Best Practices

Having a mature Identity and Access Management (IAM) program is not an absolute requirement for implementing an identity-centric approach to security, but it's sure to improve the effectiveness.  The following Best Practices, focused on IAM fundamentals, are recommended hygiene tips that focus on the people and process, as well as the technology, aspects of an IAM program.  

Share your thoughts on these IAM Best Practices in our on-line community.

Best Practice


Identity and Directory

Ensure uniqueness of every human and non-human identity in your directory.

This is the DNA of your IAM program for every service and function you will support (provisioning, certs, privileged access, physical access, etc.)  A uniquely identifiable catalogue of entities is important and a must.

Implement a directory group structure that fits the scope of your IAM program.

This allows for a programmatic approach to managing access and entitlements to support policy enforcement during authentication and authorization.

Identity Lifecycle

Implement automated feeds of all users (employee and non-employee) into your identity store at a desired frequency (daily, hourly, etc).

This allows your organization to react to changes in the user life cycle at a frequency that strengthens your security posture.

Whenever thinking about provisioning, deprovisioning must be considered at the same time.

Ideally tied to HR events (termination, transfer) and typically not requiring approvals, separation events are vital to minimize unnecessary access and the associated security risks with orphaned accounts and entitlements.

Automated provisioning/de-provisioning should be implemented with the help of adjacent and applicable business processes.

Automation allows you to realize the full benefit of an IAM program with the goal of reducing the number of manual access changes managed through your Service Management application or other ad-hoc processes.

A role model framework should be implemented to support assignment and revocation of access for users to receive core (birthright), enterprise and job-based entitlements and applications.

This framework allows you to quickly assign and revoke access for users during the expected user lifecycle changes (add, change, terminate).

Identity Governance

Establish governance and policy controls related to the scope and implementation of the IAM Program.

Governance policies are inherently identity centric.  A successful governance program cannot be achieved without a common understanding of the scope and responsibility of your IAM Program.

For provisioning of access, start with building workflows based on your most critical applications, such as SOX, PCI, HIPPA, money moving, etc.

Perform an assessment and start with the higher priority applications.  This allows focus for implementation efforts related to the applications that will provide the most benefit.

Access reviews should be practiced for any basic transfer where access change occurs.  Implement a transitional rights model into the role framework

This will allow you to provide a smooth change of responsibilities and mitigate the impact of the organization transfer.  Have user access reviewed by the old and new manager and agree on a transition plan to phase out access that is no longer needed.

Privileged Access Management

Once user roles and entitlements are defined, high profile users and secure resources should require MFA. The level of assurance of authentication should match the value of asset being protected.

This can be expected to include risk scores from a variety of sources Fraud & Risk, device info, etc. At start it means "adaptive" authentication.

Start with a discovery process for both critical and non-critical assets. This can then prepare you for a PAM implementation and privilege account on-boarding.

Once this is implemented, MFA and strong authentication become a must.


Establish an IAM Governance Committee - confirming that IAM policies are followed. 

Ensures that all IAM policies and controls are adhered to and provides a vehicle to determine overall impact prior to making any IAM program changes.

Maintain current application information related to version, priority, business impact, user community, and supported integration methods.

This might seem trivial, but most organizations have a very poor record of this information.  It provides the ability to quickly understand your application stack and the priority under which they should be included in an IAM program.

Business process review should be performed at the beginning of each phase for any in-scope applications.

To ensure the effectiveness of the existing business processes and to identify areas of improvement and efficiencies.

Make your IAM program an integral part of all application onboarding/major change discussions.

Bridging the gap with application owners by considering the IAM implications in these discussions.  This allows for a comprehensive assessment and reduces the risk of delays and violation of security policies.

Highly sensitive assets and keys should be stored in a hardware security module (HSM).

It may also be possible to use a key management system (KMS) which will give us key rotation capability.