Best Practices

Having a mature Identity and Access Management (IAM) program is not an absolute requirement for implementing an identity-centric approach to security, but it significantly improves its effectiveness. The following best practices, focused on IAM fundamentals, are recommended hygiene measures that address the people, process and technology aspects of an IAM program.


Each entry below states the best practice first, followed by a description of why it matters.

IDENTITY AND DIRECTORY
Ensure uniqueness of every human and non-human identity in your directory. A uniquely identifiable catalogue of entities is the foundation of your IAM program for every service and function you will support (provisioning, certifications, privileged access, physical access, etc.): if two records can refer to the same person or service, or one login name to two people, every downstream control inherits that ambiguity.
Implement a directory group structure that fits the scope of your IAM program. This allows access and entitlements to be managed programmatically (through group membership rather than per-user grants), which in turn supports policy enforcement during authentication and authorization.
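The uniqueness check above is easy to state and rarely enforced. The following is an added example, not code from the original page, of the kind of audit a practitioner would run over a directory export before trusting it as the basis of an IAM program: it flags duplicate values in attributes that must be unique across human and non-human identities alike, and it flags service accounts whose recorded owner does not exist. The directory entries and the attribute names (sAMAccountName, mail, employeeId, owner) are constructed for the example and are assumptions about how the export is shaped.

```python
from collections import defaultdict

# Constructed sample directory export (not real data), mixing human and
# non-human identities as they might be pulled from an AD/LDAP directory.
DIRECTORY = [
    {"dn": "CN=jdoe,OU=Users", "type": "human", "sAMAccountName": "jdoe",
     "employeeId": "E1001", "mail": "jdoe@example.com"},
    {"dn": "CN=jdoe2,OU=Users", "type": "human", "sAMAccountName": "jdoe2",
     "employeeId": "E1001", "mail": "john.doe@example.com"},      # same person, second account
    {"dn": "CN=asmith,OU=Users", "type": "human", "sAMAccountName": "asmith",
     "employeeId": "E1002", "mail": "asmith@example.com"},
    {"dn": "CN=asmith,OU=Contractors", "type": "human", "sAMAccountName": "asmith",
     "employeeId": "C2001", "mail": "a.smith@contractor.example"},  # login name collision
    {"dn": "CN=svc-backup,OU=Service", "type": "service",
     "sAMAccountName": "svc-backup", "owner": "E1002"},
    {"dn": "CN=svc-etl,OU=Service", "type": "service",
     "sAMAccountName": "svc-etl", "owner": "E9999"},                # owner does not exist
]

# Attributes that must be unique across the whole catalogue, human and
# non-human alike. sAMAccountName and mail are case-insensitive in AD.
UNIQUE_FIELDS = ("sAMAccountName", "mail", "employeeId")
CASE_INSENSITIVE = {"sAMAccountName", "mail"}


def find_uniqueness_violations(entries):
    """Return a list of (rule, value, [dns]) findings.

    duplicate-<field> : two or more entries share a value that must be unique
    unowned           : a non-human identity with no owner recorded
    orphan-owner      : a non-human identity whose owner is not a known human
    """
    findings = []
    seen = {f: defaultdict(list) for f in UNIQUE_FIELDS}
    for e in entries:
        for f in UNIQUE_FIELDS:
            value = e.get(f)
            if value:
                key = value.lower() if f in CASE_INSENSITIVE else value
                seen[f][key].append(e["dn"])
    for f in UNIQUE_FIELDS:
        for key, dns in seen[f].items():
            if len(dns) > 1:
                findings.append((f"duplicate-{f}", key, sorted(dns)))

    # Every non-human identity must trace back to an existing human owner,
    # otherwise nobody is accountable for it during reviews or offboarding.
    human_ids = {e["employeeId"] for e in entries if e["type"] == "human"}
    for e in entries:
        if e["type"] == "human":
            continue
        owner = e.get("owner")
        if not owner:
            findings.append(("unowned", e["sAMAccountName"], [e["dn"]]))
        elif owner not in human_ids:
            findings.append(("orphan-owner", owner, [e["dn"]]))
    return findings


if __name__ == "__main__":
    for rule, value, dns in find_uniqueness_violations(DIRECTORY):
        print(f"{rule:28} {value:12} {', '.join(dns)}")
```

On the constructed export this reports the shared login name between the employee and the contractor, the employee who has two accounts under one employeeId, and the service account owned by a nonexistent employee. Each of these is exactly the kind of ambiguity that later breaks provisioning, certification and deprovisioning.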
IDENTITY LIFECYCLE
Implement automated feeds of all users (employee and non-employee) into your identity store at the desired frequency (daily, hourly, etc.). This allows your organization to react to changes in the user lifecycle at a frequency that strengthens your security posture.
Whenever provisioning is considered, deprovisioning must be considered at the same time. Separation events should ideally be tied to HR events (termination, transfer) and typically do not require approvals; acting on them promptly is vital to minimize unnecessary access and the security risks associated with orphaned accounts and entitlements.
Automated provisioning and de-provisioning should be implemented in step with the adjacent business processes they depend on (HR onboarding, contractor management, service requests). Automation allows you to realize the full benefit of an IAM program, with the goal of reducing the number of manual access changes handled through your service management application or other ad-hoc processes.
A role model framework should be implemented to support assignment and revocation of access, so that users receive core (birthright), enterprise and job-based entitlements and applications. This framework allows you to quickly assign and revoke access during the expected user lifecycle changes (add, change, terminate).
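The four practices above (an authoritative HR feed, deprovisioning tied to HR events, automation, and a role model) come together in a reconciliation job. The following is an added example, not code from the original page, that compares a constructed HR feed snapshot against a constructed identity-store snapshot, classifies each worker as a joiner, mover, leaver or a case of entitlement drift, and derives the grants and revocations from a birthright-plus-job-role model. The role names, entitlement names and record fields are assumptions made for the example. For movers it holds the old job-based entitlements as "transitional" rather than cutting them immediately, matching the transfer review practice described under Identity Governance.

```python
from dataclasses import dataclass, field

# Role model (constructed): birthright entitlements every active worker gets,
# plus job-based entitlements keyed by (department, job title).
BIRTHRIGHT = {"email", "vpn", "intranet"}
JOB_ROLES = {
    ("Finance", "Analyst"): {"erp-read", "expense-approve"},
    ("Finance", "Manager"): {"erp-read", "erp-post", "expense-approve", "wire-approve"},
    ("IT", "DBA"): {"db-admin", "backup-console"},
}

# Constructed HR feed snapshot: the authoritative list of workers.
HR_FEED = [
    {"employeeId": "E1001", "status": "active", "department": "IT", "title": "DBA"},              # mover
    {"employeeId": "E1002", "status": "active", "department": "IT", "title": "DBA"},              # unchanged
    {"employeeId": "E1003", "status": "terminated", "department": "Finance", "title": "Analyst"},  # leaver
    {"employeeId": "E1004", "status": "active", "department": "Finance", "title": "Analyst"},     # joiner
]

# Constructed identity-store snapshot: what the directory/IGA system holds today.
IDENTITY_STORE = {
    "E1001": {"department": "Finance", "title": "Analyst",
              "entitlements": {"email", "vpn", "intranet", "erp-read", "expense-approve"}},
    "E1002": {"department": "IT", "title": "DBA",
              "entitlements": {"email", "vpn", "intranet", "db-admin", "backup-console", "erp-read"}},  # ad-hoc grant
    "E1003": {"department": "Finance", "title": "Analyst",
              "entitlements": {"email", "vpn", "intranet", "erp-read", "expense-approve"}},
    "E1005": {"department": "IT", "title": "DBA",
              "entitlements": {"email", "vpn", "db-admin"}},   # not in the HR feed at all
}


@dataclass
class Change:
    employee_id: str
    event: str                 # joiner | mover | leaver | drift
    grant: set = field(default_factory=set)
    revoke: set = field(default_factory=set)
    transitional: set = field(default_factory=set)   # held for manager review, not cut yet


def desired_entitlements(status, department, title):
    """What the role model says this worker should hold right now."""
    if status != "active":
        return set()
    return BIRTHRIGHT | JOB_ROLES.get((department, title), set())


def reconcile(hr_feed, store):
    """Compare the HR feed with the identity store and emit the access changes."""
    changes = []
    seen = set()
    for rec in hr_feed:
        eid = rec["employeeId"]
        seen.add(eid)
        current_rec = store.get(eid)
        current = set(current_rec["entitlements"]) if current_rec else set()
        desired = desired_entitlements(rec["status"], rec["department"], rec["title"])

        if rec["status"] != "active":
            if current:                       # terminated in HR: revoke everything, no approval needed
                changes.append(Change(eid, "leaver", revoke=current))
            continue

        if current_rec is None:
            event = "joiner"
        elif (current_rec["department"], current_rec["title"]) != (rec["department"], rec["title"]):
            event = "mover"
        else:
            event = "drift"                   # same job, but the store disagrees with the role model

        grant, revoke, transitional = desired - current, current - desired, set()
        if event == "mover":
            # Old job-based entitlements are kept for a transition window and
            # reviewed by the old and new manager instead of being cut at once.
            old_job = JOB_ROLES.get((current_rec["department"], current_rec["title"]), set())
            transitional = revoke & old_job
            revoke -= transitional
        if grant or revoke or transitional:
            changes.append(Change(eid, event, grant, revoke, transitional))

    # Anyone in the store but absent from the authoritative feed is an orphan
    # account: treat it as a leaver rather than leaving its access in place.
    for eid, rec in store.items():
        if eid not in seen and rec["entitlements"]:
            changes.append(Change(eid, "leaver", revoke=set(rec["entitlements"])))
    return changes


if __name__ == "__main__":
    for c in reconcile(HR_FEED, IDENTITY_STORE):
        print(f"{c.employee_id} {c.event:7} +{sorted(c.grant)} -{sorted(c.revoke)} hold={sorted(c.transitional)}")
```

Two details carry most of the security value. The terminated worker and the account missing from the feed both become leavers with everything revoked, without waiting for a ticket. And the unchanged DBA who picked up erp-read outside the role model surfaces as drift, which is how ad-hoc grants made through the service desk get pulled back under the program.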
IDENTITY GOVERNANCE
Establish governance and policy controls that define the scope and implementation of the IAM program. Governance policies are inherently identity-centric, and a successful governance program cannot be achieved without a common understanding of the scope and responsibilities of your IAM program.
For provisioning of access, start by building workflows for your most critical applications, such as those in scope for SOX, PCI DSS or HIPAA, or those that move money. Perform an assessment and start with the higher-priority applications. This focuses implementation effort on the applications that will provide the most benefit.
Access reviews should be triggered by any transfer in which a user's access changes. Implement a transitional rights model in the role framework: this allows a smooth handover of responsibilities and mitigates the impact of the organizational transfer. Have the user's access reviewed by both the old and the new manager, and agree on a transition plan to phase out access that is no longer needed. Without this, transferred users accumulate the access of every role they have ever held.
PRIVILEGED ACCESS MANAGEMENT
Once user roles and entitlements are defined, high-profile users and sensitive resources should require MFA. The level of authentication assurance should match the value of the asset being protected. Over time this should incorporate risk signals from a variety of sources (fraud and risk scores, device information, etc.); in practice this means adaptive, risk-based authentication.
Start with a discovery process for both critical and non-critical assets, including the privileged accounts that exist on each. This prepares you for a PAM implementation and privileged account onboarding. Once PAM is in place, MFA and strong authentication for privileged access become a must.
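The practice of matching authentication assurance to asset value and raising it on risk signals is easier to reason about as a policy function than as prose. The following is an added example, not code from the original page or from any particular product: a small adaptive-authentication policy that sets a required assurance level from the asset tier, raises it for privileged users and for each risk signal (unmanaged device, new location, high fraud score), and compares it with the level the session has already achieved. The three-level scale, the tier names and the signal weights are assumptions chosen for the example; a real deployment would map them onto its own assurance framework.

```python
from dataclasses import dataclass

# Constructed assurance scale: 1 = single factor, 2 = MFA,
# 3 = phishing-resistant MFA (FIDO2 or smart card).
BASE_REQUIRED = {"internal": 1, "confidential": 2, "restricted": 3}
DENY_FRAUD_SCORE = 90


@dataclass
class AccessContext:
    user: str
    privileged: bool          # holds elevated roles (e.g. PAM-managed accounts)
    asset_tier: str           # internal | confidential | restricted
    factors: frozenset        # factors already satisfied in this session
    managed_device: bool
    new_location: bool        # first time seen from this geography/network
    fraud_score: int          # 0-100, from the fraud & risk engine


def achieved_level(factors):
    """Map the factors presented so far onto the assurance scale."""
    if factors & {"fido2", "smartcard"}:
        return 3
    if "password" in factors and factors & {"totp", "push"}:
        return 2
    if "password" in factors:
        return 1
    return 0


def required_level(ctx):
    """Asset value sets the floor; privilege and risk signals raise it."""
    level = BASE_REQUIRED[ctx.asset_tier]
    if ctx.privileged:
        level = max(level, 2)
    risk_signals = sum([not ctx.managed_device, ctx.new_location, ctx.fraud_score >= 70])
    return min(3, level + risk_signals)


def decide(ctx):
    """Return (decision, required_level): allow, step-up, or deny."""
    if ctx.fraud_score >= DENY_FRAUD_SCORE:
        return ("deny", 3)
    need = required_level(ctx)
    if achieved_level(ctx.factors) >= need:
        return ("allow", need)
    return ("step-up", need)   # caller prompts for a factor that reaches `need`


if __name__ == "__main__":
    samples = [
        AccessContext("jdoe", False, "internal", frozenset({"password"}), True, False, 5),
        AccessContext("jdoe", False, "internal", frozenset({"password"}), False, False, 5),
        AccessContext("dba1", True, "restricted", frozenset({"password", "totp"}), True, False, 5),
        AccessContext("dba1", True, "restricted", frozenset({"fido2"}), True, False, 5),
        AccessContext("dba1", True, "restricted", frozenset({"fido2"}), True, True, 95),
    ]
    for ctx in samples:
        print(ctx.user, ctx.asset_tier, decide(ctx))
```

The two samples worth noticing are the DBA reaching a restricted asset with password plus TOTP, which is still stepped up because the asset tier demands phishing-resistant MFA, and the same DBA with a fraud score above the deny threshold, who is refused even with a FIDO2 authenticator: no strength of credential should override a fraud signal that strong.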
GENERAL
Establish an IAM Governance Committee that confirms IAM policies are followed. It ensures that all IAM policies and controls are adhered to and provides a vehicle for determining the overall impact before any IAM program change is made.
Maintain current application information: version, priority, business impact, user community, and supported integration methods. This might seem trivial, but most organizations keep a very poor record of it. It provides the ability to quickly understand your application stack and the order in which applications should be brought into the IAM program.
A business process review should be performed at the beginning of each phase for all in-scope applications, to confirm the effectiveness of the existing business processes and to identify areas for improvement and efficiency.
Make your IAM program an integral part of all application onboarding and major change discussions. Bridge the gap with application owners by considering the IAM implications in these discussions. This allows for a comprehensive assessment and reduces the risk of delays and of security policy violations.
Highly sensitive assets and keys should be stored in a hardware security module (HSM). A key management system (KMS), ideally itself backed by an HSM, adds key rotation capability, so that compromise of a single key version has a bounded window of exposure.
Provide seamless authentication regardless of cloud deployment model. A single point of authentication (single sign-on) across on-premises, SaaS and IaaS/PaaS applications streamlines user access and keeps authentication policy in one place.
All IAM and security components should be integrated to feed event and transaction data into a SIEM for analysis and action. This enables the behavioral and pattern analytics used to identify risky or anomalous activity.
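What the SIEM feed buys you is correlation across IAM components that individually look benign. The following is an added example, not code from the original page or from any SIEM product, of three detections run over a constructed JSON-lines stream of directory and IGA events: a privileged group membership granted outside the IGA workflow (wrong actor or no ticket), a privileged login without MFA, and a login by a user the HR feed says is terminated. The first two are correlated so that an out-of-band grant followed within an hour by an MFA-less privileged login by the same user is escalated to critical. The event schema, field names, group names and the IGA connector account name are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "DBA"}
IGA_ACTORS = {"svc-iga"}        # only the IGA connector may change privileged groups
TERMINATED_USERS = {"ccole"}    # from the HR feed (constructed)
GRANT_USE_WINDOW = timedelta(hours=1)

# Constructed JSON-lines IAM events, as a directory and an IGA system might emit them.
EVENTS = [
    '{"ts":"2024-05-01T09:02:11Z","type":"login","user":"jdoe","mfa":true,"privileged":false}',
    '{"ts":"2024-05-01T09:10:44Z","type":"group_change","actor":"svc-iga","target":"asmith",'
    '"group":"Domain Admins","action":"add","ticket":"REQ-4412"}',
    '{"ts":"2024-05-01T22:15:02Z","type":"group_change","actor":"bwayne","target":"bwayne",'
    '"group":"Domain Admins","action":"add","ticket":null}',
    '{"ts":"2024-05-01T22:16:30Z","type":"login","user":"bwayne","mfa":false,"privileged":true}',
    '{"ts":"2024-05-02T03:40:00Z","type":"login","user":"ccole","mfa":true,"privileged":false}',
    '{"ts":"2024-05-02T08:00:00Z","type":"login","user":"asmith","mfa":true,"privileged":true}',
    '{"ts":"2024-05-02T08:05:00Z","type":"login"',   # truncated line from the collector
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(lines):
    """Run the detections over the event stream; return (rule, user, ts, severity) tuples."""
    alerts = []
    out_of_band = {}   # target user -> time of a privileged grant made outside the IGA workflow
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            alerts.append(("malformed-event", None, None, "low"))
            continue
        ts = parse_ts(ev["ts"])

        if ev["type"] == "group_change" and ev["action"] == "add" and ev["group"] in PRIVILEGED_GROUPS:
            # Privileged membership must come from the IGA connector with a ticket;
            # anything else is a bypass of the provisioning workflow.
            if ev["actor"] not in IGA_ACTORS or not ev.get("ticket"):
                alerts.append(("privileged-grant-out-of-band", ev["target"], ts, "high"))
                out_of_band[ev["target"]] = ts

        elif ev["type"] == "login":
            user = ev["user"]
            if user in TERMINATED_USERS:
                alerts.append(("terminated-user-login", user, ts, "high"))
            if ev.get("privileged") and not ev.get("mfa"):
                severity = "high"
                granted = out_of_band.get(user)
                if granted is not None and ts - granted <= GRANT_USE_WINDOW:
                    severity = "critical"   # self-granted admin, then used without MFA
                alerts.append(("privileged-login-without-mfa", user, ts, severity))
    return alerts


if __name__ == "__main__":
    for rule, user, ts, severity in detect(EVENTS):
        print(f"{severity:8} {rule:30} {user} {ts}")
```

Note that the grant to asmith raises nothing, because it came from the IGA connector with a ticket, and neither does asmith's later privileged login with MFA: the detections key on deviation from the provisioning workflow and the MFA policy, not on privilege itself. The malformed line is surfaced rather than silently dropped, since a collector that truncates events is itself a detection gap.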
For certifications based on entitlements alone, consider giving direct managers the ability to review all of their subordinates at once for the certification period. Highly restricted applications, privileged access, etc. may require 90-day reviews, whereas all other access could be reviewed yearly. Tiering review frequency by risk keeps attention on sensitive access that results from elevated permissions, and allows the certification decisions of the management chain (retain or revoke) to be acted on automatically rather than through manual follow-up.
Where additional identities are required for certain privileged roles, such as DBAs or test accounts, a PAM solution should be implemented to ensure the integrity and security of this access. It also allows for higher assurance during authentication: the user's current access profile at the point of login identifies accounts with elevated permissions, so that stronger authentication can be required for them.
Once roles are deployed for provisioning, they can also be used in access certification. This benefits all end users, but especially the certification of privileged user access, which typically comes with large numbers of entitlements to certify: the reviewer certifies the role rather than each entitlement. Be sure to certify the composition of the role itself at least yearly, since a role that silently acquires sensitive entitlements grants them to every member.