Attack of the zombie accounts: Stop dormant users & thwart cyber threats

SADA Says | Cloud Computing Blog

By Rocky Giglio | Director, Security GTM & Solutions

Cybersecurity Awareness Month: confronting zombie accounts

New threats can lead to identity theft & supply chain attacks. The cyber threat & cyber attack landscape impacts national security.

October is Cybersecurity Awareness Month, and to mark the occasion we’ll be publishing a series of blog posts on the most pressing cybersecurity issues facing businesses today. We’re kicking off the series with an especially scary topic: zombie accounts. Is your organization staying on top of your dormant accounts? Do hordes of former contractors and employees still have active logins? Read on and learn more about how to confront these security vulnerabilities without fear.

I spent a large part of my career helping customers design and deploy Active Directory environments, and one thing that was repeatedly a problem after we finished the design and implementation was the management of old accounts.

These accounts are so often overlooked. The process seems to break down no matter how large or proficient your organization is. From small environments to some of the largest directory services deployments in the world, I have seen this recurring issue of old accounts staying active or at least available in environments. And in the cloud era, that hasn’t gotten any better now that those accounts are replicated to cloud identity platforms, spreading the risk of exposure.

If you’re responsible for cloud security in your organization, you play a crucial role in ensuring the integrity of user access controls, especially when dealing with discontinued accounts.

In this post, I’ll explore the importance of managing dormant accounts, the potential cyber threats they pose, and how SADA and Google Cloud services can help you bolster access management and overall cloud security.

The significance of access management in cloud security

Cybersecurity threats & cyber attacks lead to security breaches. Business leaders prevent threats & combat security risks w/ security controls.

Effective cloud security protocols revolve around robust access management. Access management encompasses the processes and technologies used to control user access to cloud resources. It plays a pivotal role in preventing unauthorized access, data breaches, and other cyber threats by managing access privileges. Your organization’s security posture rests on your ability to manage user identities and protect access, including removing old accounts when they are no longer needed.

Understanding the risks of dormant accounts

Zombie accounts, also known as dormant, discontinued, or stale accounts, are those that are no longer actively used by their assigned users but remain accessible. These accounts pose several risks:

  1. Unauthorized access: Dormant accounts can become a gateway for threat actors if left unchecked. Hackers may exploit weak or forgotten credentials to gain unauthorized access to sensitive information.
  2. Data exposure: Dormant accounts may still have access to sensitive data, leaving it vulnerable to unauthorized disclosure or modification.
  3. Compliance issues: Regulatory bodies often require organizations to maintain strict control over user access. Neglecting dormant accounts can result in non-compliance, leading to fines and legal consequences.

Implementing best practices for managing zombie accounts

Malicious software can steal data and sensitive information. Cybersecurity threats and cyber attacks are increasingly sophisticated.

Building a security profile that includes centralized management, access management solutions, and smart data protection standards is just the start. With these best practices, you need to regularly review how you are doing and ensure you improve in each area. Nothing stays the same for long, so adding an annual or quarterly review of your practices will help ensure that you are constantly improving in each of these critical controls. Now let’s delve into some best practices for managing identities:

1. Regular account reviews

Conduct periodic reviews of user accounts to identify dormant accounts. Google Cloud’s Identity and Access Management (IAM) dashboard provides an overview of who has access to what resources, making it easier to spot inactive users.

2. Revocation of access

Once dormant accounts are identified, promptly revoke their access rights. Google Cloud IAM allows administrators to easily update policies and remove users from access lists.

3. Strong password policies

Enforce strong password policies to prevent unauthorized access. Encourage users to create unique, complex passwords and implement multi-factor authentication (MFA) wherever possible.

4. Account deactivation workflow

Implement a workflow for deactivating dormant accounts. This process should involve notifying the user and their manager, as well as documenting the deactivation for auditing purposes. Don’t forget HR here. They need to be included in the process and sign off on account deletion, disablement, or other removals. But help them understand how critical it is to do this well.

5. Role-based access control (RBAC)

If you are a Google Cloud Platform (GCP) user, utilize Google Cloud’s RBAC to assign permissions based on job roles rather than individual users. This simplifies access management and reduces the chances of dormant accounts slipping through the cracks. Do this with all of your clouds, systems, etc. Limit the number of admin accounts or root users and make sure you know when they are used by logging their usage.

Addressing cyber threats

A malicious actor, cyber attack, or cyber threat can steal information, steal data, and exploit vulnerabilities for financial gain.

By diligently managing dormant accounts, organizations can significantly reduce their susceptibility to cyber threats and threat actors. Here are some common threats and how proactive management of discontinued accounts can mitigate them:

1. Phishing attacks

Phishing attacks often target dormant accounts with outdated credentials. By promptly deactivating such accounts, the risk of them being compromised through a phishing attack is mitigated.

2. Insider threats

Disgruntled employees or former staff with access to dormant accounts can pose a serious insider threat. Regularly reviewing and revoking access ensures that these insider threats are minimized.

3. Unauthorized data access

Dormant accounts may still have access to sensitive data. Removing this access prevents data breaches and exposure.

Continuous access evaluation (CAE)

Criminal groups exploit vulnerabilities & gain access to confidential information for personal gain. Cybersecurity threats threaten national security.

Google Cloud is committed to staying at the forefront of cloud security. One of their recent innovations is continuous access evaluation (CAE). CAE enhances the security of cloud environments by continuously re-evaluating user access permissions in real time.

How CAE works

Continuous access evaluation leverages contextual signals such as device health, user behavior, and network conditions to dynamically adjust access controls. This means that if an account becomes dormant or if unusual activity is detected, access can be revoked instantly.

Benefits of CAE

  • Real-time protection: CAE provides real-time monitoring and response, reducing the window of opportunity for a cyber threat to exploit.
  • Adaptive security: It adapts access controls based on the user’s context, ensuring security without hampering productivity.
  • Reduced dormant account risk: CAE helps identify and respond to dormant accounts promptly, reducing the risk they pose.

Stay vigilant

Spear phishing is one type of cyber threat that threat actors use to access sensitive information.

In an era marked by relentless cyber threats, managing dormant accounts is not a task to be taken lightly. The risks associated with discontinued accounts can lead to data breaches, unauthorized access, and compliance issues. Google Cloud offers a robust set of tools and services, including IAM, Identity-Aware Proxy (IAP), and CAE, to bolster access management and overall cloud security.

As a systems administrator, you must remain vigilant, conducting regular reviews of user accounts, promptly revoking access for dormant accounts, and implementing strong security practices. By doing so, your organization can significantly reduce its vulnerability to cyber threats, ensuring a secure and compliant cloud environment.

Remember, in the world of cloud security, vigilance is the key to staying one step ahead of potential threats, and managing dormant accounts is a critical aspect of that vigilance. Stay secure, stay vigilant, and keep your cloud environment safe from increasingly sophisticated attacks. To get started on a comprehensive analysis of your security posture, be sure to sign up for SADA’s Cloud Security Confidence Assessment. This thorough examination of your systems provides you with a security score based on industry best practices, with detailed recommendations for how you can improve your security posture.


Our expert teams of consultants, architects, and solutions engineers are ready to help with your bold ambitions, provide you with more information on our services, and answer your technical questions. Contact us today to get started.

Scroll to Top