Identity & Access Logic
Purpose
This page describes how identities, authentication, and access control are structured within the Scheol Security Lab.
The objective is to:
- define how access to systems is controlled
- highlight trust levels associated with identities
- document current limitations and target improvements
This section reflects a transitional model, evolving toward a more centralized and controlled identity architecture.
Identity Model
Current State
Identity management is currently decentralized but disciplined:
- Separate identities are used for different services
- Strong passwords are enforced
- A secure vault is used for credential storage
- MFA is not yet consistently enforced
Key Characteristics
- No centralized identity provider yet
- Limited identity federation between systems
- Identity lifecycle (creation, modification, revocation) is manual
Risks
- Inconsistent authentication policies
- Credential sprawl across services
- Limited visibility over access and usage
Target Model
The target state aims for a centralized identity architecture:
- Central identity provider (LDAP / AD)
- Systematic MFA enforcement for sensitive access
- Role-Based Access Control (RBAC)
- Clear separation between administrative and standard identities
Access Control Principles
Least Privilege
Access rights are limited to what is strictly necessary for each role.
Separation of Duties
Roles are logically separated:
- Sec - governance, risk, monitoring
- Ops - infrastructure management
- Dev - automation and deployment
Controlled Entry Points
Sensitive access must be:
- centralized
- authenticated
- traceable
Administrative Access Model
Current State
- Administrative access is performed from a personal workstation
- Direct access to systems is still possible
- No enforced bastion
Risks
- Weak isolation between personal and administrative environments
- Increased exposure of credentials
- Lack of centralized access logging
Target Model
Administrative access will follow a controlled path:
Admin Workstation → Bastion → Target Systems
Expected Controls
- SSH key-based authentication
- Mandatory MFA
- Session logging and auditability
- Restricted access paths
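The four expected controls map almost one-to-one onto sshd_config directives on the bastion, and the quickest way to know whether a bastion actually enforces them is to audit its configuration rather than its documentation. The script below is an added example, not the lab's own tooling: it parses an sshd_config, compares the global section against the bastion controls listed above, and reports every directive that is missing or set to the wrong value. Both configs are constructed samples; the directive names are standard OpenSSH (8.7 and later) sshd_config keywords, and the second factor is assumed to come from a PAM TOTP module behind keyboard-interactive authentication.

```python
"""Audit an sshd_config for the bastion controls in the target model.

Added example, not the lab's own tooling. Both configs are constructed samples;
directive names are standard OpenSSH (8.7+) sshd_config keywords.
"""
import re

# Directive -> value the bastion must state explicitly. Inheriting an OpenSSH
# default is treated as a finding on purpose: distro packages ship their own
# sshd_config, so the bastion should pin every control it relies on.
EXPECTED = {
    "permitrootlogin": "no",                 # named admin accounts only
    "pubkeyauthentication": "yes",           # SSH key-based authentication
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "yes",   # second factor via PAM (assumed TOTP module)
    "usepam": "yes",
    "authenticationmethods": "publickey,keyboard-interactive",  # key AND MFA, in that order
    "loglevel": "verbose",                   # logs the key fingerprint used for each login
    "allowtcpforwarding": "local",           # ProxyJump needs direct-tcpip; 'no' would break it
    "permitopen": "*:22",                    # ...but onward only to SSH on target systems
    "permittunnel": "no",
    "x11forwarding": "no",
}
REQUIRED_PRESENT = ("allowgroups",)          # who may reach the bastion at all

WEAK_CONFIG = """\
# constructed sample: distro-style defaults, admins connect directly
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
X11Forwarding yes
"""

HARDENED_CONFIG = """\
# constructed sample: bastion in the Admin Workstation -> Bastion -> Target path
Port 22
AllowGroups bastion-admins
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
LogLevel VERBOSE
AllowTcpForwarding local
PermitOpen *:22
PermitTunnel no
X11Forwarding no
AllowAgentForwarding no
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    Whole-line comments and blank lines are skipped. Parsing stops at the first
    Match block: those settings are conditional and need their own review.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)   # sshd honours the first occurrence of a keyword
    return settings


def audit(text):
    """Return findings as (directive, expected, actual); an empty list means compliant."""
    found = parse_sshd_config(text)
    findings = []
    for key in REQUIRED_PRESENT:
        if key not in found:
            findings.append((key, "<set>", "<missing>"))
    for key, want in EXPECTED.items():
        got = found.get(key, "<default>")
        if got.lower() != want:
            findings.append((key, want, got))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for directive, want, got in findings:
            print(f"  {directive}: expected {want!r}, got {got!r}")
```

Two caveats worth knowing before copying the hardened sample. First, `LogLevel VERBOSE` only records which key authenticated each session; full session recording (the "session logging" control) needs an additional tool on the bastion and is not something sshd provides on its own. Second, the bastion only closes the path if the target systems stop accepting direct logins, for example by allowing SSH only from the bastion's address; on the workstation side, a `ProxyJump` entry in the admin's ssh_config makes the controlled path the default rather than an option.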
Secrets Management
Current State
- Credentials are stored in a secure vault
- Unique credentials are used per service
- Management is manual
Risks
- No formal rotation policy
- Inconsistent secret usage practices
- Limited auditability
Target Model
- Centralized secrets management
- Automated rotation where possible
- Strict access control on sensitive credentials
- Integration with automation workflows
Trust Levels
Identity types are associated with different trust levels:
| Identity Type | Trust Level |
|---|---|
| Public users | Low |
| Service accounts | Medium |
| Standard users | Medium |
| Administrative accounts | High |
| Security / privileged roles | Very High |
Access control mechanisms must align with these levels: the higher the trust level, the stronger the authentication required (MFA for administrative and privileged access) and the more complete the logging of what that identity does.
Identity & Risk Alignment
Identity and access management are central to multiple risk scenarios:
- unauthorized access to systems
- credential compromise
- privilege escalation
- lateral movement across infrastructure
Access control decisions must therefore be directly linked to:
- risk scenarios
- control definitions
- validation mechanisms
Evolution
Identity and access management is one of the main improvement areas in the lab.
Planned evolutions include:
- deployment of centralized identity services
- consistent MFA enforcement
- bastion-based administrative access
- improved access traceability and auditing
Current Maturity
At the current stage, identity and access management is considered partially established.
Established
- use of unique identities per service
- secure credential storage practices
- basic access control discipline
- initial separation of roles (Sec / Ops / Dev)
In Progress
- consistent MFA deployment across sensitive systems
- definition of centralized identity architecture
- improved separation between personal and administrative environments
- formalization of access control policies
Planned / Next Phase
- deployment of centralized identity provider (LDAP / AD)
- enforcement of bastion-based administrative access
- implementation of RBAC across systems
- improved traceability and audit of access activities
This section reflects a transitional state and will evolve as identity controls are strengthened.