How Can We Audit Identity Lifecycle Gaps Before Our Compliance Audit?

Asked By CuriousCoder99 On

I'm facing a serious challenge with our identity and access management (IAM) setup ahead of an upcoming SOC 2 audit. We have a mix of systems: Workday for HR, Active Directory (AD) on-premises, and Entra for our cloud services. While our core applications integrated with our Identity Governance and Administration (IGA) function well, we're struggling with legacy applications that aren't connected to the IGA. We have issues with orphaned accounts, especially on older systems like a custom PHP admin panel for our warehouse and Oracle Forms for procurement, as these use local database authentication. When someone's AD account is disabled, their app accounts remain active, leading to significant security risks. I often rely on managers to inform us about which applications departing employees used, but many times they're unaware or forget. Recently, I discovered over 30 orphaned accounts across various legacy tools, including some that went unnoticed for months. As the audit date approaches, I'm looking for effective strategies to identify all applications in our environment, especially those outside our IGA, and to find orphaned accounts without conducting manual reviews. Any advice on how to build a remediation plan quickly?

5 Answers

Answered By DataDynamo On

Most applications can generate user lists in CSV format, or sometimes vendors can provide you with scheduled reports. Importing these exports alongside your HR data into your IGA should help flag accounts linked to former employees.

Answered By NetworkNinja88 On

Identifying 'forgotten' apps can be tricky. One effective strategy we used was to analyze 90 days of DNS and firewall logs to find internal traffic patterns that revealed unknown apps. For orphaned accounts, compare active AD users against each app's user database—this can help you quickly disable any accounts that shouldn't be active anymore. It's a practical way to show progress in your remediation plan!

ShadowITHunter -

You can also check the email domains you receive correspondence from; it might provide clues about shadow IT lurking in your environment.
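The reconciliation that DataDynamo and NetworkNinja88 describe (HR terminations and AD status on one side, each legacy app's CSV user export on the other) can be scripted in a few dozen lines. The block below is an added example, not code from anyone in this thread; the HR, AD, warehouse and Oracle Forms exports are constructed sample data, and the column names, account names and dates are assumptions. It normalizes on email, falls back to the AD sAMAccountName when an app export has no email column filled in, and flags three cases: the owner is terminated in HR, the owner is disabled in AD but not in the HR termination list (contractors, for instance), and local accounts that match no identity at all, which are exactly the ones an auditor will ask about.

```python
"""Reconcile HR terminations and AD status against legacy app user exports.

Added example with constructed data; column names follow typical CSV dumps
but are assumptions, not any vendor's real export format.
"""
import csv
import io
from datetime import date

# Constructed HR export: who has left and when.
HR_CSV = """employee_id,email,status,termination_date
1001,alice.wong@example.com,Active,
1002,bob.ng@example.com,Terminated,2024-03-15
1003,carol.diaz@example.com,Terminated,2024-06-02
"""

# Constructed AD export (e.g. from Get-ADUser piped to Export-Csv).
# dlee is a contractor: disabled in AD but never in HR.
AD_CSV = """sAMAccountName,mail,enabled
awong,alice.wong@example.com,True
bng,bob.ng@example.com,False
cdiaz,carol.diaz@example.com,False
dlee,dan.lee@example.com,False
svc_backup,,True
"""

# Constructed legacy app exports; each uses its own column names and casing,
# and some rows carry only a login name with no email.
APP_EXPORTS = {
    "warehouse_php": """username,email,last_login
awong,Alice.Wong@example.com,2024-07-01
bng,bob.ng@EXAMPLE.com,2024-02-28
dlee,dan.lee@example.com,2024-05-20
wh_admin,,2023-11-10
""",
    "oracle_forms": """USERNAME,EMAIL,ACCOUNT_STATUS
CDIAZ,carol.diaz@example.com,OPEN
AWONG,alice.wong@example.com,OPEN
PROC_BATCH,,OPEN
BNG,,OPEN
""",
}


def norm(value):
    """Lower-case and strip so 'Alice.Wong@Example.com' matches 'alice.wong@example.com'."""
    return (value or "").strip().lower()


def load_identities(hr_csv, ad_csv):
    """Return (terminated email -> termination date, disabled sam -> email, sam -> email)."""
    terminated = {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        if norm(row["status"]) == "terminated":
            terminated[norm(row["email"])] = date.fromisoformat(row["termination_date"])
    disabled_sam, sam_to_email = {}, {}
    for row in csv.DictReader(io.StringIO(ad_csv)):
        sam, mail = norm(row["sAMAccountName"]), norm(row["mail"])
        sam_to_email[sam] = mail
        if norm(row["enabled"]) != "true":
            disabled_sam[sam] = mail
    return terminated, disabled_sam, sam_to_email


def find_orphans(app_exports, terminated, disabled_sam, sam_to_email, today):
    """Flag app accounts whose owner left, is disabled in AD, or cannot be matched at all."""
    findings = []
    for app, text in app_exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            cols = {k.lower(): v for k, v in row.items()}  # tolerate USERNAME vs username
            user = norm(cols.get("username"))
            # Prefer the email column; fall back to the AD mailbox for that login name.
            email = norm(cols.get("email")) or sam_to_email.get(user, "")
            if email in terminated:
                days = (today - terminated[email]).days
                findings.append({"app": app, "username": user,
                                 "reason": "hr_terminated", "days_open": days})
            elif user in disabled_sam:
                findings.append({"app": app, "username": user,
                                 "reason": "ad_disabled", "days_open": None})
            elif not email and user not in sam_to_email:
                findings.append({"app": app, "username": user,
                                 "reason": "no_identity_match", "days_open": None})
    return sorted(findings, key=lambda f: (f["app"], f["username"]))


def report(today=None):
    """Run the reconciliation on the constructed exports; today as an ISO date string."""
    today = date.fromisoformat(today) if today else date.today()
    terminated, disabled_sam, sam_to_email = load_identities(HR_CSV, AD_CSV)
    return find_orphans(APP_EXPORTS, terminated, disabled_sam, sam_to_email, today)


if __name__ == "__main__":
    for f in report():
        extra = f" ({f['days_open']} days since termination)" if f["days_open"] is not None else ""
        print(f"{f['app']:14} {f['username']:12} {f['reason']}{extra}")
```

The `days_open` figure is what turns a list of names into a remediation plan: sort by it, disable the oldest first, and keep the output CSV as evidence that the gap was measured rather than guessed at. Accounts in the `no_identity_match` bucket are usually service or shared logins; they need an owner assigned, not just a disable.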

Answered By TechSavvyJoe On

Consider combining network scans with database login audits to pinpoint orphaned IAM accounts ahead of your SOC 2 audit. Additionally, regularly checking for shadow IT can really help—try doing that every quarter!

Answered By AuditGuru42 On

It's unrealistic to expect managers to know all account details. Use tools like Lansweeper to see who has access to what across your systems—that can help uncover those hidden accounts.

Answered By ScriptingWhiz On

At my previous job, we automated disabling AD accounts with a PowerShell script. It included a specific tag in the disable request to generate an XML file of member groups for auditing later. Adding timestamps and ticket numbers in the account description helped us keep everything transparent during audits. Consider implementing something similar!
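ScriptingWhiz's evidence trail (a per-account XML snapshot of group memberships plus a timestamp and ticket number written into the description) is the part auditors actually read. In production this runs in PowerShell around Get-ADPrincipalGroupMembership, Disable-ADAccount and Set-ADUser; the block below is an added example, not ScriptingWhiz's script, that builds the two artifacts offline from a group list already pulled from AD, so the format can be tested without a domain. The account name, group DNs and ticket number are constructed. The 1024-character cap reflects AD's limit on the description attribute.

```python
"""Build audit evidence for an AD disable action.

Added example: produces the XML membership snapshot and the stamped
description that a PowerShell offboarding script would write. Group DNs,
account names and ticket numbers below are constructed sample values.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

AD_DESCRIPTION_MAX = 1024  # AD's description attribute holds at most 1024 characters


def parse_when(when):
    """Accept a datetime or an ISO-8601 string (a trailing 'Z' is allowed) and return UTC."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when.replace("Z", "+00:00"))
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def build_membership_snapshot(sam_account, groups, ticket, when):
    """Serialize the groups held at disable time so they can be reviewed or restored later."""
    when = parse_when(when)
    root = ET.Element("disabledAccount", sAMAccountName=sam_account, ticket=ticket,
                      disabledAt=when.strftime("%Y-%m-%dT%H:%M:%SZ"))
    for dn in sorted(groups):  # deterministic order makes snapshots diffable
        ET.SubElement(root, "memberOf").text = dn
    return ET.tostring(root, encoding="unicode")


def stamp_description(existing, ticket, when):
    """Prefix the description with the disable timestamp and ticket, keeping earlier history."""
    when = parse_when(when)
    stamp = f"DISABLED {when.strftime('%Y-%m-%dT%H:%M:%SZ')} {ticket}"
    combined = f"{stamp} | {existing}" if existing else stamp
    return combined[:AD_DESCRIPTION_MAX]  # never let the history overflow the attribute


def read_snapshot(xml_text):
    """Parse a snapshot back into a dict, as a later auditor or restore script would."""
    root = ET.fromstring(xml_text)
    return {"sam": root.get("sAMAccountName"), "ticket": root.get("ticket"),
            "disabledAt": root.get("disabledAt"),
            "groups": [g.text for g in root.findall("memberOf")]}


def disable_record(sam_account, groups, existing_description, ticket, when=None):
    """Return the artifacts to write to disk and set on the account; no AD calls here."""
    when = parse_when(when) if when else datetime.now(timezone.utc)
    return {
        "snapshot_xml": build_membership_snapshot(sam_account, groups, ticket, when),
        "new_description": stamp_description(existing_description, ticket, when),
    }


if __name__ == "__main__":
    groups = ["CN=Warehouse Admins,OU=Groups,DC=example,DC=com",
              "CN=Domain Users,CN=Users,DC=example,DC=com"]
    rec = disable_record("bng", groups, "Procurement analyst", "INC-4471")
    print(rec["snapshot_xml"])
    print(rec["new_description"])
```

Write the snapshot to a path keyed by account and ticket, keep it with the change record, and the "who had what when we disabled them" question is answered from the file rather than from memory.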
