
Assess and Govern Identity Security

Strong identity security and governance are the keys to the zero-trust future.

  • Many security leaders are struggling to meet the recommendations of internal and external parties when it comes to identity and access management.
  • A lot of identity and access management processes are known to be inefficient, and many known solutions are difficult to implement.

Our Advice

Critical Insight

  • Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.

Impact and Result

  • Develop a common terminology and understanding of identity concepts.
  • Identify the roles and responsibilities within your organization for the governance of identity security.
  • Inventory your identity types, repositories, threats, and mitigations.
  • Develop an identity security architecture to understand and mitigate weaknesses.

Assess and Govern Identity Security Research & Tools

1. Assess and Govern Identity Security Deck – A step-by-step document that walks you through how to properly inventory your identity types, repositories, threats, and mitigations.

Use this storyboard to learn how to assign identity security roles and responsibilities, inventory your identity types and repositories, assess your identity security threats and mitigations, and build an identity security architecture.

2. Identity Security RACI Chart – A best-of-breed template to help you document roles and responsibilities related to identity security.

Use this tool to document your roles and responsibilities related to identity security.

3. Identity Security Architecture Tool – A structured tool to help you inventory identity types, threats, and mitigations using the MITRE ATT&CK® framework.

Use this tool to:

  • Inventory your identity types and repositories.
  • Assess your identity security threats and mitigations using the MITRE ATT&CK® framework.
  • Build an identity security architecture.

Onsite Workshop: Assess and Govern Identity Security

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Establish Identity Governance

The Purpose

Establish identity governance.

Key Benefits Achieved

Improved identity governance

Activities and Outputs

1.1 Adopt a standard identity taxonomy.
  • Output: Identity taxonomy

1.2 Identify the tasks for your identity security project.

1.3 Allocate responsibility and ownership for each task in a RACI chart.
  • Output: Identity security RACI chart

1.4 Analyze your RACI chart.
Module 2: Assess and Mitigate Identity Threats

The Purpose

Assess and mitigate identity threats.

Key Benefits Achieved

Assessed identity threats

Activities and Outputs

2.1 Document identity repositories.

2.2 Inventory your identity types.
  • Output: Identity inventory

2.3 Review and assess identity-based MITRE ATT&CK® threats.

2.4 Review and assess identity-based MITRE ATT&CK® mitigations.
  • Output: Identity-based threat and mitigation assessment using the MITRE ATT&CK® framework
  • Output: Identity security architecture with prioritized controls

Assess and Govern Identity Security

Strong identity security and governance are the keys to the zero-trust future.

Analyst Perspective

Effectively securing all managed identities

To ensure a significant improvement in identity security, organizations must be willing to take a step back and understand where the vulnerabilities lie and identify the threats that may take advantage of them.

Every organization likely juggles many different identity types. This results in a complex system of identity storage, ownership, and security requirements. The first step to improving anything related to identity security will be to fully understand all the different identities that exist, where they exist, who owns related processes, and what threats exist that might take advantage of a managed identity.

Only when an organization has successfully catalogued the information necessary to secure all their identities can they build an identity security architecture that describes an approach to identity security befitting the modern era.


Ian Mulholland
Research Director, Security, Risk, and Compliance Info-Tech Research Group

Executive Summary

Your Challenge

  • Many security leaders are struggling to meet the recommendations of internal and external parties when it comes to identity and access management.
  • A lot of identity and access management processes are known to be inefficient, and many known solutions are difficult to implement.

Common Obstacles

Improving identity security can be challenging:

  • For most organizations, identity and access management has been allowed to grow organically, and it has become inflexible and difficult to control.
  • In most cases, the number of identities and the items they access has increased with each passing year, necessitating more scalable processes and technology.

Info-Tech's Approach

Info-Tech has developed an effective approach to building an identity security architecture.

This unique approach includes tools for:

  • Establishing governance for identity security.
  • Creating an identity inventory.
  • Modeling identity-based threats.
  • Building an identity security architecture.

Info-Tech Insight

Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.

Identity management and proper credential management are critical security factors

Key Findings:

+450%
Increase in Username/Password Breaches

Breaches containing usernames and passwords increased by 450% in 2020, totaling 1.48 billion breached records.

$8.64 Million
The Average Cost of a Breach in the US

The average cost of a breach in the US was the highest in the world at $8.64 million, up 5% from the previous year.

2X
The Amount of Time Spent Online

The amount of time people spent online more than doubled in 2020, totaling more than seven hours per person per day.

Source: ForgeRock

In 2020 the world saw a massive digital migration. However, the migration has not come with a secure transition. For the third year in a row, identity security has been one of the weakest links in any security program. The move to remote work has significantly contributed to increases in stolen data.

Weak identity controls have continually given bad actors an easy path to gaining access to enterprise data. Identity and access management practices have been a weak point for many organizations. Find out how to best manage and govern your identities with an identity-centric approach to your security program.

The average cost and frequency of malicious data breaches by root-cause vector

This image contains a graph that shows the total cost of a number of different types of data breaches.

Compromised credentials are an expensive and common threat vector

Of the ten initial threat vectors in malicious breaches represented in a report by IBM, compromised credentials were the most frequent initial attack vector, accounting for 20% of all malicious breaches.

Proper inventory of identities and their respective repositories is critical to ensuring the security of credentials and any of the access they may pertain to.

Preparing yourself properly can save you costs and headaches

Stolen or compromised credentials were one of the most expensive causes of malicious data breaches, according to a 2021 report conducted by IBM.

Unified endpoint management (UEM) and identity and access management (IAM) products and services can give security teams an edge by providing insight and deeper visibility into the internal network and potential suspicious activity.

20%
Of all breaches are through compromised credentials.

$5.33 million
Was the average total cost of a breach at enterprises of more than 25,000 employees, compared to $2.98 million for organizations with under 500 employees.

Identity Security & Governance Framework for Security Leaders

Security leaders view modernizing identity security as too big a challenge and prefer to focus on narrower problems that seem easily solvable using tools such as SSO/MFA/PAM. However, this limited focus is reactive rather than proactive and may end up being more expensive in the long run. Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.

This picture contains the eight step identity security and governance framework for security leaders.

Info-Tech’s methodology to Assess and Govern Identity Security

Phase 1: Establish Identity Security Governance
  Phase Steps
    1. Adopt a Standard Identity Taxonomy
    2. Establish Roles and Responsibilities Over Identity Security
  Phase Outcomes
    • Identity Security RACI Chart

Phase 2: Assess and Mitigate Identity Threats
  Phase Steps
    1. Create an Identity Inventory
    2. Assess Identity-Based Threats and Mitigations
    3. Build the Identity Security Architecture
  Phase Outcomes
    • Identity Inventory
    • Assessment of Identity-Based Threats and Mitigations
    • Identity Security Architecture

    Insight summary

    Overarching insight

    Security leaders view modernizing identity security as too big a challenge and prefer to focus on narrower problems that seem easily solvable using tools such as single sign-on, multifactor authentication, or privileged access management. However, this limited focus is reactive rather than proactive, and it may end up being more expensive in the long run. Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.

    Phase 1 Insights

    • People using different taxonomies can create conflicts. Use any existing conflicts in understanding as an education opportunity once standard definitions are set.
    • Work with other identity owners to ensure governance is clearly defined before making any large changes.

    Tactical insight

    To some extent, your identity processes are working, or else the business would not be able to function – your processes may just have more risk or cause more disruption than you would like. Use what exists today as a starting point instead of starting from scratch.

    Phase 2 insight

    Understanding the current and future threats to your identity program will be critical to modernizing your identity security. Use a structured approach to ensure you identify all identity-based threats that pose a risk for your organization.

    Tactical insight

    Modernization starts with understanding legacy components.

    Use Info-Tech’s blueprint to know how prepared you are for every threat vector

    IT Benefits

    • IT can determine the capabilities of its current security structure to deal with various attack vectors.
    • IT will no longer have to disallow certain applications and services because they are cloud based.
    • Analysis and threat modeling are no longer guesswork about the most pressing concerns. Know your vulnerabilities, then remediate and plan proactively instead of reactively.

    Business Benefits

    • Line-of-business managers can understand which areas need improvement and which can be deprioritized.
    • Gain an in-depth understanding of the management aspects of security and threat vectors and techniques.
    • Know which mitigative and detective measures should be implemented to best protect your environment without additional guesswork.

    Use Info-Tech’s blueprint to improve enterprise security posture

    Threat preparedness can be used to effectively evaluate:

    Organizational preparedness
    Expose operational weak points and transition teams from a reactive approach to a more proactive security program.

    Enhanced threat detection, prevention, analysis, and response
    Enhance the collaboration and use of your security investments through the simulated evaluation of your threat collaboration environment.

    Improve return on security investment
    Evaluate core staff on their use of process and technology to defend the organization.

    Identify blind spots and opportunities for continuous improvement
    Provide increased visibility into current performance levels, and accurately identify opportunities for continuous improvement with a holistic measurement program.

    Iterative benefit

    Over time, experience incremental value from knowing which attack vectors apply to your organization. Through continual updates your security protocols will evolve with less associated effort, time, and cost.

    Short-term benefits

    • Ensure organizational preparedness.
    • Identify effectiveness of the overall security program.
    • Streamline the security management program.
    • Identify people, process, and technology gaps.

    Long-term benefits

    • Reduce incident costs and remediation time.
    • Increase operational collaboration between prevention, detection, analysis, and response efforts.
    • Enhance security posture.
    • Improve communication with executives about relevant security risks to the business.
    • Preserve reputation and brand equity.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.

    Guided Implementation

    Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.

    Workshop

    We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.

    Consulting

    Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.

    Diagnostics and consistent frameworks are used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1:
    Establish Identity Governance

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Build an identity security RACI chart.

    Phase 2:
    Assess and Mitigate Identity Threats

    Call #3: Identify and record existing identity types.

    Call #4: Assess identity-based threats and mitigations.

    Call #5: Create the identity security architecture.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
    A typical GI is between 1 and 5 calls over the course of 1 to 5 months.

    Workshop Overview


    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    Day 1: Establish Identity Governance
      Activities
        1.1 Adopt a standard identity taxonomy.
        1.2 Identify the tasks for your identity security project.
        1.3 Allocate responsibility and ownership for each task in a RACI chart.
        1.4 Analyze your RACI chart.
      Deliverables
        1. Identity taxonomy
        2. Identity security RACI chart

    Day 2: Assess and Mitigate Identity Threats
      Activities
        2.1 Document identity repositories.
        2.2 Inventory your identity types.
        2.3 Review and assess identity-based MITRE ATT&CK® threats.
        2.4 Review and assess identity-based MITRE ATT&CK® mitigations.

    Day 3: Assess and Mitigate Identity Threats
      Activities
        3.1 Complete in-progress deliverables from previous two days.
        3.2 Set up review time for workshop deliverables and to discuss next steps.
      Deliverables (Days 2 and 3)
        1. Identity inventory
        2. Identity-based threat and mitigation assessment using the MITRE ATT&CK® framework
        3. Identity security architecture with prioritized controls

    Executive Brief Case Study

    Industry: Advisory Services

    Source: Cloud Security Alliance

    Deloitte

    Deloitte experienced a major data breach on September 25, 2017, in part due to weak identity, credential, and access management. The breach was a direct result of a poorly secured administrative email account the attacker used to achieve privileged unrestricted access to all areas of the company.
    The account only had a single password, with no multifactor or additional verification processes. Even more concerning was that the attacker had access to the account for over a year without being detected, allowing them to store and monitor all emails that moved in and out of the company. Sensitive information, personally identifying information (PII), usernames, passwords, IP addresses, and architectural diagrams were all accessed, including the personal data of blue-chip clients.

    Key Takeaways

    1. Secure accounts, including two-factor authentication and limiting the use of root accounts.
    2. Practice the strictest identity and access controls for cloud users and identities.
    3. Segregate and segment accounts, virtual private clouds (VPCs), and identity groups based on business needs and the principle of least privilege.
    4. Rotate keys, remove unused credentials or access privileges, and employ central, programmatic key management.

    Impact Statement for Deloitte

    Security incidents and data breaches can occur due to the following:

    • Inadequate protection of credentials
    • Lack of regular, automated rotation of cryptographic keys, passwords, and certificates
    • Lack of scalable identity, credential, and access management systems
    • Failure to use multifactor authentication
    • Failure to use strong passwords

    Malicious actors masquerading as legitimate users, operators, or developers can:

    • Read, exfiltrate, modify, or delete data
    • Issue control plane and management functions
    • Snoop on data in transit
    • Release malicious software that appears to originate from a legitimate source

    Phase 1

    Establish Identity Governance

    Phase 1 Phase 2
    1.1 Adopt a Standard Identity Taxonomy
    1.2 Establish Roles and Responsibilities for Identity Security
    2.1 Create an Identity Inventory
    2.2 Assess Identity-Based Threats and Mitigations
    2.3 Build the Identity Security Architecture

    This phase will walk you through the following activities:

    • Adopting a standard taxonomy to understand and discuss identity-related security risks.
    • Establishing roles and responsibilities for identity governance and security.

    This phase involves the following participants:

    • Security team
    • IT leadership
    • Business stakeholders
    • Legal
    • Human resources

    Assess and Govern Identity Security

    1.1 Adopt a standard identity taxonomy

    Estimated Time: 30 minutes

    1.1.1 Review Info-Tech identity taxonomy: Review the terms and definitions related to identity security on the following slide.
    1.1.2 Customize as required: As a group, discuss each term and its related definition. Modify the definitions as required to fit within your organization. The goal should be to arrive at a common taxonomy for identity security.

    Input

    • Current taxonomies
    • Identity architecture material

    Output

    • Common, shared understanding of identity security terms and definitions

    Materials

    • Taxonomy slide

    Participants

    • Security team
    • IT leadership
    • Business stakeholders
    • Legal
    • Human resources

    1.1 Identity concepts and definitions

    A common identity taxonomy can foster mutual understanding

    This image contains definitions for common identity terms and how they relate to each other. The terms included are: Natural Person; Personal Identity; Persona; Digital Persona; Digital Identity; Identity Proofing; Account; Identity Mapping; Authentication; Authorization; and Machine.

    1.2 Establish roles and responsibilities for identity security

    Estimated Time: 1-2 hours

    1.2.1 List the tasks for your project: Begin building the RACI chart by defining a list of project tasks. Organize tasks into the following four categories: plan, execute, monitor, and measure. List tasks along the side of your RACI chart as row headers.

    1.2.2 Allocate responsibility and ownership for each task: For each task in your RACI chart, determine which stakeholder groups are accountable (A), responsible (R), consulted (C), and/or informed (I). Stakeholder groups should be listed along the top of your RACI chart as column headers.

    1.2.3 Analyze your RACI chart: To ensure you have a strong allocation of roles, watch out for common errors and red flags when building the RACI chart. These can include having too many people responsible for a task or not having assigned an accountable person/group. These are defined in more detail in a later slide.

    Download the Identity Security RACI Chart Tool

    Input

    • List of tasks that must be completed as part of the identity security project
    • List of stakeholder groups that will be involved in some capacity with the identity security project

    Output

    • A RACI chart that defines roles for stakeholder groups executing tasks for the identity security project

    Materials

    • Laptop
    • Identity Security RACI Chart Tool

    Participants

    • Security team
    • IT leadership
    • Business stakeholders
    • Legal
    • Human resources

    1.2.1 List the tasks for your project

    To begin building the RACI chart for your identity security project, list out the project’s required tasks. Organize these tasks into four categories: plan, execute, monitor, and measure. To assist with the development of this task list, consider the sample tasks listed below:

    PLAN

    • Adopt a common identity security taxonomy.
    • Build an identity and access management policy.
    • Establish identity governance objectives.
    • Inventory identities and assign data owners.
    • Model identity-based threats.
    • Identify identity security control requirements.
    • Develop the identity security architecture.
    • Define separation-of-duties constraints.
    • Define authorization requirements and ensure systems support those requirements.

    EXECUTE

    • Create accounts with access that follows the principle of least privilege.
    • Deprovision accounts.
    • Track policy exceptions when assigning access.

    MONITOR

    • Monitor access requests (cloud access security broker/security information and event management).
    • Report violations of policy or process.
    • Review/audit access privileges to prevent privilege creep.

    MEASURE

    • Build a business case for architecture technology components.
    • Measure efficiency and effectiveness of identity security processes.

    If you are using Info-Tech’s Identity Security RACI Chart tool, enter your list of tasks into Column B of tab 2, Smart RACI Chart.

    1.2.2 Allocate responsibility and ownership for each task

    For each task in your RACI chart, determine which stakeholder groups are accountable, responsible, consulted, and/or informed. Each task should have one and only one person/group held accountable and at least one person/group given responsibility. The number of consulted and informed people/groups will differ for each organization.

    Responsible (R): The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.

    Accountable (A): The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor.

    Consulted (C): The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs).

    Informed (I): The person(s) who is updated on progress. These are resources who are affected by the outcome of the activities and need to be kept up to date.

    Sample RACI chart (Plan tasks). The stakeholder columns fall into three groups: Senior Management, Security and IAM, and The Business. Columns, in order: Board of Directors; CIO; CISO or Director of Security; Security/IAM Systems Architect; Security/IAM Engineer; Security/IAM Analyst; Security/IAM Administrator; Privacy Personnel; Identity Owners; Finance; Human Resources; Legal. A dash means the group is not involved.

    Adopt a common taxonomy for securing identities at the organization
      Board: I | CIO: A | CISO: R | Architect: C | Engineer: R | Analyst: C | Administrator: - | Privacy: - | Identity Owners: I | Finance: - | HR: I | Legal: -

    Build and maintain an identity and access management policy
      Board: I | CIO: I | CISO: A | Architect: C | Engineer: C | Analyst: R | Administrator: R | Privacy: - | Identity Owners: I | Finance: - | HR: I | Legal: I

    Establish identity governance objectives
      Board: A | CIO: R | CISO: R | Architect: R | Engineer: R | Analyst: R | Administrator: R | Privacy: - | Identity Owners: I | Finance: - | HR: I | Legal: -

    Inventory identities and assign data owners
      Board: I | CIO: C | CISO: R/A | Architect: R | Engineer: R | Analyst: R | Administrator: C | Privacy: - | Identity Owners: C | Finance: - | HR: C | Legal: -

    If you are using Info-Tech’s Identity Security RACI Chart tool, complete the table on tab 2, Smart RACI Chart.

    1.2.3 Analyze your RACI chart

    To ensure a strong RACI chart, perform vertical and horizontal analyses. These analyses can identify potential breakdowns in project efficiency.

    This image contains a screenshot of tab two of Info-Tech's Identity Security RACI Chart tool, with a green arrow linking the columns and an orange arrow linking the rows.

    Horizontal Analysis

    One Group Accountable: There should be one and only one stakeholder group accountable for a given task. Watch out for cases where there are no A’s or multiple A’s for a task.

    No Responsibility: Do any of your rows have zero R’s? If so, this task may not be completed. Ensure each task has responsibility assigned to at least one stakeholder group.

    Too Much Responsibility: Do any of your rows have too many R’s? If so, this can be an indication that the task should be split into more specific items.

    Vertical Analysis

    No Empty Spaces: Do any of your columns have no empty spaces? If so, these stakeholder groups may be involved in too many activities.

    Too Much Responsibility: Do any of your columns have too many R’s? If so, does this group have the resourcing to support that much work?

    Too Much Accountability: Do any of your columns have too many A’s? If so, can any of these A’s be given to people/groups at a lower level?

    If you are using Info-Tech’s Identity Security RACI Chart tool, review Column P on tab 2, Smart RACI Chart, for potential action items based on the tool’s analysis.
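The horizontal and vertical checks in step 1.2.3 are easy to get wrong when a chart has dozens of rows, so here is the analysis written out as code. This is an added example, not Info-Tech's RACI Chart Tool; the chart data is the four sample Plan rows from step 1.2.2, and the numeric thresholds for "too many" R's and A's are assumptions, since the page gives no numbers.

```python
"""Horizontal and vertical RACI analysis, as described in step 1.2.3.

Added example; this is not Info-Tech's Identity Security RACI Chart Tool.
The chart below is constructed from the four sample Plan rows in step 1.2.2.
The thresholds for "too many" are assumptions; the page gives no numbers.
"""
from collections import Counter

STAKEHOLDERS = [
    "Board of Directors", "CIO", "CISO or Director of Security",
    "Security/IAM Systems Architect", "Security/IAM Engineer",
    "Security/IAM Analyst", "Security/IAM Administrator", "Privacy Personnel",
    "Identity Owners", "Finance", "Human Resources", "Legal",
]

# One cell per stakeholder column: R, A, C, I, a combination such as "R/A",
# or "-" for not involved. Values copied from the sample rows on the page.
SAMPLE_CHART = {
    "Adopt a common taxonomy": "I A R C R C - - I - I -".split(),
    "Build and maintain an IAM policy": "I I A C C R R - I - I I".split(),
    "Establish identity governance objectives": "A R R R R R R - I - I -".split(),
    "Inventory identities and assign data owners": "I C R/A R R R C - C - C -".split(),
}

# Assumed thresholds; tune them to the size of your organization.
MAX_R_PER_TASK = 3    # more responsible groups than this: consider splitting the task
MAX_R_PER_GROUP = 3   # more tasks than this: does the group have the resourcing?
MAX_A_PER_GROUP = 2   # more tasks than this: push accountability to a lower level


def _codes(cell):
    """Letters in one cell; '-' contributes nothing, 'R/A' contributes both."""
    return [] if cell == "-" else cell.split("/")


def _validate(chart, stakeholders):
    """Every row must have one cell per stakeholder and only R/A/C/I letters."""
    for task, cells in chart.items():
        if len(cells) != len(stakeholders):
            raise ValueError(f"{task!r}: {len(cells)} cells for {len(stakeholders)} stakeholders")
        for cell in cells:
            if any(code not in ("R", "A", "C", "I") for code in _codes(cell)):
                raise ValueError(f"{task!r}: unknown RACI cell {cell!r}")


def horizontal_analysis(chart, max_r=MAX_R_PER_TASK):
    """Row checks: exactly one A, at least one R, not too many R per task."""
    findings = []
    for task, cells in chart.items():
        counts = Counter(code for cell in cells for code in _codes(cell))
        if counts["A"] == 0:
            findings.append((task, "no_accountable", "nobody is accountable for this task"))
        elif counts["A"] > 1:
            findings.append((task, "multiple_accountable", f"{counts['A']} groups accountable; keep exactly one"))
        if counts["R"] == 0:
            findings.append((task, "no_responsible", "no group is responsible; the task may not get done"))
        elif counts["R"] > max_r:
            findings.append((task, "too_many_responsible", f"{counts['R']} groups responsible; consider splitting the task"))
    return findings


def vertical_analysis(chart, stakeholders=STAKEHOLDERS,
                      max_r=MAX_R_PER_GROUP, max_a=MAX_A_PER_GROUP):
    """Column checks: no empty cells, too many R, too many A per stakeholder group."""
    findings = []
    rows = list(chart.values())
    for idx, group in enumerate(stakeholders):
        column = [row[idx] for row in rows]
        counts = Counter(code for cell in column for code in _codes(cell))
        if column and all(cell != "-" for cell in column):
            findings.append((group, "no_empty_spaces", "involved in every task; may be over-committed"))
        if counts["R"] > max_r:
            findings.append((group, "too_many_responsible", f"responsible for {counts['R']} tasks; check resourcing"))
        if counts["A"] > max_a:
            findings.append((group, "too_many_accountable", f"accountable for {counts['A']} tasks; delegate some?"))
    return findings


def analyze(chart, stakeholders=STAKEHOLDERS):
    """Run both analyses after validating the chart's shape."""
    _validate(chart, stakeholders)
    return {"horizontal": horizontal_analysis(chart),
            "vertical": vertical_analysis(chart, stakeholders)}


if __name__ == "__main__":
    for direction, items in analyze(SAMPLE_CHART).items():
        print(direction)
        for subject, check, detail in items:
            print(f"  {subject}: {check}: {detail}")
```

On the four sample rows the horizontal pass flags "Establish identity governance objectives" (six R's) and "Inventory identities and assign data owners" (four R's) as candidates for splitting, and the vertical pass flags eight groups as involved in every task; with only four rows that second finding is expected, and it becomes meaningful once the full Plan, Execute, Monitor and Measure task list is entered.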

    Phase 2

    Identify Threat-Based Identity Security Controls

    Phase 1 Phase 2
    1.1 Adopt a Standard Identity Taxonomy
    1.2 Establish Roles and Responsibilities for Identity Security
    2.1 Create an Identity Inventory
    2.2 Assess Identity-Based Threats and Mitigations
    2.3 Build the Identity Security Architecture

    This phase will walk you through the following activities:

    • Inventorying your identity types and repositories.
    • Identifying and assessing threats to your identities and mitigations for those threats.
    • Building out an identity security architecture.

    This phase involves the following participants:

    • Security team
    • IT leadership
    • Business stakeholders
    • Human resources

    Assess and Govern Identity Security

    2.1 Create an identity inventory

    Estimated Time: 2-4 hours

    2.1.1 Document identity repositories: Identify and document your existing identity repositories or directories. For each repository, document its location, description, and owner.

    2.1.2 Inventory your identity types: List all identity types that exist at the organization. For each identity type, document that type’s boundary (e.g., internal identity, external identity, hybrid identity), owner, and risk level based on typical access levels, as well as repositories where that identity type is stored.

    Download the Identity Security Architecture Tool

    Input

    • List of tasks that must be completed as part of the identity security project
    • List of identity types and associated information

    Output

    • An identity inventory that can be used to determine which identity-based threats need to be considered

    Materials

    • Laptop
    • Identity Security Architecture Tool

    Participants

    • Security team
    • IT leadership
    • Business stakeholders
    • Legal
    • Human resources

    2.1.1 Document identity repositories

    Identify and document your existing identity repositories or directories. For each repository, document its location, description, and owner.

    This image contains a screenshot of tab two of Info-Tech's Identity Security Architecture Tool.

    Location

    Internal: Repository is on premises.
    Hybrid: Repository exists both on premises and in the cloud.
    External: Repository is in the cloud.

    Owner

    Who manages the identity repository?

    If you are using Info-Tech’s Identity Security Architecture Tool, document items on tab 2, Repositories.

    2.1.2 Inventory your identity types

    List all identity types that exist at the organization. For each identity type, document that type’s boundary (e.g., internal identity, external identity, internal and external identity), owner, and risk level based on typical access levels, as well as repositories where that identity type is stored.

    This image contains a screenshot of tab three of Info-Tech's Identity Security Architecture Tool.

    Boundary

    Internal Only: Housed within your organization.
    External Only: External to your organization.
    Internal/External: Identity applies internally and externally.

    Risk Level

    The more access this identity type typically has, the higher the risk level should be. In the case where access levels vary widely for an identity type, either separate these into two separate types (e.g., Employee separates into Non-Privileged Employee and Privileged Employee) or choose the highest applicable risk level.

    If you are using Info-Tech’s Identity Security Architecture Tool, document items on tab 3, Identity Types.

    2.2 Assess identity-based threats and mitigations

    Estimated Time: 1-2 hours

    2.2.1 Review and assess identity-based MITRE ATT&CK® threats: For each identity-specific threat technique from the MITRE ATT&CK® framework, assess the likelihood that your organization may experience that threat. This score will be applied to each identity repository identified in step 2.1.1. Consider if any of the identity repositories should be given a higher or lower score, based on the repository being more or less likely to experience the threat being considered.

    2.2.2 Review and assess identity-based MITRE ATT&CK® mitigations: For each identity-specific threat mitigation from the MITRE ATT&CK® framework, assess the strength of that mitigation within your organization. This score will be applied to each identity repository identified in step 2.1.1. Consider if any of the identity repositories should be given a higher or lower score, based on the mitigation being considered having a higher or lower strength for that repository.

    Download the Identity Security Architecture Tool

    Input

    • List of identity-specific threat techniques from the MITRE ATT&CK® framework
    • List of identity-specific threat mitigations from the MITRE ATT&CK® framework

    Output

    • Identity-based threat and mitigation assessment using the MITRE ATT&CK® framework

    Materials

    • Laptop
    • MITRE ATT&CK® framework

    Participants

    • Security team

    2.2.1 Review and assess identity-based MITRE ATT&CK® threats

    For each identity-specific threat technique from the MITRE ATT&CK® framework, assess the likelihood that your organization may experience that threat. This score will be applied to each identity repository identified in step 2.1.1. Consider if any of the identity repositories should be given a higher or lower score, based on the repository being more or less likely to experience the threat being considered.

    This image contains a screenshot of tab four of Info-Tech's Identity Security Architecture Tool.

    Probability

    Is there a zero, low, medium, or high probability that this threat could be experienced at the organization?

    Repositories

    For each known identity repository, is there a higher or lower probability of a threat being experienced?

    In Info-Tech’s Identity Security Architecture Tool, assess the threats listed on tab 4, Threats.

    2.2.2 Review and assess identity-based MITRE ATT&CK® mitigations

For each identity-specific threat mitigation from the MITRE ATT&CK® framework, assess the strength of that mitigation within your organization. This score will be applied to each identity repository identified in step 2.1.1. Consider whether any identity repository should be given a higher or lower score because the mitigation is stronger or weaker for that repository.

    This image contains a screenshot of tab five of Info-Tech's Identity Security Architecture Tool.

    Strength

    For applicable mitigations, is the mitigation’s strength low, medium, or high?

    Repositories

    For each known identity repository, is the strength of the mitigation being considered higher or lower?

In Info-Tech’s Identity Security Architecture Tool, assess the mitigations listed on tab 5, Mitigations.

    2.3 Build the identity security architecture

    Estimated Time: 1-2 hours

    2.1.1 Document identity repositories: Identify and document your existing identity repositories or directories. For each repository, document its location, description, and owner.

    2.3.1 Assess architecture controls: Once you have completed tabs 2 to 5 of the Identity Security Architecture Tool, the tool will produce an architecture diagram on tab 6. The architecture diagram also functions as a risk heat map, allowing you to quickly identify areas of high risk or weak controls. As you review the diagram, consider the following:

    • Reducing risks associated with identity types – for instance, by implementing role-based access control – can be effective but is often very difficult.
    • Concentrate most of your efforts on improving mitigations because these tend to be the architectural components that you have the most control over.
    • Use a copy of the tool to experiment with how improvements to mitigations might affect overall repository risk. You can do this by making incremental changes to the mitigation strengths and then seeing how that impacts your repository risks.
    • Mitigation improvements that show significant risk reduction should be prioritized for implementation.
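As an added illustration of the scoring procedure in steps 2.2.1, 2.2.2 and 2.3.1 (a constructed example, not Info-Tech's Identity Security Architecture Tool or its scoring formula), the Python model below gives each ATT&CK technique a probability and each mitigation a strength, applies the per-repository "higher"/"lower" adjustments, sums residual risk per repository (the number behind a heat-map cell), and then performs the what-if comparison from the last bullet by raising one mitigation a single level and reporting the risk reduction per repository. The residual-risk formula, the three repositories, every score and the technique-to-mitigation mapping are assumptions; the technique and mitigation IDs are real MITRE ATT&CK identifiers used only as labels.

```python
"""Constructed repository-risk model for an identity threat/mitigation assessment.

Added example: not Info-Tech's Identity Security Architecture Tool or its
scoring logic. Scores, repositories and the technique-to-mitigation mapping
below are assumptions made for illustration.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional

# Ordinal scales from the assessment: probability (step 2.2.1) and strength (2.2.2).
PROBABILITY = {"zero": 0, "low": 1, "medium": 2, "high": 3}
STRENGTH = {"none": 0, "low": 1, "medium": 2, "high": 3}
STRENGTH_ORDER = ["none", "low", "medium", "high"]
MAX_LEVEL = 3


@dataclass
class Threat:
    technique_id: str                     # MITRE ATT&CK technique ID (label only)
    name: str
    probability: str                      # organization-wide baseline score
    per_repo: Dict[str, str] = field(default_factory=dict)  # repo -> "higher"/"lower"


@dataclass
class Mitigation:
    mitigation_id: str                    # MITRE ATT&CK mitigation ID (label only)
    name: str
    strength: str                         # organization-wide baseline score
    covers: List[str]                     # technique IDs it applies to (assumed mapping)
    per_repo: Dict[str, str] = field(default_factory=dict)  # repo -> "higher"/"lower"


def adjust(level: int, direction: Optional[str]) -> int:
    """Apply a per-repository 'higher'/'lower' adjustment, clamped to 0..MAX_LEVEL."""
    if direction == "higher":
        level += 1
    elif direction == "lower":
        level -= 1
    return max(0, min(MAX_LEVEL, level))


def residual_risk(threat: Threat, mitigations: List[Mitigation], repo: str) -> float:
    """Assumed formula: probability * (1 - strongest covering mitigation / MAX_LEVEL)."""
    probability = adjust(PROBABILITY[threat.probability], threat.per_repo.get(repo))
    strengths = [
        adjust(STRENGTH[m.strength], m.per_repo.get(repo))
        for m in mitigations
        if threat.technique_id in m.covers
    ]
    coverage = max(strengths, default=0) / MAX_LEVEL
    return probability * (1 - coverage)


def repository_risk(repos, threats, mitigations) -> Dict[str, float]:
    """Total residual risk per repository: the value behind one heat-map cell."""
    return {r: sum(residual_risk(t, mitigations, r) for t in threats) for r in repos}


def what_if(repos, threats, mitigations, mitigation_id: str) -> Dict[str, float]:
    """Risk reduction per repository if one mitigation is raised by a single level."""
    base = repository_risk(repos, threats, mitigations)
    boosted = []
    for m in mitigations:
        if m.mitigation_id == mitigation_id and m.strength != "high":
            m = replace(m, strength=STRENGTH_ORDER[STRENGTH_ORDER.index(m.strength) + 1])
        boosted.append(m)
    improved = repository_risk(repos, threats, boosted)
    return {r: round(base[r] - improved[r], 2) for r in repos}


# Constructed sample inventory (step 2.1.1) and assessment (steps 2.2.1 and 2.2.2).
REPOS = ["Active Directory", "HR system", "Cloud IdP"]
THREATS = [
    Threat("T1110", "Brute Force", "medium", per_repo={"Cloud IdP": "higher"}),
    Threat("T1078", "Valid Accounts", "high"),
    Threat("T1003", "OS Credential Dumping", "medium",
           per_repo={"HR system": "lower", "Cloud IdP": "lower"}),
]
MITIGATIONS = [
    Mitigation("M1032", "Multi-factor Authentication", "low", ["T1110", "T1078"],
               per_repo={"Cloud IdP": "higher"}),
    Mitigation("M1027", "Password Policies", "medium", ["T1110"]),
    Mitigation("M1026", "Privileged Account Management", "low", ["T1078", "T1003"]),
]

if __name__ == "__main__":
    for repo, risk in repository_risk(REPOS, THREATS, MITIGATIONS).items():
        print(f"{repo:17s} residual risk = {risk:.2f}")
    # Which single-level mitigation improvement buys the most risk reduction, and where?
    for m in MITIGATIONS:
        print(f"raise {m.mitigation_id} one level:",
              what_if(REPOS, THREATS, MITIGATIONS, m.mitigation_id))
```

With these assumed scores, raising multi-factor authentication one level removes twice as much risk from the cloud IdP as from the on-premises directory, while a stronger password policy helps only the brute-force technique; that is the kind of comparison the "experiment with a copy of the tool" bullet is asking you to make before prioritizing mitigations.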

    Download the Identity Security Architecture Tool

    Input

    • Identity inventory
    • Identity-based threat and mitigation assessment using the MITRE ATT&CK® framework

    Output

    • An identity security architecture with prioritized controls

    Materials

    • Laptop
    • Identity Security Architecture Tool

    Participants

    • Security team
    • IT leadership

    2.3 Review the identity security architecture

    When you have completed the data entry for the architecture tool, you can review tab 6, which presents a heat map architecture of risks and mitigations across your identity stores. The architecture can be used to identify areas for improvement.

    This image contains a screenshot of tab six of Info-Tech's Identity Security Architecture Tool.

    If you are using Info-Tech’s Identity Security Architecture Tool, review the architecture on tab 6, Architecture.

    Summary of accomplishment

    Problem Solved

    By following Info-Tech’s methodology for assessing and governing identity security, you will have:

    • Developed a common terminology and understanding of identity concepts.
    • Identified the roles and responsibilities within your organization for the governance of identity security.
    • Inventoried your identity types and identity repositories.
    • Identified security threats against your identities.
    • Assessed your identity security mitigations.
    • Developed an identity security architecture to understand and mitigate weaknesses.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889

    Additional Support


    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.


    The following are sample activities that will be conducted by Info-Tech analysts with your team:
RACI Matrix (screenshot of Info-Tech's Identity Security RACI Chart)
Capture roles and responsibilities using the Identity Security RACI Chart.

Architecture Tool (screenshot of Info-Tech's Identity Security Architecture Tool)
Complete the Identity Security Architecture Tool.

    Related Info-Tech Research

    Simplify Identity and Access Management

    • Our research will help organizations take back control of their IAM environment by creating and implementing an RBAC model.
    • The tools included in this research help create a repeatable, simplified auditing process and minimize the amount of entitlement sprawl.
    • This research will educate readers on selecting and implementing IAM vendors. It will assist in producing vendor RFPs and shortlisting vendors to ensure that selected vendor solutions offer capabilities required by the organization (e.g. MFA) based on business goals, compliance, and other gaps, and offer integration functionality with the different cloud vendors used by the organization.

    Mature Your Identity and Access Management Program

    • Info-Tech provides a high-level framework that helps organizations ensure they are following best practice at all stages of an identity's lifecycle.
      • Identify the drivers behind improving your IAM practices.
      • Develop best-practice processes for each section of the identity lifecycle.
      • Understand the benefits of using IAM software.
    • Use our research to start your journey to mature the IAM program at your organization.

    Build an Information Security Strategy

    • Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for more than seven years with hundreds of different organizations:
    • This approach includes tools for:
      • Ensuring alignment with business objectives.
      • Assessing organizational risk and stakeholder expectations.
      • Enabling a comprehensive current-state assessment.
      • Prioritizing initiatives and building out a security roadmap.

    Research Contributors

    Brian Michell
    Chief Information Officer
    Effort Trust

    Don Davidson
    Enterprise Security Architect
    Canada Life

    Eric Galis
    VP Compliance and Security
    Engage

    Keith Scarbeau
    Cyber Security Architect
    St. Luke’s Health System Ltd.

    Marc Mazur
    Senior Consultant
    KPMG

    Mark Galloway
    Associate Partner
    IAMConcepts Security Solutions Inc.

    Luc Gagne
    Senior Vice President
    IAMConcepts Security Solutions Inc.

    Fabrizio Ienna
    IAM Solutioning/Project Manager
    IAMConcepts Security Solutions Inc.

    Raj Sookha
    Manager IT Architecture
    Toronto Community Housing

    Ron Pirau
    Chief Information Officer
    Archdiocese of Indianapolis

    Sumit Jain
    Chief Information Security Officer
    Louisiana State University

    Bibliography

“2021 ForgeRock Consumer Identity Breach Report.” ForgeRock, 2021. Accessed 3 March 2021.
Ashford, Warwick. “How to modernise identity governance and administration.” Computer Weekly, 27 Nov. 2020. Accessed 9 July 2021.
    Bender, Lara. “Data-centric security vs. identity-centric security: Which is better?” Microfocus, 5 July 2019. Accessed 3 March 2021.
    Blum, Dan. “Control Access with Minimal Drag on the Business.” Rational Cybersecurity for Business, 13 Aug. 2020. Accessed 12 Aug. 2021.
    Chik, Joy. “Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work.” Microsoft, 2 March 2021. Accessed 12 April 2021.
    Cooper, Zach. “What is Identity management and what role does it play in a security strategy?” ITPro, 20 July 2021. Accessed 9 Sept. 2021.
    “Data Mapping for Identity Management.” Idenhaus, Feb. 2018. Accessed 1 Sept. 2021.
    de Kerckhove, Derrick, and Cristina de Almeida. “What is a digital persona?” ResearchGate, Dec. 2013. Accessed 28 April 2021.
    Department of Computer Science. “Cybersecurity Roles and Job Titles.” The George Washington University, n.d. Accessed Sept. 2021.
Ferrill, Tim. “The Best Identity Management Solutions.” PC Mag, 27 Dec. 2019. Accessed 13 April 2021.
    Fulton III, Scott. “Identity management 101: How digital identity works in 2020.” ZDNet, 10 March 2020. Accessed 29 March 2021.
    Goodell, Geoff, and Tomaso Aste. “A Decentralized Digital Identity Architecture.” Frontiers in Blockchain, 5 Nov. 2019. Accessed 14 April 2021.
Grassi, Paul, et al. “NIST Special Publication 800-63-3: Digital Identity Guidelines.” National Institute of Standards and Technology, June 2017. Accessed 3 March 2021.
    Haber, Morey, and Darran Rolls. Identity Attack Vectors. Apress, 2020.
    “Identity for the CISO not yet paying attention to identity.” Health Information Sharing and Analysis Center (H-ISAC), n.d. Accessed 3 March 2021.
    Hopkins, Nick. “Deloitte hit by cyber-attack revealing clients’ secret emails.” The Guardian, 25 Sept. 2017. Accessed 20 June 2021.
    “How to Build an Identity and Access Management Architecture.” RSI Security, 6 Aug. 2020. Accessed 30 May 2021.
“IBM Cost of a Data Breach Report 2021.” IBM, 2021. Accessed 3 March 2021.
    “Identity Defined Security Framework.” Identity Defined Security Alliance (IDSA), 2020. Accessed 3 March 2021.
    Identity Management Institute. “Identity and Access Management Jobs.” Identity Management Institute; Center for Identity Governance, 2019. Accessed 5 May 2020.
    “Identity Security + CIEM; Eliminate All identity Risks. Get to Least Privilege and Stay There.” Sonrai Security, 2021. Accessed 6 Sept. 2021.
    IDSA. “IDSA Integration Framework; Identity Governance.” IDAP, 18 June 2018. Accessed 13 July 2021.
    “Information Security Roles and Responsibilities.” Michigan Tech, 20 Sept. 2016. Accessed 10 July 2021.
    Kantor, Bob. “The RACI matrix: Your Blueprint for project success.” CIO, 30 Jan. 2018. Accessed 14 Sept. 2021.
    Lee, Stephen. “How to adopt an Identity-Centric Security approach.” Infosecurity Magazine, 9 November 2020. Accessed 3 March 2021.
Metcalfe, Keith. “The Digital Identity: What It Is + Why It's Valuable.” Learning Hub, 30 July 2019. Accessed 28 April 2021.
    Milică, Lucia. “Successfully Navigating Identity Management Strategies.” Risk Management Monitor, 11 June 2021. Accessed 14 June 2021.
    MITRE. “ATT&CK Matrix for Enterprise.” MITRE ATT&CK®, 2021. Web.
Rose, Scott, et al. “NIST Special Publication 800-207: Zero Trust Architecture.” National Institute of Standards and Technology, August 2020. Accessed 3 March 2021.
    “Security Roles and Responsibilities.” British Columbia, n.d. Accessed 2 Aug. 2021.
    Shea, Sharon. “Identity Governance.” TechTarget, Aug. 2014. Accessed 15 Aug. 2021.
    Simons, Alex. “Decentralized digital identities and blockchain: The future as we see it.” Microsoft Azure Active Directory Identity Blog, 12 Feb. 2018. Accessed 12 April 2021.
    Smith, Michael L., and James Erwin. “Role & Responsibility Charting (RACI).” Project Management Institute California Inland Empire, n.d. Accessed 2 July 2021.
    “The State of Identity: How Security Teams are Addressing Risk.” IDSA, Dec. 2019. Accessed 3 March 2021.
    Tsing, William. “Deloitte breached by hackers for months.” Malwarebytes Labs, 28 Sept. 2017. Accessed 17 Aug. 2021.
Wende, Kristin. “A Model for Data Governance – Organising Accountabilities for Data Quality Management.” ACIS 2007 Proceedings, 2007.
    “What’s the Difference Between IAM, IGA, and PAM.” Core Security, HelpSystems, n.d. Accessed 12 June 2021.
    “What is Identity Governance | Azure Active Directory.” Microsoft Azure Active Directory, 11 Nov. 2019. Accessed 10 Aug. 2021.

    About Info-Tech

    Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

    We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

    What Is a Blueprint?

    A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

    Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

    Strong identity security and governance are the keys to the zero-trust future.

    Need Extra Help?
    Try Our Guided Implementations

    Get the help you need in this 2-phase advisory process. You'll receive 5 touchpoints with our researchers, all included in your membership.

    Guided Implementation #1 - Establish identity governance
    • Call #1 - Scope requirements, objectives, and your specific challenges.
    • Call #2 - Build an identity security RACI chart.

    Guided Implementation #2 - Assess and mitigate identity threats
    • Call #1 - Identify and record existing identity types.
    • Call #2 - Assess identity-based threats and mitigations.
    • Call #3 - Create the identity security architecture.

    Authors

    Ian Mulholland

    Kevin Peuhkurinen

    Contributors

    • Brian Michell, Chief Information Officer, Effort Trust
    • Marc Mazur, Senior Consultant, KPMG
    • Mark Galloway, Associate Partner, IAMConcepts Security Solutions Inc.
    • Fabrizio Ienna, IAM Solutioning Project Manager, IAMConcepts Security Solutions Inc.
    • Don Davidson, Enterprise Security Architect, Canada Life
    • Luc Gagne, Senior Vice President, IAMConcepts Security Solutions Inc.
    • Eric Galis, VP Compliance and Security, Cengage
    • Keith Scarbeau, Cyber Security Architect, St. Luke's Health System Ltd.
    • Ron Pirau, Chief Information Officer, Archdiocese of Indianapolis
    • Sumit Jain, Chief Information Security Officer, Louisiana State University
    • Raj Sookha, Manager IT Architecture, Toronto Community Housing