
Streamlining Security: Effective Management of Account Types and Controls

Part 2 of 3

"Organizing is something you do before you do something so that when you do it, it is not all mixed up."
– A. A. Milne

March 7, 2025
Rosario Mastrogiacomo, VP of Product Strategy at SPHERE

My wife has been on a minimalist/organizing kick lately. She has been donating bags and bags of clothing and has “encouraged” me to do the same. One Saturday afternoon, I went up to my closet and looked at the mess of t-shirts, sweatshirts, dress shirts, undershirts, sweaters, and hoodies, thinking, Where do I even begin? And that was just the tops!

The accounts in your organization are very much like a closet full of clothing.

In my first post in this series on discovery, I spoke about visibility and how you collect the source data—primarily accounts and entitlements. That was the first step in discovery. Now, I would like to go over what needs to be done to start making sense of everything gathered in step one, and ultimately the clean-up that will reduce risk.

Finding Is Not Discovery

What are the series of actions you must take to say you have achieved discovery and positioned your organization to be safer? Is visibility into all your accounts, assets, and entitlements enough?

With any cleanup project—whether you are dealing with account entitlements or a messy closet full of clothes—you can easily feel overwhelmed by the sheer size of the issue. Just as I looked at that room full of t-shirts and thought, I don’t know where to start, you might face a list of thousands or even millions of accounts, entitlements, assets, policies, and roles, wondering, what do I do now?

Organize the Graphic Ts

One of the first steps is to look at all the accounts you have collected and organize them by account type: service accounts, admin accounts, and regular user accounts, for example. Grouping accounts in this way allows you to assess what needs to be done. The way you manage accounts—from password policies to the level of access permitted—will be heavily influenced by the account type.

Beyond these common types, you can go one step further and implement a tiering system, such as:

  • Tier 1 application service accounts
  • Infrastructure admin accounts
  • Network admin accounts
  • East Coast DBA SOC Application Accounts

The name doesn’t matter, but by categorizing accounts effectively you establish the groundwork for applying the right security controls and policies to the right accounts.

How Many Hoodies Does One Need Anyway?

Now, consider the kinds of policies you want to enforce on a regular user account versus a service account. You wouldn’t want a developer using their primary account to run a critical service on a production server for a tier 0 application. A password change or disabled account could lead to a disastrous outage for your business.

The logical next step is to define the policies for different account types. Critical tier 0 accounts might have highly restrictive password policies, while non-production accounts may have more lenient ones. The key principle is that not all accounts should be treated the same.

This control-to-account-type assignment—and, more importantly, the resulting policy violations—is perhaps the most crucial aspect of the entire process. This approach truly makes sense of the data and highlights the issues that need to be addressed to reduce risk. Other data may be interesting, but it’s mostly noise. Assigning the right control to the right account type allows you to pinpoint exactly what needs to be done—much like my wife telling me, Do you really need that ‘I am Kenough’ hoodie?
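The categorize-then-check workflow described above, written out as an added example (not code from SPHERE or from the original post): accounts are grouped by type, each type gets its own control set, tier 0 tightens the password ceiling, and the developer-account-running-a-production-service case from the previous section surfaces as a violation. The control values, account names and hosts are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    account_type: str            # "service", "admin" or "user"
    tier: int                    # 0 = most critical
    password_age_days: int
    mfa_enabled: bool
    runs_services_on: list = field(default_factory=list)  # hosts where it runs a service

# Hypothetical control set per account type (illustrative values, not a standard).
CONTROLS = {
    "service": {"max_password_age": 365, "mfa_required": False, "may_run_services": True},
    "admin":   {"max_password_age": 60,  "mfa_required": True,  "may_run_services": False},
    "user":    {"max_password_age": 90,  "mfa_required": True,  "may_run_services": False},
}
TIER0_MAX_PASSWORD_AGE = 30  # tier 0 overrides the type default with a stricter ceiling

def categorize(accounts):
    """Group account names by type: the 'organize the closet' step."""
    groups = {t: [] for t in CONTROLS}
    for a in accounts:
        groups[a.account_type].append(a.name)
    return groups

def evaluate(account):
    """Return the list of control violations for one account."""
    ctl = CONTROLS[account.account_type]
    max_age = ctl["max_password_age"]
    if account.tier == 0:
        max_age = min(max_age, TIER0_MAX_PASSWORD_AGE)
    violations = []
    if account.password_age_days > max_age:
        violations.append(f"password age {account.password_age_days}d exceeds {max_age}d maximum")
    if ctl["mfa_required"] and not account.mfa_enabled:
        violations.append("MFA not enabled")
    if not ctl["may_run_services"] and account.runs_services_on:
        violations.append(f"{account.account_type} account runs a service on {', '.join(account.runs_services_on)}")
    return violations

def report(accounts):  # name -> violations; an empty list means compliant
    return {a.name: evaluate(a) for a in accounts}

# Constructed sample inventory (not real accounts or hosts).
SAMPLE_ACCOUNTS = [
    Account("svc-billing-prod", "service", 0, 20, False, ["prod-app-01"]),
    Account("adm-netops", "admin", 1, 75, True),
    Account("jdoe", "user", 2, 45, False, ["prod-app-02"]),  # developer's primary account running a service
]
```

Only the violations list is the signal worth acting on; the rest of the inventory is the "noise" the post refers to.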

The Risk Analysis Closet: Keeping It Organized

Discovery and categorization alone are not enough. Without continuous monitoring and risk analysis, your identity landscape will inevitably return to chaos—just like my closet if I don’t keep up with it. It’s not just about cleaning up once but creating sustainable rules and processes that keep everything in order.

In security, this means:

  • Continuously auditing accounts and entitlements for anomalies.
  • Automating the cleanup process wherever possible.
  • Defining ownership and accountability for each type of account.
  • Setting clear access control policies that evolve with the business.

Taking a structured approach to account discovery, categorization, and risk analysis allows organizations to stay ahead of potential security threats instead of constantly reacting to them. Just like keeping a tidy closet, ongoing effort is required—but it makes finding what you need (or identifying what doesn’t belong) much easier.

So, as you look at your organization’s account landscape, ask yourself: Do we really need all of this? And if so, is it organized in a way that makes sense and, more importantly, secure?
