Identity Security Breach Management

Accelerate your IAM projects with a proven process framework

A breach is something that no security leader likes to think about, nevermind deal with in real-time. Breaches can be particularly damaging when they are identity-related, both in terms of how long it takes to identify that a breach has occurred and in overall economic damage.

As part of Omada IdentityPROCESS+, an identity governance framework focusing on best practice processes, there are several key components to Identity Security Breach Management. These are critical to follow best practices, to ensure that business efficiency is optimized, security is tight, and compliance is met.

In the event of an incident where an organization suspects a breach, the security team may want to suspend access to one or more identities immediately to prevent the lateral spreading of the breach.

The identity security breach processes in IdentityPROCESS+ provide an emergency lockout description which enables the administrator to disable a user’s access to all on-premises and cloud-based systems.

This cross-system access suspension limits the company’s exposure to further breaches while an investigation is carried out and the user’s passwords are reset. An emergency lockout can be triggered using the automatic incident response process or manually carried out by an administrator.

Having a defined procedure for when an identity security breach occurs can limit the loss or corruption of sensitive data, limit lateral movement, and enable automation of emergency lockout. If not planned out in advance, the process to secure data can be incredibly lengthy. Identity Security Breach Management processes outlined in Omada’s IdentityPROCESS+ provide administrators with the ability to suspend all accounts associated with an identity that is suspected to be breached. This allows the administrator to reactivate access once the situation is under control.


Identity Security Breach Management Statistics for 2022:

  1. 83% of organizations had more than one data breach in the last year
  2. The cost of a data breach averaged USD 4.35 million
  3. Cyberattacks caused 90% of all data breaches
  4. The number of publicly reported data compromises in the U.S. totaled 1,802 in 2022

Source: Cost of Data Breach Report, Identity Theft Resource Center


Identity Security Breach Process

When an organization suspects that a user’s identity has been compromised, it is important to act quickly to limit any damage. If the company has not automated its identity security breach process, the IT department may spend valuable time creating an overview of which access the identity has and locking these down individually in the relevant business system. To address this, the following processes are included in the identity security breach management processes:

  1. Give administrators the ability to suspend all accounts associated with an identity
  2. Allow the administrator to reactivate the access once the situation is under control

The first step quickly stops an attacker from continuing to perform any network reconnaissance, stealing confidential or sensitive data, or causing disruption to operations by corrupting data or making critical business systems unusable. In addition, suspending breached accounts gives the company time to perform a technical investigation and to deal with the non-technical aspects of critical security incidents such as internal and external communications management, protecting the company’s reputation and brand, and fielding external calls from customers and the press.

The second step ensures that once investigations have established the causes of the breach and the security administrators have taken the necessary steps to ensure the breach will not reoccur, the locked identities can be quickly reactivated so that business operations can continue.

The IdentityPROCESS+ framework allows the identity security breach processes to be initiated manually. In addition, companies can also implement more advanced solutions by having the emergency lockout triggered by an external security solution, such as a security information and event management (SIEM) system, a user and entity behavior analytics (UEBA) system, or a threat analytics solution. As this process is automated, the emergency lockout takes place quicker, resulting in greater protection of the organization’s infrastructure.


Why Identity Security Breach Management is important

Why identity security breach management is important


The Identity Security Breach process area includes the following process groups and sub-processes:

  1. Suspend or Reactivate Access
    • Emergency lockout
    • Revoke emergency lockout

These sub-processes are further explained below.

Process Group: Suspend or Reactive Access

Enables administrators to quickly disable user accounts that they suspect have been breached and to re-enable accounts once investigations are complete and remedial actions have been implemented to prevent a repeat of the incident.

Emergency Lockout

Organizations need to be able to quickly disable user accounts belonging to an individual if they suspect that one or more of them have been compromised to prevent attackers from continuing to perform network reconnaissance, steal confidential or sensitive data, or cause disruption to operations by corrupting data or making critical business systems unusable.

Process description. In the event a user account is compromised, the emergency lockout process is used to set an identity to “locked” which disables access to all systems for that identity. To reduce the time to implement the lockout, this process shortcuts the need for permission from the employee’s manager which would be the normal procedure. As a result, it should only be used in emergency cases or if requested by authorities. Therefore, a process should be defined in written documentation for the company.

Best practice IGA system functionality. A manager or operation administrator starts the emergency lockout process in the IGA system and selects the identity they want to lock. For auditing purposes, they must input a reason why the identity is being blocked. The IGA system sets the identity to “locked,” and the assignment is set to “disabled.” While an identity is set to “locked,” the status cannot be overwritten by any external interface.

Technical process flow: 

1.  A suspected security breach means that immediate action is required.
2.  A manager or operation administrator starts the emergency lockout process.
3.  Managers can block any of their managed identities and must input a reason for auditing purposes.
4.  Operation administrators can block any identities and must input a reason for auditing purposes.
5.  The chosen identity is set to “locked” and assignment is set to “disabled”


Revoke Emergency Lockout

When an emergency lockout for an identity is no longer needed, managers and operation administrators need to quickly unlock the identities, so users can access their systems to continue working.

