Individuals such as system administrators and application developers often make use of multiple accounts to perform their roles. For example, an administrator, Joe, may have a personal account on a system (username=Joe.Smith) and may also have access to an administrator account (username=administrator) on the same system. The administrator account may be shared by multiple individuals (e.g., with another user, Fred, having a personal account of Fred.Jones and also having access to the administrator account). As another example, Joe may have access to accounts on multiple systems (e.g., access to one or more accounts on a database server and one or more accounts on an application server).
Suppose Joe is a nefarious individual (or, in the alternate, that Joe is an honest individual whose personal account has been compromised by a nefarious individual). Joe's authorization to use certain resources (e.g., log into a system as an administrator) can be leveraged to take unauthorized actions. Unfortunately, detecting such unauthorized behaviors can be difficult, particularly in network environments that make use of virtualized resources (e.g., cloud-based datacenters).