Visibility is a foundational element to any cyber defense strategy – after all, you can’t protect what you can’t see. This principle is also at the bedrock of modern Identity and Access Management (IAM) programs. Discovery is the mechanism to gain visibility – and continuous discovery is a goal many organizations look to achieve. Continuous discovery enables security teams to identify, monitor, and manage all identities (human and non-human), all access privileges, and all identity activity in real-time. This is no-doubt a lofty goal and may require a mix of tools, processes, and teams to achieve. This blog post delves into the importance of continuous discovery and how it contrasts with static discovery approaches in IAM.
Traditional Discovery Approaches
Uncovering security blind spots caused by poor identity hygiene is challenging and for good reason. The sheer number of human and non-human accounts within an organization are growing at an unpredictable and accelerated pace. This is often fueled by the adoption of new applications, services, and DevOps tooling across any combination of public, private, and hybrid infrastructure. Traditional discovery approaches rely on periodic scans – quarterly or annually – and manual reviews, followed by manual intervention and response. This practice is all too common in legacy approaches to PAM and IGA. Chances are, you own an IAM tool today that utilizes a traditional discovery job to capture point-in-time data. This discovery scan must be carefully scheduled and configured to ensure limited network and application performance impact.
Ensuring the freshness of discovery data is not the primary, or even secondary, function of most IAM tools that provide authentication, identity governance, or privileged access management. The discovery job is usually good enough for the individual tool’s purposes and suitable for less dynamic environments. But this kind of discovery was not designed to support multiple user directories, systems and applications with local user repositories, and across hybrid environments with a mix of SaaS and on-premise infrastructure and applications. Scalability and performance are always a challenge in complex environments.
Because of these limitations, many IAM software providers have attempted to utilize network monitoring and log parsing to replace a standard discovery job. These approaches are ideal for monitoring events and performance from several different sources, in different formats, and in massive volumes. But when it comes to visibility and control of all identities, these approaches should be limited to providing supplemental data and cannot replace the breadth of data standard discovery jobs collect. Like approaches designed to reactively secure the perimeter, an event must occur first so that it can be sent across the network or logged. Products that only utilize network monitoring and/or log parsing thus cannot provide total visibility into the state and hygiene of every single identity – however this data is very useful on top of baseline identity data and can be used for advanced capabilities like anomalous activity detection. For example, if you are using a point-in-time discovery product that runs once a week, you might miss when an attacker leverages a stale account to escalate privileges as a part of an ongoing attack and you now have to play defense. Alternatively, with continuous discovery-based products, you have this information immediately and can take proactive action to prevent the account takeover from happening in the first place.
Based on this history, you can see why organizations have high hopes for continuous discovery. Maintaining proper identity hygiene in complex, dynamic environments is a challenge that modern technological approaches can finally help us solve. This is where continuous discovery tools and processes become essential, and their findings often surprise IAM teams. The purpose of continuous discovery is not just to maintain an accurate, real-time inventory of all user accounts across systems and applications. Continuous discovery should also include mapping relationships between users, roles, and permissions and utilizing the richness of this data to analyze identity hygiene, privilege, and access violations and emerging risks. The technology and approach to identity discovery requires an innovative, streamlined mechanism of consuming large datasets in real-time without impacting business operations.
Modern identity security
A rapid continuous discovery job is a necessary component to empower security teams to proactively detect and respond to threats. Continuous discovery, where the data is standardized and thus consumable by other critical IAM products, needs to be at the heart of every security team. Security leaders and practitioners want interoperability between the point solutions and platforms they already own. And with the AI explosion, organizations are looking for ways to feed their models with the largest and most accurate data.
We designed the Hydden platform to help bridge the gaps between existing IAM tools – like IAM, PAM, IGA, and CIEM. Hydden closes the gaps across siloed teams, technologies, and phases of the identity lifecycle so that data can be shared between different tools in order to look at the identity attack surface holistically and thus help organizations effectively reduce risk. Rather than replacing your existing solutions, Hydden builds a single data layer across your identity stack. It automatically discovers, normalizes, correlates, and models complex identity-related data so that any system can surface and automatically act on the insights. Historical trend analysis tracks your progress so you can quantifiably demonstrate how your actions are reducing risks.
Book a demo to see why we are the leaders in continuous discovery with our highly performant data collections from any SaaS and on-premise system.