Some concepts to assist with improving the security of an identity and access management fabric:
- IAM risk must be assessed across the end-to-end life cycle of the identity
- Identities for people, software and hardware must be considered
- Every digital identity (human and non-human) must resolve to a physical, carbon-based person who is accountable for it
- Vulnerability analysis must cover both identity data and identity behaviour
- A human readable description must be present for all permissions, policies, scopes and claims
- For humans, authentication events must bind to a validated and verified biometric profile
- Session material and access tokens should be bound to the requesting context, i.e. the device or process that obtained them
- Authorization enforcement should validate the context captured at issuance against the context presenting the credential
- Native identity and permission changes should be prohibited by default
- Changes to policy must be tied to runtime risk
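The two points about binding tokens to the requesting context and validating that captured context at enforcement time, as an added example in Go that is not part of this page or of any product it refers to. The token carries a thumbprint of the holder's device key and the device identifier captured at issuance; the enforcement point accepts the token only with a fresh proof of possession signed by that key and only from the recorded device. The claim names (`cnf_jkt`, `device_id`), the `Enforcer` type, the proof format and the sample identities (`alice`, `laptop-17`, `evil-box`) are assumptions made for illustration; the construction loosely mirrors DPoP (RFC 9449) and certificate-bound tokens (RFC 8705) rather than implementing either.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims (names chosen for this example): cnf_jkt is the SHA-256 thumbprint of the
// holder's public key, device_id the requesting context captured at issuance.
type Claims struct {
	CnfJKT   string `json:"cnf_jkt"`
	DeviceID string `json:"device_id"`
}

type Proof struct {
	HolderPub           ed25519.PublicKey
	Nonce, Method, Path string
	Sig                 []byte // signed by the holder's private key, per request
}

var b64 = base64.RawURLEncoding

func thumbprint(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return b64.EncodeToString(h[:])
}

// IssueToken signs the claims with the issuer key: base64url(body).base64url(sig).
func IssueToken(issuer ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(issuer, body))
}

// The holder signs a hash of the exact token plus nonce, method and path, so a captured proof is useless elsewhere.
func proofMessage(token, nonce, method, path string) []byte {
	th := sha256.Sum256([]byte(token))
	return []byte(b64.EncodeToString(th[:]) + "|" + nonce + "|" + method + "|" + path)
}

func MakeProof(holder ed25519.PrivateKey, token, method, path string) Proof {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	nonce := b64.EncodeToString(n)
	sig := ed25519.Sign(holder, proofMessage(token, nonce, method, path))
	return Proof{HolderPub: holder.Public().(ed25519.PublicKey), Nonce: nonce, Method: method, Path: path, Sig: sig}
}

type Enforcer struct {
	IssuerPub ed25519.PublicKey
	seen      map[string]bool // nonces already accepted; must be initialised
}

func (e *Enforcer) Authorize(token string, p Proof, reqDevice, method, path string) (Claims, error) {
	var c Claims
	b, s, found := strings.Cut(token, ".")
	body, err1 := b64.DecodeString(b)
	sig, err2 := b64.DecodeString(s)
	if !found || err1 != nil || err2 != nil || !ed25519.Verify(e.IssuerPub, body, sig) ||
		json.Unmarshal(body, &c) != nil {
		return c, errors.New("malformed token or bad issuer signature")
	}
	// Binding: the key proving possession must be the one the token was issued to.
	if len(p.HolderPub) != ed25519.PublicKeySize || thumbprint(p.HolderPub) != c.CnfJKT {
		return c, errors.New("token not bound to presenting key")
	}
	// Proof: must cover this token and this request, with a nonce never accepted before.
	if p.Method != method || p.Path != path || e.seen[p.Nonce] ||
		!ed25519.Verify(p.HolderPub, proofMessage(token, p.Nonce, method, path), p.Sig) {
		return c, errors.New("invalid or replayed proof")
	}
	e.seen[p.Nonce] = true
	// Context: the requesting device must match what was captured at issuance.
	if reqDevice != c.DeviceID {
		return c, errors.New("device context mismatch")
	}
	return c, nil
}

// Demo: legitimate use, then the leaked token string from another host under the attacker's own key, then a replay.
func Demo() (ok, stolen, replay error) {
	issPub, issPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, devPriv, _ := ed25519.GenerateKey(rand.Reader) // kept on the legitimate device
	_, attPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key
	token := IssueToken(issPriv, Claims{CnfJKT: thumbprint(devPriv.Public().(ed25519.PublicKey)), DeviceID: "laptop-17"})
	enf := &Enforcer{IssuerPub: issPub, seen: map[string]bool{}}
	p := MakeProof(devPriv, token, "GET", "/files")
	_, ok = enf.Authorize(token, p, "laptop-17", "GET", "/files")
	_, stolen = enf.Authorize(token, MakeProof(attPriv, token, "GET", "/files"), "evil-box", "GET", "/files")
	_, replay = enf.Authorize(token, p, "laptop-17", "GET", "/files")
	return
}

func main() { fmt.Println(Demo()) }
```

Two caveats a practitioner would add before using this shape for real: the `seen` set grows without bound, so a deployed proof carries a timestamp and the enforcer accepts only a short window, letting old nonces be forgotten; and the `device_id` string here stands in for whatever context the enforcement point can actually verify (a client certificate, a device attestation), since a self-asserted identifier is not context, just another claim.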
Further Reading:
- Identity Security: What Next?
- What Identity Security Isn’t
- Hardware, Software & People: Why All Identities Need a Life Cycle
Last Updated: Jan 2025