Revocation Automation (Process - IAM)

Owned by David Doret
Last updated: 19-44-2020
1 min read

Parent Process

https://open-measure.atlassian.net/wiki/spaces/PROC/pages/67698695

Title

Revocation Automation

Version

1.0 Ready for peer review

Domain

IAM

Goals

Objective

Streamlined revocation

Inputs

Activities

  • Design, implement, monitor and maintain revocation automation mechanisms

  • Automatically invalidate (e.g. by deactivation, cancellation or removal) IAM artifacts (i.e. identity, principal, credential, authorization) in compliance with and within the delays set by policies

  • Implement and optimize account lockout policies

  • Keep audit logs in compliance with policies

  • Manage the risk of automation failure

  • Optimize / extend the scope and reliability of revocation automation

Outputs

  • Revoked IAM artifacts (i.e. identities, principals, credentials, authorizations)

  • Audit logs

  • Revocation automation mechanisms

  • Automation failure alerts

  • Enforced account lockout policies

Indicators

Scopes

In order to adopt a risk-based approach, organizations may define in their policies a mandatory scope and a discretionary scope for revocation automation. For instance, the mandatory scope may comprise sensitive systems, internet-facing systems, systems accessed by external partners, etc. Automation would be deployed in the discretionary scope on a best-effort basis.

See https://open-measure.atlassian.net/wiki/spaces/PROC/pages/67698695 for general revocation scope dimensions.

Risks

  • Augment the security attack surface with insecure automation mechanisms

  • Automation failure without an effective “plan b”

  • Silent automation errors leading to a false sense of security

See https://open-measure.atlassian.net/wiki/spaces/PROC/pages/67698695 for general revocation risks.

Sources

See Also

Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.

This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.