Zombie Users and Improper Offboardings

Zombie users are those users who are using applications in your environment but are not managed in directory services. Zombie accounts have no verifiable owner.

Zombie accounts are particularly challenging for businesses that have had layoffs, have frequent transfers within the company, use contractors, do seasonal hiring, and use interns.

Zombie accounts leave your business at risk for hacking. To prevent zombie users, IT departments need to audit their offboarding procedures.

Lucidum ingests data from all the solutions in your environment. Lucidum Machine Learning algorithms then enrich the ingested data through deduplication, triangulation, and aggregation. This allows Lucidum to discover every account and user, even those not discovered by your security solutions, so you can protect your environment.

Tracking Zombie Users #

tracking_zombie_users_dash1.png

In this example, the business uses Okta and AWS as a directory service. This dashboard provides details about zombie users and the assets and applications accessed by zombie users.

This dashboard includes charts for:

  • Users Not in Okta or AWS. Displays the number of users not in Okta or AWS and the applications they are accessing. In this case, zombie users are Aviatrix users, CloudFlare users, and Lucidum users.

  • Okta Users. For all Okta users, the number of seats purchased for each application. If these applications have zombie users, you can cancel those licenses.

  • Zombie Users Over Time. Displays the total number of zombie users discovered over time.

  • Total Users over Time. Displays the total number of users discovered over time.

  • Assets of Users Not in Okta or AWS. Displays the assets with zombie users and the number of zombie uses accessing the asset.

  • Users Not in Okta or AWS. Displays the list of user names for the zombie users.

Validate User Offboarding #

unauth_user_accounts_dash1.png

This dashboard examines Okta users, both active users, deprovisioned users, suspended users, and users who are not managed in Okta. This allows the IT department to remediate any problems with offboarding.

This dashboard includes charts for:

  • Total Okta Users & Application Accounts. Displays the total number of user and application accounts in Okta.

  • Deprovisioned/Suspended Okta Accounts and Applications. Displays the total number of user and application accounts that have been deprovisioned or suspended in Okta.

  • Non-Okta User Accounts. Displays the total number of user accounts that do not exist in Okta but appear in other assets or applications.

  • Unauthorized Existing Users. Displays the total number of user and application accounts that have been deprovisioned or suspended in Okta but appear in other assets or applications.

  • Unauthorized Active Users. Displays the total number of user and application accounts that have been deprovisioned or suspended in Okta but that are currently active in other assets or applications.

  • Okta User & Application Accounts. Displays the total number of user and application accounts in Okta over time.

  • Deprovisioned/Suspended Okta Users & Application Accounts. Displays the total number of user and application accounts that have been deprovisioned or suspended over time in Okta.

  • Non-Okta User Accounts that Exist Elsewhere. Displays the user names for user accounts that do not exist in Okta but appear in other assets or applications.

  • Unauthorized Users. Displays the user names for user and application accounts in Okta that have been deprovisioned or suspended.

  • Unauthorized Users. Displays the asset name of assets that are accessed by user and application accounts that have been deprovisioned or suspended in Okta.