The members of the Identity Defined Security Alliance (IDSA) work together to develop a standard set of integration patterns and use cases that describe the intersection points of the components defined in the integration framework. The use cases are collaboratively designed and based upon best practices and industry standards and trends.

The IDSA use cases are available to organizations – technology vendors, solution providers and end customers – to use in the development of roadmaps, service offerings and integrated architectures. Each use case addresses a specific user scenario and provides pre-conditions, workflows, post-conditions and success criteria. The use cases are organized by the focus areas defined in the integration framework: Security Operations, Data Protection and Risk Management.

This is an evolving body of work. Interested organizations are encouraged to comment on the existing use cases and to submit suggestions for new use cases for collaborative development by the IDSA.

Security Operations

Access Management Utilization of Risk Data

Access Management integrates with the Fraud & Risk system. This integration allows Access Management to select the authentication flow based on the user's risk profile: if the risk is zero or small, the user authenticates seamlessly; if the risk is larger, the authentication process is made more secure (an MFA challenge, or potentially failing the authentication altogether).

IDSA Component

  • Access Management
  • Identity Administration
  • Security Information & Event Management (SIEM)
  • Fraud & Risk
  • Privileged Access Management (PAM)

MFA For Public / Private Cloud Application Consolidation

The integration between Access Management and Network Security allows users to authenticate to web applications that exist in both the public and private cloud infrastructures used by the organization. This integration allows users to access the applicable applications regardless of the deployment model.

IDSA Component

  • Access Management
  • Security Information & Event Management (SIEM)
  • Network Security (NetSec)

Step-up Authentication to the Privileged Access Management Application

Users needing access to the Privileged Access Management application will be prompted with a step-up authentication challenge based on their risk score within the Fraud & Risk application.

IDSA Component

  • Access Management
  • Fraud & Risk
  • Security Information & Event Management (SIEM)
  • Privileged Access Management (PAM)

User Authentication From Different Device Types

Access Management will be configured to detect user authentication from multiple device types within the same authentication session. If multiple device types are identified, Access Management will force an MFA challenge. If the MFA challenge fails on a mobile device, the EMM application will lock the device as a possibly compromised device.

IDSA Component

  • Access Management
  • Identity Administration
  • Security Information & Event Management (SIEM)
  • Fraud & Risk
  • Enterprise Mobility Management (EMM)
  • Cloud Access Security Broker (CASB)

Data Protection

Access Management Checks Cloud Access Security Broker

Access Management integrates with the Cloud Access Security Broker and its compromised-credential database. It uses this integration to verify that the user attempting to authenticate has an uncompromised account; if the account is compromised, Access Management can react accordingly.

IDSA Component

  • Access Management
  • Identity Administration
  • Security Information & Event Management (SIEM)
  • Cloud Access Security Broker (CASB)

Access Management Verifies Enterprise Mobility Management Status of Mobile Device

A user’s mobile device can be managed by Enterprise Mobility Management, and that management includes the ability to determine whether or not the device is in a compromised state. Access Management will use this status to decide whether or not to allow access to its portal.

IDSA Component

  • Access Management
  • Security Information & Event Management (SIEM)
  • Enterprise Mobility Management (EMM)
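The Access Management use cases above (risk-based authentication flow, step-up for the PAM application, multiple device types in one session, the CASB compromised-credential check and the EMM device status) all feed the same decision point. The following is an added example, not IDSA or vendor code, of how such a policy decision can combine those signals. The signal fields, the 0-100 risk scale, the thresholds, the application name "pam-portal" and the EMM lock hook are assumptions chosen for illustration.

```python
"""Risk-adaptive authentication decision combining the signals named in the
Access Management use cases. Added example, not IDSA or vendor code: the
signal fields, the 0-100 risk scale, the thresholds and the EMM hook are
assumptions for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"      # seamless authentication
    STEP_UP = "step_up"  # require an MFA challenge first
    DENY = "deny"        # fail authentication outright


@dataclass
class AuthContext:
    user: str
    device_id: str
    device_type: str                 # "laptop", "mobile", ... (assumed vocabulary)
    target_app: str                  # application the user is signing in to
    risk_score: int                  # Fraud & Risk score, assumed 0-100
    credential_compromised: bool     # CASB compromised-credential database hit
    device_compromised: bool         # EMM reports the device as compromised
    session_device_types: Set[str] = field(default_factory=set)  # seen earlier in this session


# Example thresholds; an organization tunes these against its own Fraud & Risk scale.
MFA_RISK_THRESHOLD = 40
DENY_RISK_THRESHOLD = 80
PRIVILEGED_APPS = {"pam-portal"}  # assumed name for the PAM application


def decide(ctx: AuthContext) -> Tuple[Decision, List[str]]:
    """Return the authentication decision and the reasons behind it."""
    reasons: List[str] = []

    # Hard stops: a credential or device already known to be compromised is never
    # allowed through, with or without MFA.
    if ctx.credential_compromised:
        reasons.append("credential present in CASB compromised-credential database")
        return Decision.DENY, reasons
    if ctx.device_compromised:
        reasons.append("EMM reports device compromised")
        return Decision.DENY, reasons
    if ctx.risk_score >= DENY_RISK_THRESHOLD:
        reasons.append(f"risk score {ctx.risk_score} at or above {DENY_RISK_THRESHOLD}")
        return Decision.DENY, reasons

    # Step-up conditions: any one of them alone is enough to require MFA.
    if ctx.risk_score >= MFA_RISK_THRESHOLD:
        reasons.append(f"risk score {ctx.risk_score} at or above {MFA_RISK_THRESHOLD}")
    if ctx.target_app in PRIVILEGED_APPS:
        reasons.append("target is the Privileged Access Management application")
    if ctx.session_device_types - {ctx.device_type}:
        reasons.append("another device type already authenticated in this session")
    if reasons:
        return Decision.STEP_UP, reasons

    reasons.append("no elevated risk signals")
    return Decision.ALLOW, reasons


def on_mfa_result(ctx: AuthContext, success: bool) -> str:
    """After a step-up challenge: a failed challenge on a mobile device asks EMM to lock it."""
    if success:
        return "session established"
    if ctx.device_type == "mobile":
        # A real deployment would call the EMM vendor's API here (assumed interface).
        return f"EMM lock requested for device {ctx.device_id}"
    return "authentication failed"


if __name__ == "__main__":
    # Constructed input: a low-risk user on a phone after a laptop login in the same session.
    ctx = AuthContext("alice", "mob-42", "mobile", "crm", 15, False, False, {"laptop"})
    decision, why = decide(ctx)
    print(decision.value, why)
    if decision is Decision.STEP_UP:
        print(on_mfa_result(ctx, success=False))
```

The hard stops come before the risk-score check on purpose: a CASB or EMM compromise signal is a confirmed fact rather than a probability, so no MFA success should override it. Every decision returns the reasons alongside the verdict so the SIEM receives an explainable record of why a login was challenged or refused.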

Compromised Enterprise Mobility Management Device Initiates Security Restrictions

Enterprise Mobility Management integrates with many IDSA applications so that it can share information when a user’s device has been compromised. These applications can then act on this information by disabling the end user’s access until the situation has been resolved.

IDSA Component

  • Identity Governance
  • Identity Administration
  • Security Information & Event Management (SIEM)
  • Fraud & Risk
  • Enterprise Mobility Management (EMM)

Access Management Cloud Access Security Broker Security Policy Enforcement

Access Management can perform SSO through the Cloud Access Security Broker’s proxy server in order to provide robust auditing and policy enforcement that is seamless to the end user.

IDSA Component

  • Cloud Access Security Broker
  • Access Management
  • Security Information & Event Management

DAG Initiated Data Security Enforcement and Remediation

Data Access Governance (DAG) applications integrate with Identity Governance applications for the purpose of remediating inappropriate permissions on folders containing sensitive data.

IDSA Component

  • Data Access Governance
  • Identity Governance
  • Security Information & Event Management

DLP Initiated MFA Using Profile Attributes

DLP applications integrate with Access Management applications for the purpose of MFA enforcement. This enforcement is triggered during a DLP detection event and is based on the title attribute of the end user’s identity.

IDSA Component

  • Data Loss Protection
  • Access Management
  • Identity Administration
  • Security Information & Event Management

Risk Management

Identity Governance Attestation of Privileged Access Management Accounts

Privileged Access Management has a list of all accounts that are considered privileged. Identity Governance can use this list of privileged accounts to provide scheduled compliance reviews.  

IDSA Component

  • Identity Governance
  • Security Information & Event Management (SIEM)
  • Privileged Access Management (PAM)

SIEM risk detection and notification to Service Management, Fraud & Risk

Security Information and Event Management (SIEM) is configured with the ability to detect configured events that are deemed suspicious in nature. Once these events have been identified, the Security Information and Event Management application will do the following:

  • Create a Service Management incident for investigation
  • Update the risk score in the Fraud & Risk application
  • Call the Network Security application to revoke the user’s token, which results in user-based access modification to a more restricted set of applications

IDSA Component 

  • Security Information & Event Management (SIEM)
  • Service Management
  • Fraud & Risk

UEBA risk detection and Notification to Service Management, CASB, Fraud & Risk

User Entity and Behavior Analytics (UEBA) is configured with the ability to detect configured events that are deemed suspicious in nature. Once these events have been identified, the User Entity and Behavior Analytics application will do the following:

  • Create a Service Management incident for investigation
  • Update the compromised-credential database of the Cloud Access Security Broker
  • Update the risk score in the Fraud & Risk application

IDSA Component

  • Security Information & Event Management (SIEM)
  • User Entity & Behavior Analytics (UEBA)
  • Service Management
  • Fraud & Risk
  • Cloud Access Security Broker (CASB)
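The SIEM and UEBA use cases above share one shape: detect suspicious events, then fan each finding out to Service Management, Fraud & Risk, the CASB compromised-credential database and Network Security. The following is an added example, not IDSA or vendor code, that runs two detection rules over constructed log lines and records what each downstream system would be told. The log line format, the two rules, the severity points and the connector shapes are assumptions; the sample log is constructed and uses documentation IP ranges.

```python
"""Suspicious-event detection fanned out to Service Management, Fraud & Risk,
the CASB compromised-credential database and Network Security, following the
SIEM and UEBA use cases. Added example, not IDSA or vendor code: the log line
format, the detection rules, the severity points and the connector shapes are
assumptions; the log lines are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List, Set

# Assumed key=value log format; the country field is optional.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)"
    r"(?: country=(?P<country>\S+))?$"
)
FAILURE_THRESHOLD = 5                         # failures before a success is suspicious
SEVERITY_POINTS = {"high": 50, "medium": 20}  # risk-score increments per finding

# Constructed sample: five failures then a success for bob from one source,
# carol signing in from two countries in quick succession, and one bad line.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:0{i}Z user=bob src=203.0.113.5 event=login_failure" for i in range(1, 6)]
    + [
        "2024-05-01T10:00:09Z user=bob src=203.0.113.5 event=login_success country=NL",
        "2024-05-01T10:05:00Z user=carol src=198.51.100.7 event=login_success country=US",
        "2024-05-01T10:20:00Z user=carol src=192.0.2.9 event=login_success country=BR",
        "2024-05-01T10:30:00Z user=dave src=198.51.100.8 event=login_success country=US",
        "garbage line that the parser must skip",
    ]
)


@dataclass
class Actions:
    """What the downstream systems were told; stands in for the real connectors."""
    incidents: List[str] = field(default_factory=list)              # Service Management
    risk_updates: Dict[str, int] = field(default_factory=dict)      # Fraud & Risk
    compromised_credentials: Set[str] = field(default_factory=set)  # CASB database
    revoked_tokens: Set[str] = field(default_factory=set)           # Network Security


def parse(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect(events: Iterable[dict]) -> List[dict]:
    """Two example rules: repeated failures then a success from one source, and
    a user appearing from a second country within the batch."""
    findings: List[dict] = []
    failures: Dict[tuple, int] = defaultdict(int)
    countries: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["event"] == "login_failure":
            failures[key] += 1
            continue
        if ev["event"] != "login_success":
            continue
        if failures[key] >= FAILURE_THRESHOLD:
            findings.append({"user": ev["user"], "rule": "failures_then_success", "severity": "high"})
            failures[key] = 0  # reset so one burst yields one finding
        country = ev["country"]
        if country:
            seen = countries[ev["user"]]
            if seen and country not in seen:
                findings.append({"user": ev["user"], "rule": "second_country", "severity": "medium"})
            seen.add(country)
    return findings


def notify(findings: Iterable[dict]) -> Actions:
    """Fan each finding out: always a ticket and a risk-score update; a high
    severity finding also marks the credential compromised and revokes the token."""
    acts = Actions()
    for f in findings:
        acts.incidents.append(f"{f['severity'].upper()}: {f['rule']} for {f['user']}")
        acts.risk_updates[f["user"]] = acts.risk_updates.get(f["user"], 0) + SEVERITY_POINTS[f["severity"]]
        if f["severity"] == "high":
            acts.compromised_credentials.add(f["user"])
            acts.revoked_tokens.add(f["user"])
    return acts


def run(log_text: str) -> Actions:
    """Full pipeline: parse, detect, notify."""
    return notify(detect(parse(log_text.splitlines())))


if __name__ == "__main__":
    result = run(SAMPLE_LOG)
    for line in result.incidents:
        print(line)
    print("risk updates:", result.risk_updates)
    print("revoked tokens:", sorted(result.revoked_tokens))
```

The parser drops malformed lines rather than aborting, since a single bad record must not stall detection for everyone else. The severity tier decides how far a finding propagates: every finding opens a ticket and nudges the Fraud & Risk score, but only a high-severity finding is pushed into the CASB compromised-credential database and triggers the token revocation, so the more disruptive actions are reserved for the stronger signal.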