Many of my recent blog posts have centered on obtaining a complete and contextual asset inventory. In all of these, I’ve focused on devices and those devices’ characteristics as part of the overall inventory.
With 2021’s start, I’ll now focus a bit on a different inventory that has far-reaching consequences for organizations, one that is recognized as a key inventory by the Center for Internet Security (CIS) Controls.
A complete and contextual user inventory.
A user inventory is simply a complete account of every user account across the varied systems of an organization.
As with device inventories, organizations have long struggled to obtain a single, consolidated inventory of user information. (No surprise here, given the sheer number of user accounts that exist across an enterprise.) Almost every application, database, and compute platform across an enterprise has its own associated (and siloed) user account inventory.
Even when organizations attempt to pull together some subset of these user inventories, they run into challenges similar to obtaining a complete device inventory:
Most enterprises have opted to forgo a complete inventory. Instead, they focus on identity and access management (IAM) solutions for their most critical applications and databases.
Within the IAM space, the most common barrier to centralizing user account information has been cost. Most IAM vendors charge a separate licensing fee for each integration to an individual application, database, or platform, reflecting the time, cost, and effort that each data-source-specific integration requires.
User account characteristics are expansive. There are some characteristics that are common across all data sources, while others are specific to an individual data source or platform. This is an important point, as aggregation and consolidation of user (and device) information is critical to obtaining context. Richness of context is a direct function of the quantity of integrated data sources.
Importantly, some user characteristics are common across all data sources. These common characteristics are critical for formulating the correlation rules used to deduplicate the various data sources. They enable an inventory tool to accurately attach the assorted characteristics from the individual sources to one consolidated user account record in the user inventory platform.
Without this correlation, obtaining and maintaining a unique inventory with relevant context would be impossible to achieve.
A sample of user account data fields are listed in the chart below.
Username | User Title | User Manager
User Department | Last Logon | Last Logoff
User Location | Domain Ownership | Account Locked
Application Access | Employee ID | Employee Number
AD Policies | SSO Enrollment | Display Name
Last Seen on Device | Logon Count | Last Bad Logon Date
AD Delegation Policy | Account Disabled | First Name
Last Name | Is MFA Enrolled | Is MFA Enforced
Is Admin | User Path | User Arn
Account Alias | Region | Account Expiration
Office Name | Password Expired | Organizational Unit
User Creation Date | Is Delegated Admin | Last Seen in Domain
Suspended | Account ID | Password Not Required
There is a large number of data sources that contain user data. One question you may be asking yourself is, “Where do I start?”
The best starting point is the platform that casts the widest net: a directory services platform like Microsoft Active Directory (AD). If you are heavily invested in the cloud, you may want to start with your cloud directory service, which could include JumpCloud, Microsoft Azure AD, AWS Directory Service, GSuite and OneLogin — to name a few.
Directory services are an important baseline for users. They can serve as the sticky glue to help with user data correlation from other sources, simply because of the abundance of data objects typically populated in directory services.
Beyond directory services, other common sources include identity and access solutions, like single sign on (SSO) and multi-factor authentication tools. These tools are great sources for a few reasons:
In tandem with directory services information, IAM data provides for some interesting use cases. Additional data sources include:
A consolidated user inventory makes it easy to query, track, and monitor a wide range of user attributes, characteristics, and conditions. When fully populated, a user inventory can solve use cases ranging from incident response to user policy management, and from continuous monitoring of risky security conditions to zero trust reconciliation, enabling various personas across a variety of IT functions to better manage workflows and outcomes.
A sampling of use cases are outlined below.
With a complete, consolidated user inventory, common user account policies become easier to monitor and manage. Manual quarterly and annual audits that were previously time consuming and a regular distraction become a simple task with a consolidated user inventory.
The ability to query across all users, across any particular data source (or all of them) allows for quick daily checks for certain key policy infractions. Some of these include:
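As an added example (not code from the original post), here is a small Python sketch of the correlation step described earlier and the daily policy checks this section calls for: three constructed exports (directory, SSO, MFA) are folded into one record per person using the common characteristics (employee ID, then case-normalized email), and the merged records are then queried for a handful of the conditions in the field list above. The source field names, the sample data and the 90-day stale-logon threshold are all assumptions.

```python
from datetime import date
# Constructed sample exports from three siloed sources (illustrative, not real data).
AD_USERS = [
    {"sAMAccountName": "jdoe", "employeeID": "1001", "mail": "jdoe@example.com", "enabled": True,
     "is_admin": True, "password_not_required": False, "last_logon": "2020-12-28"},
    {"sAMAccountName": "svc_backup", "employeeID": "", "mail": "", "enabled": True,
     "is_admin": True, "password_not_required": True, "last_logon": "2020-06-01"},
    {"sAMAccountName": "asmith", "employeeID": "1002", "mail": "asmith@example.com", "enabled": False,
     "is_admin": False, "password_not_required": False, "last_logon": "2020-11-02"},
]
SSO_USERS = [{"login": "jdoe@example.com", "employee_number": "1001", "apps": ["CRM", "HR"]},
             {"login": "asmith@example.com", "employee_number": "1002", "apps": ["CRM"]}]
MFA_USERS = [{"user": "JDoe@example.com", "enrolled": False},  # mixed case on purpose
             {"user": "asmith@example.com", "enrolled": True}]

def correlate(ad, sso, mfa):
    """One record per person: correlate on employee ID, then case-normalized email, else keep a
    per-source key. Directory data goes first since it carries the most identifiers."""
    inventory, by_mail = {}, {}
    def merge(source, emp_id, email, fallback, fields):
        mail = email.lower() if email else ""
        key = f"emp:{emp_id}" if emp_id else by_mail.get(mail) or (f"mail:{mail}" if mail else fallback)
        rec = inventory.setdefault(key, {"sources": []})
        if mail:
            by_mail[mail] = key  # lets email-only sources (MFA) attach to this record
        rec.update(fields)
        rec["sources"].append(source)
    for u in ad:
        fields = {k: u[k] for k in ("enabled", "is_admin", "password_not_required", "last_logon")}
        fields["username"] = u["sAMAccountName"]
        merge("ad", u["employeeID"], u["mail"], f"ad:{u['sAMAccountName']}", fields)
    for u in sso:
        merge("sso", u["employee_number"], u["login"], f"sso:{u['login']}", {"apps": u["apps"]})
    for u in mfa:
        merge("mfa", "", u["user"], f"mfa:{u['user']}", {"mfa_enrolled": u["enrolled"]})
    return inventory

def policy_findings(inventory, today=date(2021, 1, 4), stale_days=90):
    """Daily policy checks over the consolidated records (the 90-day threshold is an assumption)."""
    out = []
    for key, r in inventory.items():
        if r.get("is_admin") and not r.get("mfa_enrolled"):
            out.append((key, "admin without MFA enrollment"))
        if r.get("password_not_required"):
            out.append((key, "password not required"))
        if r.get("enabled") is False and r.get("apps"):
            out.append((key, "disabled in directory but still assigned SSO apps"))
        if r.get("enabled") and (today - date.fromisoformat(r.get("last_logon", today.isoformat()))).days > stale_days:
            out.append((key, f"enabled but no logon in {stale_days} days"))
    return out
```

Note that the service account with no employee ID and no mail address cannot be correlated and is kept under its own per-source key, which is exactly the kind of record a consolidated inventory surfaces for review.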
At the heart of many security incidents is credential theft, and the use of those credentials by attackers to escalate privileges and gain access to critical systems. In most security incidents, attackers have days, weeks, months, and sometimes years of unfettered, undetected access to the IT environment. Incident response investigations typically start well after the initial breach has occurred.
A user inventory can accelerate an incident response investigation and reduce mean time to recovery by giving Incident Responders the ability to quickly and easily.
A user inventory allows companies to define conditions and develop monitoring charts and graphs in the form of watchlists that track specific conditions. Acceptable risk varies from one company to the next, but some of the most common conditions are listed below:
Zero trust models have gained significant traction in recent years as companies attempt to use identity verification to establish trust before allowing access to resources from outside and inside the corporate network. A consolidated user inventory can help with several aspects of zero trust by tracking and/or alerting for: