Identity has become the new perimeter in the digital world. Online identities hold the key to the most important data and functionality in your business. Identities can become a nightmare to manage without identity governance in place. Much of this framework will focus on security controls for protecting identities, but before any of those can be implemented, you need to inventory all of the digital identities currently used in your business.

If your digital environment has limited oversight, this step may take a bit of time. One of the most common security issues in organizations today, especially smaller ones, is Identity Sprawl: the uncontrolled growth of user identities across various systems and applications, with multiple redundant identities in use for individual users. It is very common in organizations that rely heavily on online/cloud services. Many business owners don’t even know it is occurring, which makes it an even riskier issue. Often, employees are issued a company email address and then create accounts on various cloud platforms and web applications with it. This quickly gets out of hand: employees forget about many of the accounts, and management is unaware that company data is being used on unvetted platforms. It is critical to catch identity sprawl now so you can properly govern the use of company identities moving forward.

A digital identity inventory should include all of the company-sanctioned identities, such as email accounts and proprietary software accounts. However, for a complete view of your identity surface, you should conduct interviews with employees and ask them what applications they have signed up for with their company-issued email addresses. You may need to go even further and conduct discovery by reviewing logging data to uncover accounts that have been forgotten about. The following attributes should be included in the inventory:

  • Service Provider or Product
  • Account Owner
  • Account Type
  • Username
  • Account Creation Date
  • Account Deletion Date
  • Account Expiration Date
  • Account Status (Enabled, Disabled, Deleted, Dormant, Locked)
  • MFA Enabled?
  • Review Date (Date Validated)
  • Business Unit
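As an added illustration (not part of the original framework text), the inventory attributes above can be kept as a structured record and checked for the governance gaps the section warns about: accounts without MFA, dormant accounts still live, expired accounts still enabled, overdue reviews, and one owner holding accounts across many providers (the sprawl signal). The inventory rows, names and services below are constructed sample data, and the review window of 365 days is an assumed policy value.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class IdentityRecord:
    provider: str                  # Service Provider or Product
    owner: str                     # Account Owner
    account_type: str              # Account Type
    username: str
    created: date                  # Account Creation Date
    status: str                    # Enabled, Disabled, Deleted, Dormant, Locked
    mfa_enabled: bool
    business_unit: str
    deleted: Optional[date] = None     # Account Deletion Date
    expires: Optional[date] = None     # Account Expiration Date
    reviewed: Optional[date] = None    # Review Date (Date Validated)

TODAY = date(2024, 9, 1)   # fixed "today" so results are reproducible

# Constructed sample inventory; owners and services are illustrative only.
INVENTORY = [
    IdentityRecord("Email", "a.lee", "user", "a.lee@example.com", date(2022, 1, 10), "Enabled", True, "Sales", reviewed=date(2024, 5, 1)),
    IdentityRecord("FileShareSaaS", "a.lee", "user", "a.lee@example.com", date(2023, 3, 2), "Enabled", False, "Sales"),
    IdentityRecord("DesignSaaS", "a.lee", "user", "alee-design", date(2023, 7, 9), "Dormant", False, "Sales"),
    IdentityRecord("Email", "b.ortiz", "admin", "b.ortiz@example.com", date(2021, 6, 1), "Enabled", True, "IT", expires=date(2024, 1, 1), reviewed=date(2024, 5, 1)),
    IdentityRecord("CRM", "c.park", "user", "c.park@example.com", date(2020, 2, 2), "Deleted", False, "Sales", deleted=date(2023, 1, 1)),
]

def find_issues(records, today=TODAY, review_max_days=365):
    """Flag live accounts that need governance attention, as (provider, username, issue)."""
    issues = []
    for r in records:
        if r.status == "Deleted":
            continue                                   # nothing left to govern
        if not r.mfa_enabled:
            issues.append((r.provider, r.username, "mfa-disabled"))
        if r.status == "Dormant":
            issues.append((r.provider, r.username, "dormant-not-disabled"))
        if r.expires and r.expires < today and r.status == "Enabled":
            issues.append((r.provider, r.username, "expired-still-enabled"))
        if r.reviewed is None or (today - r.reviewed).days > review_max_days:
            issues.append((r.provider, r.username, "review-overdue"))
    return issues

def sprawl_by_owner(records):
    """Owners with live accounts on more than one provider: the identity-sprawl candidates."""
    providers = defaultdict(set)
    for r in records:
        if r.status != "Deleted":
            providers[r.owner].add(r.provider)
    return {owner: sorted(p) for owner, p in providers.items() if len(p) > 1}
```

Running this against the sample rows surfaces six issues and one owner with accounts spread across three providers, which is the kind of result that should feed the employee interviews and log review described above.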