CIS-8.1.6.6 — Establish and Maintain an Inventory of Authentication and Authorization Systems
Executive Summary
Establish and maintain an inventory of all authentication and authorization systems used to manage access to enterprise assets. This includes identity and access management (IAM) systems, directory services, multi-factor authentication (MFA) platforms, privileged access management (PAM) systems, role-based access control (RBAC) implementations, and any custom or third-party solutions that manage digital identities and permissions.
Why This Safeguard Matters
Without visibility into all authentication and authorization systems, organizations cannot effectively manage access controls, detect unauthorized systems, or respond to identity-based threats. Shadow IT authentication systems bypass security policies and create attack surfaces. Maintaining a comprehensive inventory enables identification of legacy systems requiring upgrades, unsupported platforms, and redundant systems that should be consolidated.
Technical Deep Dive
Core Components of Authentication and Authorization Inventory
A complete inventory includes:
- Identity Systems: Active Directory, Azure AD, Okta, OneLogin, and other directory services
- IAM Platforms: Comprehensive IAM solutions managing user lifecycles and access policies
- MFA Systems: Multi-factor authentication platforms and hardware token systems
- PAM Solutions: Privileged access management systems protecting administrative credentials
- RBAC Implementations: Role-based access control systems mapping roles to permissions
- Federation Services: SAML, OAuth, and OpenID Connect implementations
- Custom Solutions: In-house developed authentication and authorization systems
- Third-Party Integrations: SaaS applications with delegated authentication
Inventory Data Collection
Effective inventory collection involves automated discovery and manual validation:
- Automated Discovery: Network scanning, API discovery, and application discovery tools
- Configuration Review: Examination of authentication settings across applications
- User Interviews: IT and application teams identify systems they manage
- Access Log Analysis: Network and application logs reveal authentication endpoints (for example SSO, OAuth, LDAP and Kerberos traffic to hosts not yet in the inventory)
- Documentation Review: IT documentation and architecture diagrams
Software Bill of Materials (SBOM)
Include SBOM data for authentication and authorization systems to track:
- Software components and versions
- Known vulnerabilities and patches
- License compliance and support status
- End-of-life dates and upgrade paths
Inventory Attributes
Each system should include:
- System name and type
- Owner and responsible team
- Business purpose and user base
- Integration points and dependencies
- Authentication methods supported
- Authorization model (RBAC, ABAC, etc.)
- Geographic locations and data residency
- Compliance status and certifications
- Maintenance and support information
- Last review date
Implementation Roadmap
Phase 1: Discovery and Documentation (Weeks 1-4)
- Conduct infrastructure assessment to identify all authentication systems
- Interview IT, security, and application teams
- Document current systems and their purposes
- Create baseline inventory
Phase 2: System Analysis and Classification (Weeks 5-8)
- Classify systems by type, criticality, and risk level
- Document authentication and authorization methods
- Identify integration dependencies
- Collect SBOM information
Phase 3: Tooling and Automation (Weeks 9-12)
- Implement automated discovery tools
- Configure continuous monitoring and alerting
- Establish change notification workflows
- Integrate with asset management systems
Phase 4: Ongoing Management (Ongoing)
- Quarterly inventory reviews and updates
- Vulnerability tracking for all systems
- Decommissioning processes for deprecated systems
- Integration with change management
Evidence Packages
Evidence Package 1: Inventory Documentation
Objective: Demonstrate comprehensive inventory of all authentication and authorization systems.
Contents:
- Spreadsheet listing all systems with attributes
- System categorization and classification
- Owner and support information
- Integration mapping
- Review dates and sign-offs
Evidence Package 2: Automated Discovery Configuration
Objective: Demonstrate automated discovery and monitoring of authentication systems.
Contents:
- Discovery tool configuration and schedules
- Monitoring dashboards and alerts
- Change detection and notification logs
- Integration with CMDB or asset management systems
Evidence Package 3: SBOM and Vulnerability Data
Objective: Demonstrate tracking of software components and known vulnerabilities.
Contents:
- Software Bill of Materials for each system
- Version tracking and lifecycle information
- Known vulnerabilities and patch status
- End-of-life tracking
Evidence Package 4: Inventory Update Process
Objective: Demonstrate regular maintenance and updates of inventory.
Contents:
- Quarterly review schedules and results
- Change management integration
- Approval and sign-off documentation
- Decommissioning records
Reference Architecture
Centralized Inventory Management System
A centralized system maintains the complete inventory with:
- Central database of all authentication and authorization systems
- Automated discovery feeds from network and application scanning
- Integration with configuration management database (CMDB)
- API endpoints for querying inventory data
- Reporting and dashboarding capabilities
- Integration with vulnerability scanning and patch management
Data Flow
- Discovery tools scan networks and APIs to identify systems
- Configuration reviews document system details
- Human validation confirms automated findings
- Changes flow through change management process
- Inventory feeds into security and operational tools
Real-World Examples
Example 1: Enterprise with Distributed Identity Systems
A global enterprise discovered it had 47 different authentication systems across business units:
- 5 Active Directory forests
- 3 Azure AD tenants
- 2 Okta instances
- 12 custom LDAP servers
- 25 application-specific authentication systems
By consolidating to 2 primary identity platforms, the organization reduced administrative overhead by 60% and improved security posture through centralized policy enforcement.
Example 2: Shadow IT Discovery
An organization implementing automated discovery identified 8 unauthorized authentication systems:
- Departmental AD forests created without central IT approval
- Third-party SaaS platforms with independent authentication
- Legacy systems with custom authentication implementations
Bringing these systems into the managed inventory enabled consistent policy enforcement and vulnerability management.
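The shadow IT discovery in this example relies on the access-log analysis listed under Inventory Data Collection. The following Python script is an added illustration, not part of the CIS safeguard text: it scans constructed proxy/firewall log lines for authentication endpoints (Kerberos, LDAP/LDAPS, RADIUS, SAML, OAuth, OIDC) and flags destination hosts that are absent from the managed inventory. The log format, host names and inventory set are assumptions.

```python
"""Flag authentication endpoints seen in access logs that are missing from the inventory."""
import re
from collections import defaultdict

# Constructed sample proxy/firewall log lines (not real traffic).
LOG_LINES = """\
2024-05-01T09:12:03Z src=10.1.4.22 dst=corp-idp.example.internal port=443 path=/saml/sso
2024-05-01T09:12:09Z src=10.1.4.22 dst=corp-idp.example.internal port=443 path=/oauth2/token
2024-05-01T09:13:41Z src=10.2.7.8 dst=deptad01.lab.example.internal port=88 path=-
2024-05-01T09:14:02Z src=10.2.7.8 dst=deptad01.lab.example.internal port=389 path=-
2024-05-01T09:15:55Z src=10.3.1.5 dst=hrtool.vendor.example port=443 path=/.well-known/openid-configuration
2024-05-01T09:16:10Z src=10.3.1.5 dst=wiki.example.internal port=443 path=/pages/home
"""

# Hosts already recorded in the managed inventory (assumed).
KNOWN_SYSTEMS = {"corp-idp.example.internal"}

# Well-known authentication protocol ports and URL path fragments.
AUTH_PORTS = {88: "kerberos", 389: "ldap", 636: "ldaps", 1812: "radius"}
AUTH_PATH = re.compile(
    r"/(saml|oauth2?|openid|\.well-known/openid-configuration|login|authorize)", re.I)
LINE = re.compile(r"dst=(?P<dst>\S+) port=(?P<port>\d+) path=(?P<path>\S+)")


def auth_endpoints(lines):
    """Map each destination host to the set of auth protocols observed for it."""
    seen = defaultdict(set)
    for line in lines.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        port = int(m["port"])
        if port in AUTH_PORTS:
            seen[m["dst"]].add(AUTH_PORTS[port])
        elif AUTH_PATH.search(m["path"]):
            seen[m["dst"]].add("web-sso")
    return dict(seen)


def unmanaged(lines, known):
    """Return hosts serving auth endpoints that are not in the inventory, sorted by name."""
    return sorted(h for h in auth_endpoints(lines) if h not in known)


if __name__ == "__main__":
    for host in unmanaged(LOG_LINES, KNOWN_SYSTEMS):
        print("not in inventory:", host, auth_endpoints(LOG_LINES)[host])
```

Each flagged host is a candidate for the human validation step in the Data Flow section, not an automatic inventory entry.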
Example 3: Vulnerability Correlation
By maintaining an inventory with SBOM data, an organization quickly identified 23 systems running a vulnerable version of an authentication library after a zero-day announcement. They prioritized patching based on business criticality.
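The correlation in this example, and the SBOM tracking described under Software Bill of Materials, can be reduced to a small join between inventory attributes and an advisory's fixed version. The following Python script is an added illustration, not the CIS text or any vendor's tool: it holds a constructed inventory with per-system SBOM data, finds systems running a library below the fixed version, orders them by business criticality and groups the result by owner. The package name, versions, systems and owners are placeholders.

```python
"""Correlate SBOM data in an auth-system inventory with a vulnerability advisory."""
from dataclasses import dataclass, field


@dataclass
class AuthSystem:
    name: str
    system_type: str   # IdP, PAM, MFA, directory, custom ...
    owner: str
    criticality: int   # 1 = highest business criticality
    components: dict = field(default_factory=dict)  # SBOM: package -> version


# Constructed sample inventory; names, owners and versions are placeholders.
INVENTORY = [
    AuthSystem("corp-idp", "IdP", "identity-team", 1,
               {"example-authlib": "2.3.1", "openssl": "3.0.13"}),
    AuthSystem("vault-pam", "PAM", "sec-ops", 1, {"example-authlib": "2.2.0"}),
    AuthSystem("hr-portal-sso", "custom", "hr-apps", 3, {"example-authlib": "2.4.0"}),
    AuthSystem("lab-ldap", "directory", "research", 4, {"openldap": "2.6.7"}),
    AuthSystem("wifi-radius", "custom", "netops", 2, {"example-authlib": "1.9.4"}),
]


def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def affected_systems(inventory, package, fixed_in):
    """Systems whose SBOM lists `package` below `fixed_in`, most critical first."""
    fixed = parse_version(fixed_in)
    hits = [s for s in inventory
            if package in s.components and parse_version(s.components[package]) < fixed]
    return sorted(hits, key=lambda s: (s.criticality, s.name))


def patch_plan(inventory, package, fixed_in):
    """Group affected systems by owner so each team gets one prioritized work item."""
    plan = {}
    for s in affected_systems(inventory, package, fixed_in):
        plan.setdefault(s.owner, []).append((s.name, s.components[package]))
    return plan


if __name__ == "__main__":
    # Advisory (constructed): example-authlib is fixed in 2.4.0.
    for owner, items in patch_plan(INVENTORY, "example-authlib", "2.4.0").items():
        print(owner, items)
```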
Services and Support
Assessment Services
- Current-state assessment of authentication infrastructure
- Shadow IT discovery and analysis
- System classification and prioritization
- Gap analysis and recommendations
Implementation Services
- Inventory tool selection and deployment
- Automated discovery configuration
- SBOM data collection and analysis
- Integration with existing systems
- Process and governance setup
Ongoing Support
- Quarterly inventory reviews
- Vulnerability tracking and correlation
- System consolidation planning
- Compliance reporting and attestation
Readiness Check
Before implementing this safeguard, verify:
- Current inventory documentation is baseline-complete (includes 90%+ of known systems)
- Automated discovery tools are operational and validated
- Change management process includes authentication system changes
- SBOM data collection methods are defined
- Quarterly review schedules and owners are assigned
- Integration with vulnerability management is configured
- Stakeholders understand inventory requirements and processes
- Access controls for inventory data are defined and enforced
- Reporting dashboards are operational for management visibility
- Compliance attestation process is documented