- Many security leaders are struggling to meet the recommendations of internal and external parties when it comes to identity and access management.
- A lot of identity and access management processes are known to be inefficient, and many known solutions are difficult to implement.
Our Advice
Critical Insight
- Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.
Impact and Result
- Develop a common terminology and understanding of identity concepts.
- Identify the roles and responsibilities within your organization for the governance of identity security.
- Inventory your identity types, repositories, threats, and mitigations.
- Develop an identity security architecture to understand and mitigate weaknesses.
Onsite Workshop: Assess and Govern Identity Security
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Establish Identity Governance
The Purpose
Establish identity governance.
Key Benefits Achieved
Improved identity governance
Activities
Outputs
Adopt a standard identity taxonomy.
- Identity taxonomy
Identify the tasks for your identity security project.
Allocate responsibility and ownership for each task in a RACI chart.
- Identity security RACI chart
Analyze your RACI chart.
Module 2: Assess and Mitigate Identity Threats
The Purpose
Assess and mitigate identity threats.
Key Benefits Achieved
Assessed identity threats
Activities
Outputs
Document identity repositories.
Inventory your identity types.
- Identity inventory
Review and assess identity-based MITRE ATT&CK® threats.
Review and assess identity-based MITRE ATT&CK® mitigations.
- Identity-based threat and mitigation assessment using the MITRE ATT&CK® framework
- Identity security architecture with prioritized controls
Assess and Govern Identity Security
Strong identity security and governance are the keys to the zero-trust future.
Analyst Perspective
Effectively securing all managed identities
To ensure a significant improvement in identity security, organizations must be willing to take a step back and understand where the vulnerabilities lie and identify the threats that may take advantage of them.
Every organization likely juggles many different identity types. This results in a complex system of identity storage, ownership, and security requirements. The first step to improving anything related to identity security will be to fully understand all the different identities that exist, where they exist, who owns related processes, and what threats exist that might take advantage of a managed identity.
Only when an organization has successfully catalogued the information necessary to secure all their identities can they build an identity security architecture that describes an approach to identity security befitting the modern era.

Ian Mulholland
Research Director, Security, Risk, and Compliance, Info-Tech Research Group
Executive Summary
Your Challenge
- Many security leaders are struggling to meet the recommendations of internal and external parties when it comes to identity and access management.
- A lot of identity and access management processes are known to be inefficient, and many known solutions are difficult to implement.
Common Obstacles
Improving identity security can be challenging:
- For most organizations, identity and access management has been allowed to grow organically, and it has become inflexible and difficult to control.
- In most cases, the number of identities and the items they access has increased with each passing year, necessitating more scalable processes and technology.
Info-Tech's Approach
Info-Tech has developed an effective approach to building an identity security architecture.
This unique approach includes tools for:
- Establishing governance for identity security.
- Creating an identity inventory.
- Modeling identity-based threats.
- Building an identity security architecture.
Info-Tech Insight
Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.
Identity management and proper credential management are critical security factors
Key Findings:
+450%
Increase in Username/Password Breaches
Breaches containing usernames and passwords increased by 450% in 2020, totaling 1.48 billion breached records.
$8.64 Million
The Average Cost of a Breach in the US
The average cost of a breach in the US was the highest in the world at $8.64 million, up 5% from the previous year.
2X
The Amount of Time Spent Online
The amount of time people spent online more than doubled in 2020, totaling more than seven hours per person per day.
Source: ForgeRock
In 2020 the world saw a massive digital migration. However, the migration has not come with a secure transition. For the third year in a row, identity security has been one of the weakest links in any security program. The move to remote work has significantly contributed to increases in stolen data.
Weak identity controls have continually given bad actors an easy path to gaining access to enterprise data. Identity and access management practices have been a weak point for many organizations. Find out how to best manage and govern your identities with an identity-centric approach to your security program.
The average cost and frequency of malicious data breaches by root-cause vector

Compromised credentials is an expensive and common threat vector
Of the ten initial threat vectors in malicious breaches represented in a report by IBM, compromised credentials was the most frequently reoccurring attack vector, accounting for 20% of all malicious breaches.
Proper inventory of identities and their respective repositories is critical to ensuring the security of credentials and any of the access they may pertain to.
Preparing yourself properly can save you costs and headaches
Stolen or compromised credentials was one of the most expensive causes of malicious data breaches, according to a 2021 report conducted by IBM.
Unified endpoint management (UEM) and identity and access management (IAM) products and services can give security teams an edge by providing insight and deeper visibility into the internal network and potential suspicious activity.
20%
Of all breaches are through compromised credentials.
$5.33 million
Was the average total cost of a breach at enterprises of more than 25,000 employees, compared to $2.98 million for organizations with under 500 employees.
Identity Security & Governance Framework for Security Leaders
Security leaders view modernizing identity security as too big of a challenge and prefer to focus on narrower challenges that seem easily solvable using tools such as SSO/MFA/PAM. However, this limited focus is reactive rather than proactive and may end up being more expensive in the long run. Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.

Info-Tech’s methodology to Assess and Govern Identity Security
1. Establish Identity Security Governance | 2. Assess and Mitigate Identity Threats | |
---|---|---|
Phase Steps |
|
|
Phase Outcomes |
|
Insight summary
Overarching insight
Security leaders view modernizing identity security as too big of a challenge and prefer to focus on narrower challenges that seem easily solvable using tools such as single sign-on, multifactor authentication, or privileged access management. However, this limited focus is reactive rather than proactive, and it may end up being more expensive in the long run. Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.
Phase 1 Insights
- People using different taxonomies can create conflicts. Use any existing conflicts in understanding as an education opportunity once standard definitions are set.
- Work with other identity owners to ensure governance is clearly defined before making any large changes.
Tactical insight
To some extent, your identity processes are working, or else the business would not be able to function – your processes may just have more risk or cause more disruption than you would like. Use what exists today as a starting point instead of starting from scratch.
Phase 2 insight
Understanding the current and future threats to your identity program will be critical to modernizing your identity security. Use a structured approach to ensure you identify all identity-based threats that pose a risk for your organization.
Tactical insight
Modernization starts with understanding legacy components.
Use Info-Tech’s blueprint to know how prepared you are for every threat vector
IT Benefits
- IT can determine the capabilities of its current security structure to deal with various attack vectors.
- IT will no longer have to disallow certain applications and services because they are cloud based.
- Analyzing and threat modeling are no longer simply guessing what the most pressing concerns are. Know your vulnerabilities and remediate and plan proactively instead of reactively.
Business Benefits
- Line-of-business managers can understand which areas need improvement and which can be deprioritized.
- Gain an in-depth understanding of the management aspects of security and threat vectors and techniques.
- Know which mitigative and detective measures should be implemented to best protect your environment without additional guesswork.
Use Info-Tech’s blueprint to improve enterprise security posture
Threat preparedness can be used to effectively evaluate:
Organizational preparedness
Expose operational weak points and transition teams from a reactive approach to a more proactive security program.
Enhanced threat detection, prevention, analysis, and response
Enhance the collaboration and use of your security investments through the simulated evaluation of your threat collaboration environment.
Improve return on security investment
Evaluate core staff on their use of process and technology to defend the organization.
Identify blind spots and opportunities for continuous improvement
Provide increased visibility into current performance levels, and accurately identify opportunities for continuous improvement with a holistic measurement program.
Iterative benefit
Over time, experience incremental value from knowing the attack vectors through which you can be attacked. Through continual updates your security protocols will evolve with less associated effort, time, and costs.
Short-term benefits
- Ensure organizational preparedness.
- Identify effectiveness of the overall security program.
- Streamline the security management program.
- Identify people, process, and technology gaps.
Long-term benefits
- Reduce incident costs and remediation time.
- Increase operational collaboration between prevention, detection, analysis, and response efforts.
- Enhance security pressure posture.
- Improve communication with executives about relevant security risks to the business.
- Preserve reputation and brand equity.
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit
Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.
Guided Implementation
Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.
Workshop
We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.
Consulting
Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.
Diagnostics and consistent frameworks are used throughout all four options
Guided Implementation
What does a typical GI on this topic look like?
Phase 1:
Establish Identity Governance
Call #1: Scope requirements, objectives, and your specific challenges.
Call #2: Build an identity security RACI chart.
Phase 2:
Assess and Mitigate Identity Threats
Call #3: Identify and record existing identity types.
Call #4: Assess identity-based threats and mitigations.
Call #5: Create the identity security architecture.
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 1 and 5 calls over the course of 1 to 5 months.
Workshop Overview

Contact your account representative for more information. workshops@infotech.com 1-888-670-8889
 | Day 1 | Day 2 | Day 3 |
---|---|---|---|
 | Establish Identity Governance | Assess and Mitigate Identity Threats | Assess and Mitigate Identity Threats |
Activities | 1.1 Adopt a standard identity taxonomy. 1.2 Identify the tasks for your identity security project. 1.3 Allocate responsibility and ownership for each task in a RACI chart. 1.4 Analyze your RACI chart. | 2.1 Document identity repositories. 2.2 Inventory your identity types. 2.3 Review and assess identity-based MITRE ATT&CK® threats. 2.4 Review and assess identity-based MITRE ATT&CK® mitigations. | 3.1 Complete in-progress deliverables from previous two days. 3.2 Set up review time for workshop deliverables and to discuss next steps. |
Deliverables | | | |
Executive Brief Case Study
Industry: Advisory Services
Source: Cloud Security Alliance
Deloitte
Deloitte experienced a major data breach on September 25, 2017, in part due to weak identity, credential, and access management. The breach was a direct result of a poorly secured administrative email account the attacker used to achieve privileged unrestricted access to all areas of the company.
The account only had a single password, with no multifactor or additional verification processes. Even more concerning was that the attacker had access to the account for over a year without being detected, allowing them to store and monitor all emails that moved in and out of the company. Sensitive information, personally identifying information (PII), usernames, passwords, IP addresses, and architectural diagrams were all accessed, including the personal data of blue-chip clients.
Key Takeaways
- Secure accounts, including two-factor authentication and limiting the use of root accounts.
- Practice the strictest identity and access controls for cloud users and identities.
- Segregate and segment accounts, virtual private clouds (VPCs), and identity groups based on business needs and the principles of least privilege.
- Rotate keys, remove unused credentials or access privileges, and employ central, programmatic key management.
Impact Statement for Deloitte
Security incidents and data breaches can occur due to the following:
- Inadequate protection of credentials
- Lack of regular, automated rotation of cryptographic keys, passwords, and certificates
- Lack of scalable identity, credentials, and access management systems
- Failure to use multifactor authentication
- Failure to use strong passwords
- Read, exfiltrate, modify, or delete data
- Issue control plane and management functions
- Snoop on data in transit
- Release malicious software that appears to originate from a legitimate source
Phase 1
Establish Identity Governance
Phase 1 | Phase 2 |
---|---|
1.1 Adopt a Standard Identity Taxonomy 1.2 Establish Roles and Responsibilities for Identity Security |
2.1 Create an Identity Inventory 2.2 Assess Identity-Based Threats and Mitigations 2.3 Build the Identity Security Architecture |
This phase will walk you through the following activities:
- Adopting a standard taxonomy to understand and discuss identity-related security risks.
- Establishing roles and responsibilities for identity governance and security.
This phase involves the following participants:
- Security team
- IT leadership
- Business stakeholders
- Legal
- Human resources
1.1 Adopt a standard identity taxonomy
Estimated Time: 30 minutes
1.1.1 Review Info-Tech identity taxonomy: Review the terms and definitions related to identity security on the following slide.
1.1.2 Customize as required: As a group, discuss each term and its related definition. Modify the definitions as required to fit within your organization. The goal should be to arrive at a common taxonomy for identity security.
Input
- Current taxonomies
- Identity architecture material
Output
- Common, shared understanding of identity security terms and definitions
Materials
- Taxonomy slide
Participants
- Security team
- IT leadership
- Business stakeholders
- Legal
- Human resources
1.1 Identity concepts and definitions
A common identity taxonomy can foster mutual understanding

1.2 Establish roles and responsibilities for identity security
Estimated Time: 1-2 hours
1.2.1 List the tasks for your project: Begin building the RACI chart by defining a list of project tasks. Organize tasks into the following four categories: plan, execute, monitor, and measure. List tasks along the side of your RACI chart as row headers.
1.2.2 Allocate responsibility and ownership for each task: For each task in your RACI chart, determine which stakeholder groups are accountable (A), responsible (R), consulted (C), and/or informed (I). Stakeholder groups should be listed along the top of your RACI chart as column headers.
1.2.3 Analyze your RACI chart: To ensure you have a strong allocation of roles, watch out for common errors and red flags when building the RACI chart. These can include having too many people responsible for a task or not having assigned an accountable person/group. These are defined in more detail in a later slide.
Download the Identity Security RACI Chart Tool
Input
- List of tasks that must be completed as part of the identity security project
- List of stakeholder groups that will be involved in some capacity with the identity security project
Output
- A RACI chart that defines roles for stakeholder groups executing tasks for the identity security project
Materials
- Laptop
- Identity Security RACI Chart Tool
Participants
- Security team
- IT leadership
- Business stakeholders
- Legal
- Human resources
1.2.1 List the tasks for your project
To begin building the RACI chart for your identity security project, list out the project’s required tasks. Organize these tasks into four categories: plan, execute, monitor, and measure. To assist with the development of this task list, consider the sample tasks listed below:
PLAN
- Adopt a common identity security taxonomy.
- Build an identity and access management policy.
- Establish identity governance objectives.
- Inventory identities and assign data owners.
- Model identity-based threats.
- Identify identity security control requirements.
- Develop the identity security architecture.
- Define separation-of-duties constraints.
- Define authorization requirements and ensure systems support those requirements.
EXECUTE
- Create accounts with access that follows the principle of least privilege.
- Deprovision accounts.
- Track policy exceptions when assigning access.
MONITOR
- Monitor access requests (cloud access security broker/security information and event management).
- Report violations of policy or process.
- Review/audit access privileges to prevent privilege creep.
MEASURE
- Build a business case for architecture technology components.
- Measure efficiency and effectiveness of identity security processes.
If you are using Info-Tech’s Identity Security RACI Chart tool, enter your list of tasks into Column B of tab 2, Smart RACI Chart.
1.2.2 Allocate responsibility and ownership for each task
For each task in your RACI chart, determine which stakeholder groups are accountable, responsible, consulted, and/or informed. Each task should have one and only one person/group held accountable and at least one person/group given responsibility. The number of consulted and informed people/groups will differ for each organization.
Responsible (R): The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
Accountable (A): The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor.
Consulted (C): The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs).
Informed (I): The person(s) who is updated on progress. These are resources who are affected by the outcome of the activities and need to be kept up to date.
Stakeholder groups: Senior Management | Security and IAM | The Business
Task | Board of Directors | CIO | CISO or Director of Security | Security/IAM Systems Architect | Security/IAM Engineer | Security/IAM Analyst | Security/IAM Administrator | Privacy Personnel | Identity Owners | Finance | Human Resources | Legal |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Plan | | | | | | | | | | | | |
Adopt a common taxonomy for securing identities at the organization | I | A | R | C | R | C | - | - | I | - | I | - |
Build and maintain an identity and access management policy | I | I | A | C | C | R | R | - | I | - | I | I |
Establish Identity Governance Objectives | A | R | R | R | R | R | R | - | I | - | I | - |
Inventory identities and assign data owners | I | C | R/A | R | R | R | C | - | C | - | C | - |
If you are using Info-Tech’s Identity Security RACI Chart tool, complete the table on tab 2, Smart RACI Chart.
1.2.3 Analyze your RACI chart
To ensure a strong RACI chart, perform vertical and horizontal analyses. These analyses can identify potential breakdowns in project efficiency.

Horizontal Analysis
One Group Accountable: There should be one and only one stakeholder group accountable for a given task. Watch out for cases where there are no A’s or multiple A’s for a task.
No Responsibility: Do any of your rows have zero R’s? If so, this task may not be completed. Ensure each task has responsibility assigned to at least one stakeholder group.
Too Much Responsibility: Do any of your rows have too many R’s? If so, this can be an indication that the task should be split into more specific items.
Vertical Analysis
No Empty Spaces: Do any of your columns have no empty spaces? If so, these stakeholder groups may be involved in too many activities.
Too Much Responsibility: Do any of your columns have too many R’s? If so, does this group have the resourcing to support that much work?
Too Much Accountability: Do any of your columns have too many A’s? If so, can any of these A’s be given to people/groups at a lower level?
If you are using Info-Tech’s Identity Security RACI Chart tool, review Column P on tab 2, Smart RACI Chart, for potential action items based on the tool’s analysis.
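The horizontal and vertical checks above can also be run as a script over an exported chart. The following is an added example, not part of Info-Tech's tool: it uses the four sample rows from section 1.2.2 plus two constructed rows, and the numeric limits for "too many" R's or A's are assumptions, since the text gives no numbers.

```python
# Added example: horizontal and vertical RACI analysis (section 1.2.3).
STAKEHOLDERS = [
    "Board of Directors", "CIO", "CISO or Director of Security",
    "Security/IAM Systems Architect", "Security/IAM Engineer",
    "Security/IAM Analyst", "Security/IAM Administrator", "Privacy Personnel",
    "Identity Owners", "Finance", "Human Resources", "Legal",
]

CHART = {
    # Rows copied from the sample chart in section 1.2.2.
    "Adopt a common taxonomy for securing identities at the organization":
        "I A R C R C - - I - I -",
    "Build and maintain an identity and access management policy":
        "I I A C C R R - I - I I",
    "Establish Identity Governance Objectives":
        "A R R R R R R - I - I -",
    "Inventory identities and assign data owners":
        "I C R/A R R R C - C - C -",
    # Constructed rows: task names come from the EXECUTE list in 1.2.1,
    # the assignments are made up to trigger the horizontal checks.
    "Deprovision accounts":
        "- - C C - - - - I - I -",
    "Track policy exceptions when assigning access":
        "- A A - R R R - C - - -",
}


def parse_chart(chart):
    """Return {task: [set of RACI letters per stakeholder]}; 'R/A' -> {'R', 'A'}."""
    parsed = {}
    for task, row in chart.items():
        cells = [set(cell.split("/")) - {"-"} for cell in row.split()]
        if len(cells) != len(STAKEHOLDERS):
            raise ValueError(f"{task!r}: expected {len(STAKEHOLDERS)} cells")
        unknown = set().union(*cells) - set("RACI")
        if unknown:
            raise ValueError(f"{task!r}: unknown codes {sorted(unknown)}")
        parsed[task] = cells
    return parsed


def horizontal_analysis(parsed, max_r=4):
    """Per task: exactly one A, at least one R, not too many R's.

    max_r is an assumed limit; pick one that fits your organization.
    """
    findings = []
    for task, cells in parsed.items():
        a_count = sum("A" in cell for cell in cells)
        r_count = sum("R" in cell for cell in cells)
        if a_count == 0:
            findings.append((task, "no A"))
        elif a_count > 1:
            findings.append((task, "multiple A"))
        if r_count == 0:
            findings.append((task, "no R"))
        elif r_count > max_r:
            findings.append((task, "too many R"))
    return findings


def vertical_analysis(parsed, max_r=3, max_a=2):
    """Per stakeholder group: no empty spaces, too many R's, too many A's.

    max_r and max_a are assumed limits for this six-row excerpt.
    """
    findings = []
    for who, column in zip(STAKEHOLDERS, zip(*parsed.values())):
        if all(column):  # an empty set marks an empty cell
            findings.append((who, "no empty spaces"))
        if sum("R" in cell for cell in column) > max_r:
            findings.append((who, "too many R"))
        if sum("A" in cell for cell in column) > max_a:
            findings.append((who, "too many A"))
    return findings


if __name__ == "__main__":
    chart = parse_chart(CHART)
    for subject, issue in horizontal_analysis(chart) + vertical_analysis(chart):
        print(f"{issue:16} {subject}")
```

On the sample rows, the only horizontal finding is "Establish Identity Governance Objectives", which carries six R's; the remaining horizontal findings come from the two constructed rows.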
Phase 2
Identify Threat-Based Identity Security Controls
Phase 1 | Phase 2 |
---|---|
1.1 Adopt a Standard Identity Taxonomy 1.2 Establish Roles and Responsibilities for Identity Security |
2.1 Create an Identity Inventory 2.2 Assess Identity-Based Threats and Mitigations 2.3 Build the Identity Security Architecture |
This phase will walk you through the following activities:
- Inventorying your identity types and repositories.
- Identifying and assessing threats to your identities and mitigations for those threats.
- Building out an identity security architecture.
This phase involves the following participants:
- Security team
- IT leadership
- Business stakeholders
- Human resources
2.1 Create an identity inventory
Estimated Time: 2-4 hours
2.1.1 Document identity repositories: Identify and document your existing identity repositories or directories. For each repository, document its location, description, and owner.
2.1.2 Inventory your identity types: List all identity types that exist at the organization. For each identity type, document that type’s boundary (e.g., internal identity, external identity, hybrid identity), owner, and risk level based on typical access levels, as well as repositories where that identity type is stored.
Download the Identity Security Architecture Tool
Input
- List of tasks that must be completed as part of the identity security project
- List of identity types and associated information
Output
- An identity inventory that can be used to determine which identity-based threats need to be considered
Materials
- Laptop
- Identity Security Architecture Tool
Participants
- Security team
- IT leadership
- Business stakeholders
- Legal
- Human resources
2.1.1 Document identity repositories
Identify and document your existing identity repositories or directories. For each repository, document its location, description, and owner.

Location
Internal: Repository is on premises.
Hybrid: Repository exists both on premises and in the cloud.
External: Repository is in the cloud.
Owner
Who manages the identity repository?
If you are using Info-Tech’s Identity Security Architecture Tool, document items on tab 2, Repositories.
2.1.2 Inventory your identity types
List all identity types that exist at the organization. For each identity type, document that type’s boundary (e.g., internal identity, external identity, internal and external identity), owner, and risk level based on typical access levels, as well as repositories where that identity type is stored.

Boundary
Internal Only: Housed within your organization.
External Only: External to your organization.
Internal/External: Identity applies internally and externally.
Risk Level
The more access this identity type typically has, the higher the risk level should be. In the case where access levels vary widely for an identity type, either separate these into two separate types (e.g., Employee separates into Non-Privileged Employee and Privileged Employee) or choose the highest applicable risk level.
If you are using Info-Tech’s Identity Security Architecture Tool, document items on tab 3, Identity Types.
2.2 Assess identity-based threats and mitigations
Estimated Time: 1-2 hours
2.2.1 Review and assess identity-based MITRE ATT&CK® threats: For each identity-specific threat technique from the MITRE ATT&CK® framework, assess the likelihood that your organization may experience that threat. This score will be applied to each identity repository identified in step 2.1.1. Consider if any of the identity repositories should be given a higher or lower score, based on the repository being more or less likely to experience the threat being considered.
2.2.2 Review and assess identity-based MITRE ATT&CK® mitigations: For each identity-specific threat mitigation from the MITRE ATT&CK® framework, assess the strength of that mitigation within your organization. This score will be applied to each identity repository identified in step 2.1.1. Consider if any of the identity repositories should be given a higher or lower score, based on the mitigation being considered having a higher or lower strength for that repository.
Download the Identity Security Architecture Tool
Input
- List of identity-specific threat techniques from the MITRE ATT&CK® framework
- List of identity-specific threat mitigations from the MITRE ATT&CK® framework
Output
- Identity-based threat and mitigation assessment using the MITRE ATT&CK® framework
Materials
- Laptop
- MITRE ATT&CK® framework
Participants
- Security team
2.2.1 Review and assess identity-based MITRE ATT&CK® threats
For each identity-specific threat technique from the MITRE ATT&CK® framework, assess the likelihood that your organization may experience that threat. This score will be applied to each identity repository identified in step 2.1.1. Consider if any of the identity repositories should be given a higher or lower score, based on the repository being more or less likely to experience the threat being considered.

Probability
Is there a zero, low, medium, or high probability that this threat could be experienced at the organization?
Repositories
For each known identity repository, is there a higher or lower probability of a threat being experienced?
In Info-Tech’s Identity Security Architecture Tool, assess the threats listed on tab 4, Threats.
2.2.2 Review and assess identity-based MITRE ATT&CK® mitigations
For each identity-specific threat mitigation from the MITRE ATT&CK® framework, assess the strength of that mitigation within your organization. This score will be applied to each identity repository identified in step 2.1.1. Consider if any of the identity repositories should be given a higher or lower score, based on the mitigation being considered having a higher or lower strength for that repository.
Strength
For applicable mitigations, is the mitigation’s strength low, medium, or high?
Repositories
For each known identity repository, is the strength of the mitigation being considered higher or lower?
In Info-Tech’s Identity Security Architecture Tool, assess the mitigations listed on tab 5, Mitigations.
2.3 Build the identity security architecture
Estimated Time: 1-2 hours
2.3.1 Assess architecture controls: Once you have completed tabs 2 to 5 of the Identity Security Architecture Tool, the tool will produce an architecture diagram on tab 6. The architecture diagram also functions as a risk heat map, allowing you to quickly identify areas of high risk or weak controls. As you review the diagram, consider the following:
- Reducing risks associated with identity types – for instance, by implementing role-based access control – can be effective but is often very difficult.
- Concentrate most of your efforts on improving mitigations because these tend to be the architectural components that you have the most control over.
- Use a copy of the tool to experiment with how improvements to mitigations might affect overall repository risk. You can do this by making incremental changes to the mitigation strengths and then seeing how that impacts your repository risks.
- Mitigation improvements that show significant risk reduction should be prioritized for implementation.
Download the Identity Security Architecture Tool
Input
- Identity inventory
- Identity-based threat and mitigation assessment using the MITRE ATT&CK® framework
Output
- An identity security architecture with prioritized controls
Materials
- Laptop
- Identity Security Architecture Tool
Participants
- Security team
- IT leadership
2.3 Review the identity security architecture
When you have completed the data entry for the architecture tool, you can review tab 6, which presents a heat map architecture of risks and mitigations across your identity stores. The architecture can be used to identify areas for improvement.

If you are using Info-Tech’s Identity Security Architecture Tool, review the architecture on tab 6, Architecture.
Summary of accomplishment
Problem Solved
By following Info-Tech’s methodology for assessing and governing identity security, you will have:
- Developed a common terminology and understanding of identity concepts.
- Identified the roles and responsibilities within your organization for the governance of identity security.
- Inventoried your identity types and identity repositories.
- Identified security threats against your identities.
- Assessed your identity security mitigations.
- Developed an identity security architecture to understand and mitigate weaknesses.
Additional Support
If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
The following are sample activities that will be conducted by Info-Tech analysts with your team:
- RACI Matrix: Capture roles and responsibilities using the Identity Security RACI Chart.
- Architecture Tool: Complete the Identity Security Architecture Tool.
Related Info-Tech Research
Simplify Identity and Access Management
- Our research will help organizations take back control of their IAM environment by creating and implementing an RBAC model.
- The tools included in this research help create a repeatable, simplified auditing process and minimize the amount of entitlement sprawl.
- This research will educate readers on selecting and implementing IAM vendors. It will assist in producing vendor RFPs and shortlisting vendors to ensure that selected vendor solutions offer capabilities required by the organization (e.g. MFA) based on business goals, compliance, and other gaps, and offer integration functionality with the different cloud vendors used by the organization.
Mature Your Identity and Access Management Program
- Info-Tech provides a high-level framework that helps organizations ensure they are following best practice at all stages of an identity's lifecycle.
- Identify the drivers behind improving your IAM practices.
- Develop best-practice processes for each section of the identity lifecycle.
- Understand the benefits of using IAM software.
- Use our research to start your journey to mature the IAM program at your organization.
Build an Information Security Strategy
- Info-Tech has developed a highly effective approach to building an information security strategy, an approach that has been successfully tested and refined for more than seven years with hundreds of different organizations.
- This approach includes tools for:
  - Ensuring alignment with business objectives.
  - Assessing organizational risk and stakeholder expectations.
  - Enabling a comprehensive current-state assessment.
  - Prioritizing initiatives and building out a security roadmap.
Research Contributors
Brian Michell
Chief Information Officer
Effort Trust
Don Davidson
Enterprise Security Architect
Canada Life
Eric Galis
VP Compliance and Security
Engage
Keith Scarbeau
Cyber Security Architect
St. Luke’s Health System Ltd.
Marc Mazur
Senior Consultant
KPMG
Mark Galloway
Associate Partner
IAMConcepts Security Solutions Inc.
Luc Gagne
Senior Vice President
IAMConcepts Security Solutions Inc.
Fabrizio Ienna
IAM Solutioning/Project Manager
IAMConcepts Security Solutions Inc.
Raj Sookha
Manager IT Architecture
Toronto Community Housing
Ron Pirau
Chief Information Officer
Archdiocese of Indianapolis
Sumit Jain
Chief Information Security Officer
Louisiana State University