Once an Orphan Account, Always an Orphan Account?!

Ensuring continuous governance around “who has access to what” is a critical requirement for organizations. This is usually achieved by implementing an Identity Governance and Administration (IGA) solution, in which users are mapped to accounts through a set of pre-defined rules. While mapping a user to a single primary account is easily managed, complexities arise when a user has multiple accounts. Furthermore, establishing ownership of non-user accounts such as system accounts, application accounts, service accounts, etc. is a daunting task. Even where such a mapping can be established, it is usually not done in IGA systems, since these accounts need to be managed differently than users’ primary accounts.

So, what happens to these accounts? They are left as orphan accounts, which means that no owner is associated with them and hence there is no accountability. These accounts accumulate over time and grow in volume. Since no strict governance can be established for them systematically, they end up becoming more vulnerable through weak passwords, non-expiring passwords, and accumulated permissions, including privileged access.
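As an added illustration (not part of the original post), the sketch below applies a few pre-defined correlation rules to an account inventory and reports the accounts left without an owner, together with the risk attributes mentioned above. The field names, the `adm-` naming convention and the sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Account:
    name: str
    system: str
    employee_id: str = ""
    email: str = ""
    password_never_expires: bool = False
    privileged: bool = False

# Constructed sample data (not from any real directory).
IDENTITIES = [
    {"id": "E1001", "email": "a.rivera@example.com", "login": "arivera"},
    {"id": "E1002", "email": "j.chen@example.com", "login": "jchen"},
]
ACCOUNTS = [
    Account("arivera", "AD", employee_id="E1001"),
    Account("adm-arivera", "AD", privileged=True),
    Account("jchen2", "CRM", email="J.Chen@example.com"),
    Account("svc-backup", "AD", password_never_expires=True, privileged=True),
    Account("app-report", "DB", password_never_expires=True),
]

def find_owner(acct, identities):
    """Check each identity against the correlation rules; return (id, rule) or None."""
    login = acct.name.lower()
    login = login[4:] if login.startswith("adm-") else login  # assumed admin naming rule
    for ident in identities:
        if acct.employee_id and acct.employee_id == ident["id"]:
            return ident["id"], "employee_id"
        if acct.email and acct.email.lower() == ident["email"].lower():
            return ident["id"], "email"
        if login == ident["login"]:
            return ident["id"], "login_name"
    return None

def orphan_report(accounts, identities):
    """Return (name, system, risk flags) for unowned accounts, highest risk first."""
    report = []
    for acct in accounts:
        if find_owner(acct, identities) is None:
            flags = [f for f, on in (("privileged", acct.privileged),
                                     ("password_never_expires", acct.password_never_expires)) if on]
            report.append((acct.name, acct.system, flags))
    return sorted(report, key=lambda r: len(r[2]), reverse=True)

if __name__ == "__main__":
    for name, system, flags in orphan_report(ACCOUNTS, IDENTITIES):
        print(f"ORPHAN {system}/{name}: {', '.join(flags) or 'no risk flags'}")
```

The secondary admin account and the CRM account are correlated by the naming and email rules, while the service and application accounts match no rule and surface as orphans ranked by their risk flags.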

Have you faced these issues? What can be done to address this gap or at least reduce it?

~ Paul
