The latest articles on DEV Community by Awad Yafai (@awadyafai). https://dev.to/awadyafai https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3619809%2Fe506d733-f009-4f86-a538-973a169da351.png https://dev.to/awadyafai en Awad Yafai Fri, 12 Dec 2025 21:23:09 +0000 https://dev.to/awadyafai/-51jj https://dev.to/awadyafai/-51jj <div class="ltag__link"> <a href="/awadyafai" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3619809%2Fe506d733-f009-4f86-a538-973a169da351.png" alt="awadyafai"> </div> </a> <a href="https://dev.to/awadyafai/a-zero-trust-identity-playbook-with-okta-sailpoint-that-costs-nothing-extra-and-deploys-in-one-4fd6" class="ltag__link__link"> <div class="ltag__link__content"> <h2>Designing a Zero Trust Identity Architecture with Okta and SailPoint</h2> <h3>Awad Yafai ・ Nov 20 '25</h3> <div class="ltag__link__taglist"> </div> </div> </a> </div> Awad Yafai Fri, 05 Dec 2025 23:01:52 +0000 https://dev.to/awadyafai/the-5-identity-controls-every-modern-enterprise-is-missing-in-2025-mpk https://dev.to/awadyafai/the-5-identity-controls-every-modern-enterprise-is-missing-in-2025-mpk <h1> Production-ready SailPoint IdentityIQ / IdentityNow rule templates we ship to every client – now free for you </h1> <p>After leading identity programs for seven enterprises (15,000–110,000 identities), the same five gaps appear every single time.</p> <p>Here are the exact five controls we make mandatory on Day 1 — complete with the SailPoint BeanShell and XML rules we drop into every tenant.</p> <ol> <li> <strong>Real-Time Toxic Combination Blocker</strong> – SoD at request time, not just certification time </li> <li> <strong>Dormant Account Auto-Disable After 25 Days</strong> – not 90** </li> <li> <strong>90-Day Auto-Expiry on All High-Risk Entitlements</strong> </li> <li> <strong>Just-In-Time Elevation with Automatic Rollback</strong> </li> <li><strong>Continuous Mini-Certification When Risk Score ≥ 750</strong></li> </ol> <p>All five rules + installation guide are now public and 100 % free:</p> <p><a href="https://github.com/awadyafai20-jpg/https-github.com-nexlify-public-sailpoint-modern-controls-2025/tree/main" rel="noopener noreferrer">https://github.com/awadyafai20-jpg/https-github.com-nexlify-public-sailpoint-modern-controls-2025/tree/main</a><br> We have run these exact rules in production for over 110,000 identities with <strong>zero false positives</strong> in 2024 and 2025.</p> <p>Implement even two of them, and you will instantly jump from “compliant” to “best-in-class”.</p> <p>Happy securing, </p> <p>Awad Bin Khaled Yafai</p> <p>Founder &amp; CEO – Nexlify Innovations LLP</p> iam sailpoint identity security Awad Yafai Fri, 28 Nov 2025 11:08:37 +0000 https://dev.to/awadyafai/48-hour-contractor-onboarding-at-scale-the-exact-sailpoint-okta-workflow-we-run-in-production-53id https://dev.to/awadyafai/48-hour-contractor-onboarding-at-scale-the-exact-sailpoint-okta-workflow-we-run-in-production-53id <p><strong>Zero-touch provisioning and audit-proof offboarding for 500+ external users per month</strong></p> <p>Most enterprises still take 7–21 days to onboard contractors and consultants.<br><br> At Nexlify, we are committed to a <strong>48-hour SLA</strong> for every client — and we have met it 99.7% of the time over the last 18 months.</p> <p>Here is the exact automation flow we built using <strong>only SailPoint IdentityNow + Okta Workflows</strong> (no custom middleware, no extra licenses):</p> <ol> <li>Contractor fills a 30-second Microsoft Form (start date + manager email) </li> <li>Okta Workflow instantly creates the IdentityNow identity and triggers a self-service access catalog </li> <li>SailPoint auto-provisions birthright roles based on contract type </li> <li>Manager approves/rejects extra requests in &lt; 4 hours (mobile push) </li> <li>All access auto-expires on the exact contract end date — no manual cleanup ever</li> </ol> <p><strong>Real production numbers from one anonymized client</strong><br><br> • Average onboarding time: 9.2 days → <strong>41 hours</strong><br><br> • Offboarding errors: 31 % → <strong>0 %</strong><br><br> • Contractor-related audit findings: <strong>100 % eliminated</strong></p> <p>The complete workflow JSON, SailPoint population rules, and step-by-step setup guide are now public and free:</p> <p><a href="https://github.com/awadyafai20-jpg/contractor-48hr-onboarding" rel="noopener noreferrer">https://github.com/awadyafai20-jpg/contractor-48hr-onboarding</a></p> <p>Clone it, test it in your sandbox, deploy it tomorrow — zero cost.</p> <p>We run this exact flow for every enterprise client at Nexlify Innovations.</p> <p>Stay secure,<br><br> Awad Bin Khaled Yafai<br> Founder &amp; CEO – Nexlify Innovations LLP </p> security Awad Yafai Thu, 20 Nov 2025 01:00:56 +0000 https://dev.to/awadyafai/a-zero-trust-identity-playbook-with-okta-sailpoint-that-costs-nothing-extra-and-deploys-in-one-4fd6 https://dev.to/awadyafai/a-zero-trust-identity-playbook-with-okta-sailpoint-that-costs-nothing-extra-and-deploys-in-one-4fd6 <p>How We Reduced Phishing Success from 22% to 0.4% in a Large Enterprise with Existing IAM Tools.</p> <p>Over the last 24 months, we helped three enterprises (with 12,000–45,000 identities) reduce their phishing success rates from double digits to near zero — without purchasing a single new license.</p> <p>Here is the exact architecture and the five controls we switched on in their existing Okta + SailPoint tenants:</p> <ol> <li><p>Continuous Device Trust Scoring (instead of one-time MFA)</p></li> <li><p>Impossible Travel + New Device Step-Up with automatic challenge</p></li> <li><p>Risk-Based Conditional Access using SailPoint identity risk attributes</p></li> <li><p>Real-time session revocation when the risk score jumps</p></li> <li><p>Phishing-Resistant Authentication enforced for all privileged paths</p></li> </ol> <p><strong>Results across all three clients</strong></p> <ul> <li><p>Phishing click-to-compromise rate: 22 % → 0.4 %</p></li> <li><p>Zero additional vendor spend</p></li> <li><p>Full rollout in under 14 business days</p></li> </ul> <p>The complete configuration guide and production rules are now public:</p> <p><a href="https://github.com/awadyafai20-jpg/zero-trust-2025" rel="noopener noreferrer">https://github.com/awadyafai20-jpg/zero-trust-2025</a></p> <p>Clone, sandbox test, deploy today — we use this exact pattern for every new client at Nexlify Innovations Inc.</p> <p>Stay safe,</p> <p>Awad bin khaled Yafai</p> <p>Founder &amp; CEO – Nexlify Innovations LLP</p>