Do Organizations Truly Know Their Identities, Accounts, and Access Points?
If you ask the average business user whether IT knows all the identities, accounts, and access points in the organization, they’ll likely respond, “Yes, of course. How else can they ensure we’re protected?”
However, the reality is starkly different. Most organizations struggle to definitively say they know every directory, local account, database account, or application account in their environment—let alone the entitlements tied to those accounts. This fundamental challenge leaves many organizations in the dark. But why is discovery so difficult?
In this first blog post of a series, I’ll explore why organizations face such hurdles in discovery, the methods they’ve tried to address this issue, and why achieving identity hygiene remains a persistent challenge.
Why Is Discovery So Hard?
Let’s begin by examining the complexities of modern organizations. Most companies today are in the midst of digital transformation, which often includes cloud migrations, automation initiatives, or the retirement of legacy systems. However, digital transformation isn’t a new concept. Organizations have been evolving since they acquired their first mainframes—some of which they’ve been trying to retire for 30 years.
The reality of digital transformation is that new technologies are introduced to replace old ones, but the old rarely disappear quickly. This leaves organizations managing a patchwork of legacy and modern systems: mainframes, AIX, Unix, Linux, Windows, cloud infrastructures, SaaS applications, and more. These technologies often coexist, creating a management nightmare.
The lifecycle of technology in an organization isn’t as simple as new replacing old. Mainframes that were set to retire decades ago are still running, while cloud migrations are slow, with some organizations questioning whether everything belongs in the cloud. This results in a permanent state of transformation, with legacy and new technologies interwoven.
Despite the differences among these systems, they all share one thing in common: identities, accounts, and entitlements. Each system manages access differently—some use corporate directories, others rely on local accounts, and some have proprietary methods for granting permissions. Regardless of the approach, all accounts must be inventoried.
This complexity makes it incredibly difficult to answer a seemingly simple question: “Do you have a list of all the accounts in your organization?”
Why Is This Important?
It’s a fundamental security principle: you can’t protect what you don’t know. Visibility into your environment is the first step toward protecting it from breaches. Service accounts, in particular, are prime targets for attackers due to their lack of ownership, weak password policies, and general obscurity.
Recent analyses underscore the risks. A 2024 report by ReliaQuest found that 85% of breaches between January and July involved compromised service accounts. Additionally, over 70% of ransomware attacks involved lateral movement enabled by these accounts.
These breaches weren’t due to a lack of willingness to act. Organizations simply didn’t have visibility into the existence of these poorly managed accounts. Discovery and visibility remain the primary obstacles.
How Are Organizations Addressing This Issue?
Today, organizations rely on a mix of tools, data feeds, scripting, and ETL processes to create an inventory of their accounts. This patchwork approach often requires significant manual effort and relies on the scripting skills of employees for whom this task isn’t a primary responsibility.
This ad-hoc method leaves critical security tasks in the hands of individuals juggling other priorities. There must be a better way.
At SPHERE, we recognized that discovery is too important to rely on piecemeal solutions. Effective discovery requires:
- Subject Matter Expertise: Specialists who understand the nuances of target systems like Windows, Unix, AD, and databases. They need deep knowledge of permissions, group memberships, and platform-specific challenges.
- Data Expertise: Professionals who can analyze raw metadata, identify issues, and highlight policy and security violations.
- Ownership: Identifying the individuals responsible for accounts and entitlements is crucial for making the necessary changes to secure the environment.
Identity hygiene is about systematically and consistently managing accounts and entitlements—not through ad-hoc efforts, but with purpose and focus. Without tools like SPHEREboard, organizations must rely on manual processes to ensure ongoing protection.
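As an added illustration (not SPHERE's or SPHEREboard's code), the consolidation script below shows what the scripting-and-ETL inventory approach described above amounts to in practice: it merges constructed account feeds from Active Directory, a Unix passwd file and a database into one inventory, then flags service accounts with no recorded owner or a non-expiring password. The service-account naming prefixes and the external owner map are assumptions made for the example.

```python
# Added illustration, not SPHERE's code: merge account feeds from several
# platforms into one inventory and flag the hygiene issues the post names
# (service accounts with no owner, passwords that never expire).
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample feeds, each roughly in the shape its platform exports.
AD_EXPORT = [
    {"sAMAccountName": "svc_backup", "managedBy": "", "pwdNeverExpires": True},
    {"sAMAccountName": "jsmith", "managedBy": "jsmith", "pwdNeverExpires": False},
]
UNIX_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "oracle:x:1001:1001:Oracle:/opt/oracle:/bin/sh\n"
    "jsmith:x:1002:1002:J Smith:/home/jsmith:/bin/bash\n"
)
DB_USERS = [("app_reader", "dbapp-team"), ("sa_legacy", None)]
# Assumed ownership records kept outside the platforms (a CMDB, for instance).
UNIX_OWNERS = {"root": "platform-team", "jsmith": "jsmith"}
SERVICE_PREFIXES = ("svc_", "app_", "sa_")  # assumed naming convention

@dataclass
class Account:
    system: str
    name: str
    owner: Optional[str]
    service: bool
    pwd_never_expires: bool = False

def load_ad(rows) -> List[Account]:
    # managedBy is empty in the export when nobody is recorded as owner
    return [Account("AD", r["sAMAccountName"], r["managedBy"] or None,
                    r["sAMAccountName"].startswith(SERVICE_PREFIXES),
                    r["pwdNeverExpires"]) for r in rows]

def load_unix(passwd_text, owners) -> List[Account]:
    accts = []
    for line in passwd_text.splitlines():
        name, _, uid, *_ = line.split(":")
        # system uids, or accounts nobody has claimed, are treated as service accounts
        service = int(uid) < 1000 or name not in owners
        accts.append(Account("Unix", name, owners.get(name), service))
    return accts

def load_db(rows) -> List[Account]:
    return [Account("DB", n, o, n.startswith(SERVICE_PREFIXES)) for n, o in rows]

def build_inventory() -> List[Account]:
    return load_ad(AD_EXPORT) + load_unix(UNIX_PASSWD, UNIX_OWNERS) + load_db(DB_USERS)

def hygiene_findings(inventory: List[Account]) -> List[str]:
    out = []
    for a in inventory:
        if a.service and a.owner is None:
            out.append(f"{a.system}/{a.name}: unowned service account")
        if a.pwd_never_expires:
            out.append(f"{a.system}/{a.name}: password never expires")
    return out
```

Running `hygiene_findings(build_inventory())` on the constructed feeds reports the unowned `svc_backup`, `oracle` and `sa_legacy` accounts plus the non-expiring password on `svc_backup`, the kind of list an owner-assignment effort starts from.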
What’s Next?
Discovery is just the first step. In the next post in this series, I’ll explore how to categorize accounts to enforce policies and identify security, configuration, and compliance issues. In the final post, I’ll dive into ownership—the cornerstone of remediation and the most critical element of achieving identity hygiene.