Control access. Reduce risk.

Identity & Access Management

Bring order to who can access what, across the whole identity lifecycle.

Why this matters

Most breaches start with an identity, not a firewall.

Getting access right, who can reach what, and when, removes a large share of the risk before an attacker ever gets near your data. It also makes joiners, movers and leavers far less painful for the business.

What we do

We bring order to the identity lifecycle, from onboarding to privileged access.

Our work includes

  • Identity lifecycle and joiner-mover-leaver process
  • Multi-factor authentication
  • Role-based access control
  • Privileged access management
  • Integration across HR and IT systems
The outcome

The right people with the right access, and no one else.

Book a health check
The architecture

Four layers, one identity decision.

Identity is not one product, it is four layers working together. Each layer answers a different question, and every layer feeds the others.

Authentication

Phishing-resistant by default.

Move past passwords. FIDO2 keys, Windows Hello and passkeys close the phishing path; Microsoft Authenticator covers the rest. SMS only as a stopgap, on the way out.

Delivered by

Microsoft Entra IDFIDO2 / PasskeysWindows Hello
Conditional Access & SSO

One sign-in, every decision.

Apps federate to Entra. Every access decision considers identity, device compliance, location and risk before allowing, challenging or blocking. SSO removes the password sprawl that breeds reuse.

Delivered by

Conditional AccessEntra SSORisk policies
Identity Threat Detection

See identity attacks. Stop them.

Detection for the things authentication alone misses: anomalous sign-in patterns, lateral movement, credential abuse, token theft. Risky-user signal feeds Conditional Access automatically.

Delivered by

CrowdStrike Falcon IdentityDefender for IdentityEntra ID Protection
Privileged Access

Admin power, vaulted and timed.

Domain admins, root, service accounts, cloud owners and trading-system credentials vaulted, rotated, brokered, recorded. Just-in-time elevation; no standing privilege.

Delivered by

Delinea Secret ServerDelinea Privilege Manager1Password Business
Passwordless authentication

Past the password, properly.

The password is the weakest link in identity. Passwordless does not strip security off, it strips off the bit that gets stolen. Same user, simpler sign-in, no credential for an attacker to harvest.

PasswordOnlyBEATEN BYPhishingReuse, brute force+ SMS MFABare minimumBEATEN BYSIM swapSS7 intercept+ App MFAAuthenticator pushBEATEN BYMFA fatiguePush bombing, AiTMPasswordlessPhishing-resistant by designPROTECTED FROMPhishing · reuseSIM swap · AiTMNo password to stealWEAKERSTRONGER & SIMPLER
Passkeys

The new standard, signed in with a biometric.

A cryptographic credential bound to the device and unlocked by Face ID, Touch ID or Windows Hello. Cannot be phished, cannot be reused, syncs through the user’s platform.

Best for

iOSmacOSAndroidWindowsBrowser SSO
Windows Hello for Business

Sign in to Windows without a password.

PIN or biometric, bound to the TPM on each laptop. Phishing-resistant, fast, and works for both the Entra cloud sign-in and the Windows desktop logon together.

Best for

Windows laptopWindows desktop
FIDO2 security keys

Hardware key, for the highest-privilege roles.

YubiKey-class hardware. Plug, tap, signed in. The right fit for admin accounts, treasury, trading, and break-glass. Phishing-resistant by design.

Best for

AdminsTreasuryBreak-glass
Authenticator phone sign-in

Passwordless on the Microsoft Authenticator app.

No password typed; the user approves the sign-in on their phone with biometric. A practical, low-friction passwordless option for everyday workforce sign-in.

Best for

WorkforceHybrid workers
Mac with JAMF Connect

Touch ID into your Mac, with Entra credentials.

JAMF Connect lets macOS users sign in with their Entra password or passwordless flow, including Touch ID. One identity across Windows and Mac, no Mac-only password to maintain.

Best for

macOSMixed fleets
Break-glass and recovery

A passwordless path even when the primary one fails.

Multiple registered methods, recovery codes vaulted in Delinea, and a documented break-glass account with FIDO2 keys held secure. Passwordless does not mean lockout.

Best for

RecoveryResilience
MFA, properly

MFA on every sign-in. Not just the cloud ones.

Entra MFA gates the cloud. But Windows desktop logon, Mac sign-in, RDP, legacy apps and lateral service-account access do not pass through Entra. CrowdStrike Falcon Identity Protection adds an MFA gate to those too, in real time.

