
Identity Lifecycle through a cybersecurity lens

By Oculus

November 11, 2025


1. Provisioning (Birth of Identity)

What it is: Creation of a new identity (user, service account, API key, IoT device cert, etc.) in systems like AD, IAM, or IDP.

Security focus:

  • Enforce identity proofing (verify the person or service origin).
  • Apply least privilege from the start (RBAC/ABAC).
  • Tag and classify the identity (human/non-human, internal/external).
  • Generate unique credentials — no shared accounts.
  • Use secure enrollment (MFA on first login, verified email/SMS, hardware token delivery tracking).

2. Authorization & Access Assignment

What it is: Assigning roles, policies, or permissions that define what resources this identity can access.

Security focus:

  • Enforce Zero Trust — every access decision must be context-aware.
  • Use role engineering: roles mapped to business functions, not people.
  • Avoid privilege creep by validating toxic combinations (e.g., same person can't approve and pay invoices).
  • Log who approved what access, and when.
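Below is an added example (not code from the original post) of the two controls in this list that are easiest to get wrong in practice: blocking toxic role combinations at grant time and recording who approved each decision. The role names and the conflicting pairs are assumptions chosen for illustration; a real deployment would load them from its identity governance policy.

```python
"""Role grant with separation-of-duties (SoD) enforcement and an approval log.

Added example, not from the original post. Role names, the toxic pairs and
the log record layout are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Toxic combinations: holding both roles in a pair lets one identity complete
# a sensitive process end to end (assumed pairs, e.g. approve AND pay invoices).
TOXIC_PAIRS = {
    frozenset({"invoice_approver", "payment_releaser"}),
    frozenset({"vendor_creator", "payment_releaser"}),
    frozenset({"iam_admin", "audit_log_admin"}),
}


@dataclass
class AccessLedger:
    """Current role assignments plus an append-only approval log."""
    roles: dict[str, set[str]] = field(default_factory=dict)
    approval_log: list[dict] = field(default_factory=list)

    def conflicts(self, identity: str, new_role: str) -> list[frozenset]:
        """Return every toxic pair that granting new_role would complete."""
        held = self.roles.get(identity, set()) | {new_role}
        return [pair for pair in TOXIC_PAIRS if pair <= held]

    def grant(self, identity: str, new_role: str, approver: str) -> bool:
        """Grant a role unless it is self-approved or creates an SoD conflict.

        Every decision, allowed or denied, is written to the approval log so
        the 'who approved what, and when' question can always be answered.
        """
        decision, reason = "granted", ""
        if approver == identity:
            decision, reason = "denied", "self-approval"
        else:
            found = self.conflicts(identity, new_role)
            if found:
                decision = "denied"
                reason = "sod:" + ",".join(
                    sorted("+".join(sorted(p)) for p in found))
        self.approval_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "identity": identity, "role": new_role, "approver": approver,
            "decision": decision, "reason": reason,
        })
        if decision == "granted":
            self.roles.setdefault(identity, set()).add(new_role)
            return True
        return False


if __name__ == "__main__":
    ledger = AccessLedger()
    ledger.grant("alice", "invoice_approver", "bob")   # granted
    ledger.grant("alice", "payment_releaser", "bob")   # denied: SoD conflict
    ledger.grant("alice", "vendor_creator", "alice")   # denied: self-approval
    for entry in ledger.approval_log:
        print(entry)
```

The check runs against the roles the identity already holds, so a combination that is harmless on its own is caught the moment the second half is requested, which is exactly how privilege creep normally happens.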

3. Authentication (Identity Validation)

What it is: Verifying that the claimed identity is legitimate each time it interacts with the system.

Security focus:

  • Use MFA (not just passwords).
  • Prefer passwordless methods (FIDO2, WebAuthn).
  • Protect session tokens and cookies against replay and theft.
  • Centralize auth via SSO / IDP to control from one place.
  • Continuously monitor risk: impossible travel, device posture, etc.
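The following added example (not from the original post) illustrates the session-token point: a token that is signed server-side, carries an expiry, and is bound to the client's device fingerprint, so a copy stolen from one device fails validation on another and a modified copy fails the signature check. The server key, the fingerprint format and the token layout are assumptions for illustration; production systems would typically delegate this to the IDP's own session handling.

```python
"""Signed, expiring, device-bound session tokens.

Added example, not from the original post. SERVER_KEY, the fingerprint
scheme and the token layout are assumptions for illustration.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Assumed per-deployment secret; it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def _fp_hash(device_fp: str) -> str:
    # Store only a hash of the client fingerprint, never the raw value.
    return hashlib.sha256(device_fp.encode()).hexdigest()


def issue_session(identity: str, device_fp: str, now: int, ttl_seconds: int = 900) -> str:
    """Return '<base64 payload>.<hmac>' bound to identity, device and expiry."""
    body = {
        "sid": secrets.token_urlsafe(16),   # unique per session
        "sub": identity,
        "dev": _fp_hash(device_fp),
        "exp": now + ttl_seconds,
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def validate_session(token: str, device_fp: str, now: int):
    """Return (identity, 'ok') or (None, reason) without leaking which check failed first to the client."""
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None, "malformed"
    # Constant-time comparison: a forged or edited token is rejected here.
    if not hmac.compare_digest(_sign(payload), sig):
        return None, "bad_signature"
    body = json.loads(payload)
    if now >= body["exp"]:
        return None, "expired"
    # Replay from a different device: fingerprint hash does not match.
    if not hmac.compare_digest(body["dev"], _fp_hash(device_fp)):
        return None, "device_mismatch"
    return body["sub"], "ok"


if __name__ == "__main__":
    t = issue_session("alice", "fp-laptop-A", now=1_000)
    print(validate_session(t, "fp-laptop-A", now=1_100))   # ('alice', 'ok')
    print(validate_session(t, "fp-other-B", now=1_100))    # (None, 'device_mismatch')
    print(validate_session(t, "fp-laptop-A", now=2_000))   # (None, 'expired')
```

Binding to a device fingerprint is a mitigation, not a guarantee: a fingerprint can be copied along with the token if the attacker controls the endpoint, which is why the short TTL and the risk signals in the next list (impossible travel, device posture) remain necessary.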

4. Usage & Monitoring

What it is: The identity actively interacts with systems — logging in, making API calls, accessing data.

Security focus:

  • Correlate identity behavior (UEBA – User and Entity Behavior Analytics).
  • Track entitlement drift and shadow access across cloud accounts.
  • Detect credential misuse or lateral movement attempts.
  • Log every privilege escalation or access anomaly.
  • Integrate with SIEM/SOAR for automated response.
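As an added example of the behavior-correlation idea (not code from the original post), here is the impossible-travel check mentioned under Authentication, run over a few constructed sign-in events. It groups events by identity, computes the great-circle distance between consecutive sign-ins, and flags any pair that would require travelling faster than an assumed plausible speed. The event layout, the coordinates and the speed threshold are assumptions.

```python
"""Impossible-travel detection over sign-in events.

Added example, not from the original post. The events below are constructed;
the 1000 km/h threshold is an assumed value roughly at airliner speed.
"""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0

# Constructed sign-in events: identity, UTC timestamp, geolocation of the source IP.
EVENTS = [
    {"identity": "alice", "ts": "2025-11-11T08:00:00Z", "lat": 51.5074, "lon": -0.1278},   # London
    {"identity": "alice", "ts": "2025-11-11T09:30:00Z", "lat": 40.7128, "lon": -74.0060},  # New York
    {"identity": "bob",   "ts": "2025-11-11T08:00:00Z", "lat": 48.8566, "lon": 2.3522},    # Paris
    {"identity": "bob",   "ts": "2025-11-11T12:00:00Z", "lat": 52.5200, "lon": 13.4050},   # Berlin
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on a spherical Earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive sign-in pair that implies speed > max_kmh."""
    by_identity = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_identity[e["identity"]].append(e)

    alerts = []
    for identity, evs in by_identity.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            if hours <= 0:
                # Same timestamp from two places is impossible unless it is the same place.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                alerts.append({
                    "identity": identity, "from": prev["ts"], "to": cur["ts"],
                    "km": round(dist, 1), "kmh": round(speed, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print(alert)   # alice: London -> New York in 90 minutes
```

In a real pipeline this runs inside the SIEM or UEBA layer, with the alert routed to SOAR for an automated step such as forcing re-authentication; the geolocation source and VPN egress points are the main sources of false positives to tune for.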

5. Review & Recertification

What it is: Periodic review of accounts, privileges, and roles.

Security focus:

  • Conduct access reviews quarterly or risk-based (especially high-privilege accounts).
  • Use automated certification campaigns (identity governance tools like SailPoint or Saviynt).
  • Identify and eliminate orphaned and stale identities.
  • Validate service accounts still in use.
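The following is an added example (not from the original post) of what a recertification pass does with an account inventory: it joins accounts to the HR roster to find orphaned identities, uses last-authentication time to find stale ones, and routes high-privilege accounts into the review queue regardless of activity. The inventory, roster, 90-day staleness window and the set of privileged roles are all constructed assumptions.

```python
"""Access review: find orphaned, stale and privileged identities.

Added example, not from the original post. Inventory, roster, thresholds and
the three follow-up actions are constructed for illustration.
"""
from datetime import datetime, timezone


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


NOW = datetime(2025, 11, 11, tzinfo=timezone.utc)
HR_ACTIVE = {"alice", "bob"}   # constructed roster of current staff

# Constructed account inventory; 'owner' is the accountable human for service accounts.
ACCOUNTS = [
    {"id": "alice",      "type": "human",   "owner": "alice", "last_auth": "2025-11-10T07:15:00Z", "roles": ["reader"]},
    {"id": "bob",        "type": "human",   "owner": "bob",   "last_auth": "2025-11-10T16:40:00Z", "roles": ["admin"]},
    {"id": "carol",      "type": "human",   "owner": "carol", "last_auth": "2025-10-30T12:00:00Z", "roles": ["admin"]},
    {"id": "svc-backup", "type": "service", "owner": "bob",   "last_auth": "2025-05-01T02:00:00Z", "roles": ["backup_operator"]},
    {"id": "svc-etl",    "type": "service", "owner": "dave",  "last_auth": "2025-11-09T03:00:00Z", "roles": ["etl_writer"]},
]


def review_accounts(accounts, hr_active, now, stale_days=90, privileged_roles=("admin",)):
    """Return findings with a recommended action for every account that needs attention."""
    findings = []
    for acct in accounts:
        idle_days = (now - parse_ts(acct["last_auth"])).days
        reasons = []
        if acct["owner"] not in hr_active:
            reasons.append("orphaned")           # nobody accountable is still employed
        if idle_days > stale_days:
            reasons.append(f"stale:{idle_days}d")
        if set(acct["roles"]) & set(privileged_roles):
            reasons.append("privileged")         # always in scope for periodic review
        if not reasons:
            continue
        if "orphaned" in reasons:
            action = "disable"                   # revoke first, ask questions later
        elif idle_days > stale_days:
            action = "confirm_with_owner"        # e.g. service account that may be dead
        else:
            action = "recertify"                 # active and privileged: owner must re-attest
        findings.append({"id": acct["id"], "type": acct["type"],
                         "reasons": reasons, "action": action})
    return findings


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, HR_ACTIVE, NOW):
        print(finding)
```

Ordering matters: an orphaned account is disabled even if it authenticated yesterday, because recent activity on an account with no accountable owner is a finding in itself rather than evidence that it is legitimate.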

6. De-Provisioning (Identity Departure)

What it is: Termination, contract end, service retirement, or credential expiration.

Security focus:

  • Immediate revocation of access upon HR or system trigger.
  • Revoke tokens, API keys, sessions, and certificates.
  • Archive logs for audit but delete credentials securely.
  • If it's a shared system, trigger access re-certification for remaining identities.

7. Post-Lifecycle Forensics

What it is: After deactivation, ensure there are no backdoors left.

Security focus:

  • Verify no active sessions remain.
  • Audit access logs for post-termination activity.
  • If insider risk suspected — preserve identity artifacts for investigation.
  • Feed lessons learned back into identity governance policies.
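The two final phases are tightly coupled, so here is one added example (not code from the original post) that covers both: a deprovisioning step that revokes sessions, API keys and certificates on an HR trigger and writes an audit record, followed by the post-lifecycle checks of confirming nothing remains and scanning the access log for activity after the termination time. The store snapshot, the access log and the record layouts are constructed assumptions.

```python
"""Deprovisioning with audit record, then post-termination verification.

Added example, not from the original post. The identity-store snapshot and
the access log are constructed; layouts are assumptions for illustration.
"""
from datetime import datetime, timezone


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def make_store():
    """Constructed snapshot of an identity store with live credentials."""
    return {
        "sessions": [{"id": "s-1", "identity": "carol"},
                     {"id": "s-2", "identity": "alice"},
                     {"id": "s-3", "identity": "carol"}],
        "api_keys": [{"id": "k-1", "identity": "carol", "active": True},
                     {"id": "k-2", "identity": "alice", "active": True}],
        "certs":    [{"serial": "0A", "identity": "carol", "revoked": False}],
        "audit":    [],   # append-only; kept after the credentials are gone
    }


def remaining_access(store, identity):
    """Everything still usable by the identity: the 'no backdoors left' check."""
    return {
        "sessions": [s["id"] for s in store["sessions"] if s["identity"] == identity],
        "api_keys": [k["id"] for k in store["api_keys"]
                     if k["identity"] == identity and k["active"]],
        "certs":    [c["serial"] for c in store["certs"]
                     if c["identity"] == identity and not c["revoked"]],
    }


def deprovision(store, identity, terminated_at, trigger="hr_termination"):
    """Revoke sessions, keys and certs immediately; record what was revoked and why."""
    before = remaining_access(store, identity)
    store["sessions"] = [s for s in store["sessions"] if s["identity"] != identity]
    for key in store["api_keys"]:
        if key["identity"] == identity:
            key["active"] = False          # disable rather than delete: keeps the key id auditable
    for cert in store["certs"]:
        if cert["identity"] == identity:
            cert["revoked"] = True         # in practice also publish to CRL/OCSP
    record = {"ts": terminated_at.isoformat(), "identity": identity, "trigger": trigger,
              "revoked": {kind: len(ids) for kind, ids in before.items()}}
    store["audit"].append(record)
    return record


# Constructed access log used for the post-termination audit.
ACCESS_LOG = [
    {"ts": "2025-11-11T09:15:00Z", "identity": "carol", "action": "api_call", "cred": "k-1"},
    {"ts": "2025-11-11T10:45:00Z", "identity": "carol", "action": "api_call", "cred": "k-1"},
    {"ts": "2025-11-11T11:00:00Z", "identity": "alice", "action": "login",    "cred": "s-2"},
]


def post_termination_activity(log, identity, terminated_at):
    """Any event for the identity after termination is residual access to investigate."""
    return [e for e in log if e["identity"] == identity and parse_ts(e["ts"]) > terminated_at]


if __name__ == "__main__":
    store = make_store()
    t_term = datetime(2025, 11, 11, 10, 0, tzinfo=timezone.utc)
    print(deprovision(store, "carol", t_term))
    print(remaining_access(store, "carol"))            # all empty
    print(post_termination_activity(ACCESS_LOG, "carol", t_term))   # one api_call at 10:45
```

The 10:45 event in the constructed log is the interesting one: the key was disabled centrally at 10:00, so a call that still succeeded afterwards points at a system that does not honour the central revocation (a cached credential, a replica that has not synced, or a copy of the key living somewhere it should not). That finding is what feeds back into the governance policy.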

Summary View (Cyber Defense Focus)

| Phase | Core Goal | Main Threats | Controls |
|---|---|---|---|
| Provisioning | Verified identity | Fake user creation, privilege escalation | MFA enrollment, role-based provisioning |
| Authorization | Correct access | Excessive privileges | RBAC/ABAC, SoD, Zero Trust |
| Authentication | Strong proof | Phishing, credential stuffing | MFA, Passwordless, Adaptive auth |
| Usage | Behavior control | Account takeover | UEBA, session monitoring |
| Review | Continuous validation | Privilege creep | Periodic recertification |
| Deprovisioning | Timely removal | Orphaned accounts | Automated revocation |
| Forensics | Closure & feedback | Residual access | Audit & SIEM integration |

If you're designing for enterprise: tie this lifecycle to Identity Governance (IGA) + Access Management (IAM) + Privileged Access Management (PAM). Together, they enforce the entire loop from creation → control → cleanup.

