Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
Why Every Organization Needs an Inventory of Authentication and Authorization Systems
Identity is the new perimeter. As organizations adopt cloud services, remote work, and third-party integrations, the number of systems that manage authentication and authorization has grown, often without centralized oversight. That’s where CIS Safeguard 6.6 comes in.
What is CIS Safeguard 6.6?
CIS Safeguard 6.6, part of the CIS Critical Security Controls v8, requires organizations to:
“Establish and maintain an inventory of authentication and authorization systems.”
This means identifying and documenting all systems that verify user identities (authentication) and control access to resources (authorization), across all environments (cloud, on-premises, and hybrid).
Why It Matters
Authentication and authorization systems are the gatekeepers of your digital infrastructure. If you don’t know where they are, who manages them, or how they’re configured, you’re at risk of:
- Access sprawl: Redundant or outdated systems granting unnecessary privileges
- Shadow IT: Unapproved tools with their own access controls
- Audit failures: Inability to demonstrate control over identity systems
- Security gaps: Forgotten systems that can be exploited by attackers
A complete inventory is foundational to zero trust, identity governance, and incident response.
What Should Be Included?
Your inventory should cover:
- Identity providers (e.g., Azure AD, Okta, Google Workspace)
- LDAP directories and RADIUS servers
- Privileged Access Management (PAM) systems
- VPNs and remote access tools
- Custom-built or embedded authentication modules
- Third-party SaaS platforms with their own access controls
Each entry should include metadata such as system owner, purpose, integration points, and user base.
How to Build and Maintain the Inventory
- Discover: Use automated tools to scan for identity and access systems across your environment
- Document: Create a centralized, accessible inventory with consistent naming and tagging
- Classify: Group systems by criticality, compliance requirements, and user roles
- Review Regularly: Integrate inventory checks into change management and audit cycles
- Decommission Responsibly: Ensure systems are removed from the inventory when retired or replaced
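As an added example (not from this post, CIS, or any vendor), here is a small Python model of such an inventory that carries the metadata listed under "What Should Be Included" and automates part of the Review and Decommission steps above: it flags entries with no owner, overdue reviews, retired systems still listed, and integration points that name a system nobody has inventoried, which is one way undocumented authentication systems surface. The 90-day review interval and the sample entries are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # assumed cadence; align with your audit cycle
AS_OF = date(2024, 6, 1)              # assumed "today" for the sample run

@dataclass
class AuthSystem:
    name: str
    kind: str                  # identity provider, LDAP, RADIUS, PAM, VPN, SaaS, custom
    owner: str                 # accountable team; empty string means nobody recorded
    purpose: str
    integration_points: tuple  # names of other inventoried systems it trusts or feeds
    user_base: str
    criticality: str           # "high", "medium" or "low"
    last_reviewed: date
    status: str = "active"     # "active" or "retired"

def inventory_findings(inventory, today):
    """Return (system, issue) pairs a reviewer should act on."""
    known = {s.name for s in inventory}
    findings = []
    for s in inventory:
        if s.status == "retired":
            findings.append((s.name, "retired system still listed; decommission it"))
            continue
        if not s.owner:
            findings.append((s.name, "no owner recorded"))
        if today - s.last_reviewed > REVIEW_INTERVAL:
            findings.append((s.name, "review overdue"))
        for dep in s.integration_points:
            if dep not in known:  # a trust relationship with something undocumented
                findings.append((s.name, f"integrates with undocumented system '{dep}'"))
    return findings

def by_criticality(inventory):
    """Group active systems by criticality so high-impact ones are reviewed first."""
    groups = {}
    for s in inventory:
        if s.status == "active":
            groups.setdefault(s.criticality, []).append(s.name)
    return groups

# Constructed sample inventory; these are not real systems.
SAMPLE = [
    AuthSystem("corp-idp", "identity provider", "IAM team", "workforce SSO", ("corp-ldap",), "all staff", "high", date(2024, 5, 1)),
    AuthSystem("corp-ldap", "LDAP", "", "legacy app auth", (), "engineering", "high", date(2024, 1, 10)),
    AuthSystem("site-vpn", "VPN", "Network team", "remote access", ("legacy-radius",), "remote staff", "medium", date(2024, 4, 20)),
    AuthSystem("old-pam", "PAM", "IAM team", "replaced by corp-idp", (), "admins", "high", date(2023, 6, 1), status="retired"),
]
```

Running `inventory_findings(SAMPLE, AS_OF)` on the sample yields four findings, one per gap the text describes; in practice the inventory rows would be loaded from your CMDB or a shared spreadsheet export rather than hard-coded.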
Benefits of a Well-Maintained Inventory
- Improved visibility into your identity and access landscape
- Faster incident response when access-related issues arise
- Stronger compliance posture for audits and regulatory reviews
- Better alignment with Zero Trust and identity-first security models
Final Thoughts
Authentication and authorization systems are not just technical components — they are strategic assets. Without a clear inventory, organizations risk losing control over who has access to what, and why. CIS Safeguard 6.6 ensures that your identity infrastructure is visible, accountable, and secure.
Resources
Here’s a link to the Account and Credential Management Policy Template for CIS Controls 5 and 6 provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 6 – Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
CIS Safeguard 6.6 – Centralize Access Control
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.