
Home / IT Security / IAM
Identity is the control plane. Everything else is downstream.
Who can reach what, proven and enforced — designed to the assurance levels of NIST SP 800-63-4.
The perimeter moved. It is now an identity, and it is being phished.
Credential abuse is not an edge case. It is the front door.
Once network location stopped meaning anything, identity became the thing an attacker actually needs. Which is why identity is where the engineering effort belongs: strong authentication, minimal standing privilege, and access that disappears the day someone leaves.
We design to NIST SP 800-63-4, the current revision of the Digital Identity Guidelines, which superseded Revision 3 on 1 August 2025. It separates assurance into three axes, and being explicit about them is what turns "we have MFA" into a defensible design.
SP 800-63-4 splits identity into three independent questions.
- IAL — Identity
- How confident are you that the person is who they claim to be? Governs proofing and enrolment: evidence, validation, verification.
- AAL — Authentication
- How strong is the login itself? Under SP 800-63-4, SMS one-time passcodes no longer satisfy AAL2 — which retires a control a great many organizations still rely on.
- FAL — Federation
- How much do you trust an assertion arriving from another party? Governs SSO, federation, and the handling of assertions.
What we build.
- Authentication
- Phishing-resistant MFA using FIDO2/WebAuthn and platform authenticators; passwordless where the estate allows it. Deliberate retirement of SMS OTP.
- Single sign-on
- SAML 2.0 and OAuth 2.0 / OpenID Connect. One identity, one revocation point.
- Authorization
- RBAC where roles are stable, ABAC where they are not. Least privilege and segregation of duties enforced, not documented.
- Lifecycle (JML)
- Joiner-mover-leaver automated through SCIM provisioning. Access granted on day one and removed on the last day — the leaver step is the one that is usually broken.
- Privileged access
- PAM with just-in-time elevation, session recording, and credential vaulting. No permanent administrators.
- Directory services
- Active Directory, Microsoft Entra ID, LDAP. Hygiene, group sprawl, and stale-account cleanup.
- Governance
- Periodic access reviews and certification, with evidence an auditor accepts.
- Zero trust
- Continuous verification: device posture and context evaluated per request, not once at the VPN.
What this maps to.
Can you revoke every access a leaver had, today, from one place?
If not, that is the engagement. Tell us what your identity estate looks like now.
Contact us- info@bstedge.com
- Response
- Within one business day
- Engagement
- Project, managed retainer, or advisory