Unintended Liability. Are You at Risk?

Two recent blog posts (by Kearns and JBohren) refer to a damning number: the high percentage of orphan accounts that exist in most applications and in most large organizations. An “orphan” is an account that belongs to someone who has left the organization (or never existed in the first place); it cannot be associated with a real person with a real need for access.

The usual concern here is for corporate assets: the “ex” employee can still be logging in and looking at data after he’s gone to work for your competitor. We have many examples where automation has exposed and eliminated this back door.

But what about you and your personal liability? If you leave a company, and your ID stays behind, and stays active, are you liable if it’s used for bad purposes? Personally, if I were doing something “prohibited” I’d much rather be using an ID belonging to a departed employee or contractor.

As a consultant, I deal with this issue a lot. On multiple occasions, I have returned to a client months or years after leaving, and discovered that my old account IDs and passwords were still valid! So, my current policy is to send the company an email (receipt requested) telling them that I am leaving, and formally request that they de-provision the accounts. If I could put the account in a shredder myself, I would. If only there WERE a virtual account shredder I could use!

Typically, I receive what are known as “privileged” accounts. My “heebie jeebie” meter goes way up whenever I get one of these accounts, and it pegs the meter when I leave a gig. Someone else using this account, in essence in my name, can do tremendous damage, and I’d have a very hard time proving it wasn’t me.
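The kind of automation mentioned above, reconciling an application's account list against the HR roster to surface orphans, and weighting privileged ones higher, is easy to sketch. The following is an added example, not code from the original post or from any product it mentions; the roster, the account export, the `svc_backup` service account and the severity labels are all constructed for illustration. It also flags the specific case the post worries about: an account that has logged in after its owner's departure date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# Constructed sample data, not taken from the original post.
# HR roster: who currently has a legitimate need for access.
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob":   {"status": "terminated", "end_date": date(2008, 1, 15)},
    "carol": {"status": "active", "end_date": None},
}

# Application account list, as an identity audit would export it (constructed).
APP_ACCOUNTS = [
    {"id": "alice", "enabled": True,  "privileged": False, "last_login": date(2008, 3, 1)},
    {"id": "bob",   "enabled": True,  "privileged": True,  "last_login": date(2008, 2, 20)},
    {"id": "carol", "enabled": True,  "privileged": True,  "last_login": date(2008, 3, 2)},
    {"id": "dave",  "enabled": True,  "privileged": False, "last_login": date(2007, 11, 3)},
    {"id": "erin",  "enabled": False, "privileged": True,  "last_login": None},
    {"id": "svc_backup", "enabled": True, "privileged": True, "last_login": None},
]


@dataclass
class Finding:
    account_id: str
    privileged: bool
    severity: str   # "critical" > "high" > "medium"
    reason: str


def find_orphans(accounts, roster, known_service_accounts: Iterable[str] = ()) -> list:
    """Return one Finding per enabled account that has no active owner in the roster."""
    service = set(known_service_accounts)
    findings = []
    for acct in accounts:
        if not acct["enabled"] or acct["id"] in service:
            continue  # already disabled, or an inventoried service account
        person = roster.get(acct["id"])
        if person is not None and person["status"] == "active":
            continue  # has a real owner with a current need for access
        if person is None:
            reason = "no matching person in HR roster"
            used_after_departure = False
        else:
            end = person["end_date"]
            reason = f"owner {person['status']} on {end.isoformat()}"
            # The post's nightmare case: the account was used after the owner left.
            used_after_departure = acct["last_login"] is not None and acct["last_login"] > end
        if used_after_departure:
            severity = "critical"
            reason += "; account used after departure"
        elif acct["privileged"]:
            severity = "high"   # a privileged orphan can do "tremendous damage"
        else:
            severity = "medium"
        findings.append(Finding(acct["id"], acct["privileged"], severity, reason))
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (rank[f.severity], f.account_id))
    return findings


def deprovisioning_queue(findings) -> list:
    """Account ids to disable now, most urgent first."""
    return [f.account_id for f in findings]


if __name__ == "__main__":
    for f in find_orphans(APP_ACCOUNTS, HR_ROSTER, known_service_accounts=["svc_backup"]):
        print(f"{f.severity:8} {f.account_id:12} privileged={f.privileged}  {f.reason}")
```

Two design points matter in practice. Service accounts must be explicitly inventoried rather than silently skipped, otherwise the check is blind to exactly the long-lived privileged IDs that accumulate; run without the allowlist, `svc_backup` correctly surfaces as a high-severity finding. And the "used after departure" check needs a reliable departure date from HR, which is the same record a departing consultant's receipt-requested email is trying to create.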

So, what do you do to make sure your accounts die when you leave?
