Data breaches where user credentials have been stolen and leaked online are all too common, and the aftermath follows the same pattern. The Service Provider will investigate, invalidate the affected login credentials and require users to reset passwords. But, what happens when credentials are stolen from applications that are no longer in use in your organisation, applications that were probably long abandoned? There's no action required and no need to be concerned, right?
You may have forgotten those apps, but those apps haven’t forgotten your password
Your organisation may have left apps or services behind when you’ve found more cost-effective ones, but those abandoned accounts may be coming back to haunt you.
So, what’s the risk?
When a Service Provider (SP) is hacked and user credentials are stolen, the SP will invalidate the passwords for all affected accounts and notify the account holders. So, what's the big worry about having usernames and passwords stolen for old abandoned accounts your organisation no longer use? The concern centres around weak employee practices - where employees will typically have used those same credentials for other applications within the organisation.
While this is a problem regardless of whether an account has been abandoned, these abandoned accounts can present a greater risk because the organisation is less likely to be aware that they've been compromised, and even if made aware, less likely to act on that information - who cares about accounts that are no longer used after all...
The consequence is that the authentication credentials stolen for a long-abandoned account that you potentially didn't know was compromised, or didn't care was compromised, are posted online and available to be tried against other accounts that are in use across your organisation.
The two main practices that leave your organisation open to this risk:
- employees using the same password for multiple applications
- organisations moving away from old applications without de-provisioning the accounts.
When employees are tasked with creating application passwords for your organisation, they will typically use the same password they've previously used elsewhere, either for personal use such as LinkedIn, or other business accounts.
Systems and applications become obsolete and organisations often choose to move on and use something new to the market – but often little thought is given to that redundant account. It may be inactive, and the license is no longer paid for, but the account and the credentials that protect it remain out in the wild. The use of same or similar passwords by employees result in live applications being protected by these same credentials that were stolen and now available to hackers. Ceasing end-user access to accounts doesn’t close the accounts - those accounts need to be de-provisioned/deleted.
What can our organisation do to protect against this risk?
Where possible, replace credential-based authentication with token-based authentication (e.g. SAML). Where this isn’t possible, organisations can implement Single Sign-On (SSO) that will auto-generate strong passwords on users’ behalf, removing the practice of employees choosing to use the same password across multiple accounts. The SSO can also auto-fill for users when accessing applications, removing the need for employees to remember, type or even ever know these complex passwords.
Additionally, the provisioning functionality of an Identity & Access Management solution enables you to use a flexible set of rules to automatically provision and de-provision access to accounts, ensuring that the right level of access is given to the right people, but also that accounts are de-provisioned when they are no longer in use.
Automated provisioning and de-provisioning of user access to applications mitigates the risk of abandoned accounts coming back to haunt your organisation. Download our whitepaper below for more information on how automated provisioning and de-provisioning of user access to applications can help your organisation or let us know the challenges you are facing and one of our Identity Experts can provide free advice.