Cloud / SaaS sign-inM365, browser apps, federated SaaSWindows desktop logonLaptop, workstation, kioskMac sign-inmacOS, with Entra credentialsRDP / legacy appsServers, Kerberos, NTLM, on-premService & lateral accessService accounts, internal pivotsENTRA MFAPhishing-resistant, Conditional AccessCROWDSTRIKE FALCON IDENTITYMFA on Windows / Mac / RDP / legacyWhere Entra alone cannot reachMFA promptEVERY SIGN-IN GATED, NOT JUST THE EASY ONES
Use case 01

Workstation MFA at logon

Falcon Identity challenges users for MFA on Windows and Mac sign-in, including for local accounts the cloud cannot see.

Use case 02

RDP and legacy apps

Step-up MFA in front of Remote Desktop and legacy authentication (NTLM, Kerberos) without rewriting the app.

Use case 03

Service accounts that move

Catch lateral pivots in real time: anomalous service-account use triggers MFA challenge or block at the moment of attempt.

Signal sharing & automation

When the tools talk to each other, identity gets smarter.

Risk does not sit in one tool. CrowdStrike sees endpoint and identity threat. Netskope sees web, SaaS and AI behaviour. Mimecast Incydr sees data leaving. We wire those signals into Entra ID so identity decisions react automatically, in seconds, not in tickets.

CrowdStrike IdentityEndpoint & identity threatNetskope UEBAAnomalous web, SaaS, AI useMimecast IncydrInsider risk, data exfiltrationDefender XDREndpoint, email, identity signalRISK-AWARE IDENTITYEntra IDUser risk scoreRisky-user groupConditional Access policyAllowwith session controlsStep-up MFAphishing-resistant onlyBlock + revokesessions, refresh tokensRISK DECAYS WITH SAFE BEHAVIOUR, RE-ELEVATES WITH NEW SIGNAL
Closed loop 01

Endpoint compromise → identity tightens

CrowdStrike detects credential theft on a device. The user is added to the risky-user group; Conditional Access forces step-up MFA on the next sign-in or blocks until compliant.

Closed loop 02

Anomalous AI behaviour → access narrows

Netskope sees a user pasting sensitive content into public AI. The risky-user signal lifts; Conditional Access narrows what they can reach until reviewed.

Closed loop 03

Insider risk → sensitive apps gated

Mimecast Incydr flags large outbound transfers. The same user can no longer reach sensitive SharePoint sites until HR reviews; sessions and refresh tokens revoked.

Every device, one identity

No more separate Mac password.

JAMF Connect lets Mac users sign in with their Entra ID credentials, just like a Windows user. One identity, MFA enforced, Conditional Access honoured, across the whole fleet.

ONE IDENTITYEntra IDSSO, MFA, CAWindowsEntra-joined, Intune-managedMicrosoft IntuneMacSign in with Entra credentialsJAMF Connect + Jamf ProiOS / iPadOSEntra-enrolled, MAM or MDMIntune, optional JAMFAndroidWork profile, MAM or MDMMicrosoft Intune
Privileged access, in depth

Power, without the password problem.

Privileged accounts are the keys to the kingdom. The most reliable way to keep them safe is for the people using them to never actually see the password. Delinea makes that practical, including for the contractors you cannot put on a corporate device.

Admin orcontractorDELINEA SECRET SERVERVault & brokerPassword vaultEncrypted, auto-rotatedSession recordedKeystroke + videoDomain controllersAD, LDAP, on-prem identityServers & databasesProduction, finance, treasuryAVD jump sessionsContractor access without endpointCloud admin consolesAzure, AWS, GCP, SaaS adminREQUESTACCESS IS BROKERED, TIME-BOXED, AND AUTOMATICALLY REVOKED WHEN THE SESSION ENDS
Vault & rotate

Passwords stored once, rotated every use

Every admin, service, cloud and treasury credential lives in Secret Server encrypted, with automatic rotation on check-in or schedule. No static passwords in spreadsheets, no shared notebook on a senior’s desk.

Brokered access

Users never see the credential

Sessions are proxied through Delinea. The user clicks Connect; Delinea opens an RDP, SSH or SQL session with the credential it owns. The password is never displayed, copied or typed by a human.

Contractor pattern

Access without ever providing credentials

External counsel, vendors and short-term staff get a managed identity that brokers them straight into AVD or the target system. Time-boxed by ticket; revoked on a click; fully session-recorded for audit.

Just-in-time elevation

Local admin rights, only when justified

Delinea Privilege Manager elevates a single action on an endpoint, with reason captured, instead of standing local admin. The most common privilege escalation path closes overnight.

Session recording

Every privileged session, video and keystroke

RDP, SSH, browser admin sessions captured end-to-end. Searchable by action; reviewable by audit; the answer to "show me everything that happened during change weekend".

Everyone else, covered

1Password for the credentials PAM does not own

PAM is for privileged. 1Password Business is for everyone else: shared logins, vendor portals, dev secrets, anything not yet behind SSO. Tied into Entra via SCIM provisioning.

Just-in-time admin access

Cloud admin power, time-boxed by default.

Microsoft Entra Privileged Identity Management (PIM) converts permanent admin roles into time-boxed activations. Admins remain eligible; access only goes live with MFA, justification, and (where sensitive) approver sign-off. Standing global admins disappear.

STATE 01EligibleNo active admin rightsSTATE 02ActivateMFA challengeJustification & ticket refApprover sign-off (optional)Every activation, gatedSTATE 03ActiveRole granted for 1–8 hoursAUTO-EXPIRES · EVERY ACTIVATION LOGGED · ACCESS REVIEWED EVERY QUARTERREQUESTGRANTED
Eligible, not active

No standing admins. Anywhere.

Global Admin, Privileged Role Admin, Application Admin and every other sensitive role becomes eligible, not assigned. Standing admin power is the single biggest risk in a Microsoft tenant; PIM removes it.

Step-up MFA

Phishing-resistant MFA at activation

Every activation re-prompts for MFA, and policy can require phishing-resistant methods (FIDO2, Windows Hello) for the most sensitive roles. The credential alone never grants access.

Justification & ticket reference

Every activation has a paper trail

Activation requires a written reason and (optionally) a change-ticket reference. When something goes wrong, the audit answer is one query, not a forensics project.

Approval workflows

Sensitive roles require a second pair of eyes

Global Admin and Privileged Role Admin activations route to a designated approver. The activator never approves themselves; the approver never activates without justification.

Time-boxed windows

1, 2, 4 or 8 hours, then it ends

Activations are time-boxed. The role expires automatically; another activation, with fresh MFA and justification, is required to continue. No forgotten admin sessions left running for weeks.

Access reviews & alerts

Eligibility itself is reviewed every quarter

PIM access reviews surface who is still eligible for what, evidenced for audit. High-privilege activations alert the security team in real time, so the security team sees them as they happen.

How it fits together

Entra PIM and Delinea PAM cover different ground. We deploy both.

Entra PIM owns just-in-time activation for Microsoft cloud admin roles (Global Admin, Exchange Admin, SharePoint Admin and the rest). Delinea owns the credentials and brokered access for everything beyond the cloud: domain admins, service accounts, treasury and trading systems, network device logins, third-party SaaS admin consoles. Together, every privileged session, anywhere, is time-boxed and recorded.

Microsoft Entra PIMDelinea Secret ServerDelinea Privilege Manager
The lifecycle

Joiners, movers, leavers, automated.

Identity lifecycle is where audit findings live. HR signals drive group membership; group membership drives access. Reviews are quarterly, evidenced, and quick.

01
Joiner

Ready on day one

HR signal triggers Entra. Group membership applies the right access. Device shipped via Autopilot, signed in with Entra, MFA enforced on first sign-in.

02
Mover

Access changes when the role does

Role change in HR drives group changes. Old access lapses, new access appears. Quarterly access reviews evidence the change for audit and the regulator.

03
Leaver

Access ends the moment HR says so

HR triggers a leaver signal. Conditional Access blocks new sessions; refresh tokens revoked; mailbox and OneDrive preserved per policy. No orphan accounts.

Why Cornerstone?

We are not another managed service you cannot leave. We design, implement and hand over secure systems your team can run, with the documentation and clarity to stay in control. No lock-ins, just results.

Identity & access

Identity is the new perimeter. Here is how we secure it.

MFA, Conditional Access, least privilege, PAM.

What is identity security?

Making sure the right people, on the right devices, can reach the right things, and no one else can. It combines authentication (MFA), authorisation (Conditional Access), least-privilege role design, and privileged access management.

Do we need MFA on everything?

Yes. Every interactive sign-in, every privileged account, every external-facing application. Modern phishing-resistant methods (Microsoft Authenticator, FIDO2 keys) are the target; SMS is the bare minimum and is being deprecated.

What is Conditional Access?

Microsoft Entra Conditional Access evaluates every sign-in in real time (user, device, location, risk) and decides whether to allow, challenge, restrict or block. It is how you enforce "from a compliant device only" or "block sign-ins from outside Australia".

What is least privilege?

Everyone gets only the access they actually need to do their job, for only as long as they need it. Time-bound roles, just-in-time elevation, and regular access reviews are the mechanics.

What is PAM (privileged access management)?

Tools and process for managing admin and service accounts: vaulting passwords, rotating them automatically, time-limited elevation, full session recording. We use Delinea. Without PAM, your most powerful accounts are also your weakest controls.

Why is identity called the new perimeter?

Because people sign in from anywhere, on anything, into apps that live everywhere. The old network boundary is gone; identity is the only consistent control plane left.