CISSP Lens: Pick answers that align business risk, governance intent, and practical control execution.
Identity Management Fundamentals: The Foundation of Who Gets Access to What
Hook / Why this matters
Every security decision about who can do what starts with identity. If your identity records are wrong, stale, or weakly verified, every downstream control becomes unreliable. Strong identity management turns a messy set of accounts into a trustworthy foundation for access control and auditing.
Core concept explained simply
Identity management is the set of processes and technologies that answer three basic questions:
- Who are you, really?
- What accounts represent you in our systems?
- When should those accounts be created, changed, or removed?
At a practical level, identity management covers:
Identity lifecycle
Every digital identity follows a lifecycle:
- Provisioning: Creating accounts when someone joins, changes roles, or needs access
- Maintenance: Updating attributes, roles, group memberships, and entitlements as responsibilities change
- Deprovisioning: Disabling and eventually removing accounts when they are no longer needed
If any stage fails, you get problems like orphaned accounts, excessive access, or people blocked from doing their job.
Identity proofing and verification
Before you trust an identity, you must verify that the person is who they claim to be. This process is called identity proofing.
- For employees, proofing usually happens during hiring, background checks, and HR onboarding
- For customers, it might involve document checks, out-of-band verification, or trusted third-party identity providers
Frameworks like NIST SP 800-63 describe identity assurance levels that match proofing strength to risk. Higher risk access requires stronger proofing.
Unique identifiers and avoiding shared accounts
Each person should have a unique identifier that never changes. That might be an employee ID or customer number. Systems use this identifier to tie together all of that person's accounts and access.
Shared accounts, for example a generic admin login used by several people, break this model. If multiple people use the same account, you lose accountability, and forensic investigations become guesswork.
Directory services and identity stores
Identity data needs a central source of truth. Common options include:
- LDAP directories such as OpenLDAP
- Microsoft Active Directory for Windows-based enterprises
- Cloud identity providers such as Azure AD or Okta
These systems store attributes, group memberships, and authentication information, and they answer the basic question, "Who is this user?" for many connected applications.
Identity as a Service and federation
Modern environments often use Identity as a Service (IDaaS) platforms that provide cloud-based directories, authentication, and single sign-on.
Federated identity extends this idea across organizations. Instead of creating local accounts for partners or external users, you trust their home identity provider through standards like SAML or OpenID Connect. The external IdP vouches for the user's identity, and your systems accept that assertion.
Service accounts and non human identities
Not all identities belong to humans. You also have:
- Service accounts for applications and batch jobs
- API clients and machine-to-machine identities
- Robotic process automation identities
These identities often have significant privileges but are easy to overlook. They require the same lifecycle management, proofing, and oversight as user accounts.
CISSP lens
From a CISSP perspective, identity management is foundational to Domain 5 and influences several other domains.
Key points through the exam lens:
- Identity lifecycle: You should know the stages and the security risks that arise when provisioning, maintenance, or deprovisioning is weak
- Identity proofing: For higher value or regulated systems, proofing strength must match risk
- Accountability: Unique identities and prohibition of shared accounts support logging, monitoring, and incident investigation
- Integration: Directories and IdPs provide central control for authentication and attribute management
On the exam, identity management questions often hide inside scenarios about access control failures, orphaned accounts, or audit findings. Look for root causes in weak lifecycle processes or lack of integration with HR.
Real world scenario
A mid-sized company with 1,200 employees used manual, email-based processes for account changes. HR would email IT when someone joined or left. In practice, HR did not always send termination notices, and IT staff were busy enough that disabling accounts was not a priority.
An internal audit compared the HR employee roster with Active Directory and discovered that 80 former employees still had active accounts, including three former system administrators. One of those accounts was used to log into the VPN months after the employee left. The organization could not prove who used it.
To fix this, the company implemented:
- HR system integration with the identity management platform, so terminations automatically triggered account disablement
- A formal identity lifecycle policy that defined timelines for provisioning and deprovisioning
- Unique, non-shared accounts for all administrators, combined with privileged access management for elevated tasks
- Quarterly reconciliation of HR records against identity stores to catch discrepancies
Within one cycle, orphaned accounts dropped from 80 to 3, and follow-up investigations identified process gaps with contractors that were then addressed.
Common mistakes and misconceptions
- Relying on manual communication between HR and IT. Email or ticket-based processes without automation almost always lead to delayed deprovisioning and orphaned accounts.
- Allowing shared accounts for administrators or support teams. This saves time in the short term but destroys accountability and violates many compliance expectations.
- Ignoring non human identities. Service accounts, scripts, and integration accounts often have powerful privileges yet are rarely reviewed or tied to a clear owner.
- Treating identity as once and done. Identities evolve as people change roles. Without ongoing maintenance and periodic reviews, privilege creep and inaccurate attributes accumulate.
- Having multiple conflicting sources of truth. When HR, the directory, and application databases all hold overlapping identity data, mismatches and stale records are inevitable.
Actionable checklist
- Compare your HR employee and contractor records against all major identity stores. Disable or investigate any accounts without a matching HR record.
- Document the identity lifecycle, including who approves provisioning, how changes are requested, and the maximum allowed time from termination to account disablement.
- Eliminate shared accounts wherever possible. Where technology constraints force shared use, implement strong compensating controls such as session recording and individual credential checkout.
- Inventory all service and application accounts. Assign an accountable owner for each, define their purpose, and ensure they follow the same review schedule as user accounts.
- Centralize identity data into a directory or identity provider and integrate key applications to reduce local account silos.
- Define identity proofing requirements for employees, contractors, and external users based on risk and regulatory needs, then document how those requirements are met.
- Schedule regular reconciliations between HR systems, directories, and key applications to identify orphaned or mismatched accounts.
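The HR-to-directory reconciliation described in the scenario and in the checklist above, as an added example that is not part of the original article. The HR roster, the directory export fields, and the one-day disablement window are constructed assumptions; a real run would read an HR feed and a directory export instead.

```python
from datetime import date

# Constructed sample data (not real records).
# HR roster keyed by the unique, never-changing employee ID.
HR_ROSTER = {
    # employee_id: (name, status, termination_date or None)
    "E1001": ("Ana Lopez", "active", None),
    "E1002": ("Ben Osei", "terminated", date(2024, 3, 1)),
    "E1003": ("Cara Diaz", "active", None),
}

# Directory export: (account, employee_id attribute, enabled, kind, owner)
DIRECTORY_EXPORT = [
    ("alopez", "E1001", True, "user", None),
    ("bosei", "E1002", True, "user", None),      # terminated in HR, still enabled
    ("cdiaz", "E1003", True, "user", None),
    ("jsmith", None, True, "user", None),        # no HR record at all
    ("svc-backup", None, True, "service", "E1001"),
    ("svc-etl", None, True, "service", None),    # service account with no owner
]

MAX_DISABLE_DAYS = 1  # assumed policy: disable within one day of termination


def reconcile(hr, directory, today, max_disable_days=MAX_DISABLE_DAYS):
    """Return (account, reason) findings for accounts that violate lifecycle policy."""
    findings = []
    for account, emp_id, enabled, kind, owner in directory:
        if kind == "service":
            # Non-human identities need an accountable, currently active owner.
            if owner not in hr or hr[owner][1] != "active":
                findings.append((account, "service account without active owner"))
            continue
        if not enabled:
            continue  # already disabled; nothing to flag
        if emp_id is None or emp_id not in hr:
            findings.append((account, "orphaned: no matching HR record"))
            continue
        status, term_date = hr[emp_id][1], hr[emp_id][2]
        if status == "terminated":
            overdue = (today - term_date).days
            if overdue > max_disable_days:
                findings.append((account, f"still enabled {overdue} days after termination"))
    return findings


if __name__ == "__main__":
    for account, reason in reconcile(HR_ROSTER, DIRECTORY_EXPORT, date(2024, 6, 1)):
        print(f"{account}: {reason}")
```

Each finding maps to a lifecycle stage from the article: a terminated-but-enabled account is a deprovisioning failure, an account with no HR match is an orphan from a broken source of truth, and an ownerless service account is the non-human identity gap.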
Key takeaways
- Identity management is the foundation of access control. If identities are inaccurate or weakly verified, authorization and auditing cannot be trusted.
- A clear, automated identity lifecycle linked to HR events greatly reduces orphaned accounts and privilege creep.
- Unique, individual accounts are essential for accountability; shared accounts should be eliminated or tightly controlled.
- Service accounts and other non human identities require the same rigor as user accounts.
- Periodic reconciliation across systems provides an important detective control to catch process failures.
Optional exam style reflection question
Question: An internal audit finds that 15 percent of active accounts in the directory do not match any current employee or contractor record. What is the most likely root cause, and what should the security team prioritize first?
Answer: The most likely root cause is a failed or weak de provisioning process that is not reliably triggered by HR termination events. The security team should first disable or review the orphaned accounts, then work with HR and IT to integrate identity management with HR systems so that terminations immediately disable accounts. They should also establish periodic reconciliations to detect future gaps.