Managing user access is the first line of defense against cyber attacks. These use cases show how Lucidum can help you manage:
- Users who do not use IAM
- Root accounts that are not managed with Privileged Access Management (PAM)
- Users who do not use MFA
- Users who do not use VPN

Find Users Who Do Not Use Identity and Access Management
To find all the users in your environment who do not use Identity and Access Management:
1. Configure Lucidum connectors for:
   - the identity and access management solutions in your environment (for example, Okta, AWS IAM, PingOne, OneLogin, SecureAuth)
2. After Lucidum ingests data from these solutions, you can then create queries to find a list of users without IAM.
   - In our example, we use Okta and AWS IAM for users.
   - Our query is: “find users where the data source does not match Okta AND the data source does not match AWS IAM”.
   - This query finds users whose records do not include any information from Okta and do not include any information from AWS IAM. In our example environment, this means that these users are not using IAM.
3. The query results show all users who are not using an IAM solution.
   - You can also include this query and its results in a dashboard.
4. To remediate, you can add these users to an IAM solution.
5. Then perform step #2 again until there are no results.
6. Run this query frequently to ensure compliance.

Find Root Accounts That Are Not Managed with Privileged Access Management (PAM)
To find users who have admin privileges and are not monitored with a privileged access management solution:
1. Configure Lucidum connectors for:
   - Privileged access management (PAM) (for example, CyberArk, BeyondTrust, HashiCorp, SecureONE, Thycotic)
2. After Lucidum ingests data from these solutions, you can then create queries to find a list of users who have administrator access and don’t use PAM.
   - In our example, we use Thycotic.
   - Our query is: “find users where User Admin is yes AND where data sources do not match thycotic”.
   - This query finds users who have administrator privileges but whose records do not include any data from Thycotic. In our environment, this means that these users are not monitored with Thycotic PAM.
3. The query results show all users who have administrator privileges and are not monitored with a PAM solution.
   - You can use these query results in a dashboard.
4. To remediate, you can add these accounts to your PAM solution.
5. Then perform step #2 again until there are no results.
6. Run this query frequently to ensure compliance.

Find Users Who Do Not Use Multi-Factor Authentication (MFA)
To find all the users in your environment who do not use MFA:
1. Configure Lucidum connectors for:
   - the multi-factor authentication solutions in your environment (for example, Duo, Microsoft Azure AD, Microsoft Authenticator, RSA SecurID, HYPR Passwordless)
2. After Lucidum ingests data from these solutions, you can then create queries to find a list of users without MFA.
   - Our query is: “find users where MFA status matches no”.
   - This query finds users whose records do not include information about MFA. This means that these users are not using MFA.
3. The query results show all users who are not using an MFA solution.
   - You can also include this query and its results in a dashboard.
4. To remediate, you can add these users to an IAM solution.
5. Then perform step #2 again until there are no results.
6. Run this query frequently to ensure compliance.

Find Remote Assets That Do Not Use VPN
1. Configure Lucidum connectors for:
   - the VPN solutions in your environment (for example, Cisco AnyConnect, Fortinet FortiClient, Aviatrix, Zscaler, OpenVPN)
2. After Lucidum ingests data from these solutions, you can then create queries to find a list of assets that don’t use VPN.
   - In our example, we use Palo Alto VPN.
   - Our query is: “find assets where data sources do not match pan_vpn_log AND asset type is workstation”.
   - This query finds asset records for workstations that do not include any data from Palo Alto VPN. In our environment, this means that these workstations are not using VPN to connect to the corporate network.
3. The query results show workstations that are not using a VPN solution.
   - You can also include this query and its results in a dashboard.
4. To remediate, you can install a VPN solution on these workstations.
5. Then perform step #2 again until there are no results.
6. Run this query frequently to ensure compliance.
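
The four queries above share one pattern: filter merged user or asset records on an attribute and on which data sources contributed to the record. The Python below is an added example of that logic, not Lucidum code or Lucidum query syntax; the field names (`data_sources`, `is_admin`, `mfa`, `type`), the source names `okta`, `aws_iam` and `edr`, and the sample inventory are constructed assumptions (`thycotic` and `pan_vpn_log` are taken from the queries on this page).

```python
# Added example. Field names and sample records are constructed, not Lucidum's schema.

def lacks_sources(record, required):
    """True when none of the required data sources contributed to the record."""
    seen = {s.strip().lower() for s in record.get("data_sources", [])}
    return seen.isdisjoint(s.lower() for s in required)

def users_without_iam(users, iam_sources=("okta", "aws_iam")):
    # "data source does not match Okta AND does not match AWS IAM"
    return [u["name"] for u in users if lacks_sources(u, iam_sources)]

def admins_without_pam(users, pam_sources=("thycotic",)):
    # "User Admin is yes AND data sources do not match thycotic"
    return [u["name"] for u in users
            if u.get("is_admin") and lacks_sources(u, pam_sources)]

def users_without_mfa(users):
    # "MFA status matches no"; a record with no MFA field is also reported,
    # because no evidence of MFA is treated as a gap.
    return [u["name"] for u in users if str(u.get("mfa", "no")).lower() == "no"]

def workstations_without_vpn(assets, vpn_sources=("pan_vpn_log",)):
    # "data sources do not match pan_vpn_log AND asset type is workstation"
    return [a["name"] for a in assets
            if a.get("type") == "workstation" and lacks_sources(a, vpn_sources)]

# Constructed sample inventory (merged records, one per user or asset).
USERS = [
    {"name": "alice", "data_sources": ["Okta", "thycotic"], "is_admin": True, "mfa": "yes"},
    {"name": "bob", "data_sources": ["AWS_IAM"], "is_admin": True, "mfa": "no"},
    {"name": "carol", "data_sources": ["ad"], "is_admin": False},
    {"name": "svc-root", "data_sources": ["linux_local"], "is_admin": True, "mfa": "no"},
]
ASSETS = [
    {"name": "wks-01", "type": "workstation", "data_sources": ["pan_vpn_log", "edr"]},
    {"name": "wks-02", "type": "workstation", "data_sources": ["edr"]},
    {"name": "srv-01", "type": "server", "data_sources": ["edr"]},
]

if __name__ == "__main__":
    print("No IAM:       ", users_without_iam(USERS))
    print("Admin, no PAM:", admins_without_pam(USERS))
    print("No MFA:       ", users_without_mfa(USERS))
    print("No VPN:       ", workstations_without_vpn(ASSETS))
```

Because each check infers a gap from the absence of a data source, a connector that is missing or has stopped ingesting makes every record look non-compliant, so confirm the connector is healthy before acting on a long result list.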