Dave Kearns recently quoted some vendor numbers on the state of orphaned accounts in enterprises that are pretty scary. It’s not that I don’t believe the numbers. Quite the contrary, they are depressingly familiar. These numbers are very much in line with what I regularly saw at customer deployments when I was at EnableSolutions (later renamed Access360 and then acquired by IBM)… 10 years ago.
That’s really quite staggering when you think about. 10 years, at least a dozen vendors entering the market, and a handful of compliance regulations later the situation with orphaned accounts isn’t any better than where it started.
However I didn’t understand this quote:
Almost all current provisioning software includes modules to de-provision accounts, but that hasn’t always been the case. As I noted in an article about the first identity provisioning application, back in 1999, de-provisioning was in the road map for the second release.
In 1999 I was working on version 4.0 of enRole, an identity provisioning application. And yes, it supported deprovisioning as Dave defines it, and had for several years before then. I am also fairly sure Control-SA (then produced by EagleEye/New Dimension) also supported deprovisioning back then as well.