Many of my recent blog posts have centered on obtaining a complete and contextual asset inventory. In all of these, I’ve focused on devices and those device’s characteristics as part of the overall inventory.
With 2021’s start, I’ll now focus a bit on a different inventory that has far reaching consequences for organizations. One that is recognized as a key inventory by the Center for Internet Security CIS Control.
A complete and contextual user inventory.
What is a User Inventory?
A user inventory is simply a complete account of every user account across the varied systems of an organization.
- User accounts are generally associated with a wide range of platforms — from databases to applications, from directory services, to identity and access management platforms.
- User accounts serve a number of purposes, including user authentication, authorization, and accounting controls.
- An aggregated user account inventory can inform a wide array of administrative, operational, and technical security workflows.
Obtaining a User Inventory
Like device inventories, organizations have long struggled to obtain a single, consolidated inventory for user information. (No surprise here, because of the sheer number of user accounts that exist across an enterprise.) Almost every application, database, and compute platform across an enterprise have their own associated (and siloed) user account inventory.
Even when organizations attempt to pull together some subset of these user inventories, they run into challenges similar to obtaining a complete device inventory:
- Fragmented administrative ownership across systems and platforms
- Developing, managing, and maintaining integrations to the various data sources
- Developing, managing, and maintaining a common normalization framework
- Managing the rate of user characteristic changes across each source
- Widely varied naming conventions making correlation rules complex and difficult
- Maintaining historical snapshots of users over time
- Ability to query for conditions that map to varied administrative, technical, and operational policies across security, IT, GRC etc.
Most enterprises have opted to forgo a complete inventory. Instead, they focus on identity and access management (IAM) solutions for their most critical applications and databases.
Within the IAM space, the most common barrier to centralizing user account information has been cost. Most IAM vendors charge individual licensing fees for integrations to each individual application, database, and platform, realizing the time, cost, and effort of the individual integration that is unique to the individual data source.
User Account Characteristics
User account characteristics are expansive. There are some characteristics that are common across all data sources, while others are specific to an individual data source or platform. This is an important point, as aggregation and consolidation of user (and device) information is critical to obtaining context. Richness of context is a direct function of the quantity of integrated data sources.
Importantly, there are very common user characteristics across all data sources. These common characteristics are critical for formulating correlation rules used to deduplicate the various data sources. They enable an inventory tool to accurately pin the sundry of data characteristics from the individual sources to one consolidated user account record in the user inventory platform.
Without this correlation, obtaining and maintaining a unique inventory with relevant context would be impossible to achieve.
A sample of user account data fields are listed in the chart below.
Last Seen on Device
Last Bad Logon Date
AD Delegation Policy
Is MFA Enrolled
Is MFA Enforced
User Creation Date
Is Delegated Admin
Last Seen in Domain
Password Not Required
User Data Sources
There is a large number of data sources that contain user data. One question you may be asking yourself is, “Where do I start?”
The best starting point is the platform that casts the widest net: a directory services platform like Microsoft Active Directory (AD). If you are heavily invested in the cloud, you may want to start with your cloud directory service, which could include JumpCloud, Microsoft Azure AD, AWS Directory Service, GSuite and OneLogin — to name a few.
Directory services are an important baseline for users. They can serve as the sticky glue to help with user data correlation from other sources, simply because of the abundance of data objects typically populated in directory services.
Beyond directory services, other common sources include identity and access solutions, like single sign on (SSO) and multi-factor authentication tools. These tools are great sources for a few reasons:
- They are typically expansive in terms of enterprise-wide employee and user coverage.
- They contain depth of information about user security and access groupings, and access to specific applications and services.
In tandem with directory services information, IAM data provides for some interesting use cases. Additional data sources include:
- Emerging digital management and intelligence tools, like DynaTrace and NextThink
- Privilege management tools, like CyberArk and Centrify
- Platform management tools, like Chef, Jira, and SCCM
- Human resource management tools, like ADP, Workday and BambooHR
- Storage management platforms, like NetApp and Nasuni
User Use Cases
A consolidated user inventory makes it easy to query, track, and monitor a wide range of user attributes, characteristics and conditions. When fully populated, a user inventory can solve use cases ranging from incident response to user policy management, from continuous monitoring of risky security conditions to zero trust reconciliation, enabling various personas across a variety of IT functions can better manage workflows and outcomes.
A sampling of use cases are outlined below.
With a complete, consolidated user inventory, common user account policies become easier to monitor and manage. Manual quarterly and annual audits that were previously time consuming and a regular distraction become a simple task with a consolidated user inventory.
The ability to query across all users, across any particular data source (or all of them) allows for quick daily checks for certain key policy infractions. Some of these include:
- Last password change within X days
- Accounts where password is not required
- Accounts where password is set to never expire
- Policies specific to guest, external or contractor user accounts
- Check users who have access tokens which have not been rotated in last X months
At the heart of many security incidents is credential theft, and the use of those credentials by attackers to escalate privileges and gain access to critical systems. In most security incidents, attackers have day, weeks, months, and sometimes years of unfettered, undetected access to the IT environment. Incident response investigations typically start well after the initial breach has occurred.
A user inventory can accelerate an incident response investigation and reduce mean time to recovery by giving Incident Responders the ability to quickly and easily.
- Group high privilege accounts (HPA) into a single view
- Understand where a user account was used on a specific date
- Understand recent password and privilege changes
- Understand devices associated with the user account
Monitoring Risky Conditions
A user inventory allows companies to define conditions and develop monitoring charts and graphs in the form of watchlists that track specific conditions. Acceptable risk varies from one company to the next, but some of the most common conditions are listed below:
- No password change for an account associated with credential breach in X time period
- Service accounts being used on abnormally high number of devices
- Disabled accounts that are still actively logged into a device
- Disabled SSO account where AD account is still active
Zero Trust Reconciliation
Zero trust models have gained significant traction in recent years as companies attempt to use identity verification to establish trust before allowing access to resources from outside and inside the corporate network. A consolidated user inventory can help with several aspects of zero trust by tracking and/or alerting for:
- Users who are admins with no MFA enabled
- Disallowed user to device associations
- Ensuring all active users are attached to the corporate SSO solution(s)
- Least privilege access is applied across all SSO, MFA and IAM solutions