
How Dormant Accounts Expand Your Cloud Workspace Attack Surface

Dormant and infrequently used accounts quietly expand your cloud workspace attack surface because they retain access and data without day-to-day oversight; managing this risk means regularly identifying, reviewing, and deprovisioning accounts that no longer need access.

Identity Security
November 24, 2025
Author: Material Security Team

TL;DR

  • Stale accounts are easy targets for attackers and insiders.
  • They often retain access to sensitive mailboxes and files.
  • Regular reviews and automated lifecycle hooks reduce this risk.
  • Exceptions should be rare, justified, and tightly monitored.

    How Do Dormant Accounts Quietly Expand Your Cloud Workspace Attack Surface?

    The problem of dormant accounts is far more widespread than most organizations realize. They are the digital equivalent of leaving the keys to your old apartment on the welcome mat long after you've moved out. While you've forgotten about them, someone else is bound to find them.

    Why Do So Many Dormant Accounts Exist?

    Dormant accounts accumulate for several common reasons, often as a byproduct of normal business operations. Incomplete offboarding processes are a primary culprit. When an employee or contractor leaves, their account may be disabled but not fully deprovisioned, leaving access privileges intact. Other sources include:

    • Service Accounts: Created for applications, integrations, or automated processes that are later decommissioned.
    • Temporary Project Access: Granted for short-term projects but never revoked upon completion.
    • Test Accounts: Created for development or testing and then abandoned.

    The scale is significant. On average, 1 in 8 employee accounts in a typical organization is dormant. The problem is even more pronounced with non-human identities. For every human user in an organization, there can be as many as 40 service accounts, many of which are undocumented and forgotten.

    The "Out of Sight, Out of Mind" Problem

    These accounts are particularly dangerous because they are invisible to day-to-day security monitoring. Since there's no legitimate activity, security teams have no baseline to detect when one is suddenly compromised and used for malicious purposes. A recent report found that 88% of organizations have "ghost users"—stale but enabled accounts that retain access to sensitive data.

    Attackers don't need to break down the front door if you've left a side window open. Dormant accounts are that open window, often with a direct line of sight to your most valuable assets.

    Legacy security tools often struggle to identify and manage these threats, as an attacker can activate a dormant account, achieve their objective, and disappear, leaving little trace of their activity.

    Why Are Dormant Identities So Attractive to Attackers?

    A dormant account isn't just a passive risk; it's an active vulnerability waiting to be exploited. Attackers specifically hunt for these accounts because they provide an easy, low-resistance path into a network.

    Unauthorized Access and Privilege Escalation

    Dormant accounts are a "bad actor's best friend". They often suffer from poor security hygiene, such as weak or reused passwords that may have been exposed in other breaches. Crucially, they almost never have multi-factor authentication (MFA) enabled, making them trivial to compromise with a valid credential.

    High-profile breaches have been traced directly back to this vulnerability:

    • Microsoft: The "Midnight Blizzard" attack involved the compromise of a dormant, non-production test account that lacked MFA.
    • Drizly: An attacker gained access to corporate credentials from a dormant GitHub account, leading to a major data breach.

    Once inside, an attacker can use the dormant account's existing permissions to move laterally, escalate privileges, and access sensitive systems and data, all while appearing as a legitimate, albeit inactive, user. Research shows that a significant proportion of successful breaches leverage compromised identity credentials, with dormant accounts being a prime target.

    The Danger of Stale, Excessive Permissions

    The principle of least privilege (PoLP) dictates that users should only have the minimum access required to perform their jobs. Dormant accounts are a direct violation of this principle. An account for a former domain administrator, for example, retains those powerful permissions indefinitely unless they are actively removed.

    This creates a massive pool of unnecessary risk. One study of Microsoft cloud environments found that while only 2% of assigned permissions were actively used, 50% of all permissions were classified as high-risk, meaning they could be used to access or destroy data. A compromised dormant account with these stale, high-risk permissions can lead directly to data exfiltration, system disruption, or ransomware deployment.

    Compliance and Auditing Headaches

    Beyond the direct security threats, dormant accounts create significant challenges for regulatory compliance and incident response. Regulations like GDPR, SOX, and HIPAA require strict controls over who can access sensitive data. The existence of unmonitored, over-privileged accounts is a clear violation that can lead to failed audits and hefty fines.

    Furthermore, if a breach does occur, dormant accounts muddy the waters for investigators. They obscure audit trails and make it difficult to determine who was responsible for malicious activity, hindering remediation and accountability efforts.

    How Can You Systematically Find and Clean Up Dormant Accounts?

    Addressing the threat of dormant accounts requires moving beyond manual, periodic cleanups. You need a proactive, automated approach to Identity and Access Management that is built for the dynamic nature of modern cloud workspaces.

    Implement a Lifecycle Management Policy

    The first step is to establish a clear policy for the entire lifecycle of an identity, from creation to deprovisioning.

    • Automated Deprovisioning: Integrate your HR systems with your IAM platform to automatically disable and deprovision accounts when an employee or contractor departs. While many organizations claim to have automated offboarding, data shows significant gaps, with many dormant accounts retaining access and even admin privileges.
    • Regular Access Reviews: Implement a process for periodic reviews of all user accounts, especially those with privileged access. This ensures that permissions stay aligned with current job roles and that inactive accounts are identified and handled.
    • Time-Bound Access: For temporary projects or third-party access, grant permissions that automatically expire after a set period.
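
    One way to run the review these three controls describe against a directory export, as an added example that is not Material's or the article's own code. The 90-day threshold, the scoring weights and the hr_active / access_expires columns are assumptions; the other field names follow the Google Workspace Directory API user resource.

```python
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)  # assumed threshold; set it from your own policy
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # Directory API "never logged in"

# Constructed rows. Field names follow the Google Workspace Directory API user resource;
# hr_active and access_expires are hypothetical columns joined from HR and access requests.
USERS = [
    {"primaryEmail": "alice@example.com", "lastLoginTime": "2025-11-20T09:00:00.000Z",
     "suspended": False, "isAdmin": False, "isEnrolledIn2Sv": True, "hr_active": True},
    {"primaryEmail": "old-admin@example.com", "lastLoginTime": "2025-03-02T10:00:00.000Z",
     "suspended": False, "isAdmin": True, "isEnrolledIn2Sv": False, "hr_active": False},
    {"primaryEmail": "test-env@example.com", "lastLoginTime": "1970-01-01T00:00:00.000Z",
     "suspended": False, "isAdmin": False, "isEnrolledIn2Sv": False, "hr_active": True},
    {"primaryEmail": "vendor@example.com", "lastLoginTime": "2025-11-01T08:00:00.000Z",
     "suspended": False, "isAdmin": False, "isEnrolledIn2Sv": True, "hr_active": True,
     "access_expires": "2025-10-31T00:00:00.000Z"},
    {"primaryEmail": "leaver@example.com", "lastLoginTime": "2025-06-01T08:00:00.000Z",
     "suspended": True, "isAdmin": False, "isEnrolledIn2Sv": True, "hr_active": False},
]

def parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def review(user, now):
    """Return (score, reasons) for one account; score 0 means nothing to act on."""
    if user["suspended"]:
        # Disabled is not deprovisioned: access and data may still be attached.
        return (0, []) if user["hr_active"] else (1, ["suspended-not-deprovisioned"])
    findings = []
    last = parse(user["lastLoginTime"])
    dormant = last == EPOCH or now - last > DORMANT_AFTER
    if not user["hr_active"]:
        findings.append((5, "offboarded-but-enabled"))
    if "access_expires" in user and parse(user["access_expires"]) < now:
        findings.append((4, "time-bound-access-expired"))
    if dormant:
        findings.append((3, "never-logged-in" if last == EPOCH else "dormant"))
        if not user["isEnrolledIn2Sv"]:
            findings.append((2, "dormant-without-mfa"))
        if user["isAdmin"]:
            findings.append((4, "dormant-admin"))
    return sum(w for w, _ in findings), [r for _, r in findings]

def review_queue(users, now):
    """Accounts with findings as (email, score, reasons), highest score first."""
    rows = [(u["primaryEmail"], *review(u, now)) for u in users]
    return sorted((r for r in rows if r[1] > 0), key=lambda r: -r[1])
```

    Calling review_queue(USERS, now) with a timezone-aware now returns the accounts to act on in priority order; the enabled former admin with no MFA ranks first and the active user is omitted.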

    Enforce the Principle of Least Privilege (PoLP)

    Diligently apply PoLP to all accounts, both human and non-human. By ensuring accounts only have the permissions they absolutely need, you dramatically reduce the potential damage if one is compromised. This means regularly auditing not just what accounts exist, but what they can do.

    Leverage Modern Tooling for Visibility and Response

    Legacy security tools are not equipped to manage the scale and complexity of identities in cloud environments like Google Workspace and Microsoft 365. You need a solution that provides deep visibility and automated response capabilities.

    Platforms like Material Security are designed to close these critical IAM gaps. By continuously monitoring your cloud environment, Material can automatically identify risky configurations, including dormant accounts with excessive permissions to sensitive data. It provides the visibility needed to see which accounts are inactive and what they can access, and offers automated workflows to remediate these risks by removing unnecessary access without disrupting business operations. This modern approach to IAM helps you move from a reactive cleanup model to a proactive security posture.

    Secure Your Cloud Identities

    Dormant accounts are more than just digital clutter; they are a critical vulnerability that attackers are actively exploiting. Leaving them unmanaged is an invitation for a breach. By implementing a robust IAM strategy that includes automated lifecycle management, least privilege enforcement, and continuous monitoring, you can eliminate these hidden threats and significantly strengthen your security posture.

    Take the first step toward securing your cloud workspace. Discover how Material Security provides the detection and response capabilities needed to find and fix identity-based risks in your Microsoft 365 and Google Workspace environments.
