all the information concerning user access to every tool and system in the organization. When such a custom service is available, keeping the information in sync with HR systems can be easily achieved. With the information on user access and account status in one place, automation can be built to handle zombie accounts.

Custom Process with Automated Schedules

Not all accesses are provisioned and managed through centralized tools or services. For cloud-based resources, SaaS offerings, and other third-party services, access is provisioned via IAM policies, groups, and third-party registries. With a centralized management service, one can only streamline the accounts that are part of AD or LDAP. Every inactive user account is a security risk, be it in internal systems or third parties.

A scripted solution with custom and extendable capabilities that integrates with organizational software and services is crucial. With this custom solution, every application, system, third-party registry, and more can be easily onboarded. This way, handling zombie accounts becomes streamlined and automated. Running the jobs on a schedule keeps the access data in sync with the HR system and applies the security measures as soon as a user’s status changes.
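As an added example (not code from the original article), this is the reconciliation such a scheduled job performs, serving both the centralized registry above and the scripted sync: the HR feed, the access registry and its group names are constructed sample data of an assumed shape. It lists every membership of every zombie account across LDAP, cloud IAM and SaaS registries, so the "2 out of 10 groups missed" problem does not arise, and orders privileged accounts first.

```python
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2024, 5, 8)  # run date of this scheduled job (constructed)
# Constructed HR feed (assumed shape): employee id -> employment status and leave date.
HR_ROSTER = {
    "e100": {"status": "active", "left": None},
    "e200": {"status": "terminated", "left": date(2024, 4, 30)},
    "e300": {"status": "terminated", "left": date(2024, 5, 3)},
}
# Constructed access registry: (system, group) -> member ids. It lists AD/LDAP groups
# alongside cloud IAM groups and SaaS registrations, so every membership is visible.
ACCESS_REGISTRY = {
    ("ldap", "confluence-users"): {"e100", "e200", "e300"},
    ("ldap", "prod-admins"): {"e200"},
    ("aws-iam", "SecretsManagerAdmins"): {"e200", "e300"},
    ("saas-crm", "editors"): {"e300", "e999"},  # e999 has no HR record at all
}
PRIVILEGED = {"prod-admins", "SecretsManagerAdmins"}  # hypothetical high-risk groups

@dataclass
class Finding:
    user: str
    reason: str
    memberships: list = field(default_factory=list)
    priority: str = "normal"

def find_zombies(roster, registry, today=TODAY):
    """Return one Finding per account that has access but no active employee behind it."""
    by_user = {}
    for (system, group), members in registry.items():
        for uid in members:
            by_user.setdefault(uid, []).append((system, group))
    findings = []
    for uid, memberships in sorted(by_user.items()):
        record = roster.get(uid)
        if record is not None and record["status"] == "active":
            continue  # current employee: not a zombie
        reason = "no HR record" if record is None else (
            f"terminated {record['left']}, {(today - record['left']).days}d ago")
        prio = "high" if any(g in PRIVILEGED for _, g in memberships) else "normal"
        findings.append(Finding(uid, reason, sorted(memberships), prio))
    return findings

def deprovision_plan(findings):
    """Every membership of every zombie, privileged accounts first, so none is skipped."""
    ordered = sorted(findings, key=lambda f: (f.priority != "high", f.user))
    return [(f.user, system, group) for f in ordered for system, group in f.memberships]
```

Each tuple in the plan is one removal to execute against the named system; an account with no HR record at all is reported as well, since the registry is the only place it would ever show up.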

Access Isolation

Sometimes, anomalies are inevitable, irrespective of effort. For every precautionary step that is architected and implemented, some factor will influence the outcome. Custom solutions, automated syncs, and centralized management are effective only when every stage succeeds. At times, the backend team will miss a user status update, an automated job will fail, or a centralized service will go down. Anticipating every factor and handling every situation is overwhelmingly complicated.

Isolating the accesses works in every situation. Instead of enabling direct access to the base machine or the calling instance, leveraging virtual systems protected by dedicated VPNs is secure. These VPNs can be secured with multi-factor authentication. Only users with legitimate permissions can log in and reach the virtual instance. All internal tools and services should be made reachable only through these VPNs.

Another approach is IP filtering. The virtual instance approach is useful for internal tools; when external tools are involved, IP restrictions should be enabled instead. User accounts must only be allowed to access SaaS or third-party services from allowed IPs. This way, access from outside is blocked, and zombie accounts remain isolated from external use even if deprovisioning was missed.

Conclusion

Zombie accounts expose personal and protected information, making them a security risk. Staying vigilant and conducting regular account cleanups is crucial to maintaining a robust security posture. Equipping existing services to streamline and creating custom solutions to automate the management of zombie accounts proves useful in the long run. Identifying, verifying, and deactivating the accounts should be handled efficiently to avoid vulnerabilities and attacks.
