
Assess + Architect · Identity

Identity and access, from current state to target state.

Identity is the perimeter now, and most teams cannot say cleanly who and what can reach their systems. We map the current state, surface the standing and privileged access that should not exist, then design the target identity and Zero Trust model you build toward. One engagement reads where you are; the next decides what good looks like.


Scope agreed in writing before any work. No obligation.

02 Architect · The keystone

  • 01 Zero Trust · NIST SP 800-207
  • 02 Essential Eight · APRA CPS 234 · ISO 27001
  • 03 Human and machine identity in one model

[Figure: Identity to access · Zero Trust. Labels: Workforce, Service accts, Workloads; Standing admin; Over-privileged · remediate; MFA · least privilege; Policy · verify; Cloud, Apps, Data. Caption: Human and machine identity · one model]

Three positions identity tends to be in.

01

Access has outrun governance

Years of joiners, movers, and leavers, contractors, and acquisitions have left entitlements no one fully understands. Standing access accumulates because removing it feels risky and nobody owns the call. You need the real picture before you can tighten it.

02

Privileged access is the open question

Administrative rights, service accounts, and secrets are scattered across cloud and on-premise, and a single over-privileged account is the path most incidents actually take. The Essential Eight and APRA both put this at the centre, and so do we.

03

Modernising onto Zero Trust

You are moving off a flat network and a trusted perimeter toward identity-based access, and you want the target architecture decided deliberately rather than assembled one tool at a time.

The method

How we take identity from sprawl to design.

01

The real access picture, not the org chart

We inventory human and machine identity as it actually is: privileged accounts, service accounts, dormant and orphaned access, and the standing entitlements least privilege would never grant. The map reflects what your systems permit today, not what a policy says they should.

02

Measured against the controls that bind you

Posture is scored against the access controls you actually answer to: the Essential Eight strategies for restricting administrative privileges and enforcing multi-factor authentication, APRA CPS 234's access-management expectations, and the identity controls in ISO 27001 Annex A. One review, mapped to each.

03

Human and machine identity in one model

Workforce identity, customer identity where it touches your estate, and the workload identity, service accounts, and secrets that machines use are designed as one fabric on a Zero Trust footing (NIST SP 800-207), not as separate projects that never quite meet.

04

A target state with a path to it

The architecture defines the access model, segmentation, privileged-access management, and identity threat detection, then sequences a migration from where your estate is today. You leave knowing both the destination and the order of the moves.

What you are commissioning

Two engagements, current state to target state.

This page is backed by two named engagements: the assessment that maps your real identity and access posture, and the architecture that designs the target state and the path to it. Each is scoped on its own, and each stands alone.

Assess track · Typically 2–4 weeks

Identity and Access Management Assessment

Map who and what can reach your systems, and where that access goes wrong.

Best for teams where identity has sprawled faster than anyone has governed it.

Includes

  • Current-state review of human and machine identity: joiners, movers, and leavers, privileged access, service accounts, and standing entitlements
  • Access read against least privilege and segregation of duties, with the dormant, excess, and orphaned accounts surfaced
  • Posture measured against the controls that bind you: the Essential Eight strategies for restricting admin privileges and enforcing MFA, APRA CPS 234 access management, and ISO 27001 Annex A identity controls
  • A prioritised view of the gap between today's access model and the target state

Deliverables

  • Identity and access current-state report
  • Privileged-access and entitlement findings
  • Prioritised IAM gap register

Architect track · Typically 4–6 weeks

Identity and Zero Trust Architecture

A focused design for identity, access, and Zero Trust.

Best for teams modernising identity as the new perimeter.

Includes

  • IAM and PAM design on a Zero Trust footing (NIST SP 800-207)
  • Human and machine identity in one model: workload identity, service accounts, and secrets governance
  • Identity threat detection and response built into the identity fabric
  • Access model, segmentation, and a migration path from where your estate is today

Deliverables

  • Identity and access reference design
  • Zero Trust target architecture
  • Secrets governance model

The sequence

Assess what is, then architect what should be.

The two engagements run best in sequence, and the gate between them is a decision that stays yours.

  1. The assessment maps current-state access and privileged exposure, typically in two to four weeks
  2. The architecture designs the target identity and Zero Trust model, with a clear migration path
  3. Both resolve into the same gap register and unified control set as the wider program

Questions

What teams ask about this engagement.

Where does the assessment look first?

Privileged access, because that is where the exposure concentrates and where the Essential Eight and APRA both focus. From there we cover the joiner-mover-leaver lifecycle, service and machine accounts, dormant and orphaned entitlements, and how access is granted, reviewed, and removed across your cloud and on-premise estate.

Do you cover machine and workload identity, not just people?

Yes. Service accounts, workload identity, API credentials, and secrets are where modern access risk increasingly sits, and they are designed into the same model as workforce identity rather than left as an afterthought.

How does this relate to the Essential Eight and APRA CPS 234?

Both put identity at the centre: the Essential Eight through restricting administrative privileges and enforcing multi-factor authentication, CPS 234 through its access-management and accountability expectations. We assess against them directly and map every finding back, so the same work serves your Australian obligations and your ISO 27001 or SOC 2 program at once.

Do we have to take the architecture after the assessment?

No. The assessment stands on its own and ends in a prioritised gap register that is yours to act on. Many teams then commission the target-state architecture; others close the immediate gaps first and design later. The gate is a decision you control.

Is this a tool, or a design?

A design. We are independent of any identity vendor, our own platform included, so the target state is decided on your needs and only then matched to tooling, whether that is your existing identity provider extended properly or a consolidation onto one.


Scope it before you commit to it.

One conversation, then the scope and the price in writing. Your enquiry arrives already marked for identity & access management.

© 2026 Alvor, Inc. All rights reserved.
