Centralize Account Management
Description
Centralize account management through a directory or identity service, so that account creation, policy enforcement, and deprovisioning happen in one place rather than independently on each system.
Implementation Checklist
Tool Recommendations
| Vendor | Capabilities | Licensing |
|---|---|---|
| SailPoint | Identity governance and administration platform with access certification, lifecycle management, and AI-driven access intelligence | Per-identity subscription |
| Microsoft | Cloud identity and access management with SSO, MFA, conditional access, and identity governance | Per-user subscription (P1/P2) |
| Okta | Cloud identity platform providing SSO, adaptive MFA, lifecycle management, and API access management | Per-user subscription |
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Inconsistent Account Policies Across Decentralized Systems
Confidentiality: Local accounts on individual systems bypass centrally enforced policies such as password complexity, lockout thresholds, and MFA requirements, creating weak access points that are invisible to the directory.
Unmanaged Local Accounts as Persistent Backdoors
Integrity: Attackers create local accounts on compromised systems that exist outside the directory service, establishing persistence that survives directory-level password resets and deprovisioning.
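The second scenario is detectable: on a host joined to a directory (for example through SSSD or an LDAP/Kerberos client), directory users are resolved remotely and never appear in the local passwd database, so any interactive local account found there is by definition outside centralized management. The following audit routine is an added example written for this page; it is not code from the page or from any of the vendors listed above. The sample passwd content, the break-glass allowlist, and the UID 1000 threshold are constructed assumptions for the illustration.

```python
"""Audit a Linux host's local accounts against centralized management.

Added example, not part of the original page. Every interactive local
account in passwd(5) format that is not an approved break-glass
exception is reported, and so is any second UID 0 account, which is a
classic way to plant a local backdoor beside root.
"""
from dataclasses import dataclass

# Constructed sample /etc/passwd (assumption, not from a real host):
# root, two system accounts, an approved break-glass admin, a service
# account with no login shell, an unapproved interactive account, a
# second UID 0 account, and one malformed line to exercise the parser.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
breakglass:x:1000:1000:Emergency admin:/home/breakglass:/bin/bash
svc-backup:x:1001:1001:Backup service:/var/lib/backup:/usr/sbin/nologin
support:x:1002:1002::/home/support:/bin/bash
toor:x:0:0::/root:/bin/bash
badline:with:too:few
"""

# Local accounts explicitly approved to exist outside the directory
# (constructed assumption; in practice sourced from the IGA platform).
BREAK_GLASS_ALLOWLIST = {"breakglass"}

# Conventional start of the regular-user UID range on Debian and RHEL
# derivatives (assumption; check /etc/login.defs UID_MIN on real hosts).
MIN_USER_UID = 1000

# Shells that prevent interactive login; accounts using them are service
# accounts rather than human-usable access points.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass(frozen=True)
class LocalAccount:
    name: str
    uid: int
    shell: str


def parse_passwd(text: str) -> list[LocalAccount]:
    """Parse passwd(5) lines into records, skipping malformed entries."""
    accounts = []
    for line in text.splitlines():
        fields = line.split(":")
        # A valid entry has exactly seven colon-separated fields and a numeric UID.
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        accounts.append(LocalAccount(fields[0], int(fields[2]), fields[6]))
    return accounts


def audit_local_accounts(passwd_text: str, allowlist: set[str]) -> dict[str, list[str]]:
    """Return unmanaged interactive accounts and any extra UID 0 accounts.

    'unmanaged': login-capable accounts in the user UID range that are
    not on the approved break-glass list. 'extra_uid0': accounts other
    than root sharing UID 0, which bypass per-user policy entirely.
    """
    unmanaged: list[str] = []
    extra_uid0: list[str] = []
    for acct in parse_passwd(passwd_text):
        interactive = acct.shell not in NOLOGIN_SHELLS
        if acct.uid == 0 and acct.name != "root":
            extra_uid0.append(acct.name)
        elif interactive and acct.uid >= MIN_USER_UID and acct.name not in allowlist:
            unmanaged.append(acct.name)
    return {"unmanaged": unmanaged, "extra_uid0": extra_uid0}


if __name__ == "__main__":
    # On a real host, replace SAMPLE_PASSWD with open("/etc/passwd").read().
    findings = audit_local_accounts(SAMPLE_PASSWD, BREAK_GLASS_ALLOWLIST)
    for kind, names in findings.items():
        for name in names:
            print(f"{kind}: {name}")
```

Run against the constructed sample, the audit flags `support` as an unmanaged interactive account and `toor` as a second UID 0 account, while the approved `breakglass` account and the nologin service account pass. Feeding the result back into the directory or IGA platform turns an ad hoc check into the ongoing reconciliation the safeguard requires.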
Vulnerabilities (When Safeguard Absent)
Decentralized Account Management
Without centralized account management through a directory service, accounts are managed independently on each system with inconsistent security policies and no unified visibility.
No Single Source of Truth for Identity
Without a centralized identity service, user provisioning, deprovisioning, and access reviews must be performed system-by-system, leading to errors and orphaned access.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing that account management is enforced through the central directory or identity service | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |