
Phase 2 · Phase 2 Capstone: Identity Architecture Design · Lesson 1 of 1

Capstone: Design an Identity Architecture

Exercise · 60 min · +75 pts

This is the capstone for Phase 2. You will design a complete identity architecture for a mid-size SaaS company, bringing together everything from IAM fundamentals through Zero Trust. Every module you have completed — identity providers, SSO protocols, MFA factors, AWS IAM, GCP and Azure IAM, and access governance — feeds into this exercise.

The deliverable is a comprehensive design document covering IdP selection, SSO protocol choices, MFA strategy, cloud IAM architecture, service account governance, privileged access management, and access reviews. You are making the same decisions a GRC Engineer makes when building an identity program from scratch for a company preparing for its first SOC 2 audit.

There are many valid approaches. The reference solution is one example of an architecture that would satisfy auditor scrutiny and hold up in production — it is not the only correct answer. What matters is that your decisions are specific, justified, and internally consistent. Vague answers like "use best practices" or "implement MFA" will not pass an audit and will not pass here.

Walking into your capstone presentation

Capstone project

This is a portfolio-worthy deliverable. A well-completed identity architecture design demonstrates the exact skill set that hiring managers look for in GRC Engineering candidates: translating compliance requirements into concrete technical decisions. Save your completed version — it is a real work product you can reference in interviews and use as a template for future engagements.

Exercise · ~30 min

Translate this audit finding into a technical remediation plan

SOC 2 Type II + ISO 27001 + NIST CSF Finding

Identity Architecture Design for CloudReach Analytics

ID: CAPSTONE-IAM-2026

Criterion: Identity & Access Management — Full Architecture

Severity: N/A — Capstone Design Exercise

Design the complete identity architecture for CloudReach Analytics, a Series B SaaS company.

Auditor Notes

CloudReach Analytics is a Series B data analytics SaaS company with 200 employees (80 engineering, 40 sales, 30 customer success, 20 G&A, 15 product, 15 data science). They run on AWS (primary) and GCP (data pipeline). The product is a multi-tenant analytics platform where customers upload sensitive data.

Key systems: AWS (production infrastructure), GCP BigQuery (data pipeline), GitHub (source code), Jira (project management), Salesforce (CRM), Slack (communications), Snowflake (data warehouse), Datadog (monitoring).

Current state: there is no centralized IdP; each system has local accounts. There is no MFA policy. Three founders have root AWS access. There is no offboarding process; a former employee's GitHub access was discovered 3 months after departure. They are preparing for their first SOC 2 Type II audit in 6 months.
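As an added illustration of the offboarding gap in the notes (this is not part of the lesson or its reference solution): the control an access-review program runs to catch a departed employee's lingering GitHub access is a reconciliation of the HR roster against each system's account export. The Python below, written for this page, flags accounts that belong to terminated staff, accounts with no roster match at all, and accounts without MFA, then orders them for remediation. The roster, the account exports, the email addresses and the field names are all constructed for illustration and assume nothing about CloudReach's real inventory.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    """One row of the HR roster, the system of record for who works here."""
    email: str
    status: str                        # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    """One row of a per-system account export (GitHub org members, AWS IAM users, ...)."""
    system: str
    email: str
    mfa_enabled: bool
    admin: bool = False                # org owner, AdministratorAccess, workspace admin


@dataclass(frozen=True)
class Finding:
    system: str
    email: str
    issue: str                         # "orphaned", "unknown_identity" or "no_mfa"
    admin: bool = False
    days_open: int = 0                 # for "orphaned": days since termination


def reconcile(roster: List[Employee], accounts: List[Account], today: date) -> List[Finding]:
    """Compare every system account against the HR roster.

    Flags accounts whose owner has left (orphaned), accounts with no roster
    entry (contractor, shared account, typo) and any account without MFA.
    Email matching is case-insensitive because SaaS exports disagree on case.
    """
    by_email: Dict[str, Employee] = {e.email.lower(): e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        emp = by_email.get(acct.email.lower())
        if emp is None:
            findings.append(Finding(acct.system, acct.email, "unknown_identity", acct.admin))
            continue
        if emp.status == "terminated":
            days = (today - emp.termination_date).days if emp.termination_date else 0
            findings.append(Finding(acct.system, acct.email, "orphaned", acct.admin, days))
        if not acct.mfa_enabled:
            findings.append(Finding(acct.system, acct.email, "no_mfa", acct.admin))
    return findings


_SEVERITY = {"orphaned": 0, "unknown_identity": 1, "no_mfa": 2}


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order for remediation: orphaned accounts first (oldest first), then
    identities nobody can vouch for, then missing MFA; within each class,
    admin accounts sort ahead of ordinary users."""
    return sorted(findings, key=lambda f: (_SEVERITY[f.issue], not f.admin, -f.days_open))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per issue class, the figure an auditor will ask for."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# Constructed sample data: hypothetical people and accounts, not a real inventory.
TODAY = date(2026, 3, 1)
ROSTER = [
    Employee("alice@cloudreach.example", "active"),
    Employee("bob@cloudreach.example", "active"),
    Employee("carol@cloudreach.example", "terminated", date(2025, 12, 1)),
]
ACCOUNTS = [
    Account("github", "alice@cloudreach.example", mfa_enabled=True),
    Account("github", "Carol@cloudreach.example", mfa_enabled=False),   # left 90 days ago
    Account("aws", "bob@cloudreach.example", mfa_enabled=False, admin=True),
    Account("slack", "contractor@partner.example", mfa_enabled=True),   # not on the roster
]

if __name__ == "__main__":
    for f in prioritize(reconcile(ROSTER, ACCOUNTS, TODAY)):
        extra = f" ({f.days_open} days since termination)" if f.issue == "orphaned" else ""
        print(f"{f.issue:17} {f.system:7} {f.email}{extra}")
    print(summarize(reconcile(ROSTER, ACCOUNTS, TODAY)))
```

In production the roster comes from the HRIS and the account lists from each system's API or SCIM endpoint; the reconciliation itself does not change. Running it on a schedule, and on every termination event, is what turns "no offboarding process" into evidence an auditor can sample.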

Write your remediation plan in YAML below. Fill in every field — replace all placeholder comments.


What's next

You have completed Phase 2: Identity and Access Management. The architecture you just designed is not a classroom exercise — it is the same deliverable a GRC Engineer produces when onboarding a new client or joining a company preparing for its first compliance audit. You now have a portfolio-ready identity architecture document that demonstrates IdP selection, SSO strategy, MFA policy, cloud IAM design, privileged access management, and compliance mapping. Phase 3 builds on this foundation with endpoint security and device trust — the next layer of the Zero Trust model you started here.

Capstone: Design an Identity Architecture — UprootSecurity Bootcamp