
Populating the Unpopulated: Challenges of Building a Comprehensive User Inventory


Building a user inventory is often the most challenging aspect of an identity security program, but it is also fundamental to its success. Building an inventory is critical for any area of cybersecurity, and identity is no exception.

A comprehensive user inventory provides an organization with a complete view of all users, their access rights, and other relevant information that can help identify security risks, ensure compliance, and streamline user management. Moreover, a user inventory is essential to implementing a zero-trust security model because it provides complete visibility and control over user access and behavior. A user inventory is also a necessary precursor to other identity projects, enabling you to save time on projects like identity governance and administration (IGA).

Despite its importance, building a user inventory is not without its challenges. In this blog, we will explore the difficulties of creating a comprehensive user inventory, including managing different lifecycles, merging identities, managing machine identities, and understanding admin access. However, we will also highlight why it is so critical to get it right and the benefits of doing so.

1. User Lifecycle Variations

When we talk about “identities” in an enterprise, we’re not just talking about employees and customers. We also need to include contractors, vendors, and non-human identities. Critically, each of these types of identity has its own specific lifecycle and needs to be monitored differently.

Different types of users go through different stages in their relationship with an organization. This can create a problem for creating a single, unified user population because it can be difficult to track and manage all of these different lifecycles in a cohesive way.

For example, employees typically go through a hiring process, receive training and orientation, have ongoing performance evaluations, and eventually leave the organization through resignation or retirement. On the other hand, contractors may have a shorter onboarding process, work on specific projects or tasks, and may (or may not) have a defined end date for their engagement with the organization.

Vendors may have a completely different lifecycle, with a process for evaluation and selection, negotiation of contracts, and ongoing management of the vendor relationship. Customers may have their own lifecycle that includes marketing, sales, onboarding, and ongoing customer support.

These different lifecycles can make it difficult to create a comprehensive user population because it requires tracking and managing different types of users in different ways. For example, employees may have access to more sensitive information and systems than contractors or vendors, which means that their access needs to be managed differently. Customers may have different levels of access depending on their relationship with the organization.

Let’s be clear: there are legitimate business reasons for these discrepancies in lifecycles. For example, customers may not need as many controls as employees because they are not part of the organization and are not subject to the same security requirements. Similarly, there may be limited options for contractors in certain industries or locations, which means that organizations may need to work with contractors who have different lifecycles than employees. Vendors may also have different lifecycles depending on their size and capabilities; a small vendor may not be able to handle complex processes and may need more support from the organization, while a large vendor may be able to dictate more of the terms of the relationship.

Overall, these discrepancies between user lifecycles can create a complex and challenging environment for creating a single, unified user population. Organizations need to carefully manage and track different types of users in different ways, while also balancing legitimate business reasons for these discrepancies.

2. Merging Users Across Platforms

Difficulties in merging a user’s data across platforms are another reason that organizations struggle to get a unified view of their identities.

First, each identity provider may store user data in different formats, using different attributes and schemas. This can make it difficult to map and reconcile user data across different systems. This can be particularly challenging when trying to merge data between HR directories and identity providers.

Second, the data quality and accuracy of user data may vary across different systems. For example, user data in an HR directory may be more up-to-date and accurate than user data in a cloud-based identity provider. This can create discrepancies and inconsistencies in user data when attempting to create a unified view of user identities.

Third, each person may have multiple accounts that tie to their identity. On average, Oort finds that companies have 340.5 personal accounts (Gmail, Yahoo, Hotmail, iCloud, etc.) with access to company data. Many of these accounts should be tied to a corporate account.

Overall, getting a unified view of every identity in a workforce requires careful planning, standardization of data formats and attributes, and the ability to reconcile discrepancies and inconsistencies in user data. Integrating different identity sources, such as Okta, Azure AD, HR directories, and other identity providers, requires a deep understanding of each system's authentication protocols, security policies, and integration requirements.

3. Managing Non-Human Identities

Gaining visibility of machine identities, also known as service accounts, can pose several challenges. First, service accounts are usually created to cater to specific applications or services and may exist across various systems, which can make it arduous to keep track of and manage them.

Furthermore, service accounts can possess elevated privileges and access to sensitive resources, thereby making them alluring targets for potential attackers.

Additionally, service accounts might be shared among multiple users or applications, which can create intricate scenarios and security risks.

To obtain a comprehensive understanding of service accounts, organizations might have to implement tools for discovering and managing them. In addition, implementing policies and controls to monitor activity and regulate access can also prove beneficial.

Most importantly, service accounts must always be linked to at least one human so there is one “throat to choke.” Ideally, each account should also have a backup owner, in case the primary owner leaves.

4. Tracking Admin Access Across Shadow IT

It can be difficult to know all administrators across different identity providers, especially if it involves Shadow IT - the use of unauthorized or unmanaged IT resources and services. This is because employees or departments may use identity providers that are not officially sanctioned by the organization, making it challenging to track and manage all administrators.

Lack of visibility into who has access to what resources and data can be detrimental to an organization's security posture, especially in the case of data breaches. It is crucial to know all administrators to ensure that only authorized individuals have access to sensitive data and resources. Additionally, it helps organizations to optimize resource allocation and ensure that employees have the appropriate level of access to the tools and data they need to do their jobs effectively. Knowing all administrators helps organizations to manage their identity and access management (IAM) system effectively, reducing the risk of cyber threats and data breaches.
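As an added example (not code from the original post or from Oort), here is the reconciliation that sections 2, 3 and 4 describe in prose, run over three constructed exports: normalise each source's schema to one record keyed by lower-cased email, then surface the gaps the post warns about (accounts an IdP knows but HR does not, leavers still enabled, admins scattered across providers, service accounts with nobody accountable). The attribute names, the owner registry and the sample users are assumptions for illustration, not any vendor's real schema.

```python
from collections import defaultdict

# Constructed sample records standing in for an HRIS export, an Okta user list
# and an Azure AD user list. Attribute names are illustrative assumptions, not
# any vendor's real schema; the point is the reconciliation logic.
HRIS = [
    {"work_email": "Ada@Example.com", "status": "active", "worker_type": "employee"},
    {"work_email": "bob@example.com", "status": "terminated", "worker_type": "contractor"},
    {"work_email": "grace@example.com", "status": "active", "worker_type": "employee"},
]
OKTA = [
    {"profile": {"login": "ada@example.com"}, "status": "ACTIVE", "roles": ["SUPER_ADMIN"]},
    {"profile": {"login": "bob@example.com"}, "status": "ACTIVE", "roles": []},
    {"profile": {"login": "svc-backup@example.com"}, "status": "ACTIVE", "roles": ["ORG_ADMIN"]},
]
AZURE = [
    {"userPrincipalName": "ada@example.com", "accountEnabled": True, "directoryRoles": []},
    {"userPrincipalName": "carol@example.com", "accountEnabled": True, "directoryRoles": ["Global Administrator"]},
    {"userPrincipalName": "svc-backup@example.com", "accountEnabled": False, "directoryRoles": []},
]
# Hypothetical owner registry: service account -> responsible humans (empty = nobody).
SERVICE_ACCOUNT_OWNERS = {"svc-backup@example.com": []}

def normalize(source, records):
    """Map one source's schema onto a common shape keyed by lower-cased email."""
    for r in records:
        if source == "hris":
            yield {"email": r["work_email"].lower(), "enabled": r["status"] == "active",
                   "roles": [], "worker_type": r["worker_type"]}
        elif source == "okta":
            yield {"email": r["profile"]["login"].lower(), "enabled": r["status"] == "ACTIVE",
                   "roles": list(r["roles"]), "worker_type": None}
        elif source == "azure":
            yield {"email": r["userPrincipalName"].lower(), "enabled": bool(r["accountEnabled"]),
                   "roles": list(r["directoryRoles"]), "worker_type": None}

def build_inventory(sources):
    """Merge every source into one record per identity, remembering which sources saw it."""
    inv = defaultdict(lambda: {"sources": set(), "enabled": {}, "admin_roles": {}, "worker_type": None})
    for name, records in sources.items():
        for rec in normalize(name, records):
            entry = inv[rec["email"]]
            entry["sources"].add(name)
            entry["enabled"][name] = rec["enabled"]
            if rec["roles"]:
                entry["admin_roles"][name] = rec["roles"]
            if rec["worker_type"]:  # HRIS is the lifecycle anchor (employee vs contractor)
                entry["worker_type"] = rec["worker_type"]
    return dict(inv)

def in_idp_but_not_in_hris(inv):
    """Human accounts an IdP knows about that HR has no record of (section 2)."""
    return sorted(e for e, v in inv.items()
                  if "hris" not in v["sources"] and e not in SERVICE_ACCOUNT_OWNERS)

def terminated_but_still_enabled(inv):
    """HR says the person left, but some provider still has the account enabled."""
    return sorted(e for e, v in inv.items()
                  if v["enabled"].get("hris") is False
                  and any(on for src, on in v["enabled"].items() if src != "hris"))

def admins_across_providers(inv):
    """Everyone holding an admin role anywhere, keyed by provider (section 4)."""
    return {e: v["admin_roles"] for e, v in inv.items() if v["admin_roles"]}

def service_accounts_without_owner(inv):
    """Service accounts with no human accountable for them (section 3)."""
    return sorted(e for e in inv if e in SERVICE_ACCOUNT_OWNERS and not SERVICE_ACCOUNT_OWNERS[e])
```

Note that the mixed-case HRIS address and the IdP logins collapse into a single record only because every source is normalised before merging; without that step the same person appears twice.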

Worth the Slog: Benefits of Getting a Comprehensive View

Despite all of these challenges, building a unified view of your identities is well worth it. You cannot protect your identities from account takeover until you know what you are protecting.

Once you know what you’re protecting, you can then start cleaning it up, resolving inconsistencies, and improving overall IAM hygiene. By identifying risks like dormant accounts and removing them, teams can reduce their attack surface and reduce the amount of unforeseen work for other identity projects. These are not sexy or fun things to resolve, but they will set you up for success with other identity projects like Identity Governance and Administration (IGA).

Finally, building a user inventory is one of the core projects required as part of any zero trust journey. We’ll be exploring this topic in more detail over the coming weeks and months.

Conclusion

The creation of a user inventory is fundamental to the success of an identity security program. A comprehensive user inventory offers organizations a complete view of all users, their access rights, and other relevant information to identify security risks, ensure compliance, and streamline user management. However, creating a single, unified user population presents challenges, including managing different user lifecycles, merging identities, managing machine identities, and understanding admin access. These challenges require careful planning, standardization of data formats and attributes, and the ability to reconcile discrepancies and inconsistencies in user data. Ultimately, building a user inventory is critical to implementing a zero-trust security model by providing complete visibility and control over user access and behavior.

Oort specializes in providing enterprises with a single pane of glass into their identities and gives them a unified view of their identities from HRIS, SSO, Cloud Directories, and other identity providers. Get in touch to learn how we can help.
