Identity Defined Security Alliance

Putting Identity at the Center of Security

2020 Identity Defined Security Outcomes - Draft

The list below represents the initial library of outcomes that will be defined. For each Security Outcome, the vendor-neutral implementation approaches will be defined, as described in the Framework definition.

The first 6 Outcomes below have been defined and published for community review. Please respond to this topic with questions and comments regarding this initial list and any additional Security Outcomes your organization is working to achieve.

Security Outcome Description

  1. All privileged access requires MFA
  2. All privileged access rights are continuously discovered
  3. All privileged access is periodically attested
  4. Privileged accounts and entitlements are granted through governance-driven provisioning
  5. User accounts and entitlements are granted through governance-driven provisioning
  6. Access is revoked upon detection of a high risk event associated with that identity
  7. Access to sensitive data is periodically attested
  8. All user access rights are continuously discovered
  9. Privileged access rights are granted according to the Principle of Least Privilege
  10. Application access is transparently audited and enforced
  11. Device characteristics are used for authentication
  12. Expected user behavior is used for authentication
  13. User accounts and entitlements are removed through governance-driven de-provisioning
  14. Privileged accounts and entitlements are removed through governance-driven de-provisioning
  15. Re-attestation is triggered based on a high risk event
  16. User access rights are granted according to the Principle of Least Privilege