3. Identity Lifecycle
Identity is the foundation upon which all access control decisions are made. In cybersecurity, identity refers to the digital representation of a person, system, service, application, or device operating within an information environment. Traditional security models often treated identity as static: once an account was created, it simply existed. Modern systems, however, guided by standards such as NIST SP 800-63 (Digital Identity Guidelines), recognize identity as a dynamic asset that evolves over time.
The identity lifecycle encompasses every phase from initial identity creation (provisioning) to eventual account retirement (deprovisioning). Each stage must be controlled, auditable, and enforce policy-driven security to prevent unauthorized access, privilege misuse, and orphaned accounts. Security literature, including Schneier’s Applied Cryptography, emphasizes that digital identities underpin the integrity of secure communication, authentication protocols, and authorization decisions. A poorly managed identity lifecycle creates systemic vulnerabilities attackers routinely exploit in enterprise and cloud environments.
This chapter provides a complete exploration of each stage within the identity lifecycle, best practices for securing the process, and common threats and mitigation strategies relevant to modern infrastructure, including cloud, mobile (MASTG), and wireless systems (NIST SP 800-153).
Understanding the Identity Lifecycle
The identity lifecycle describes the progression of a digital identity through six primary phases:
- Creation / Provisioning
- Enrollment & Verification
- Authentication Binding
- Authorization Assignment
- Identity Maintenance & Governance
- Deactivation & Deprovisioning
Each phase introduces its own risks, requirements, and technical controls. Attackers often target weak points in the lifecycle, such as mismanaged privileges, stale accounts, or insecure enrollment processes, as illustrated extensively in penetration testing literature such as The Web Application Hacker’s Handbook. A secure identity lifecycle ensures that only the correct individuals or systems maintain access, and only for the appropriate duration.
Identity Provisioning: Creation of a Digital Identity
Provisioning is the initial stage where an identity is officially created within a system. This typically occurs when:
- A new employee joins an organization
- A contractor or vendor is onboarded
- A service account is created for applications or automation
- A device or IoT asset needs network identity
- A user registers for an online application
Data Requirements
Identity data may include:
- Legal name or unique identifier (username, ID number)
- Contact information
- Organizational attributes (department, role, division)
- Device identifiers (MAC address, certificate fingerprint)
NIST SP 800-63 distinguishes among Identity Assurance Levels (IALs) according to the degree of confidence required in the validity of the claimed identity.
Risks During Provisioning
- Incorrect or duplicate entries
- Overprivileged baseline access
- Lack of verification controls
- Automated provisioning without governance
- Service accounts created without owners
Enterprise breaches often trace back to mis-provisioned accounts or service identities that never underwent proper review.
Identity Enrollment & Verification
Provisioning creates the record; enrollment establishes trust.
Enrollment involves verifying the attributes of the identity and ensuring that the person or system claiming the identity is legitimate. For human identities, verification may include:
- Government ID checks
- HR verification
- Secure enrollment portals
- Identity document validation
- Multi-factor enrollment
NIST SP 800-63 outlines requirements for ensuring identity proofing aligns with the intended security level. Organizations may require higher assurance levels for access to sensitive or regulated data.
Binding Identity to Credentials
Once verified, the identity must be paired with credentials such as:
- Password(s)
- OTP tokens
- Cryptographic key pairs (Schneier emphasizes secure key generation and storage)
- Biometric templates
- Mobile-device-based authenticators (as emphasized in MASTG)
- Hardware tokens (FIDO2, smart cards)
Binding is a critical moment: if an attacker compromises a credential during enrollment, they may gain full, legitimate-looking access.
Threats During Enrollment
- Credential interception
- SIM swap attacks (for mobile OTP delivery)
- Device enrollment attacks (unenrolled or insecure devices)
- Fake or forged identity documents
- Insecure wireless onboarding (NIST SP 800-153 warnings)
Secure channels, strong cryptography, and multi-step verification are essential countermeasures.
Authorization Assignment: Granting Access Rights
Once authenticated identities exist, the next step is defining what those identities can do.
Authorization Models
Organizations often use one or a combination of:
- RBAC: roles assigned based on job function
- ABAC: permissions based on attributes
- PBAC: policies evaluated dynamically
This aligns with least privilege and zero trust principles, ensuring identities do not receive unnecessary access.
Privilege Lifecycle
Authorization changes are common throughout employment or service usage. Common events include:
- Promotions or department changes
- Project assignments
- Temporary elevation (privileged access management)
- System migrations
Authorization management must be traceable, auditable, and governed.
Risks in Authorization Assignment
- Privilege creep (gradual accumulation of permissions)
- Excessive administrator-level rights
- Misaligned permissions after organizational changes
- Role explosion in large enterprises
- Untracked service account privileges
Attackers frequently exploit excessive or stale permissions to escalate access.
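As an added example (not code from this chapter), the following Python models the authorization decision described above: RBAC roles, a time-bound elevation granted through privileged access management, and an ABAC check that the resource belongs to the caller's department. The role catalogue, identities, and resources are constructed for illustration.

```python
"""Added example, not code from the chapter: RBAC with time-bound
privilege elevation plus an ABAC department check (least privilege)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role catalogue: role -> permissions it grants.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write"},
    "prod-admin": {"prod:read", "prod:deploy"},  # privileged, never standing
}

@dataclass
class Identity:
    username: str
    department: str
    standing_roles: set
    # Temporary elevations granted through PAM: role -> expiry time (UTC).
    elevations: dict = field(default_factory=dict)

def effective_roles(identity: Identity, now: datetime) -> set:
    """Roles in force at `now`: standing roles plus unexpired elevations."""
    active = set(identity.standing_roles)
    for role, expires_at in identity.elevations.items():
        if now < expires_at:
            active.add(role)
    return active

def is_authorized(identity: Identity, permission: str, resource: dict, now: datetime) -> bool:
    """RBAC: the permission must come from a role active at `now`.
    ABAC: the resource's owning department must match the identity's."""
    roles = effective_roles(identity, now)
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    if permission not in granted:
        return False
    return resource["department"] == identity.department

# Constructed scenario: a developer granted a two-hour production elevation.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
alice = Identity("alice", "payments", {"developer"},
                 elevations={"prod-admin": T0 + timedelta(hours=2)})
PAYMENTS_API = {"name": "payments-api", "department": "payments"}
LEDGER_API = {"name": "ledger-api", "department": "finance"}

def at(hours: float) -> datetime:
    """Point in time `hours` after the elevation was granted."""
    return T0 + timedelta(hours=hours)

if __name__ == "__main__":
    for h in (1, 3):  # inside the elevation window, then after it expired
        print(h, is_authorized(alice, "prod:deploy", PAYMENTS_API, at(h)))
```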
Identity Maintenance & Governance
Once established, digital identities require continuous oversight. Identity maintenance includes:
Recertification & Access Reviews
Regular periodic reviews ensure:
- Users still require their permissions
- Accounts remain active and associated with legitimate users
- Sensitive privileges undergo multi-level approval
Password & Credential Management
Credentials must be updated or rotated based on corporate policies and risk assessments. For example:
- Password expiration (when appropriate)
- MFA re-enrollment
- Certificate renewal
- Key rotation (emphasized in Schneier’s cryptographic principles)
Monitoring Identity Activity
Security teams should track:
- Login patterns
- Privileged account behavior
- Impossible travel anomalies
- Device posture changes
- Wireless authentication changes (NIST SP 800-153)
Identity activity monitoring contributes to zero trust architecture by enforcing continuous verification.
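The impossible travel check listed above, as an added example rather than code from this chapter: consecutive logins by the same identity are compared and flagged when the implied speed between their locations exceeds what a traveller could achieve. It assumes each login has already been geolocated from its source IP, and the speed threshold and sample events are constructed.

```python
"""Added example, not code from the chapter: flag "impossible travel" by
computing the speed implied by consecutive logins of the same identity.
Assumes each login has already been geolocated (lat/lon) from its source IP."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """events: (username, ISO-8601 timestamp with offset, lat, lon, src_ip).
    Returns one finding per consecutive login pair whose implied speed
    exceeds max_kmh: (username, earlier_ip, later_ip, implied_kmh)."""
    findings, last_seen = [], {}
    for user, ts, lat, lon, ip in sorted(events, key=lambda e: datetime.fromisoformat(e[1])):
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            prev_when, plat, plon, pip = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            # Two distant places at the same instant is impossible regardless of distance.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_kmh:
                findings.append((user, pip, ip, round(speed, 1)))
        last_seen[user] = (when, lat, lon, ip)
    return findings

# Constructed sample login events (documentation IP ranges, not real data).
SAMPLE_EVENTS = [
    ("alice", "2024-01-15T09:00:00+00:00", 51.5074, -0.1278, "203.0.113.5"),     # London
    ("alice", "2024-01-15T10:30:00+00:00", -33.8688, 151.2093, "198.51.100.7"),  # Sydney
    ("bob",   "2024-01-15T08:00:00+00:00", 40.7128, -74.0060, "192.0.2.10"),     # New York
    ("bob",   "2024-01-15T12:00:00+00:00", 42.3601, -71.0589, "192.0.2.11"),     # Boston
]

if __name__ == "__main__":
    for finding in find_impossible_travel(SAMPLE_EVENTS):
        print(finding)
```

Only alice's London-to-Sydney pair is flagged; bob's four-hour New York-to-Boston gap implies well under 100 km/h.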
Lifecycle Touchpoints in Mobile and Cloud
According to MASTG and modern cloud IAM practices:
- Mobile apps must securely store authentication tokens
- Backend identity verification must not rely on client-side logic
- Cloud platforms should maintain identity federation and SSO integrity
- APIs must validate identity tokens securely
Identity governance in complex hybrid environments requires centralized management supported by automated workflows.
Deactivation & Deprovisioning
The final stage of the identity lifecycle, often the most neglected, is deactivation. When accounts are not properly deprovisioned, “orphaned accounts” remain active long after they are needed.
Events Triggering Deprovisioning
- Employee departure
- Project completion
- Vendor contract termination
- Device replacement
- Service account retirement
- Application uninstallation
Requirements for Secure Deprovisioning
- Immediate disabling of access
- Revocation of credentials and tokens
- Certificate invalidation
- MFA token removal
- Removal from groups, roles, and policies
- Deleting or archiving identity data as required by regulations
This stage directly aligns with principles from penetration testing literature: attackers commonly target old accounts that remain active in systems or directories.
Risks of Poor Deprovisioning
- Active accounts belonging to former employees
- Forgotten admin accounts
- Persistent access tokens on mobile devices
- Stale wireless authentication credentials
Deprovisioning must be automated, documented, and integrated with HR and system workflows.
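The following Python is an added example (not code from this chapter) of the reconciliation an automated access review or deprovisioning workflow performs: it joins an HR feed with a directory export to find orphaned accounts of departed users, service accounts created without an owner (a provisioning risk noted earlier), and privileged accounts that have gone unused. The HR feed, directory export, review date, and 90-day window are constructed assumptions.

```python
"""Added example, not code from the chapter: an access-review reconciliation
that joins an HR feed with a directory export to surface orphaned accounts,
ownerless service accounts and unused privileged accounts."""
from datetime import datetime, timedelta, timezone

# Constructed HR feed: username -> employment status.
HR_STATUS = {"alice": "active", "bob": "terminated"}

# Constructed directory export (human users and service accounts).
DIRECTORY = [
    {"username": "alice", "kind": "user", "enabled": True, "privileged": False,
     "owner": None, "last_login": "2024-03-01T08:00:00+00:00"},
    {"username": "bob", "kind": "user", "enabled": True, "privileged": True,
     "owner": None, "last_login": "2023-11-20T17:45:00+00:00"},
    {"username": "svc-backup", "kind": "service", "enabled": True, "privileged": True,
     "owner": None, "last_login": "2024-02-28T02:00:00+00:00"},
    {"username": "svc-etl", "kind": "service", "enabled": True, "privileged": False,
     "owner": "alice", "last_login": "2024-02-29T02:00:00+00:00"},
    {"username": "old-admin", "kind": "user", "enabled": True, "privileged": True,
     "owner": None, "last_login": "2023-06-01T09:00:00+00:00"},
]
REVIEW_DATE = datetime(2024, 3, 15, tzinfo=timezone.utc)  # constructed review date

def review(directory, hr_status, now=REVIEW_DATE, stale_after=timedelta(days=90)):
    """Return (username, reason) findings for enabled accounts that fail review."""
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue
        name = acct["username"]
        if acct["kind"] == "service":
            # A service account must have an active human owner accountable for it.
            owner = acct["owner"]
            if owner is None:
                findings.append((name, "service account without an owner"))
            elif hr_status.get(owner) != "active":
                findings.append((name, f"service account owner {owner} is not active"))
        elif hr_status.get(name) != "active":
            # Enabled account with no active HR record: orphaned, must be deprovisioned.
            findings.append((name, f"orphaned: HR status {hr_status.get(name, 'no record')}"))
        last_login = datetime.fromisoformat(acct["last_login"])
        if acct["privileged"] and now - last_login > stale_after:
            # Standing privileged access that is not being used should be removed.
            findings.append((name, f"privileged account unused for over {stale_after.days} days"))
    return findings

if __name__ == "__main__":
    for finding in review(DIRECTORY, HR_STATUS):
        print(*finding, sep=": ")
```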
Threats and Attack Vectors Targeting the Identity Lifecycle
Across each lifecycle phase, attackers attempt to exploit weaknesses. Common threats include:
During Provisioning
- Fake identity creation
- Duplicate account registration
- Service accounts with weak controls
During Enrollment
- Credential theft
- Social engineering during identity proofing
- Insecure mobile enrollment channels
During Maintenance
- Session hijacking
- Token replay attacks
- Privilege escalation
- Mobile app token extraction (MASTG-relevant)
- Wireless credential interception (NIST SP 800-153 concerns)
During Deprovisioning
- Orphaned accounts exploited for stealthy access
- External user accounts not removed after project end
- API keys never revoked
Identity lifecycle security is a continuous battle requiring layered defenses and constant monitoring.
Best Practices for Identity Lifecycle Management
Governance and Automation
- Centralized Identity Governance and Administration (IGA)
- Automated provisioning and deprovisioning
- Integration with HRIS systems
Strong Authentication (NIST SP 800-63 compliant)
- MFA everywhere
- Cryptographically secure enrollment
- Continuous authentication (risk adaptive)
Principle of Least Privilege
- Role hygiene
- Privileged access management (PAM)
- Time-bound privileges
Secure Mobile Identity Handling (MASTG)
- Hardware-backed key storage
- Secure token lifecycle management
- No sensitive logic or secrets stored client-side
Wireless Identity Security (NIST SP 800-153)
- Use of WPA3 and strong EAP methods
- Device posture validation
- Credential rotation for wireless authentication
Continuous Monitoring & Zero Trust Alignment
- Behavioral analytics
- Device trust scoring
- Identity-first security operations
The identity lifecycle is far more than account creation and deletion: it is a structured, continuously managed process essential to modern cybersecurity. With digital systems increasingly interconnected, distributed, and cloud-driven, identity has become the new security perimeter. Standards like NIST SP 800-63 help organizations adopt secure practices, while practical insights from offensive testing literature teach defenders how attackers exploit gaps in identity management.
Understanding and mastering the identity lifecycle enables cybersecurity practitioners to design resilient, scalable, and secure environments where identities are verified, governed, monitored, and eventually retired with precision. A mature identity lifecycle is one of the strongest defenses an organization can have against modern cyber threats.