Revocation Automation (Process - IAM)

Parent Process	Revocation (Process - IAM)
Title	Revocation Automation
Version	1.0 Ready for peer review
Domain	IAM
Goals	Process Automation (IAM Goal) +++ Productivity Gains (IAM Goal) +++ ++ ++ ++
Objective	Streamlined revocation
Inputs	Revocation triggers (cf.)
Activities	Design, implement, monitor and maintain revocation automation mechanisms Automatically invalidate (e.g. by deactivation, cancellation or removal) IAM artifacts (i.e. identity, principal, credential, authorization) in compliance with and within the delays set by policies Implement and optimize account lockout policies Keep audit logs in compliance with policies Manage the risk of automation failure Optimize / extend the scope and reliability of revocation automation
Outputs	Revoked IAM artifacts (i.e. identities, principals, credentials, authorizations) Audit logs Revocation automation mechanisms Automation failure alerts Enforced account lockout policies
Indicators
Scopes	In order to adopt a risk-based approach, organizations may define in their policies a mandatory scope and a discretionary scope for revocation automation. For instance, the mandatory scope may comprise sensitive systems, internet-facing systems, systems accessed by external partners, etc. Automation would be deployed in the discretionary scope on a best-effort basis. See for general revocation scope dimensions.
Risks	Augment the security attack surface with insecure automation mechanisms Automation failure without an effective “plan b” Silent automation errors leading to a false sense of security See for general revocation risks.
Sources
See Also