Why is Discovery vital to any organization’s Identity Hygiene program?
Imagine you have a messy room
Boxes, clothes, and dust everywhere. Now suppose you need to clean that room. How would you go about doing it? Would you just go in with your eyes closed and pick things up as you trip or run into them? Probably not. The way you clean a messy room is first to look around, take stock of what you are dealing with, come up with a plan of action, and then execute.
The same can be said about any security program. Of course, you need to reduce risk, clean up excessive access, or protect privileged accounts, but you shouldn’t go in blindly picking random accounts to clean up. While doing anything is better than nothing, is it really the most efficient use of your time and the most effective way to reduce risk? The better approach is to have a complete inventory of all your accounts and all the entitlements of those accounts. This is Discovery, and it’s the critical first step in any security program.
Cleaning your accounts is not as simple as cleaning your room
Discovery, while an important first step, is not enough. Accounts are pervasive and can live in many places.
Accounts can exist in many forms:
- Local operating system accounts
- Accounts in multiple directories, such as:
  - AD (Active Directory)
  - LDAP (Lightweight Directory Access Protocol)
  - Azure, etc.
- Local database accounts
- Application accounts
This jumble of entry points into your platforms requires more than just finding them. You need to better understand what the accounts are, how they are used, who is responsible for them, and finally, whether there is anything wrong with the access these accounts have.
To properly deal with the complexities of this mess, you need to apply the principles of Intelligent Discovery. These principles are simple, yet extremely powerful: Intelligent Discovery takes you from merely finding accounts to understanding them. First, you must figure out which identity (that is, which human) is responsible for each account discovered. That is ownership.
Ownership is the single most important activity in any program
As a Security or Infrastructure professional, you cannot take the operational risk of changing these accounts; change the password on the wrong service account and you risk taking down a critical application.
The next principle is Asset Type. Across all your accounts, you must have a good understanding of which is a service account, a regular user account, an admin account, or any account type defined by you. Categorizing accounts this way allows you to take what will be a huge list of sometimes randomly named accounts and start to make sense of what they are being used for. More importantly, this allows you to discover if they are being used incorrectly.
The final leg of Intelligent Discovery – Controls and Violations
Controls are the conditions you want to hold in your organization, such as "non-service accounts should not be running services" or "privileged accounts must be vaulted". These core controls, and the violations found against them, tell you exactly what you need to do to effectively reduce risk. Discovery will inherently produce mass amounts of data; you need a way to cut through the noise and figure out which items you need to focus on first. What will give you the biggest bang for the buck?
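The following is an added example, not code from the original post or from any product, of what the three Intelligent Discovery steps look like once the raw inventory exists: each discovered account carries an owner and an asset type, and a small set of controls (the two named above plus an ownership control) is evaluated over the inventory to produce a prioritized list of violations. The account names, owners, sources and control identifiers are constructed for illustration.

```python
"""Intelligent Discovery over a constructed account inventory (added example).

Discovery found the accounts; this pass attaches ownership and asset type,
then evaluates controls so the resulting violations drive the cleanup order.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Account:
    name: str
    source: str            # where discovery found it: "AD", "local", "db", "app"
    owner: Optional[str]   # responsible human/team; None means ownership not yet established
    asset_type: str        # "user", "service", "admin", or any type you define
    runs_service: bool     # observed running a service or scheduled job
    vaulted: bool          # credential is managed by a vault


# Constructed sample inventory; none of these are real accounts.
INVENTORY: List[Account] = [
    Account("svc-backup", "AD", "ops-team", "service", True, True),
    Account("jdoe", "AD", "jdoe", "user", True, False),                # user account running a service
    Account("Administrator", "local", None, "admin", False, False),    # unowned, unvaulted admin
    Account("app_reader", "db", "app-team", "service", False, True),
    Account("adm-asmith", "AD", "asmith", "admin", False, True),
]

# Each control: (id, description, predicate that returns True when the account VIOLATES it).
# The ids are assumed names for this example.
CONTROLS: List[Tuple[str, str, Callable[[Account], bool]]] = [
    ("OWN-1", "every account must have a responsible owner",
     lambda a: a.owner is None),
    ("SVC-1", "non-service accounts must not run services",
     lambda a: a.runs_service and a.asset_type != "service"),
    ("PRIV-1", "privileged (admin) accounts must be vaulted",
     lambda a: a.asset_type == "admin" and not a.vaulted),
]


def find_violations(inventory: List[Account], controls=CONTROLS) -> List[Tuple[str, str]]:
    """Return (control_id, account_name) for every control each account violates."""
    return [(cid, a.name) for a in inventory for cid, _desc, violates in controls if violates(a)]


def prioritize(violations: List[Tuple[str, str]]) -> List[Tuple[str, int]]:
    """Rank accounts by number of violations so the worst offenders are fixed first."""
    counts: Dict[str, int] = {}
    for _cid, name in violations:
        counts[name] = counts.get(name, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def summarize(inventory: List[Account]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Count accounts per discovery source and per asset type (the 'take stock' view)."""
    by_source: Dict[str, int] = {}
    by_type: Dict[str, int] = {}
    for a in inventory:
        by_source[a.source] = by_source.get(a.source, 0) + 1
        by_type[a.asset_type] = by_type.get(a.asset_type, 0) + 1
    return by_source, by_type


if __name__ == "__main__":
    by_source, by_type = summarize(INVENTORY)
    print("accounts by source:", by_source)
    print("accounts by type:  ", by_type)
    violations = find_violations(INVENTORY)
    for cid, name in violations:
        desc = next(d for c, d, _ in CONTROLS if c == cid)
        print(f"{cid}: {name} - {desc}")
    print("fix first:", prioritize(violations))
```

The point of ranking by violation count rather than listing accounts alphabetically is the one the post makes: discovery produces far more findings than you can act on at once, so the controls decide the order, and an account that fails several controls (here an unowned, unvaulted admin account) rises to the top.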
It is not easy and it takes a lot of work and commitment, regardless of whether we are talking about cleaning your room or cleaning your infrastructure. Too many times you look at that big messy room and think, “I have no idea where to even start” and close the door and try not to think about that messy room. Unfortunately, you cannot do that with security in your organization. The mess must be cleaned. So how do you get started? As they say, the best way to start is at the beginning. Take stock of what you have. Get a good understanding of what you find and then fix a little each day until you find the room is not as messy as it used to be.