Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
Jurassic Park and the Forgotten Gatekeepers: Why You Need an Inventory of Authentication and Authorization Systems
In Jurassic Park, the park’s downfall wasn’t just the dinosaurs; it was the lack of control over who had access to what. Dennis Nedry, the disgruntled systems engineer, had unchecked access to critical systems. When he disabled security to steal embryos, no one knew how to stop him because no one had a clear inventory of the systems he controlled.
That’s exactly the kind of chaos CIS Safeguard 6.6 is designed to prevent.
What is CIS Safeguard 6.6?
“Establish and Maintain an Inventory of Authentication and Authorization Systems.”
This safeguard ensures that organizations know exactly which systems are responsible for verifying identities and granting access, and that this inventory is kept up to date.
Why It Matters
In Jurassic Park, the park’s leadership didn’t know which systems Nedry had access to — or how to override them. In your organization, a similar lack of visibility can lead to:
- Orphaned access points that attackers can exploit
- Inconsistent policies across cloud and on-prem systems
- Audit failures due to undocumented systems
- Privilege creep where users retain access they no longer need
Real-World Parallels
- A global enterprise suffered a breach when attackers exploited a forgotten legacy VPN server with outdated authentication.
- A financial institution failed a regulatory audit because it couldn’t produce a complete list of systems managing user access.
How to Implement CIS 6.6
- Discover: Use tools to scan for identity and access management (IAM) systems, including cloud-native and legacy platforms.
- Document: Maintain a centralized, living inventory that includes:
- System name and function
- Owner and administrator
- Integration points
- Authentication methods (e.g., SSO, MFA)
- Review Regularly: Tie inventory updates to change management and access reviews.
- Decommission Securely: Ensure systems are removed from the inventory when retired — and that access is revoked.
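The four steps above describe the inventory and the checks it should drive. The following is an added example (not code from the original post or from the Center for Internet Security) of what a minimal machine-readable inventory looks like with those checks applied: the record carries the fields listed under "Document" plus the hosting location that the Safeguard 6.6 text calls out, the review check uses the "at a minimum, annually" interval, and the decommission check flags retired systems whose access was never revoked. The field names, the `AuthSystem` class, and the three sample systems are constructed assumptions for illustration.

```python
"""Minimal authentication/authorization system inventory with CIS 6.6 checks.

Added illustration; field names and sample records are constructed, not taken
from any real environment.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Safeguard 6.6: review and update the inventory at a minimum annually.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class AuthSystem:
    """One authentication or authorization system in the inventory."""
    name: str                     # system name
    function: str                 # what it authenticates or authorizes
    owner: str                    # accountable business/IT owner
    administrator: str            # day-to-day admin contact
    hosting: str                  # "on-site" or "remote provider"
    integration_points: list[str]  # systems that rely on it
    auth_methods: list[str]       # e.g. ["SSO", "MFA"]
    last_reviewed: date           # last inventory/access review
    retired: bool = False         # decommissioned?
    access_revoked: bool = False  # were credentials/trusts removed at retirement?


def overdue_reviews(inventory: list[AuthSystem], today: date) -> list[str]:
    """Active systems whose last review is older than the annual interval."""
    return [s.name for s in inventory
            if not s.retired and today - s.last_reviewed > REVIEW_INTERVAL]


def retired_with_live_access(inventory: list[AuthSystem]) -> list[str]:
    """Decommissioned systems where access revocation was never confirmed."""
    return [s.name for s in inventory if s.retired and not s.access_revoked]


def active_without_mfa(inventory: list[AuthSystem]) -> list[str]:
    """Active systems that do not list MFA among their authentication methods."""
    return [s.name for s in inventory
            if not s.retired and "MFA" not in s.auth_methods]


def inventory_report(inventory: list[AuthSystem], today: date) -> dict[str, list[str]]:
    """Bundle the three checks into one report suitable for an access review."""
    return {
        "overdue_review": overdue_reviews(inventory, today),
        "retired_access_not_revoked": retired_with_live_access(inventory),
        "active_without_mfa": active_without_mfa(inventory),
    }


# Constructed sample inventory: one healthy system, one forgotten legacy VPN,
# one retired directory whose access was never cleaned up.
SAMPLE_INVENTORY = [
    AuthSystem("corp-sso", "workforce single sign-on", "IT Security", "idp-admins",
               "remote provider", ["hr-portal", "email", "vpn-gateway"],
               ["SSO", "MFA"], date(2025, 1, 15)),
    AuthSystem("legacy-vpn", "remote access for contractors", "Network Ops", "netops",
               "on-site", ["file-share"], ["password"], date(2022, 3, 1)),
    AuthSystem("old-ldap", "former directory service", "IT Security", "unassigned",
               "on-site", [], ["password"], date(2021, 6, 1),
               retired=True, access_revoked=False),
]

if __name__ == "__main__":
    for finding, systems in inventory_report(SAMPLE_INVENTORY, date(2025, 6, 1)).items():
        print(f"{finding}: {systems}")
```

Run as-is the script prints the three findings for the sample data; in practice the `SAMPLE_INVENTORY` list would be loaded from the inventory the IGA platform or a ticketing system maintains, and the report would feed the periodic access review.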
Pro Tip
Integrate this inventory with your Identity Governance and Administration (IGA) platform. This allows you to automate access reviews, detect anomalies, and enforce least privilege.
Final Thought
In Jurassic Park, the dinosaurs weren’t the only threat — it was the invisible systems no one was tracking. Don’t let your organization fall into the same trap.
CIS Safeguard 6.6 is your blueprint for visibility, control, and resilience in a world where access is everything.
Resources
Here’s a link to the Account and Credential Management Policy Template for CIS Controls 5 and 6 provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 6 – Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
CIS Safeguard 6.6 – Establish and Maintain an Inventory of Authentication and Authorization Systems
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.