CIS Safeguard 5.6 Centralize Account Management

By Steve Gold
Posted in Security
On August 19, 2025

Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation

CIS Safeguard 5.6: Centralize Account Management

In Thor: Ragnarok, there’s a memorable and comical scene where Thor is trying to escape Sakaar aboard a QuinJet. Thor starts the QuinJet with the panel green.

QUINJET (V.O.): Voice verification required.

THOR: Thor.

QUINJET (V.O.): Access denied.

THOR: Thor, son of Odin.

QUINJET (V.O.): Access denied.

THOR: God of Thunder.

QUINJET (V.O.): Access denied.

THOR: Strongest Avenger.

QUINJET (V.O.): Access denied.

THOR: Strongest Avenger!

QUINJET (V.O.): Access denied.

THOR: Damn you, Stark. (rolls his eyes) Point Break.

It’s a hilarious moment, but it also highlights a serious cybersecurity issue: fragmented and inconsistent account management. Thor didn’t know the correct credentials because access was managed ad hoc, with no centralized system or clear identity governance.

What Is CIS Safeguard 5.6?

This safeguard is part of the Center for Internet Security (CIS) Critical Security Controls, under Control 5: Account Management.

“Centralize account management to ensure consistent enforcement of security policies and reduce the risk of unauthorized access.”

Why It Matters

In the Thor: Ragnarok scene, the ship’s access control is tied to a nickname assigned by someone else (Tony Stark), not to Thor’s actual identity. This is a perfect metaphor for what happens in organizations without centralized account management:

  • Users have multiple, inconsistent identities across systems
  • Access is granted informally or manually
  • Orphaned accounts remain active after users leave
  • Auditing and compliance become nightmares

Without a centralized system, your organization is vulnerable to mismanagement, privilege creep, and security gaps.

How to Implement Safeguard 5.6

Here’s how to avoid your own “Point Break” moment:

  1. Deploy a Centralized Identity and Access Management (IAM) System: Use platforms like Microsoft Entra ID (Azure AD), Okta, or JumpCloud to manage all user accounts from a single source of truth.
  2. Integrate with HR Systems: Automate account provisioning and deprovisioning based on employee lifecycle events.
  3. Use Role-Based Access Control (RBAC): Assign permissions based on job roles to ensure users only access what they need.
  4. Audit Regularly: Schedule periodic reviews of user accounts and access rights to detect anomalies.
  5. Enforce Least Privilege: Limit access to the minimum necessary for users to perform their duties.
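Once a directory is the single source of truth, the periodic audit in step 4 can be scripted. The sketch below is an added example, not part of the original post: it reconciles the accounts found on individual systems against a central directory export, HR status, and an RBAC mapping, and flags unmanaged, orphaned, and over-privileged accounts. All usernames, employee IDs, and entitlement strings are constructed for illustration.

```python
# Constructed sample data (not from the original post).
# HR system of record: employee id -> (employment status, job role)
HR = {"e100": ("active", "engineer"), "e101": ("active", "accountant"),
      "e102": ("terminated", "engineer")}
# Central directory export: username -> employee id the account is bound to
DIRECTORY = {"tjones": "e100", "mlee": "e101", "rpatel": "e102"}
# RBAC policy: job role -> entitlements that role may hold
ROLE_ENTITLEMENTS = {
    "engineer": {"git:write", "ci:run"},
    "accountant": {"ledger:read", "ledger:post"},
}
# Accounts discovered per system: (system, username, enabled, entitlements)
ACCOUNTS = [
    ("git", "tjones", True, {"git:write"}),
    ("git", "rpatel", True, {"git:write"}),                     # owner has left
    ("ledger", "mlee", True, {"ledger:read", "ledger:admin"}),  # beyond role
    ("ledger", "pointbreak", True, {"ledger:read"}),            # local-only account
    ("ci", "rpatel", False, {"ci:run"}),                        # already disabled
]

def audit(accounts, directory, hr, role_entitlements):
    """Return (system, username, issue, detail) for each enabled account that fails a check."""
    findings = []
    for system, user, enabled, ents in accounts:
        if not enabled:
            continue  # disabled accounts cannot be used to log in
        emp = directory.get(user)
        if emp is None:  # exists on the system but not in the directory
            findings.append((system, user, "unmanaged", ""))
            continue
        status, role = hr.get(emp, ("unknown", None))
        if status != "active":  # deprovisioning did not reach this system
            findings.append((system, user, "orphaned", status))
            continue
        extra = ents - role_entitlements.get(role, set())
        if extra:  # entitlements the job role does not grant
            findings.append((system, user, "excess", ",".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for finding in audit(ACCOUNTS, DIRECTORY, HR, ROLE_ENTITLEMENTS):
        print(finding)
```

In practice the three inputs would come from the HR system, the identity provider, and each application's account export; the comparison logic stays the same.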

Final Thoughts: Don’t Let “Point Break” Be Your Access Policy

Thor eventually got the ship running, but only because he remembered a nickname someone else gave him years ago. In your organization, that kind of guesswork isn’t just inefficient—it’s dangerous.

Centralized account management ensures that access is secure, consistent, and auditable. It’s the difference between fumbling for the right password and confidently taking control of your systems.

Because in cybersecurity, as in the Marvel Universe, identity is everything—and managing it well is heroic.

Resources

Here’s a link to the Account and Credential Management Policy Template for CIS Controls 5 and 6, provided free of charge by the fine folks at the Center for Internet Security:

Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.

CIS Control 5 – Account Management

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

CIS Safeguard 5.6 - Centralize Account Management

Centralize account management through a directory or identity service.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.