This curriculum spans the design, implementation, and operational oversight of identity protection measures across an enterprise, comparable to a multi-phase internal capability program addressing identity theft risks in complex hybrid environments.
Module 1: Threat Landscape and Identity Theft Vectors
- Selecting telemetry sources to detect credential harvesting via phishing, including email gateway logs and endpoint detection alerts.
- Mapping common attack paths such as SIM swapping and business email compromise to internal identity systems.
- Configuring network sensors to flag anomalous geolocation patterns in authentication attempts across cloud applications.
- Integrating dark web monitoring feeds to identify employee credentials exposed in third-party breaches.
- Assessing risk exposure from legacy systems that store plaintext credentials or use outdated authentication protocols.
- Documenting adversary tactics from incident reports to update threat models used in identity risk assessments.
Module 2: Identity and Access Management (IAM) Architecture
- Designing role-based access control (RBAC) hierarchies to minimize standing privileges across hybrid environments.
- Implementing just-in-time (JIT) access for administrative accounts using identity governance platforms.
- Choosing between on-premises Active Directory and cloud identity providers based on compliance and integration requirements.
- Enforcing attribute-based access control (ABAC) policies for sensitive data repositories using dynamic claims.
- Configuring federation trust relationships between identity providers and SaaS applications using SAML or OIDC.
- Deploying service accounts with non-human identity lifecycle management to prevent misuse and privilege accumulation.
Module 3: Authentication Mechanisms and Credential Protection
- Rolling out FIDO2 security keys for high-risk user groups while maintaining fallback mechanisms for legacy systems.
- Disabling legacy authentication protocols (e.g., basic authentication over SMTP and IMAP) to close password-only attack paths against email accounts.
- Implementing passwordless authentication workflows using Windows Hello for Business or passkeys.
- Configuring conditional access policies to require MFA based on sign-in risk, location, and device compliance.
- Enforcing password rotation and complexity policies only where technical constraints prevent modern authentication.
- Monitoring for credential stuffing by analyzing failed login spikes across user populations and source IPs.
Module 4: Identity Lifecycle and Provisioning Governance
- Automating deprovisioning workflows for terminated employees across cloud and on-prem systems using HRIS integration.
- Conducting quarterly access reviews for privileged roles with documented approval trails and remediation timelines.
- Establishing onboarding workflows that assign role-based access based on job function and manager approval.
- Managing contractor access with time-bound entitlements and segregated network zones.
- Auditing orphaned accounts in directory services and disabling those without activity for 90+ days.
- Integrating identity governance tools with ticketing systems to enforce access request justification and approvals.
Module 5: Detection and Monitoring of Identity Anomalies
- Deploying user and entity behavior analytics (UEBA) to baseline normal login patterns and flag deviations.
- Creating SIEM correlation rules to detect impossible travel between geographic locations within short timeframes.
- Validating detection efficacy by simulating lateral movement using controlled red team exercises.
- Reducing false positives in anomaly detection by tuning risk scoring thresholds based on user role and device posture.
- Integrating identity logs from cloud providers, on-prem directories, and SaaS apps into a centralized logging platform.
- Configuring real-time alerts for multiple failed MFA attempts followed by a successful login from a new device.
Module 6: Incident Response and Forensic Investigation
- Isolating compromised accounts by disabling authentication methods and terminating active sessions remotely.
- Preserving identity-related logs (e.g., Azure AD sign-in logs, ADFS audit logs) for forensic chain-of-custody.
- Reconstructing attack timelines using correlated timestamps from identity providers, endpoints, and network devices.
- Coordinating with legal and communications teams when identity theft involves executive or customer accounts.
- Initiating credential reset procedures with third-party service providers after cross-organization breaches.
- Documenting root cause analysis findings to update identity protection controls and prevent recurrence.
Module 7: Regulatory Compliance and Identity Audits
- Mapping access control policies to GDPR, HIPAA, or SOX requirements for data subject access and segregation of duties.
- Generating audit reports for privileged access usage to satisfy internal and external compliance reviews.
- Responding to data subject access requests (DSARs) by retrieving identity and activity logs within statutory timelines.
- Configuring logging retention policies to meet regulatory requirements without exceeding storage budgets.
- Preparing for third-party audits by validating that access certifications are completed and documented.
- Aligning identity management practices with NIST 800-63 or ISO/IEC 27001 controls for authentication and lifecycle management.
Module 8: Third-Party Risk and Identity Supply Chain
- Assessing identity security practices of vendors before granting federated access to internal systems.
- Limiting third-party application permissions in cloud environments using least privilege consent policies.
- Monitoring API key usage from partner integrations for abnormal data extraction volumes.
- Requiring identity proofing standards for contractors accessing customer-facing systems.
- Enforcing MFA for all external users accessing partner portals or extranet applications.
- Conducting penetration tests on identity federation endpoints to validate configuration security and error handling.