Failure to Terminate Accounts after Employee Leaves #16
Replies: 1 comment
-
This is essentially "failure to implement SSO (single sign-on)" but restated in terms of the biggest problem. Failure to have central control over the accounts is the root cause, in my experience, of why this happens. Nobody with a central identity management system that just has a menu option, like in Active Directory Users and Computers, doesn't do this. It's when there are hundreds of systems with their own internal passwords that this happens in droves, on the other hand. My personal experience was that folks usually would kind of have both. There would be a Windows domain, and the first thing after a disgruntled employee got fired is that the employee's account would be disabled in AD. But somehow over the next week many things like the VPN concentrator or networking equipment would end up still having the old employee's accounts totally active, because they weren't Windows, and joining non-Windows systems to Active Directory is a totally different skill than getting Windows boxes on the MS AD domain. Kerberos forever!!! (And Kerberos-like systems like OpenID)
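As an added illustration of the gap the comment above describes (this is not code from the discussion or from any project it mentions), a Python reconciliation check that flags accounts still enabled on non-AD systems such as a VPN concentrator or switches whose Active Directory account is disabled or does not exist; the device names, account records and sample data are constructed assumptions.

```python
# Offboarding reconciliation: find enabled local accounts on non-AD systems
# whose Active Directory account has been disabled (or never existed).
from dataclasses import dataclass

@dataclass(frozen=True)
class AdUser:
    sam_account_name: str
    enabled: bool

@dataclass(frozen=True)
class LocalAccount:
    system: str          # hypothetical device name, e.g. "vpn-concentrator-1"
    username: str        # as stored on the device; may carry DOMAIN\ or @suffix
    enabled: bool

def normalize(name: str) -> str:
    # Local accounts often carry a domain prefix or an email suffix; strip both
    # so "CORP\jdoe" and "jdoe@corp.example" both map to the AD name "jdoe".
    name = name.lower().strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name

def find_orphaned_accounts(ad_users, local_accounts):
    """Return (system, username, reason) for every enabled local account that
    maps to a disabled AD user, or to no AD user at all."""
    ad_state = {normalize(u.sam_account_name): u.enabled for u in ad_users}
    findings = []
    for acct in local_accounts:
        if not acct.enabled:
            continue                      # already revoked on the device
        key = normalize(acct.username)
        if key not in ad_state:
            findings.append((acct.system, acct.username, "no matching AD account"))
        elif not ad_state[key]:
            findings.append((acct.system, acct.username, "AD account disabled"))
    return findings

# Constructed sample data (not from any real environment).
AD_USERS = [AdUser("jdoe", False), AdUser("asmith", True), AdUser("svc_backup", True)]
LOCAL_ACCOUNTS = [
    LocalAccount("vpn-concentrator-1", "CORP\\jdoe", True),   # left, still on VPN
    LocalAccount("core-switch-1", "jdoe", True),               # left, still on switch
    LocalAccount("core-switch-1", "asmith", True),             # current employee
    LocalAccount("fw-edge-1", "oldadmin", True),               # unknown to AD
    LocalAccount("fw-edge-1", "svc_backup@corp.example", False),
]

if __name__ == "__main__":
    for system, user, reason in find_orphaned_accounts(AD_USERS, LOCAL_ACCOUNTS):
        print(f"{system}: {user} still enabled ({reason})")
```

Feeding it a real AD export and per-device account listings turns the "week later, VPN still works" problem into a daily report of accounts that the central disable did not reach.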
-
It has been seen many times before with companies that old accounts, legacy accounts, or even employees that left and use old account logins to do damage (internal threat) have created and can create havoc on a network. It should be standardized that after an employee is terminated or leaves, their access to critical infrastructure, VPN, or even email is revoked immediately.