Maintaining proper identity hygiene in complex, dynamic environments can be challenging. How can you be sure you’re scanning, monitoring, scraping, and collecting identity information from every system and application? You can see a shift in thinking as modernized cybersecurity frameworks like NIST CSF 2.0 and Gartner’s CTEM guide organizations to begin with an inventory and scoping process before any discovery begins. Even if you have to start by putting pen to paper, maintaining an up-to-date list of every asset must be step 1 for any discovery process to return valuable information. This is where continuous discovery tools and processes become essential – their findings often surprise even the most mature IAM teams who believe they have a complete inventory of all identities. The purpose of continuous discovery is to:
- Maintain an accurate, real-time inventory of all user accounts across every single system and application
- Automatically map every account (human and non-human) to a governed identity
- Implement proper identity security hygiene to proactively reduce the attack surface
- Continuously analyze if users require their assigned permissions to identify unused or unnecessary access rights to enforce least privilege
You can’t protect what you don’t know
The first step in preparing for continuous discovery is identifying all user repositories. While this may sound like a simple objective, most business, workforce and security applications use local, application-specific repositories. Those local accounts are likely completely unmanaged and have bypassed whatever IGA and PAM processes the organization has in place. It can be shocking to realize how many accounts are local to an endpoint’s operating system, hold privileged access to IaaS infrastructure, are local to databases, or are simply application accounts stored in the app’s own repository. These account types have no link to a specific human identity and are thus likely untracked. It’s not just accounts: other standalone credentials must be included in this discovery too, such as API keys, OAuth client credentials and refresh tokens, SSH keys and certificates, and X.509 certificates. Now you can see how quickly account sprawl and poor identity hygiene allow attackers to simply log in to your systems.
Some of the IAM tools you own have automated discovery processes as a part of their offering. However, there are usually 3 major shortcomings with these:
- The discovery process cannot be performed continuously because the discovery job takes too long to complete and is often prohibitively resource-intensive.
- A scheduled discovery job will require extensive customization and configuration to discover the particular locations from which the tools need to gather data.
- Discovered data isn’t consumable by other tools in your tech stack; in particular, it needs to integrate with your broader identity governance and administration (IGA) and privileged access management (PAM) solutions.
If you rely on your existing solutions, you’ll have to assemble and orchestrate your own discovery process to make it as close to continuous as possible. Then, you’ll need to start building out responses to clean up and remediate issues.
Why Continuous Discovery Matters
- Dynamic Environment Changes: IT environments are constantly evolving. New users are added, roles change, and permissions are modified regularly. Without continuous monitoring, these changes lead to access creep, orphaned accounts, and other identity-related vulnerabilities.
- Detecting Anomalies and Potential Threats: Continuous discovery allows IAM teams to identify unusual patterns or behaviors that may indicate a compromised account or insider threat. By constantly analyzing access patterns, organizations can detect and respond to potential security incidents more quickly.
- Compliance and Audit Readiness: Many regulatory frameworks require organizations to maintain accurate inventories of users, accounts, privileges, and access. Continuous discovery ensures that this information is always up to date, simplifying compliance efforts and audit processes. A global identity inventory performed on March 1st is likely out of date by March 2nd.
- Efficient Resource Allocation: Continuous discovery helps organizations optimize their resource allocation and reduce unnecessary costs associated with idle licenses or over-provisioned access by automatically identifying unused accounts or excessive permissions.
Where to start
Make sure you have a complete list of assets that an identity has access to. If you have to, maintain this list manually until you have a tool in place. For discovery of data on those assets, make sure you implement tools that can automatically gather identity data from across your IT ecosystem. This should include:
- User accounts and attributes from all directories, including on-premises or “legacy” infrastructure (e.g., Active Directory, LDAP)
- Access rights and permissions
- Application and system entitlements
- User activity data
Now, I’m going to make this sound simple, but the complexity and sheer amount of data collected can make this process harder than it should be. At a high level, you will need analytics capabilities to process the collected data and uncover potential issues. Focus on data indicating anomalous or unusual access patterns, on risk scoring for user accounts and entitlements, and on correlating identity data with threat intelligence. From there, set up real-time monitoring and alerting to notify IAM teams of high-risk events or policy violations, such as dormant accounts becoming active or sudden changes in user permissions. Then implement workflows to streamline the response to discovered issues, such as automated ticket creation for access reviews or automated vaulting of discovered identities into your PAM vault.
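To make the repository-reconciliation step and the alerting step above concrete, here is an added worked example in Python. It is not Hydden’s code or any product’s API; every account record, the governed identity list, and the 90-day dormancy threshold are constructed for illustration. The sketch maps accounts discovered in several repositories (a directory, a database, a host-local OS account, a cloud API key) onto governed identities, reports the orphans that bypass IGA and PAM, diffs two discovery snapshots to raise the events the text names (a dormant account becoming active, a sudden permission change, accounts appearing or disappearing), and lists entitlements that were granted but never exercised as least-privilege candidates.

```python
"""Continuous identity discovery sketch: reconcile accounts from several
repositories against a governed identity inventory and flag hygiene issues.
Added example with constructed data; not a vendor's product code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed "current time" and dormancy threshold (assumptions for the example).
NOW = datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Account:
    source: str                 # repository the account was discovered in
    name: str                   # account name as stored in that repository
    kind: str                   # "user", "service", "api_key", ...
    owner_hint: Optional[str]   # mail attribute, tag or key comment, if any
    permissions: frozenset      # entitlements granted in that repository
    last_used: Optional[datetime]

    @property
    def key(self):
        return (self.source, self.name)


# Governed identities as an IGA system would hold them (constructed):
# identity -> login names known to belong to that identity.
GOVERNED = {
    "alice@example.com": {"alice", "alice.smith"},
    "bob@example.com": {"bob"},
}


def map_to_identity(acct, governed):
    """Return the governed identity owning an account, or None if it is orphaned.
    An explicit owner hint wins; otherwise fall back to known login names."""
    if acct.owner_hint in governed:
        return acct.owner_hint
    for identity, names in governed.items():
        if acct.name in names:
            return identity
    return None


def reconcile(accounts, governed):
    """Split discovered accounts into {identity: [accounts]} and an orphan list."""
    mapped, orphaned = {}, []
    for acct in accounts:
        identity = map_to_identity(acct, governed)
        if identity is None:
            orphaned.append(acct)
        else:
            mapped.setdefault(identity, []).append(acct)
    return mapped, orphaned


def is_dormant(acct, now=NOW):
    """Never used, or unused for longer than the dormancy threshold."""
    return acct.last_used is None or now - acct.last_used > DORMANT_AFTER


def compare_snapshots(previous, current, now=NOW):
    """Diff two discovery runs and emit (event, key[, detail]) alerts."""
    prev = {a.key: a for a in previous}
    cur = {a.key: a for a in current}
    alerts = []
    for key, acct in cur.items():
        old = prev.get(key)
        if old is None:
            alerts.append(("new_account", key))
            continue
        if is_dormant(old, now) and not is_dormant(acct, now):
            alerts.append(("dormant_account_active", key))
        gained = acct.permissions - old.permissions
        if gained:
            alerts.append(("permissions_added", key, tuple(sorted(gained))))
    for key in prev.keys() - cur.keys():
        alerts.append(("account_removed", key))
    return alerts


def unused_permissions(acct, exercised):
    """Entitlements granted but absent from activity data: least-privilege candidates."""
    return acct.permissions - frozenset(exercised)


def sample_snapshots():
    """Two constructed discovery runs: yesterday's and today's."""
    def d(days):
        return NOW - timedelta(days=days)
    previous = [
        Account("ad", "alice", "user", "alice@example.com", frozenset({"vpn"}), d(1)),
        Account("ad", "bob", "user", "bob@example.com", frozenset({"vpn"}), d(120)),
        Account("pg-prod", "reporting", "service", None, frozenset({"SELECT"}), d(5)),
        Account("host-42", "root", "user", None, frozenset({"sudo"}), None),
    ]
    current = [
        Account("ad", "alice", "user", "alice@example.com", frozenset({"vpn", "domain-admin"}), d(0)),
        Account("ad", "bob", "user", "bob@example.com", frozenset({"vpn"}), d(0)),
        Account("pg-prod", "reporting", "service", None, frozenset({"SELECT"}), d(6)),
        Account("aws", "ci-deploy-key", "api_key", None, frozenset({"s3:*"}), d(30)),
    ]
    return previous, current


if __name__ == "__main__":
    previous, current = sample_snapshots()
    mapped, orphaned = reconcile(current, GOVERNED)
    print("orphaned:", [a.key for a in orphaned])
    for alert in compare_snapshots(previous, current):
        print("ALERT", alert)
    print("unused for alice:", unused_permissions(current[0], ["vpn"]))
```

Run as-is, it reports the database service account and the cloud API key as orphans (no governed owner), raises alerts for bob’s dormant account becoming active, alice gaining domain-admin, the new API key, and the disappearance of the host-local root account, and lists domain-admin as an entitlement alice holds but has not exercised. In practice the snapshots would come from connectors to each repository and the alerts would feed the ticketing and PAM vaulting workflows described above.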
At Hydden, we’ve recognized that the challenge of identity hygiene is too complex to be effectively addressed by piecemeal solutions that don’t work together. Despite acquiring more security tools, many organizations continue to struggle with deteriorating identity hygiene. The proliferation of accounts, credentials, and entitlements creates significant gaps and vulnerabilities that attackers can exploit. This is why continuous discovery is no longer a luxury in IAM: it’s a necessity. Recent versions of the NIST CSF and Gartner’s CTEM have both been updated to recommend continuously governing all aspects of control and threat exposure management initiatives. By adopting robust continuous discovery tools and processes, organizations can make substantial improvements to their identity hygiene, reduce the risk of cyberattacks, and establish a strong security posture, which then serves as a secure foundation on which to build more advanced capabilities.