Process description. Once the situation causing an organization to lock out an account has been resolved, managers and operation administrators can reactivate the locked identities. This will reenable previous access to all target systems for the identity.

Best practice IGA system functionality. A manager or operation administrator starts the revoke emergency lockout process in the
IGA system and selects the identity they want to unlock. For audit auditing purposes, they must input a reason why the identity is to be unblocked. The IGA system then sets the identity “unlocked” and the assignment parameter is set back to “active.”

Technical Process Flow:

1.  The suspected breach is either discounted or the security situation resolved.
2.  A manager unblocks the identities that he / she manages, or an operation administrator unblocks any locked identity.
3.  A reason for the unblocking is given for auditing purposes.
4.  The identity is set to “unlocked,” and assignments are set to “active.”


Process Stakeholders

The identity security breach processes are started by the IGA team as they are trained to understand the implications of the emergency lockout procedures. Due to the nature of the potential incidents that could trigger the processes (e.g., employees misusing computer resources), HR needs to ensure that there are policies in place and that they are followed during any suspected incident.

Stakeholders in the identity security breach management process

  1. Human Resources (HR)
    • Need to ensure that HR policies are being followed
  2. IGA Team
    • The IGA team will start the emergency lockout process when a security breach or computer misuse internally is suspected.


Key Best Practice Recommendations

Create a Written Policy for the Security Breach Process

The use of the security breach process must be considered carefully as it involves removing access from individuals. The possible negative implications of using this process include unnecessarily restricting a user’s access to critical business systems or resources due to a suspected external or internal security breach, thus preventing users from carrying out their job.

However, as there are instances when disabling a user’s access is legitimate – such as when a security breach is detected or when inappropriate use of the systems is evident – there are times when this process needs to be used. Therefore, it is important for the organization to have a formal policy governing how this process should be used and what should be taken into consideration.

Ensure Limited Exposure to the Emergency Lockout

As the reasons for performing an emergency lockout can be sensitive – such as a security breach or a dishonest employee – organizations should put measures in place to limit the number of people who knows about the incident. If the suspicion turns out to be incorrect, then this will limit internal speculations as well as any breach of personal confidentiality. If the reasons for the emergency lockout turn out to be correct, then any necessary actions, such as internal disciplinary procedures or criminal investigations, will not be influenced by speculations.


Potential Insider Threat Indicators

Understanding potential insider threats enhances the cyber awareness of any organization. Do you know how to recognize potential insider threat indicators? Read our blog to learn common indicators and how to stop insider threats.

Read blog


The Identity Security Breach processes make it easy for administrators to temporarily disable user access when they suspect that the accounts are being used for malicious purposes either by the users themselves or by an external attacker. As this is a powerful process, it needs to be handled carefully, and the implications of using it need to be documented and understood by anyone who could use it.

Identity Security Breach Management Solution Brief Cover

Get a summary of Identity Security Breach Management

Having a defined procedure for when an Identity Security breach occurs can limit the loss or corruption of sensitive data, limit lateral movement, and enable automation of emergency lockout. Identity Security Breach Management processes outlined here provide administrators with a proven best-practice framework.


Download PDF

Frequently Asked Questions

What is an identity security breach?

An identity security breach occurs when someone or something gains unauthorized access to the data associated with a person’s identity. This could be a malicious attack or accidental, like leaving confidential data on an unsecured server. In either case, it’s important to have processes and policies in place to protect identity information from being accessed by unauthorized parties. Without proper guidance and support, organizations may find themselves vulnerable to ongoing breaches.

What are the most common steps in an identity security breach process?

The first step is to identify and isolate the compromised data. This can be done through intrusion detection systems or manual investigation. Next, a detailed assessment should be conducted to determine how the breach occurred and what data was exposed. After that, the affected individuals should be notified of the breach and appropriate steps taken to protect their identity information. Finally, the organization needs to take measures to prevent similar breach events in the future.

What are some best practices for preventing identity security breaches?

Organizations should have robust identity management solutions in place, such as access controls, identity access management systems, and encryption protocols. They should also have comprehensive identity security breach policies that outline processes for detecting, responding to, and preventing breaches. Finally, organizations should perform regular audits of their identity security systems to ensure they are up-to-date with the latest security practices.

What are some common mistakes organizations make when it comes to identity security breach management?

One of the most common mistakes is failing to recognize signs of a potential breach. Organizations should proactively monitor unusual activity, such as sudden spikes in login attempts or unexpected access requests. Another mistake is not taking appropriate measures once a breach has been identified. Organizations should have an established program in place for responding to a breach. In addition, they should ensure that all affected individuals are notified in a timely manner to mitigate any further security risks.

What else should organizations be aware of when it comes to identity security breaches?

Organizations should be aware of the legal implications of a data breach. Depending on the type of data exposed, additional compliance requirements like reporting to regulators or providing affected individuals with credit monitoring services may exist. Organizations should also ensure that they have adequate insurance coverage in the event of a data breach.

Let's Get

Let us show you how Omada can enable your business.