Identity & Access Management
Bring order to who can access what, across the whole identity lifecycle.
Most breaches start with an identity, not a firewall.
Getting access right, who can reach what, and when, removes a large share of the risk before an attacker ever gets near your data. It also makes joiners, movers and leavers far less painful for the business.
We bring order to the identity lifecycle, from onboarding to privileged access.
Our work includes
- ✓Identity lifecycle and joiner-mover-leaver process
- ✓Multi-factor authentication
- ✓Role-based access control
- ✓Privileged access management
- ✓Integration across HR and IT systems
Four layers, one identity decision.
Identity is not one product, it is four layers working together. Each layer answers a different question, and every layer feeds the others.
Phishing-resistant by default.
Move past passwords. FIDO2 keys, Windows Hello and passkeys close the phishing path; Microsoft Authenticator covers the rest. SMS only as a stopgap, on the way out.
Delivered by
One sign-in, every decision.
Apps federate to Entra. Every access decision considers identity, device compliance, location and risk before allowing, challenging or blocking. SSO removes the password sprawl that breeds reuse.
Delivered by
See identity attacks. Stop them.
Detection for the things authentication alone misses: anomalous sign-in patterns, lateral movement, credential abuse, token theft. Risky-user signal feeds Conditional Access automatically.
Delivered by
Admin power, vaulted and timed.
Domain admins, root, service accounts, cloud owners and trading-system credentials vaulted, rotated, brokered, recorded. Just-in-time elevation; no standing privilege.
Delivered by
Past the password, properly.
The password is the weakest link in identity. Passwordless does not strip security off, it strips off the bit that gets stolen. Same user, simpler sign-in, no credential for an attacker to harvest.
The new standard, signed in with a biometric.
A cryptographic credential bound to the device and unlocked by Face ID, Touch ID or Windows Hello. Cannot be phished, cannot be reused, syncs through the user’s platform.
Best for
Sign in to Windows without a password.
PIN or biometric, bound to the TPM on each laptop. Phishing-resistant, fast, and works for both the Entra cloud sign-in and the Windows desktop logon together.
Best for
Hardware key, for the highest-privilege roles.
YubiKey-class hardware. Plug, tap, signed in. The right fit for admin accounts, treasury, trading, and break-glass. Phishing-resistant by design.
Best for
Passwordless on the Microsoft Authenticator app.
No password typed; the user approves the sign-in on their phone with biometric. A practical, low-friction passwordless option for everyday workforce sign-in.
Best for
Touch ID into your Mac, with Entra credentials.
JAMF Connect lets macOS users sign in with their Entra password or passwordless flow, including Touch ID. One identity across Windows and Mac, no Mac-only password to maintain.
Best for
A passwordless path even when the primary one fails.
Multiple registered methods, recovery codes vaulted in Delinea, and a documented break-glass account with FIDO2 keys held secure. Passwordless does not mean lockout.
Best for
MFA on every sign-in. Not just the cloud ones.
Entra MFA gates the cloud. But Windows desktop logon, Mac sign-in, RDP, legacy apps and lateral service-account access do not pass through Entra. CrowdStrike Falcon Identity Protection adds an MFA gate to those too, in real time.
Workstation MFA at logon
Falcon Identity challenges users for MFA on Windows and Mac sign-in, including for local accounts the cloud cannot see.
RDP and legacy apps
Step-up MFA in front of Remote Desktop and legacy authentication (NTLM, Kerberos) without rewriting the app.
Service accounts that move
Catch lateral pivots in real time: anomalous service-account use triggers MFA challenge or block at the moment of attempt.
When the tools talk to each other, identity gets smarter.
Risk does not sit in one tool. CrowdStrike sees endpoint and identity threat. Netskope sees web, SaaS and AI behaviour. Mimecast Incydr sees data leaving. We wire those signals into Entra ID so identity decisions react automatically, in seconds, not in tickets.
Endpoint compromise → identity tightens
CrowdStrike detects credential theft on a device. The user is added to the risky-user group; Conditional Access forces step-up MFA on the next sign-in or blocks until compliant.
Anomalous AI behaviour → access narrows
Netskope sees a user pasting sensitive content into public AI. The risky-user signal lifts; Conditional Access narrows what they can reach until reviewed.
Insider risk → sensitive apps gated
Mimecast Incydr flags large outbound transfers. The same user can no longer reach sensitive SharePoint sites until HR reviews; sessions and refresh tokens revoked.
No more separate Mac password.
JAMF Connect lets Mac users sign in with their Entra ID credentials, just like a Windows user. One identity, MFA enforced, Conditional Access honoured, across the whole fleet.
Power, without the password problem.
Privileged accounts are the keys to the kingdom. The most reliable way to keep them safe is for the people using them to never actually see the password. Delinea makes that practical, including for the contractors you cannot put on a corporate device.
Passwords stored once, rotated every use
Every admin, service, cloud and treasury credential lives in Secret Server encrypted, with automatic rotation on check-in or schedule. No static passwords in spreadsheets, no shared notebook on a senior’s desk.
