GambleHub

Identity Audit

1) Purpose and result

Goal: provable compliance with the Zero Trust and least-privilege principles through regular verification of who has what access, where, and why.
Result: a complete and up-to-date register of identities and rights with confirmed owners, "frozen" (dormant) access eliminated, and a formalized evidence base for internal control and regulators.

2) Scope

Internal users: staff, interns, supervisors, temporary roles.
Contractors/partners: game studios, PSP/KYC/AML providers, affiliates.
Service identities: bots, CI/CD, integrations, keys and API tokens.
Privileged roles: infrastructure/database admins, Payments, Risk, Trading.
Players (in the KYC context): consistency of the linkage account ↔ KYC profile ↔ RG/AML statuses (we check the processes, not the content of the documents).

3) Terms and principles

Identity: a unique entity (person/service) with attributes.
Entitlement: a specific right/role for a resource.
JML: Joiner → Mover → Leaver, the identity life cycle.
SoD: segregation of duties for high-risk operations.
Least Privilege & Just-in-Time (JIT): minimum set of rights granted for a limited time.
Accountability: each identity has an owner, each right has a business case and a term.

4) Sources of truth and data model

HRIS/HR system: primary source of employee status (hire/move/exit).
IdP/SSO: single authentication point (MFA/FIDO2), federation.
IAM/IGA: catalog of roles, policies, and recertification processes.
CMDB/service catalog: ownership of systems and access perimeters.
Provider platforms: PSP/KYC/CDN/WAF/game providers, i.e. external access portals.
Model: Identity → (belongs to) → Org Unit/Team → (has) → Roles → (expanded via ABAC) → Entitlements → (applied to) → Resources.

5) Controls audited

1. SSO and MFA everywhere (no local accounts, no shared accounts).
2. RBAC/ABAC/PBAC: rights described by policies (policy-as-code); roles are standardized and consistent.
3. SoD: incompatible roles and exceptions are formalized.
4. JIT/PAM: temporary elevation with a ticket, session recording and automatic revocation.
5. Secrets/keys: stored in a secrets manager, with rotation and lifetimes.
6. Logs and provability: tamper evidence, coherent tracing of who/what/where/when/why.
7. Data access: PII masking; export only via a workflow with encryption and TTL.

6) Audit process (end-to-end)

1. Preparation: freeze an entitlements snapshot per system; export from IdP/IAM/providers.
2. Normalization: map roles to the catalog, deduplicate, group by resource owner.
3. Risk categorization: P1/P2 (privileged and sensitive) are verified first.
4. Rights recertification: system owners confirm or reject rights (access review campaigns).
5. SoD check: incompatible combinations and temporary exceptions (with expiry dates).
6. JML reconciliation: match hire/move/exit events against actual rights (external portals included).
7. Service accounts: owner present, short-lived tokens, no "god scope".
8. Evidence base: assemble the artifact package (reports, exports, sign-offs).
9. Remediation plan: tickets for revocation/correction, with deadlines and responsible persons.
10. Final report: risk status, cycle KPIs, lessons learned and policy improvements.
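Steps 5-7 above (SoD check, JML reconciliation, service-account review) and the KRIs in section 12 are mechanical once the snapshot is normalized. The script below is an added example, not GambleHub's tooling: it reconciles a constructed HRIS export against a constructed entitlements snapshot and SoD matrix and returns the findings an audit pack records (frozen leaver access, SoD conflicts, entitlements without an owner, rights unused for more than N days, and the leaver MTTR KPI). All records and field names are assumptions made for the example.

```python
"""Added example, not GambleHub's own tooling: reconcile an HRIS export against an
entitlements snapshot and a SoD matrix to produce the findings an identity audit
looks for. All records are constructed sample data; the field names are assumptions."""
from datetime import date, datetime
from itertools import combinations

# Constructed HRIS export: employment status per person.
HRIS = {
    "alice": {"status": "active", "team": "payments"},
    "bob":   {"status": "left",   "left_at": "2024-03-01T10:00:00"},
    "carol": {"status": "active", "team": "risk"},
}

# Constructed entitlements snapshot merged from IdP/IAM and external provider portals.
SNAPSHOT = [
    {"identity": "alice", "system": "psp-portal", "role": "payment-routing-editor",
     "owner": "head-of-payments", "last_used": "2024-03-10", "revoked_at": None},
    {"identity": "alice", "system": "psp-portal", "role": "payment-approver",
     "owner": "head-of-payments", "last_used": "2024-03-09", "revoked_at": None},
    {"identity": "bob", "system": "vpn", "role": "employee",
     "owner": "it-ops", "last_used": "2024-02-28", "revoked_at": "2024-03-01T14:30:00"},
    {"identity": "bob", "system": "kyc-portal", "role": "reviewer",   # external portal, never revoked
     "owner": "compliance", "last_used": "2024-02-27", "revoked_at": None},
    {"identity": "carol", "system": "bi", "role": "pii-export",
     "owner": "head-of-risk", "last_used": "2023-11-01", "revoked_at": None},
    {"identity": "svc-ci-deploy", "system": "k8s", "role": "cluster-admin",
     "owner": None, "last_used": "2024-03-11", "revoked_at": None},
]

# Constructed SoD matrix: unordered pairs of roles one identity must not hold together.
SOD_MATRIX = {frozenset({"payment-routing-editor", "payment-approver"})}


def active(snapshot):
    """Entitlements that are still granted (no revocation timestamp)."""
    return [e for e in snapshot if e["revoked_at"] is None]


def frozen_access(hris, snapshot):
    """Leavers (per HRIS) who still hold a live entitlement anywhere, portals included."""
    return sorted((e["identity"], e["system"], e["role"]) for e in active(snapshot)
                  if hris.get(e["identity"], {}).get("status") == "left")


def sod_conflicts(snapshot, matrix):
    """Identities holding an incompatible pair of roles from the SoD matrix."""
    held = {}
    for e in active(snapshot):
        held.setdefault(e["identity"], set()).add(e["role"])
    return sorted((ident, a, b) for ident, roles in held.items()
                  for a, b in combinations(sorted(roles), 2)
                  if frozenset({a, b}) in matrix)


def without_owner(snapshot):
    """Live entitlements with no accountable owner (typically service accounts)."""
    return sorted({e["identity"] for e in active(snapshot) if not e["owner"]})


def stale(snapshot, today, max_idle_days):
    """Live entitlements unused for more than max_idle_days (the 'unused rights > N days' KRI)."""
    return sorted((e["identity"], e["system"], e["role"]) for e in active(snapshot)
                  if (today - date.fromisoformat(e["last_used"])).days > max_idle_days)


def leaver_mttr_hours(hris, snapshot):
    """Mean hours from HR exit time to revocation, over revoked leaver entitlements (KPI).
    Entitlements that were never revoked show up in frozen_access() instead, so a
    good MTTR alone does not prove the leaver process is complete."""
    hours = []
    for e in snapshot:
        person = hris.get(e["identity"])
        if person and person["status"] == "left" and e["revoked_at"]:
            left = datetime.fromisoformat(person["left_at"])
            revoked = datetime.fromisoformat(e["revoked_at"])
            hours.append((revoked - left).total_seconds() / 3600)
    return sum(hours) / len(hours) if hours else None


def audit(hris=HRIS, snapshot=SNAPSHOT, matrix=SOD_MATRIX,
          today=date(2024, 3, 12), max_idle_days=90):
    """Run every check over one snapshot and return the findings as an evidence record."""
    return {
        "frozen_access": frozen_access(hris, snapshot),
        "sod_conflicts": sod_conflicts(snapshot, matrix),
        "without_owner": without_owner(snapshot),
        "stale": stale(snapshot, today, max_idle_days),
        "leaver_mttr_hours": leaver_mttr_hours(hris, snapshot),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

On the constructed data the run reports bob's unrevoked KYC-portal access (the external-portal gap step 6 warns about), alice's SoD conflict between routing editor and approver, the ownerless CI service account, carol's PII export right idle for over 90 days, and a 4.5-hour leaver MTTR for the one revocation that did happen. Each finding maps directly to a remediation ticket in step 9.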

7) JML contours (which we check deeper)

Joiner: automatic assignment of basic roles, prohibition of manual "additions" outside the directory.
Mover: change of team/location → automatic replacement of roles, revocation of old privileges.
Leaver: revocation of all rights within X minutes/hours; closure of mail/VPN/provider portals; disabling of keys and tokens.

8) External dependencies and portals

PSP/KYC/AML/CDN/WAF/game providers: each account has an owner, a purpose, an expiry date and MFA; shared accounts are banned.
Contractual SoD/SLA: dual control for P1 operations (changing payment routing, bonus limits, etc.).
Regular reconciliation: register of external portals ↔ list of current users ↔ recertification results.

9) Features of the iGaming domain

Payments & Risk: dedicated SoD rules; sign-off on changes to limits/routing; audit of manual adjustments.
Trading/odds: sandboxes for modeling, separate publishing roles, quick rollback, change log.
Responsible Gaming/KYC/PII: strict export control, masking in BI, SLAs for handling regulator requests.
Affiliates and streamers: limited portals with reporting capabilities without access to PII.

10) Policies as Code (PaC)

Policies live in a repository (Rego/YAML) with PR review and tests.
Dynamic context in allow/deny decisions: environment (prod), time, location, criticality of the operation, KRI signals (for example, a surge of sensitive actions).
Mandatory binding to a ticket and a stated purpose for JIT elevation.
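The three points above describe one decision function. The block below is an added example and not GambleHub's policy; it is also not Rego/OPA, but a Python stand-in with the same structure so that the decision logic can be run and unit-tested offline. It evaluates a JIT elevation request against the mandatory ticket binding and the dynamic context listed (environment, time, location, criticality, KRI signal), caps the TTL by criticality, and collects every denial reason rather than stopping at the first so the audit log shows the full picture. The thresholds, allowed locations, change window, ticket store and request fields are all assumptions constructed for the example.

```python
"""Added example, not GambleHub's policy and not OPA/Rego: a Python stand-in that
evaluates a JIT elevation request with ticket binding and dynamic context.
Thresholds, the ticket store and the request fields are constructed assumptions."""
from datetime import datetime, timedelta

MAX_TTL_MINUTES = {"P1": 60, "P2": 240, "P3": 480}   # TTL cap by operation criticality
PROD_LOCATIONS = {"CY", "MT", "UA"}                    # assumed countries allowed for prod
CHANGE_WINDOW_HOURS = range(8, 20)                     # P1 changes only 08:00-19:59
KRI_SURGE_THRESHOLD = 20                               # sensitive actions per hour, tenant-wide

# Constructed ticket store: ticket id -> approved change binding subject, role and validity.
TICKETS = {
    "CHG-1042": {"subject": "alice", "role": "psp-routing-admin", "approved": True,
                 "valid_until": "2024-03-12T18:00:00"},
    "CHG-1043": {"subject": "dave", "role": "psp-routing-admin", "approved": False,
                 "valid_until": "2024-03-12T18:00:00"},
}

# Constructed request as the PAM front end would submit it.
SAMPLE_REQUEST = {
    "identity": "alice", "role": "psp-routing-admin", "environment": "prod",
    "criticality": "P1", "ticket": "CHG-1042", "purpose": "re-route PSP-B after outage",
    "mfa": "fido2", "location": "CY", "ttl_minutes": 120,
}


def evaluate(request, now_iso, kri_sensitive_actions_last_hour=0, tickets=TICKETS):
    """Return {"allow", "reasons", "ttl_minutes", "expires_at"}. The caller passes the
    evaluation time so the decision is reproducible when the audit trail is replayed."""
    now = datetime.fromisoformat(now_iso)
    crit = request["criticality"]
    reasons = []

    # Ticket binding is mandatory; the ticket must be approved, match subject and role, and be valid.
    ticket = tickets.get(request.get("ticket"))
    if ticket is None:
        reasons.append("no ticket bound to the request")
    elif not ticket["approved"]:
        reasons.append(f"ticket {request['ticket']} is not approved")
    elif (ticket["subject"], ticket["role"]) != (request["identity"], request["role"]):
        reasons.append(f"ticket {request['ticket']} does not cover this subject/role")
    elif datetime.fromisoformat(ticket["valid_until"]) < now:
        reasons.append(f"ticket {request['ticket']} has expired")
    if not request.get("purpose"):
        reasons.append("purpose is required")

    # Environment and location context: prod demands phishing-resistant MFA and an allowed location.
    if request["environment"] == "prod":
        if request.get("mfa") != "fido2":
            reasons.append("prod elevation requires phishing-resistant MFA (FIDO2)")
        if request.get("location") not in PROD_LOCATIONS:
            reasons.append(f"location {request.get('location')} is not allowed for prod")

    # Time context: P1 operations only inside the change window.
    if crit == "P1" and now.hour not in CHANGE_WINDOW_HOURS:
        reasons.append("P1 elevation outside the change window (08:00-20:00)")

    # KRI signal: a surge of sensitive actions freezes P1 elevations until reviewed.
    if crit == "P1" and kri_sensitive_actions_last_hour > KRI_SURGE_THRESHOLD:
        reasons.append("KRI surge: P1 elevations frozen pending review")

    allow = not reasons
    ttl = min(request.get("ttl_minutes", MAX_TTL_MINUTES[crit]), MAX_TTL_MINUTES[crit])
    return {
        "allow": allow,
        "reasons": reasons,
        "ttl_minutes": ttl if allow else 0,
        "expires_at": (now + timedelta(minutes=ttl)).isoformat() if allow else None,
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_REQUEST, "2024-03-12T14:00:00"))
    print(evaluate(SAMPLE_REQUEST, "2024-03-12T14:00:00", kri_sensitive_actions_last_hour=25))
```

The same request is allowed at 14:00 with its requested 120 minutes cut to the P1 cap of 60, denied when the KRI counter is over threshold, denied when the bound ticket is unapproved or for another subject, and denied outside the change window. In a real deployment the rules would live in the repository as Rego/YAML with this kind of table-driven test run in CI on every PR.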

11) Journals and provability

Event chain: admin console/IdP → API → databases → external providers.
Tamper-evident: WORM/immutable storage, signed records, strict TTL.
Search and response: SLA for responding to internal/external requests (audit, regulator, bank/partner).

12) Metrics and KPI/KRI

KPI:
  • Share of rights confirmed on time (recertification); % of overdue campaigns.
  • Time from termination to complete revocation of rights (leaver MTTR).
  • Share of JIT elevations vs. standing privileges.
  • Number of resolved SoD conflicts per cycle.
  • Completeness of covered systems and external portals.
KRI:
  • Surges of sensitive actions (PII export, PSP changes).
  • Rights unused for more than N days.
  • Break-glass without post-audit.
  • Accounts without owner/purpose/term.

13) Implementation Roadmap (8-12 weeks)

Weeks 1-2: inventory of identities and systems (including external portals), role catalog and SoD matrix.
Weeks 3-4: SSO/MFA everywhere, a single collection of entitlements, the first snapshot reports.
Weeks 5-6: launch of IGA recertification campaigns (P1/P2 first), automatic revocation for leavers.
Weeks 7-8: JIT/PAM for production perimeters, session recording, ban on shared provider accounts.
Weeks 9-10: PaC: formalization of key policies (PII export, PSP routing, releases), unit tests for policies.
Weeks 11-12: KPI/KRI dashboards, quarterly cycle regulations, reporting for compliance/regulators.

14) Artifact patterns

Role Catalog: role, description, minimum privileges, owner, applicability (tenant/region/environment).
SoD Matrix - incompatible roles/operations, exceptions, exception term, and exception owner.
Access Review Pack: rights confirmation sheet, comments, result (approve/revoke/mitigate).
Service Account Register: purpose, owner, lifetime, scopes, storage location of secrets, rotation schedule.
External Portals Inventory: system, contacts, user list, MFA, last recertification date.
Evidence Checklist: what uploads/logs and in what format to store for audit.

15) Antipatterns

Shared accounts and "admin forever".
Manual issuing of rights bypassing IdP/IGA.
No SoD, or tolerance of "temporary exceptions" with no expiry date.
Service tokens without rotation or owner.
PII export "by email" without a workflow or encryption.
No audit of external portals (PSP/KYC/game providers).

16) Frequent audit finds and quick correction

Frozen access of dismissed staff/contractors: enable automatic revocation on HR events (Leaver).
Redundant roles: decompose into smaller roles and bind ABAC attributes.
Shared accounts with providers: migrate to personal accounts + MFA; issue temporary roles for rare tasks.
Long-lived secrets: move to short-lived tokens/certificates and scheduled rotation.

17) Link to incident management

Any incident with an access component → mandatory update of the risk register and policies, targeted recertification of the affected roles, post-mortem with action items (and deadlines).

Summary

Identity auditing is a repeatable, automated cycle: a complete register of identities and rights → risk-oriented recertification → strict JML and JIT/PAM → policies as code and provable audit → improvement based on the results of the cycle. This loop reduces the likelihood of abuse and errors, speeds up investigations, strengthens compliance and protects the key business operations of iGaming platforms.
