State government identity modernization at scale: what it changes


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: A state government IT agency modernized identity for more than 145,000 users by extending RSA into a cloud-first Microsoft environment, adding phishing-resistant authentication, self-service, and help desk verification controls, according to RSA Security. The case shows that zero trust programs at public-sector scale depend on hybrid coverage, not cloud-only identity assumptions.

NHIMG editorial — based on content published by RSA Security: Modernizing Identity at Scale

Questions worth separating out

Q: How should organisations extend identity controls across hybrid Microsoft and on-premises environments?

A: They should preserve a single policy and audit model while extending authentication to the environments that Entra or similar cloud tools do not fully cover.

Q: Why does help desk identity verification belong in IAM governance?

A: Because support staff can become an attack path when recovery and reset workflows rely on weak proofing.

Q: What do teams get wrong about phishing-resistant MFA programmes?

A: They often focus on the factor type and ignore deployment coverage, recovery design, and operational consistency.

Practitioner guidance

  • Map the hybrid control boundary: Document which applications, authentication methods, and recovery workflows sit outside your cloud IAM control plane.
  • Treat help desk recovery as a privileged workflow: Require stronger identity assurance for resets, enrollment, and account recovery than for routine sign-in.
  • Preserve existing tokens while adding phishing resistance: Plan a transition path that keeps hardware and software tokens working while introducing FIDO2, biometrics, QR, and passwordless options.

What's in the full article

RSA Security's full case study covers the operational detail this post intentionally leaves for the source:

  • How the hybrid deployment used Identity Routers to preserve existing token estates without re-enrollment
  • The exact self-service and help desk workflow changes that reduced manual identity support load
  • The Microsoft Entra integration pattern across SAML, OIDC, and external authentication methods
  • The compliance and hardware assurance details behind CJIS, FedRAMP, and FIPS-aligned authentication

👉 Read RSA Security's case study on modernizing identity at state government scale →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Hybrid identity is now a governance problem, not just an integration problem. The article shows that the agency could not rely on a cloud-only or on-prem-only model because different assurance requirements existed in parallel. That is a classic identity governance split: policy consistency, auditability, and recovery need to follow the user across domains. Practitioners should treat hybrid coverage as a control objective, not a migration phase.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why identity programmes still fail when governance depends on incomplete inventories.

A question worth separating out:

Q: How do you know if identity modernization is actually improving governance?

A: Look for fewer manual resets, better audit visibility, and a consistent authentication experience across cloud, hybrid, and on-premises systems. If reporting still depends on spreadsheets or if support remains a major trust boundary, governance has not materially improved. Real improvement shows up in evidence, not just in user-facing convenience.

👉 Read our full editorial: Zero trust identity modernization in state government at scale



   