Users never see the credential
Sessions are proxied through Delinea. The user clicks Connect; Delinea opens an RDP, SSH or SQL session with the credential it owns. The password is never displayed, copied or typed by a human.
Access without ever providing credentials
External counsel, vendors and short-term staff get a managed identity that brokers them straight into AVD or the target system. Time-boxed by ticket; revoked on a click; fully session-recorded for audit.
Local admin rights, only when justified
Delinea Privilege Manager elevates a single action on an endpoint, with reason captured, instead of standing local admin. The most common privilege escalation path closes overnight.
Every privileged session, video and keystroke
RDP, SSH, browser admin sessions captured end-to-end. Searchable by action; reviewable by audit; the answer to "show me everything that happened during change weekend".
1Password for the credentials PAM does not own
PAM is for privileged. 1Password Business is for everyone else: shared logins, vendor portals, dev secrets, anything not yet behind SSO. Tied into Entra via SCIM provisioning.
Cloud admin power, time-boxed by default.
Microsoft Entra Privileged Identity Management (PIM) converts permanent admin roles into time-boxed activations. Admins remain eligible; access only goes live with MFA, justification, and (where sensitive) approver sign-off. Standing global admins disappear.
No standing admins. Anywhere.
Global Admin, Privileged Role Admin, Application Admin and every other sensitive role becomes eligible, not assigned. Standing admin power is the single biggest risk in a Microsoft tenant; PIM removes it.
Phishing-resistant MFA at activation
Every activation re-prompts for MFA, and policy can require phishing-resistant methods (FIDO2, Windows Hello) for the most sensitive roles. The credential alone never grants access.
Every activation has a paper trail
Activation requires a written reason and (optionally) a change-ticket reference. When something goes wrong, the audit answer is one query, not a forensics project.
Sensitive roles require a second pair of eyes
Global Admin and Privileged Role Admin activations route to a designated approver. The activator never approves themselves; the approver never activates without justification.
1, 2, 4 or 8 hours, then it ends
Activations are time-boxed. The role expires automatically; another activation, with fresh MFA and justification, is required to continue. No forgotten admin sessions left running for weeks.
Eligibility itself is reviewed every quarter
PIM access reviews surface who is still eligible for what, evidenced for audit. High-privilege activations alert the security team in real time, so the security team sees them as they happen.
Entra PIM and Delinea PAM cover different ground. We deploy both.
Entra PIM owns just-in-time activation for Microsoft cloud admin roles (Global Admin, Exchange Admin, SharePoint Admin and the rest). Delinea owns the credentials and brokered access for everything beyond the cloud: domain admins, service accounts, treasury and trading systems, network device logins, third-party SaaS admin consoles. Together, every privileged session, anywhere, is time-boxed and recorded.
Joiners, movers, leavers, automated.
Identity lifecycle is where audit findings live. HR signals drive group membership; group membership drives access. Reviews are quarterly, evidenced, and quick.
Ready on day one
HR signal triggers Entra. Group membership applies the right access. Device shipped via Autopilot, signed in with Entra, MFA enforced on first sign-in.
Access changes when the role does
Role change in HR drives group changes. Old access lapses, new access appears. Quarterly access reviews evidence the change for audit and the regulator.
Access ends the moment HR says so
HR triggers a leaver signal. Conditional Access blocks new sessions; refresh tokens revoked; mailbox and OneDrive preserved per policy. No orphan accounts.
Why Cornerstone?
We are not another managed service you cannot leave. We design, implement and hand over secure systems your team can run, with the documentation and clarity to stay in control. No lock-ins, just results.
Identity is the new perimeter. Here is how we secure it.
MFA, Conditional Access, least privilege, PAM.
What is identity security?
Making sure the right people, on the right devices, can reach the right things, and no one else can. It combines authentication (MFA), authorisation (Conditional Access), least-privilege role design, and privileged access management.
Do we need MFA on everything?
Yes. Every interactive sign-in, every privileged account, every external-facing application. Modern phishing-resistant methods (Microsoft Authenticator, FIDO2 keys) are the target; SMS is the bare minimum and is being deprecated.
What is Conditional Access?
Microsoft Entra Conditional Access evaluates every sign-in in real time (user, device, location, risk) and decides whether to allow, challenge, restrict or block. It is how you enforce "from a compliant device only" or "block sign-ins from outside Australia".
What is least privilege?
Everyone gets only the access they actually need to do their job, for only as long as they need it. Time-bound roles, just-in-time elevation, and regular access reviews are the mechanics.
What is PAM (privileged access management)?
Tools and process for managing admin and service accounts: vaulting passwords, rotating them automatically, time-limited elevation, full session recording. We use Delinea. Without PAM, your most powerful accounts are also your weakest controls.
Why is identity called the new perimeter?
Because people sign in from anywhere, on anything, into apps that live everywhere. The old network boundary is gone; identity is the only consistent control plane left.