
Unmanaged corporate login accounts are a significant source of risk

Companies have lost one in five of these login keys

By Andreas Faruki

Login accounts are the keys to your company’s most important business systems. With Internet access to enterprise networks now the standard operating procedure, it is no longer necessary for users with active login credentials to be physically at a secured facility or to use a company-controlled computer. With this technological convenience comes risk: malicious users can — and do — access the network undetected from external access points using unrevoked “keys.”

Despite the growing trend, companies aren’t changing their locks.

The risks of unmanaged login accounts are real
Industry data suggests that one in five functioning login accounts are not controlled by the company to which they provide access. This constitutes a huge regulatory risk, and such security breaches are commonly found by auditors testing security systems. Despite this, many organizations are doing little to correct this problem, largely because they are unaware that it exists, or do not understand the seriousness of the risk involved.

One rogue user with inappropriate access can create a range of problems for a company, from the mischievous to the disastrous. Fallout from recent, well-publicized business data breaches compromising customers’ personal data demonstrates the magnitude of the risk. Having one in five login accounts unaccounted for is unacceptable and must be addressed by companies across all industries and services.

Driven by external regulatory pressures and internal security requirements, companies are beginning to look for more effective ways to control user access to their critical business systems, and many are installing large-scale identity management systems. Companies are finding, however, that a pervasive issue is emerging that can hamper the implementation of these systems before they even get underway: legacy login credential data. This data, which must be entered and accounted for in any new identity management system, is in a much greater state of confusion and disarray than ever imagined.

Identity management risks affect all sectors
Across all industries, corporations are gradually becoming aware of these problems. Deloitte’s Identity Management practitioners have conducted detailed analyses of login credentials. We have found that unmanaged login accounts are neither isolated instances nor industry-specific; in fact, these risks are present to some degree in almost all organizations.

This is the result of both the demands of doing business and the complex nature of managing outgoing and incoming personnel. It is natural for managers and IT departments to focus on quickly setting up new users to be productive rather than on de-provisioning every account that is, in theory, no longer in use.

Over time, this can lead to an accumulation of wide-ranging and disparate login credentials that research shows is surprisingly difficult to clean up. It is this difficulty in correcting the problem that perhaps explains its persistence. Most companies report that scrubbing old accounts requires a massive, long-term, manual effort, while still leaving 10% to 20% of problem credentials unmatched to any person, group or system. And unfortunately, these residual logins cannot simply be turned off, as they may rightfully belong to systems or people involved in critical business processes. Often, it is almost impossible to know.

Removing old login accounts is essential to robust identity management
Companies keen to reduce their risks can take advantage of specialized tools and processes. Deloitte’s Identity Management group works with companies to implement tools and processes that accomplish this scrubbing and matching job in a fraction of the time, and at lower cost, than some companies are currently experiencing. Using these methods, a modest project can immediately and significantly reduce potentially damaging risk and negative audit findings, and complete an essential first step toward installing an identity management system.
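The scrubbing and matching job described above, and the residual of logins that cannot simply be turned off, as an added illustration that is not Deloitte's tooling or the article's own code. It assumes a constructed HR roster keyed by person id and a constructed account inventory; the match against HR decides what to keep or disable, while anything unmatched goes to a review bucket, prioritised by recent activity, rather than being disabled blindly.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Account:
    login: str
    owner_id: str                 # HR id the account claims; "" when unknown
    last_login: Optional[date]    # None if never used

# Constructed sample data (assumption): HR roster keyed by person id.
HR_ROSTER: Dict[str, str] = {"E100": "active", "E101": "terminated", "E102": "active"}

# Constructed sample account inventory pulled from a directory or application.
ACCOUNTS: List[Account] = [
    Account("jdoe", "E100", date(2024, 5, 1)),            # owner still employed
    Account("asmith", "E101", date(2024, 3, 12)),         # owner has left
    Account("svc_backup", "", date(2024, 5, 2)),          # no owner, in daily use
    Account("tmp_contractor7", "", date(2022, 1, 9)),     # no owner, long dormant
    Account("bwong", "E999", None),                       # owner id unknown to HR
]

def classify(acct: Account, roster: Dict[str, str], today: date,
             dormant_after: timedelta = timedelta(days=90)) -> str:
    """Return 'keep', 'disable', 'review-active' or 'review-dormant'."""
    status = roster.get(acct.owner_id) if acct.owner_id else None
    if status == "active":
        return "keep"
    if status == "terminated":
        return "disable"            # owner known to have left: de-provision
    # Unmatched to any person. Do not disable blindly: it may be a service
    # account behind a critical process. Recent activity raises review priority.
    if acct.last_login is not None and today - acct.last_login <= dormant_after:
        return "review-active"
    return "review-dormant"

def reconcile(accounts: List[Account], roster: Dict[str, str],
              today: date) -> Dict[str, List[str]]:
    """Group logins by disposition so each bucket gets its own workflow."""
    buckets: Dict[str, List[str]] = {}
    for acct in accounts:
        buckets.setdefault(classify(acct, roster, today), []).append(acct.login)
    return buckets

def unmatched_share(buckets: Dict[str, List[str]]) -> float:
    """Fraction of accounts no person could be matched to (the residual)."""
    total = sum(len(v) for v in buckets.values())
    unmatched = len(buckets.get("review-active", [])) + len(buckets.get("review-dormant", []))
    return unmatched / total if total else 0.0
```

The review buckets are the residual the article warns about: the script surfaces them for an owner to be found, but never decides on its own to switch them off.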