Orphaned Identities: Identifying the 8% Leak in Modern Infrastructure

What happens to a user account when the user leaves?

Ideally, HR triggers a process, IT clicks a button, and access is revoked everywhere.

In reality, our data shows that in the average enterprise, **8% of all active accounts are "Orphaned."** These are accounts that belong to users who no longer work at the company, yet the account remains active, often with valid credentials.

The Disconnect Between HR and IT

The root cause is usually a disconnect between the "System of Record" (HR) and the "Systems of Access" (Cloud, SaaS, Legacy Apps).

**Scenario:** Jane leaves the company. HR disables her AD account. She can't log in to her laptop or email.

**The Leak:** But Jane also had a local admin account on a dev server, a separate login for a marketing tool, and an API key for a reporting script. None of these were connected to AD. They are now orphans.

Why 8% is a Crisis

If you have 5,000 employees, an 8% leak means you have **400 active accounts** floating around with no owner.

This is a goldmine for attackers.

**No Monitoring:** Since no one uses the account, no one notices if it's being brute-forced.

**No MFA:** Often these side accounts lack the strict controls of the main corporate identity.

**Persistence:** Attackers who breach a network often look for orphaned accounts to establish a permanent foothold.

Closing the Gap

To fix the 8% leak, you need **Identity Reconciliation**.

**Correlate Everything:** You need a tool that pulls user lists from *every* app (not just AD) and compares them against the active HR roster.

**Automate Offboarding:** Don't rely on tickets. Build workflows that automatically trigger de-provisioning across all connected systems when an employee status changes in HR.

**Orphan Hunts:** Regularly run scans specifically looking for accounts with no clear owner (e.g., accounts named "test", "admin2", or linked to personal emails).
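A minimal reconciliation of the kind described above, as an added example (not Cydenti's tooling): it correlates constructed per-app user lists against a constructed HR roster, flags ex-employee accounts as orphans, and applies the orphan-hunt heuristics (generic names, personal email domains) to accounts with no HR match. The domain names, status values and heuristic lists are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}   # assumed
GENERIC_NAMES = {"test", "admin", "admin2", "temp", "svc"}      # assumed

# Constructed HR roster (System of Record): login -> employment status.
HR_ROSTER = {
    "jane.doe@example.com": "terminated",
    "bob.lee@example.com": "active",
    "ana.ruiz@example.com": "active",
}
# Constructed per-app user lists (Systems of Access) not tied to AD.
APP_ACCOUNTS = {
    "dev-server-local": ["jane.doe@example.com", "bob.lee@example.com", "admin2"],
    "marketing-tool": ["jdoe@gmail.com", "ana.ruiz@example.com", "test"],
    "reporting-api": ["jane.doe@example.com", "ana.ruiz@example.com"],
}

@dataclass(frozen=True)
class Finding:
    app: str
    account: str
    reason: str

def classify(account: str, roster: dict) -> Optional[str]:
    """Return why an account has no clear active owner, or None if it reconciles."""
    status = roster.get(account.lower())
    if status == "active":
        return None                                   # matches an active employee
    if status is not None:
        return f"orphaned: owner is {status} in HR"   # ex-employee, still has access
    local, _, domain = account.lower().partition("@")
    if domain in PERSONAL_DOMAINS:
        return "linked to personal email, no HR match"
    if local in GENERIC_NAMES:
        return "generic/shared name, no HR match"
    return "no HR match"

def reconcile(roster: dict, app_accounts: dict) -> list:
    """Correlate every app's user list against HR; return accounts needing review."""
    return [Finding(app, acct, reason)
            for app, accts in sorted(app_accounts.items())
            for acct in accts
            if (reason := classify(acct, roster))]

def orphan_rate(roster: dict, app_accounts: dict) -> float:
    """Share of app accounts that do not reconcile to an active employee."""
    total = sum(len(a) for a in app_accounts.values())
    return len(reconcile(roster, app_accounts)) / total if total else 0.0

if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, APP_ACCOUNTS):
        print(f"{f.app:18} {f.account:24} {f.reason}")
    print(f"unreconciled accounts: {orphan_rate(HR_ROSTER, APP_ACCOUNTS):.0%}")
```

In a real deployment the roster and account lists would come from the HR system's and each application's user export rather than from inline constants.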

Conclusion

An orphaned identity is a ticking time bomb. It has all the privileges of an employee but none of the accountability. Finding and removing these ghosts is one of the fastest ways to reduce your attack surface.