How to Avoid a Zombie Account Apocalypse with IDM



They’re there, lurking, seemingly lifeless, clinging to the shadows. Even one of them is dangerous, but when they amass in a horde they become an overwhelming throng of chaos, destroying everything in their path.

Sounds like fiction, right? Unfortunately, this type of zombie, the zombie account, is all too real.

Zombie Accounts

Zombie accounts are not the product of unchecked scientific experiments, but instead, the result of unchecked and invalid business processes.

For example, a report recently released by the State Department’s Office of Inspector General found more than 2,600 State Department zombie email accounts, the majority of which had been inactive for more than a year, despite federal rules requiring inactive accounts to be shut down after 90 days. Such untended, dormant accounts give attackers a potential entry point: a credential that nobody is watching and that nobody will miss, which makes organizations that carry zombie accounts more vulnerable to breaches.

Say your company has a project, and you’ve brought on a team of consultants from multiple companies. Some need access to the network through VPN. Some need access to local shares. Some need email accounts in your domain. All of them need access, and some of them will need deep access.

Every organization manages these events differently. In many cases, the management controls handle onboarding the access well but fall short on the due diligence that follows: monitoring the access, certifying that it is still needed, and removing it when it is not.

How can Identity Management (IDM) protect you from the zombie horde? The truth is, most IDM solutions fail to control these use cases. For the most part, companies are forced to custom-develop against what IDM solutions treat as “exception handling.”

The root cause is the absence of a source of authority that can tell your identity management workflows when these users arrive and when they leave. Most IDM platforms look exclusively to an HR system as the source of truth for an account. Contractors, for the most part, do not exist in the HR package, since they are neither employed by the company nor paid by it, so nothing ever tells the IDM platform that they are gone.

RapidIdentity: Sponsorship

RapidIdentity approaches the issue of zombie accounts on two fronts: business impact and IT oversight.

Using RapidIdentity Sponsorship, the ability to request accounts on behalf of external users is delegated to the appropriate business teams, who submit requests through a simple form that captures the relevant data (name, email, etc.). IT can also put a time-to-live on the account, which forces a mandatory certification or review before it expires. If nobody certifies the account, it is disabled.

Each resource the contingent account holds can be set to its own certification time-frame. Account in Salesforce? Maybe a 30-day certification review. Membership in a key security group? Maybe a weekly review. IT sets the framework; business managers initiate and validate. Failing to validate a resource ensures the account loses that access.
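To make the two rules above concrete, the 90-day inactivity cut-off cited from the Inspector General report and the sponsorship time-to-live with per-resource certification windows, here is an added example of the sweep logic an IDM platform would run over contractor accounts. It is illustrative code written for this page, not RapidIdentity’s own code or data model; the record layout, field names and the sample accounts are constructed for the example.

```python
"""Dormant-account sweep with sponsorship TTL and per-resource certification.

Added example, not RapidIdentity code. The record layout, field names and
sample accounts below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

DORMANT_DAYS = 90                 # the 90-day federal inactivity rule cited above
TODAY = date(2024, 6, 30)         # fixed "now" so the example is reproducible


@dataclass
class Entitlement:
    resource: str
    last_certified: date          # when the business sponsor last re-validated it
    review_days: int              # certification time-frame IT set for this resource


@dataclass
class Account:
    username: str
    sponsor: Optional[str]        # business owner who requested it; None = orphaned
    expires: Optional[date]       # time-to-live set by IT; None = no TTL
    last_logon: Optional[date]    # None = never authenticated
    entitlements: List[Entitlement] = field(default_factory=list)


def is_dormant(acct: Account, today: date, max_days: int = DORMANT_DAYS) -> bool:
    """True when the account has not authenticated within max_days (or ever)."""
    if acct.last_logon is None:
        return True
    return (today - acct.last_logon).days > max_days


def lapsed_entitlements(acct: Account, today: date) -> List[Entitlement]:
    """Entitlements whose review window passed without the sponsor re-certifying."""
    return [e for e in acct.entitlements
            if (today - e.last_certified).days > e.review_days]


def evaluate(acct: Account, today: date):
    """Decide what to do with one account: ('disable'|'revoke'|'keep', reasons)."""
    reasons = []
    if acct.sponsor is None:
        reasons.append("no sponsor of record")
    if acct.expires is not None and today > acct.expires:
        reasons.append(f"TTL expired on {acct.expires}")
    if is_dormant(acct, today):
        reasons.append(f"inactive for more than {DORMANT_DAYS} days")
    if reasons:                   # account-level failure: disable the whole account
        return "disable", reasons
    lapsed = lapsed_entitlements(acct, today)
    if lapsed:                    # account is fine, but specific access was not re-certified
        return "revoke", [f"{e.resource}: not certified within {e.review_days} days"
                          for e in lapsed]
    return "keep", []


def sweep(accounts: List[Account], today: date):
    """Run evaluate() over every account; returns {username: (action, reasons)}."""
    return {a.username: evaluate(a, today) for a in accounts}


def sample_accounts() -> List[Account]:
    """Constructed contractor accounts exercising each branch of evaluate()."""
    def d(n):                     # n days before TODAY (negative n = in the future)
        return TODAY - timedelta(days=n)
    return [
        # Sponsored, active, everything certified on time -> keep
        Account("c-alice", "pm.jones", d(-60), d(3),
                [Entitlement("Salesforce", d(10), 30),
                 Entitlement("SG-Finance-Admins", d(3), 7)]),
        # Active, but the 30-day Salesforce review was missed -> revoke that access
        Account("c-bob", "pm.jones", d(-30), d(5),
                [Entitlement("Salesforce", d(45), 30)]),
        # IT's TTL ran out yesterday -> disable even though the user still logs in
        Account("c-carol", "pm.smith", d(1), d(2)),
        # Nobody owns it and nobody uses it: the classic zombie -> disable
        Account("c-dave", None, None, d(120),
                [Entitlement("VPN", d(100), 30)]),
        # Exactly 90 days since logon is still inside the rule -> keep
        Account("c-erin", "pm.smith", None, d(90),
                [Entitlement("FileShare", d(1), 30)]),
        # Created but never used -> disable
        Account("svc-legacy", "it.ops", None, None),
    ]


if __name__ == "__main__":
    for user, (action, why) in sweep(sample_accounts(), TODAY).items():
        print(f"{user:12} {action:8} {'; '.join(why)}")
```

The design point is the split between account-level and resource-level decisions: a missing sponsor, an expired time-to-live or 90 days of silence disables the whole account, whereas a missed certification on one resource revokes only that resource, so a contractor who is still active keeps working while losing the access nobody re-validated.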


Zombies attacking a city of fleeing, helpless people? That’s a horror movie. Zombies being attacked by survivors with big guns, flamethrowers, and axes? That’s an action movie. In which scenario do you want to star?

