IAM, SSO, MFA, PAM, zero trust, and identity governance
36 total articles
A service account is a non-human identity used by an application, script, scheduled task, or automated process to authenticate to systems, call APIs, and access resources.
Access control is the set of rules and mechanisms that determine which users, systems, and processes can perform which actions on which resources.
Just-in-Time Access (JIT) and Just-Enough Access (JEA) are the operational implementations of least privilege: the security principle that every identity should have access to exactly the resources it needs, for exactly the time it needs them, and nothing more.
Operational runbook for privileged account audit procedures.
Operational runbook for cloud account provisioning procedures.
Operational runbook for MFA enrollment and support procedures.
Operational runbook for new employee security onboarding procedures.
Operational runbook for employee offboarding security procedures.
Operational runbook for certificate renewal procedures.
Operational runbook for user access review procedures.
Practice OAuth 2.0 and OpenID Connect security testing including token manipulation and flow attacks.
Defining and enforcing authentication standards for APIs including OAuth 2.0, mutual TLS, and API key management.
Securing remote access methods (VPN, ZTNA, RDP gateways) with appropriate authentication and monitoring controls.
Establishing a credential management program covering password policies, credential rotation, and breach credential monitoring.
Deploying detection capabilities for identity-based attacks including credential compromise, privilege escalation, and lateral movement.
Implementing lifecycle management, access reviews, and monitoring for service accounts and non-human identities.
Managing cloud IAM policies, roles, and permissions across multi-cloud environments with consistent governance.
Hardening Active Directory and other directory services against common attacks including Kerberoasting, DCSync, and Golden Ticket.
Automating periodic access reviews to ensure permissions remain appropriate as roles change and employees transition.
Designing and implementing single sign-on and identity federation to reduce credential sprawl while maintaining security.
Implementing zero trust access principles that verify every request based on identity, device health, and context.
Establishing a PAM program that secures, monitors, and audits all privileged access across the organization.
Planning and executing MFA deployment across all user populations and critical systems with appropriate method selection.
Managing the complete identity lifecycle from provisioning through deprovisioning, ensuring timely access grants and revocations.
Moving beyond network segmentation: microsegmentation strategies, policy design, and Zero Trust network enforcement.
CIEM tools and practices for managing overprivileged cloud identities: right-sizing permissions, detecting toxic combinations, and enforcing least privilege.
Designing conditional access policies: signal evaluation, grant controls, session controls, and policy testing methodology.
Automated identity provisioning with SCIM: protocol mechanics, IdP integration, error handling, and deprovisioning strategies.
IGA programs: access certification, joiner/mover/leaver automation, role mining, and segregation of duties enforcement.
MFA deployment beyond checkboxes: method selection, phishing-resistant MFA, recovery procedures, and user experience optimization.
PAM beyond the vault: session recording, just-in-time access, privilege elevation, and emergency break-glass procedures.
The hidden risk of service accounts: discovery, ownership, credential rotation, least privilege, and decommissioning.
Hardening Active Directory and cloud identity providers: Tier 0 protection, Kerberos security, and identity attack path reduction.
Secure implementation of OAuth 2.0 and OpenID Connect: grant types, token management, and common implementation vulnerabilities.
Phased approach to Zero Trust: identity-centric controls, microsegmentation, continuous verification, and least privilege enforcement.
MFA blocks 99.9% of automated attacks. Best practices span factor selection, deployment strategy, and phishing-resistant options.