| Category | Requirement | CSCC | SAMA CSF | ECC-1 |
|---|---|---|---|---|
| Identification & Authentication | Identify users and the assets and data to which they have access | 2-2 | 3.3.5 | 2-2-1 |

Lucidum includes native features that help with identity management, such as:
- assets, users, and their relationships
- zombie users
- users not using MFA
- users not properly offboarded
This chapter describes these features.
Lucidum includes many other features that aid compliance. For example, detecting: users without identity management, administrative users with privilege management, users not using VPN, and user access to sensitive data.
After Lucidum ingests data from your security solutions, Lucidum uses graph data, machine learning, and predictive analytics to detect and classify all assets and users, even those not detected by the solutions in your environment.
You can then create queries to find a list of all users and their access, export the list, or create dashboards.
You can also view pre-built dashboards, called Value-Oriented Dashboards or VODs. You can edit these dashboards to suit your needs or create your own custom dashboards about identity and authentication.
Users and Assets
The Users & Assets dashboard displays information about assets, asset types, and the associated users. This dashboard is prebuilt and included with Lucidum.
The Users & Assets dashboard looks like this:

- Asset Records: Total. This chart displays the count of all asset records.
- Servers & VMs. This chart displays the sum of all servers and all VMs.
- Servers/VMs without IPs. This chart displays the total number of servers and VMs that do not have IP addresses.
- Asset Records: By Asset Type. This chart displays the number of assets for each asset type.
- User Records: Total. This chart displays the count of all user records.
- Assets with/without Users. This chart displays assets without users and assets with users.
- Servers/VMs with/without Users. This chart displays assets that are servers or VMs, organized by those without users and those with users.
- Servers/VMs with/without IPs No Users. This chart displays servers and VMs that don’t have IP addresses and also don’t have associated users.
- Servers/VMs with/without IPs. This chart displays the servers and VMs that do not have IP addresses, organized by data source.
- User Status. This chart displays all the user statuses and the number of users in each status.
- Users with Assets. This chart displays users associated with assets and users not associated with any assets.
Zombie Users
Zombie users are those users who are using applications in your environment but are not managed in directory services. Zombie accounts have no verifiable owner.
An example dashboard, the Tracking Zombie Users dashboard, displays information about zombies.

In this example, we use Okta and AWS as directory services. This dashboard provides details about zombie users and the assets and applications accessed by zombie users.
This dashboard includes charts for:
- Users Not in Okta or AWS. Displays the number of users not in Okta or AWS and the applications they are accessing. In this case, zombie users are Aviatrix users, CloudFlare users, and Lucidum users.
- Okta Users. For all Okta users, displays the number of seats purchased for each application. If these applications have zombie users, you can cancel those licenses.
- Zombie Users Over Time. Displays the total number of zombie users discovered over time.
- Total Users over Time. Displays the total number of users discovered over time.
- Assets of Users Not in Okta or AWS. Displays the assets with zombie users and the number of zombie users accessing the asset.
- Users Not in Okta or AWS. Displays the list of user names for the zombie users.
Users Without MFA
The Users Without MFA dashboard displays information about users who are not using MFA to access assets.
The Users Without MFA dashboard looks like this:

Offboarding Users
The Unauth User Accounts dashboard displays information about users, their status (deprovisioned, suspended, unauthorized, unmanaged), and their access to your environment. In this dashboard, the example IAM is Okta. This dashboard is prebuilt and included with Lucidum.
The Unauth User Accounts dashboard looks like this:

- Total Okta User and Application Accounts. This chart displays a count of all user accounts and application accounts in Okta.
- Okta User & Application Accounts Total Accounts. This chart displays the number of Okta users found each day.
- Okta Users By Application. This chart displays the top applications used by Okta users.
- Deprovisioned/Suspended Okta User & App Accounts. This chart displays the number of Okta users who have been deprovisioned or suspended.
- Okta User & Application Accounts Deprovisioned or Suspended. This chart displays the number of deprovisioned or suspended Okta users found each day.
- Non-Okta User Accounts Not in Okta at All & Exist Elsewhere. This chart displays the number of users who are active in your environment but not managed in Okta.
- Non-Okta Accounts Not in Okta at All & Exist Elsewhere. This chart displays the names of users who are active in your environment but not managed in Okta.
- Unauthorized Users Deprovisioned/Suspended in Okta & exist elsewhere. This chart displays a count of user accounts that have been deprovisioned or suspended in Okta but that still exist in other applications.
- Unauthorized Users Depov./Suspended in Okta & Exist Elsewhere. This chart displays the name of each user account that has been deprovisioned or suspended in Okta but that still exists in other applications.
- Unauthorized Users Deprovisioned/Suspended in Okta, active elsewhere. This chart displays a count of users who were previously managed in Okta, are now deprovisioned or suspended in Okta, and still have an active, attached, or provisioned account in Sentry, AWS, Aviatrix, Lacework, Cloudflare, Lucidum, or GCP.
- Unauthorized Users Showing Asset Count. This chart displays the user names of users who were previously managed in Okta, are now deprovisioned or suspended in Okta, and still have an active, attached, or provisioned account in Sentry, AWS, Aviatrix, Lacework, Cloudflare, Lucidum, or GCP.
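
The zombie-user and offboarding checks described above can be spot-checked against raw exports. The following is an added example, not Lucidum code or its query language: it reconciles a directory export with per-application account lists and separates accounts with no directory owner from accounts whose owner is deprovisioned or suspended. The record layout, status strings, and all sample users are constructed assumptions, as is the choice to ignore accounts already disabled in the application.

```python
# Added example: reconcile a directory export against application accounts.
# All records are constructed sample data; field names are assumptions.

DIRECTORY = {  # directory (IAM) export: user -> directory status
    "alice@example.com": "ACTIVE",
    "bob@example.com": "DEPROVISIONED",
    "carol@example.com": "SUSPENDED",
    "dave@example.com": "ACTIVE",
}

APP_ACCOUNTS = [  # (application, user, account status in that application)
    ("AWS", "alice@example.com", "active"),
    ("AWS", "Bob@Example.com", "active"),
    ("Cloudflare", "carol@example.com", "disabled"),
    ("Cloudflare", "erin@example.com", "active"),
    ("Sentry", "carol@example.com", "provisioned"),
    ("Aviatrix", "svc-backup", "attached"),
]

OFFBOARDED = {"DEPROVISIONED", "SUSPENDED"}  # directory states that end access
LIVE = {"active", "attached", "provisioned"}  # application states still usable


def reconcile(directory, app_accounts):
    """Return (zombies, unauthorized) as {user: sorted list of applications}."""
    known = {u.strip().lower(): s.upper() for u, s in directory.items()}
    zombies, unauthorized = {}, {}
    for app, user, status in app_accounts:
        key = user.strip().lower()  # the same identity may differ in case per source
        if status.lower() not in LIVE:
            continue  # already disabled in the application, nothing to revoke
        if key not in known:
            zombies.setdefault(key, set()).add(app)       # no directory owner
        elif known[key] in OFFBOARDED:
            unauthorized.setdefault(key, set()).add(app)  # offboarding gap
    return ({u: sorted(a) for u, a in zombies.items()},
            {u: sorted(a) for u, a in unauthorized.items()})


if __name__ == "__main__":
    zombies, unauthorized = reconcile(DIRECTORY, APP_ACCOUNTS)
    for label, found in (("zombie", zombies), ("unauthorized", unauthorized)):
        for user, apps in sorted(found.items()):
            print(f"{label:12} {user:20} {', '.join(apps)}")
```

Normalizing identifiers before comparison matters here: without it, `Bob@Example.com` in the AWS list would be reported as a zombie rather than as an offboarding gap.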