AuditRubric
pr-aa-1 | critical | Protect / Identity Management, Authentication, and Access Control

Identities and credentials are managed for authorized users and devices

Every account that can access your systems is a potential entry point. Managing identities centrally, with a single source of truth for who has access to what, lets you grant access consistently, revoke it immediately when someone leaves, and audit access decisions over time.

Estimated effort: 4h
Tags: identity, access-control, iam, provisioning, offboarding

Implementation steps

  1. Centralize identity in a single IdP

     Route all application access through one identity provider. Every SaaS tool, cloud console, and internal service should authenticate via your IdP, not via shared passwords or per-app local accounts.

     Tools: okta, google-workspace, microsoft-entra, jumpcloud

  2. Enforce unique accounts per person

     No shared accounts. Every user has exactly one identity tied to their work email. Shared credentials make attribution impossible and cannot be revoked individually.

  3. Implement a joiner-mover-leaver process

     Define a documented procedure for provisioning access on day one, adjusting it when roles change, and fully revoking it within 24 hours of departure. Automate where possible via your IdP's lifecycle management.

     Tools: okta, rippling, workday

  4. Review active accounts quarterly

     Run an access review every quarter. For each system, verify that every account with access still needs it. Revoke stale accounts. Document the review.
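As an added example (not part of the rubric or any vendor's tooling), the checks behind steps 2 to 4 can be scripted against an IdP user export. The script below runs over a constructed Okta-style user list and a constructed HR roster, and flags active accounts that have no named owner, leavers still active after the 24-hour revocation window, and accounts with no sign-in in the last 90 days. The field names, the review date and the sample records are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample IdP export (Okta-style fields) and HR roster; not real data.
IDP_USERS = [
    {"login": "alice@example.com", "status": "ACTIVE", "lastLogin": "2024-06-01T09:00:00Z"},
    {"login": "bob@example.com", "status": "ACTIVE", "lastLogin": "2024-01-15T09:00:00Z"},
    {"login": "carol@example.com", "status": "ACTIVE", "lastLogin": "2024-06-10T09:00:00Z"},
    {"login": "ops-shared@example.com", "status": "ACTIVE", "lastLogin": "2024-06-11T09:00:00Z"},
    {"login": "dave@example.com", "status": "DEPROVISIONED", "lastLogin": "2024-03-01T09:00:00Z"},
]
HR_ROSTER = {  # one person per work email; "terminated" is the departure timestamp or None
    "alice@example.com": {"terminated": None},
    "bob@example.com": {"terminated": None},
    "carol@example.com": {"terminated": "2024-06-08T17:00:00Z"},
    "dave@example.com": {"terminated": "2024-03-02T17:00:00Z"},
}
REVIEW_DATE = datetime(2024, 6, 12)  # assumed date the quarterly review is run


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-06-01T09:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def review_accounts(idp_users, hr_roster, as_of, stale_days=90, revoke_sla_hours=24):
    """Return {login: [finding, ...]} for every active account that needs a reviewer decision."""
    findings = {}
    for user in idp_users:
        if user["status"] != "ACTIVE":
            continue  # already revoked in the IdP; nothing left to review
        login = user["login"]
        issues = []
        person = hr_roster.get(login)
        if person is None:
            issues.append("no-owner")  # shared or orphaned account: no single person owns it (step 2)
        elif person["terminated"] is not None:
            # Leaver still active: flag once the 24-hour revocation window has passed (step 3)
            if as_of - parse_ts(person["terminated"]) > timedelta(hours=revoke_sla_hours):
                issues.append("leaver-not-revoked")
        last = user.get("lastLogin")
        if last is None or as_of - parse_ts(last) > timedelta(days=stale_days):
            issues.append("stale")  # no sign-in within the review period (step 4)
        if issues:
            findings[login] = issues
    return findings


if __name__ == "__main__":
    for login, issues in sorted(review_accounts(IDP_USERS, HR_ROSTER, REVIEW_DATE).items()):
        print(f"{login}: {', '.join(issues)}")
```

Each flagged login becomes one row in the review spreadsheet, with the reviewer's decision and date recorded alongside it as the evidence this control asks for.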

Evidence required

IdP user directory

Screenshot or export of your identity provider showing all active users.

  • Okta people list export
  • Google Workspace admin users report
  • Entra ID user list

Joiner-mover-leaver procedure

Written document describing the process for onboarding, role changes, and offboarding.

  • IT runbook or wiki page
  • HR onboarding checklist that includes access provisioning steps

Most recent access review

Documentation that an access review was completed in the last 90 days.

  • Signed-off spreadsheet from the last quarterly review
  • Ticket or task marked complete with reviewer name and date

Related controls