What is a Zombie or an Orphan Account


It is surprising to many people that these terms mean the same thing, especially when you consider the day-to-day meaning of the two words. An orphan conjures up an image of a poor child and invokes an emotional outpouring of love and sympathy. Zombies, on the other hand, are undead creatures that invoke emotions of fear and terror.

Even in the strange world of IAM they surely cannot be the same thing, yet when you consider what they are, either definition is correct.

An orphan account is an account that exists in an end system that does not belong to a user and is not a service account. In other words, it does not belong to anyone and has no parent user.

A zombie account is an account that exists in an end system that does not belong to a user and is not a service account. In other words, it is an identity that has continued to live long after the user has been deleted.

Either definition is fine, and both mean exactly the same thing. Industry preference is for orphan accounts. (The author's preference is for zombies, as he likes the idea of going round saving the world by killing undead creatures!!)

Risk

The risk associated with these accounts is that they are a vulnerability that can be used to log into the system, either by an attacker or by a disgruntled ex-employee. There are numerous examples where an ex-employee has noticed that their credentials are still live on a system, logged in and looked at some of their old data. (Exchange the verb "looked" for any malicious activity you can imagine.)

Depending on exactly what went wrong, it is likely that the account is not protected by MFA for authentication or by any conditional policy controlling access. The reason is that often the account will have been deleted in the identity store. One would assume that authentication will then be rejected, but numerous systems still allow a backdoor: a local, non-SSO login process in which the only protection is a username and password.

Irrespective of the risk, the biggest thing that causes companies to act is license costs. Unless an organisation has negotiated an enterprise-wide, unlimited user agreement, the license for the zombie account is still going to incur costs. Saving a single license is not going to make the shareholders jump for joy. However, the likelihood is that if this problem has occurred once, it will have occurred many, many times.

Cause

Why do these zombie accounts occur? The simple answer is that they are indicative of a broken leaver's process. When a user leaves an organisation, all of their accounts should be removed. (Some processes may keep accounts for a period of time for data access reasons, but eventually all should be deleted.) If the process fails for any reason, then accounts will not be deleted.

This is an over-simplification, as there are many reasons why the leaver's process fails.

In many organisations the leaver's process is, at best, semi-automated and relies upon a certain number of manual steps. Unfortunately, we humans (yes, this article is being written by a human) are prone to mistakes and don't do everything as accurately as our silicon counterparts.

Apart from some degree of carelessness, the issue often occurs because the inventory of accounts belonging to an individual is not accurate. Especially over a long career, the number of applications that a user has access to may not always be known. This is certainly the case when applications are managed by different teams.

The inaccuracy of the inventory may also be to blame even where there is a fully automated process to remove the accounts. Access (and therefore credentials) is rarely a static thing and will change, especially over a long career. Therefore, it is essential that the process works off the complete list rather than a list of birth rights. (A birth right is an access right that is given when you join a company and is likely given to everyone. The most common example is email.)

With the inventory being key, it is essential that any new access must be logged.

Detection

This is where the term orphan account is probably more accurate than zombie account. Using Hollywood, TV series and comic books as a guide, it is fairly easy to spot a zombie. Spotting an orphan is very difficult because there are no obvious signals.

That is the same as in IAM. There will be no half dead creatures walking around (unless on a Monday morning or after an office party) alerting you to the fact you have a problem.

There are, however, some clues, but they must be actively looked for.

The most common sign, and one often spotted by the finance or accounting team, is that the number of licenses for a product is greater than the number of staff. This is more noticeable where an exact number of licenses is required. However, sometimes a rounded number of users is provided and the sign can therefore be missed.

Non-returned computer equipment is also a good indication, although the check of the IT inventory is likely to be done very infrequently.

Both require manual detection similar to that of your favourite detective.

Technology, as always, can solve the problem. There are a number of tools that can perform discovery, and some are very good at it. However, as with all things technology, they come at a cost and are limited by their ability to connect to different systems.

Advice is to look at dedicated Identity Discovery and IGA (Identity Governance and Administration) tools.
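The two clues above (an account in an end system with no matching active identity, and more licensed accounts than staff) can be checked mechanically once you have an account export from the system and a copy of the identity store. The following is an added illustration, not code from the original post or from any IGA product; the identity store, service-account allow-list and end-system export are constructed sample data, and the `owner_id` field is an assumed attribute linking an account to its identity-store record.

```python
"""Orphan-account reconciliation (added example; all data is constructed).

Compares the accounts that exist in one end system against the
organisation's identity store and a list of known service accounts, and
computes the license-versus-headcount gap that finance teams tend to notice.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class EndSystemAccount:
    username: str
    owner_id: Optional[str]  # assumed: identity-store id recorded by the system
    licensed: bool


# Constructed identity store: only currently active people, keyed by a stable id.
IDENTITY_STORE: Dict[str, str] = {
    "u100": "alice",
    "u101": "bob",
    "u102": "carol",
}

# Constructed allow-list of service accounts, which have no human owner by design.
SERVICE_ACCOUNTS: Set[str] = {"svc-backup", "svc-monitoring"}

# Constructed account export from one end system (for example a SaaS application).
END_SYSTEM_ACCOUNTS: List[EndSystemAccount] = [
    EndSystemAccount("alice", "u100", licensed=True),
    EndSystemAccount("bob", "u101", licensed=True),
    EndSystemAccount("dave", "u103", licensed=True),   # u103 was deleted from the store
    EndSystemAccount("erin", None, licensed=True),     # never linked to any identity
    EndSystemAccount("svc-backup", None, licensed=False),
    EndSystemAccount("carol", "u102", licensed=False),
]


def find_orphans(accounts: Iterable[EndSystemAccount],
                 identity_store: Dict[str, str],
                 service_accounts: Set[str]) -> List[str]:
    """Return usernames that belong to no active identity and are not
    service accounts: the definition of an orphan/zombie account above."""
    orphans = []
    for acct in accounts:
        if acct.username in service_accounts:
            continue  # expected to have no human owner
        if acct.owner_id is None or acct.owner_id not in identity_store:
            orphans.append(acct.username)
    return sorted(orphans)


def license_gap(accounts: Iterable[EndSystemAccount],
                identity_store: Dict[str, str]) -> int:
    """Licensed accounts minus headcount. A positive value means more
    licenses are being paid for than there are people to use them."""
    licensed = sum(1 for a in accounts if a.licensed)
    return licensed - len(identity_store)


if __name__ == "__main__":
    print("orphan accounts:", find_orphans(END_SYSTEM_ACCOUNTS, IDENTITY_STORE, SERVICE_ACCOUNTS))
    print("license gap:", license_gap(END_SYSTEM_ACCOUNTS, IDENTITY_STORE))
```

Matching on a stable identity-store id rather than on the username is deliberate: usernames get reused and renamed, and an account whose owner id no longer resolves is exactly the case where the identity was deleted but the account lived on. The license gap is only a hint, as the post notes: a rounded license count, or unlicensed service accounts, can hide it.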

Remedies

Every IGA vendor will claim that they solve this problem, and that is certainly true. What they provide are automation functions that can help in the leaver's process.

It's not just IGA tools that can automate this process: good old-fashioned scripts work, and there are numerous products in associated fields that can help with the automation.

As discussed, no matter how good the automation tool, the inventory of accounts to be deleted must be accurate. An IGA tool, again, is the obvious choice, but again it doesn't have to be. What is required is a mechanism by which access requests and access changes are recorded and maintained. This then gives a complete list of accounts to be removed.
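The point that the leaver's process must work from the complete list of access changes, not just birth rights, is easiest to see with a small replay of an access-change ledger. This is an added example and not the post's or any vendor's code; the ledger, the birth-right set and the user ids are constructed sample data, and the grant/revoke event shape is an assumption.

```python
"""Building a leaver's removal list from an access-change ledger
(added example; all data is constructed)."""
from typing import Dict, Iterable, List, Set

# Constructed birth rights: access everyone receives on joining.
BIRTHRIGHTS: Set[str] = {"email", "intranet"}

# Constructed ledger of access events across a career, oldest first.
# Assumed event shape: {"user": id, "system": name, "action": "grant" | "revoke"}.
ACCESS_LEDGER: List[Dict[str, str]] = [
    {"user": "u100", "system": "email", "action": "grant"},
    {"user": "u100", "system": "intranet", "action": "grant"},
    {"user": "u100", "system": "crm", "action": "grant"},
    {"user": "u100", "system": "finance-app", "action": "grant"},
    {"user": "u100", "system": "crm", "action": "revoke"},       # moved teams
    {"user": "u100", "system": "hr-portal", "action": "grant"},
    {"user": "u101", "system": "email", "action": "grant"},
]


def current_access(ledger: Iterable[Dict[str, str]], user: str) -> Set[str]:
    """Replay grant/revoke events to get the systems in which this user
    currently holds an account. Unknown actions are an error rather than
    silently ignored, because a skipped event means a missed account."""
    held: Set[str] = set()
    for event in ledger:
        if event["user"] != user:
            continue
        if event["action"] == "grant":
            held.add(event["system"])
        elif event["action"] == "revoke":
            held.discard(event["system"])
        else:
            raise ValueError(f"unknown action {event['action']!r}")
    return held


def leaver_removal_list(ledger: Iterable[Dict[str, str]], user: str) -> List[str]:
    """The complete, ordered list of accounts a leaver's process must remove."""
    return sorted(current_access(ledger, user))


def missed_by_birthright_process(ledger: Iterable[Dict[str, str]], user: str,
                                 birthrights: Set[str]) -> List[str]:
    """Accounts that a process working only from birth rights would leave
    behind: the future orphans."""
    return sorted(current_access(ledger, user) - birthrights)


if __name__ == "__main__":
    print("remove:", leaver_removal_list(ACCESS_LEDGER, "u100"))
    print("missed by birth-right-only process:",
          missed_by_birthright_process(ACCESS_LEDGER, "u100", BIRTHRIGHTS))
```

The replay is only as complete as the ledger, which is the earlier point that every new access grant must be logged: an account granted outside the recorded request process never appears in `current_access` and so survives the leaver's process no matter how well automated it is.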

Summary

Whether you believe orphan or zombie account is the correct term, they do need to be removed, as they cause a security risk and, just as likely, additional costs.

They occur as a result of a poor leaver's process, or an inadequate inventory of the access granted.

An IGA tool is the most obvious tool to both discover and remedy the problem. Alternative tools and mechanisms can be used instead.

Disclaimer

The future of mankind is safe, for now, as this article was not created by a silicon overlord in training.


About Chris

Chris Martin is another industry veteran of 20+ years. With a career spanning multiple disciplines in the identity space, Chris is ideally placed to lead our advisory practice.
