Best Practices

Having a mature Identity and Access Management (IAM) program is not an absolute requirement for implementing an identity-centric approach to security, but it will improve the effectiveness of that approach. The following Best Practices, focused on IAM fundamentals, are recommended hygiene measures that address the people and process aspects of an IAM program as well as the technology.


Best Practice


Ensure uniqueness of every human and non-human identity in your directory.

This is the DNA of your IAM program for every service and function you will support (provisioning, certifications, privileged access, physical access, etc.), for on-prem systems (mainframe, AD, etc.) as well as all cloud providers (SaaS, CSPs). A uniquely identifiable catalogue of entities, each tied to an accountable owner, is a must. If you are just starting your identity program, this is the best place to start. If you consider yourself advanced but cannot account for every identity and associate it with an owner, this is a critical gap.

Proactively maintain current and accurate authoritative data for identities in accessible source repositories.

Authoritative sources for identities provide essential data to make informed decisions regarding user access, including what access to provision and when to enable/disable that access. Proper maintenance of this authoritative data requires defined lifecycle management processes for both employees and non-employees, regular validation and update of identity information, and storage of accurate data within a repository. The authoritative source can then be linked to automation, for example birthright provisioning/de-provisioning and attribute-based access control mechanisms.

Implement a directory group structure that fits the scope of your IAM program.

This allows for a programmatic approach to managing access and entitlements that supports policy enforcement during authentication and authorization. Using AD/LDAP security groups as the unit of assignment makes granting and removing access far more efficient than managing entitlements per user.

Minimize Active Directory’s attack surface.

Lock down administrative access to the Active Directory service by implementing administrative tiering and secure administrative workstations, apply recommended policies and settings, and scan regularly for misconfigurations, whether accidental or malicious, that could expose your forest to abuse or attack.

Monitor Active Directory for signs of compromise and roll back unauthorized changes.

Enable both basic and advanced auditing and periodically review key events via a centralized console. Monitor object and attribute changes at the directory level, including changes that replicate between domain controllers. Mature organizations should also look for risk signals across ordinary access grants that violate security policies, for example segregation-of-duties rules.
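The following is an added example, not code from the original page: a small detector that reads group-membership audit events, raises an alert when a Tier 0 group is changed by an account outside the approved administrative tier, and emits the inverse operation as a rollback command. The Windows Security event IDs 4728/4732/4756 (member added to a security-enabled global/local/universal group) and 4729/4733/4757 (member removed) and the EventData field names are real; the event records, the Tier 0 group list and the approved-actor list are constructed for illustration, and a real deployment would read the events from a central log collector rather than a literal.

```python
"""Detect unauthorized privileged-group membership changes and propose a rollback.

Added example, not from the original page. Event IDs and field names mirror the
real Windows Security events; the sample records, TIER0_GROUPS and APPROVED_ACTORS
are constructed assumptions.
"""
import re

# Assumption: only these accounts may change Tier 0 group membership.
APPROVED_ACTORS = {"CORP\\t0admin-jane", "CORP\\t0admin-raj"}

# Tier 0 groups whose membership changes should always be scrutinized.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

ADD_EVENTS = {4728, 4732, 4756}      # member added to global / local / universal group
REMOVE_EVENTS = {4729, 4733, 4757}   # member removed from global / local / universal group

# Constructed sample events in the shape of the EventData of the real events.
EVENTS = [
    {"EventID": 4728, "SubjectDomainName": "CORP", "SubjectUserName": "t0admin-jane",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=raj,OU=Tier0,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk-bob",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=eve,OU=Contractors,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk-bob",
     "TargetUserName": "Sales",
     "MemberName": "CN=eve,OU=Contractors,DC=corp,DC=example"},
    {"EventID": 4757, "SubjectDomainName": "CORP", "SubjectUserName": "t0admin-raj",
     "TargetUserName": "Schema Admins",
     "MemberName": "CN=old-svc,OU=Service,DC=corp,DC=example"},
]


def cn_of(member_dn):
    """Pull the leaf CN out of a distinguishedName for readable alerts."""
    m = re.match(r"CN=([^,]+)", member_dn)
    return m.group(1) if m else member_dn


def evaluate(event, approved=APPROVED_ACTORS, tier0=TIER0_GROUPS):
    """Return an alert dict for an unauthorized Tier 0 membership change, else None."""
    eid = event["EventID"]
    if eid not in ADD_EVENTS | REMOVE_EVENTS:
        return None
    group = event["TargetUserName"]          # for membership events this field is the group
    if group not in tier0:
        return None
    actor = f"{event['SubjectDomainName']}\\{event['SubjectUserName']}"
    if actor in approved:
        return None
    member = event["MemberName"]
    action = "added to" if eid in ADD_EVENTS else "removed from"
    # Rollback is the inverse operation, written as the PowerShell an operator would run.
    if eid in ADD_EVENTS:
        rollback = f"Remove-ADGroupMember -Identity '{group}' -Members '{member}' -Confirm:$false"
    else:
        rollback = f"Add-ADGroupMember -Identity '{group}' -Members '{member}'"
    return {
        "event_id": eid,
        "group": group,
        "member": cn_of(member),
        "actor": actor,
        "summary": f"{cn_of(member)} {action} {group} by unapproved actor {actor}",
        "rollback": rollback,
    }


def scan(events=EVENTS):
    """Run every event through evaluate() and keep only the alerts."""
    return [a for a in (evaluate(e) for e in events) if a]


if __name__ == "__main__":
    for alert in scan():
        print(alert["summary"])
        print("  rollback:", alert["rollback"])
```

Only the second record fires: the first and fourth changes are made by approved Tier 0 administrators and the third touches a non-privileged group. The rollback string is a suggestion for a human to review, not something the detector should execute blindly, since an attacker who can add members can also remove legitimate ones and a naive auto-revert would finish the job for them.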

Implement a scorched-earth recovery strategy in the event of a large-scale compromise.

Widespread encryption of your environment by ransomware, Active Directory included, requires a solid, highly automated recovery strategy that includes offline backups for all your infrastructure components as well as the ability to restore those backups without reintroducing any malware that might be on them.


Best Practice


Implement automated feeds of all users (employee and non-employee) into your identity store at a desired frequency (daily, hourly, etc).

Automated feeds allow your organization to react to changes in the user lifecycle at a frequency that strengthens your security posture. Consider batch syncs of your HR data rather than real-time syncs. Adding a predecessor job that verifies the feed is within the normal range of expected terminations protects against your HR system sending incorrect data that could disable a large number of personnel and disrupt the business.
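As an added example (not code from the original page), here is what such a predecessor job can look like: before a batch is applied to the identity store, the number of terminations in it is compared against a rolling baseline of recent batches, and the batch is refused when the count is statistically out of range or when an implausible share of the batch is terminations. The CSV layout, the history values, the z-score threshold and the 10% ratio cap are assumptions to be tuned to your own HR feed.

```python
"""Sanity guard in front of an HR-to-identity-store feed (added example).

Two independent checks protect against a bad HR extract disabling the workforce:
a statistical limit on the absolute termination count, and a cap on the fraction
of the batch that is terminations. Feed format and thresholds are assumptions.
"""
import csv
import io
import statistics
from dataclasses import dataclass

# Constructed baseline: terminations seen in each of the last ten batches.
HISTORY = [12, 9, 14, 11, 10, 13, 8, 12, 15, 11]


@dataclass
class FeedDecision:
    ok: bool
    terminations: int
    limit: float
    reason: str


def build_feed(active, terminated):
    """Construct a synthetic HR feed (CSV text) with the given row counts."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["employee_id", "status"])
    n = 1000
    for _ in range(active):
        w.writerow([f"E{n}", "active"])
        n += 1
    for _ in range(terminated):
        w.writerow([f"E{n}", "terminated"])
        n += 1
    return out.getvalue()


def parse_feed(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def termination_limit(history, z=3.0):
    """Mean + z standard deviations of recent per-batch termination counts.

    A flat history (stdev 0) is widened to 1 so the limit is never the mean
    itself; with no history at all there is nothing to compare against, so
    only the ratio guard in check_feed applies."""
    if not history:
        return float("inf")
    return statistics.mean(history) + z * (statistics.pstdev(history) or 1.0)


def check_feed(records, history, z=3.0, max_ratio=0.10):
    """Decide whether a batch is safe to apply."""
    terms = sum(1 for r in records if r["status"].strip().lower() == "terminated")
    limit = termination_limit(history, z)
    if not records:
        return FeedDecision(False, terms, limit, "empty feed")
    if terms > limit:
        return FeedDecision(False, terms, limit,
                            f"{terms} terminations exceeds limit {limit:.1f}")
    ratio = terms / len(records)
    if ratio > max_ratio:
        # Catches a feed that flipped every status, which a small batch could
        # slip past the absolute count limit.
        return FeedDecision(False, terms, limit, f"{ratio:.0%} of batch is terminations")
    return FeedDecision(True, terms, limit, "within expected range")


def apply_feed(records, history, disable_account):
    """Disable terminated accounts only if the guard passes.

    Returns (accounts disabled, decision). On refusal nothing is changed; the
    caller should page the IAM on-call rather than retry automatically."""
    decision = check_feed(records, history)
    if not decision.ok:
        return 0, decision
    disabled = 0
    for r in records:
        if r["status"].strip().lower() == "terminated":
            disable_account(r["employee_id"])
            disabled += 1
    history.append(decision.terminations)   # roll the baseline forward
    return disabled, decision


if __name__ == "__main__":
    normal = parse_feed(build_feed(active=300, terminated=9))
    broken = parse_feed(build_feed(active=0, terminated=309))
    for batch in (normal, broken):
        n, d = apply_feed(batch, list(HISTORY), lambda eid: None)
        print(d.ok, n, d.reason)
```

With the constructed history the limit works out to roughly 17.7 terminations per batch, so a normal batch of nine passes while a corrupt extract marking every employee terminated is refused and no account is touched.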

Provisioning and de-provisioning should be evaluated at the same time.

Ideally tied to lifecycle events (joiner, mover, leaver), provisioning provides smooth on-boarding for new employees and smooth transitions for existing ones. De-provisioning, however, is the easier of the two to implement, as it requires no approvals: once you are connected to your authoritative HR source, every separation event can be processed without exception or further validation. Doing so is vital to minimizing unnecessary access and the security risks associated with orphaned accounts and entitlements.

Automated provisioning and de-provisioning should be implemented with the help of adjacent and applicable business processes.

Automation allows you to realize the full benefit of an IAM program with the goal of reducing the number of manual access changes managed through your Service Management application or other ad-hoc processes.


Best Practice


Create an Access Governance Committee that fosters collaboration between managers of system and/or data access across the organization.

Fostering collaboration and consistency among everyone who manages system or data access in the organization leads to a better end-user experience and surfaces opportunities for organization-wide efficiencies (automation, process improvements, etc.), while also reducing the risk of audit findings. Once established, moving to a combined coarse-grained and fine-grained model can narrow governance oversight to exception-based access.

Establish governance and policy controls related to the scope and implementation of the IAM Program.

Governance policies are inherently identity-centric. A successful governance program cannot be achieved without a common understanding of the scope and responsibility of your IAM Program.

For provisioning of access, start by building workflows for your most critical applications, such as those in scope for SOX, PCI or HIPAA, or those that move money.

Perform an assessment and start with the higher priority applications and those that present the most risk if compromised. This allows focus for implementation efforts related to the applications that will provide the most benefit.

Access reviews should be triggered by any transfer that changes a user's access. Implement a transitional-rights model in the role framework.

This allows for a smooth change of responsibilities and mitigates the impact of the organizational transfer. Have user access reviewed by both the old and the new manager, and agree on a transition plan to phase out access that is no longer needed.


Best Practice


Once user roles and entitlements are defined, high-profile users and secure resources should require MFA.

Beyond MFA, the level of assurance of authentication should match the value of the asset being protected and should incorporate risk scores from a variety of sources (fraud and risk signals, device information, etc.). Advanced organizations are looking to standards-based, frictionless solutions.

Start with a discovery process for both critical and non-critical assets. This can then prepare you for a PAM implementation and privilege account on-boarding.

Ensure that third party access to critical assets is included. Once this is complete, implement a tool to keep up with the changes introduced into the environment, embedding this process into the asset and services lifecycle management.


Best Practice


Establish an IAM Governance Committee – confirming that IAM policies are followed.

This committee ensures that all IAM policies and controls are adhered to, and provides a vehicle to determine overall impact before any IAM program change is made.

Maintain current application information related to version, priority, business impact, user community, and supported integration methods.

A configuration management database is critical to any successful IAM program. It provides the ability to quickly understand your application stack and the priority under which they should be included in an IAM program.

Business process review should be performed at the beginning of each phase for any in-scope applications.

This confirms the effectiveness of the existing business processes and identifies areas for improvement and efficiency.

Make your IAM program an integral part of all application on-boarding/major change discussions, with the goal of embedding IAM practices in the software development lifecycle.

Bridge the gap with application owners by considering the IAM implications in these discussions. This allows for a comprehensive assessment and reduces the risk of delays and violation of security policies.

Highly sensitive assets and keys should be stored in a hardware security module (HSM).

A key management system (KMS), often itself backed by an HSM, can be used alongside it to add key rotation capability.

Implement SSO authentication regardless of deployment model.

Streamlines user access by providing a single point of access regardless of application deployment model, and reduces the number of credentials that are at risk of being compromised.

All IAM/Security components should be integrated to feed event and transaction data into a SIEM for analysis and action.

Enables behavioral/pattern analytics used to identify risky or anomalous activity.

For certifications, when reviewing entitlements only, consider a direct-manager model in which a manager reviews all of his or her subordinates at once for the certification period. Highly restricted applications, privileged access, etc. may require 90-day reviews, whereas all other access could be reviewed yearly.

Allows access to sensitive resources based on the risk status of the user at the point of accessing the resource, while providing for an automated response to the access decisions of an organization's management structure, by identifying sensitive access due to elevated permissions.

Where additional identities are required for certain privileged roles, such as DBAs or test accounts, a PAM solution should be implemented to ensure the integrity and security of this access.

Allows for higher assurance during an authentication event based on the current access profile of a user at the point of login by identifying sensitive resources due to elevated permissions.

Entitlements assigned to roles (role-based access control) should be used for both provisioning and certification.

Roles and entitlements should be reviewed on a regular basis, most frequently for privileged access. Role mining solutions can help identify excessive privileges.


Best Practice


List and track all identity relationships in your cloud infrastructure.

Establishing visibility is the first step in practicing Cloud Infrastructure Entitlement Management (CIEM). Achieving visibility through the following steps allows you to manage entitlements effectively and reduce access risk in cloud infrastructure:
Create a categorized inventory of resources.
List human and service identities.
List third-party access.
Classify privileged permissions.
Build a full two-way mapping between identities and the permissions they hold on each resource.
Discover admins.
Discover privileged identities.
Monitor continuously.

Track activities to monitor access events and perform analysis of those events to determine the validity of permissions granted to identities.

Reviewing and analyzing the activity logs for all identities (including federated) enables insight into the permissions that identities in cloud environments are actually using. This best practice achieves several goals:

Determines which permissions are actually necessary for each identity's business function and, by showing which are granted but not required, detects over-privileged identities.

Determines which identities are not in use at all and can be retired.

Processes logs to profile the activity of identities and detect anomalous behavior patterns.

Activity tracking also enables the profiling of the baseline behavior of each identity in the environment.

Such profiling can in turn help detect behavior patterns used by malicious actors as part of the cyber "kill chain" (e.g. persisting in an environment, performing reconnaissance or escalating privileges), because they deviate from the identity's ordinary behavior captured in the baseline.

Such an anomaly is a crucial alert that needs investigation, to reduce the potential impact of a breach and a malicious actor's ability to carry out attacks using privileges provided within a cloud environment.

Generate least-privilege permission configurations to replace over-permissive ones.

By using information gathered from the environment, it is possible to gain visibility into granted permissions and the permissions actually needed, deduce the gap between them and get a recommendation for a least-privileged configuration.

This process should automatically create the artifacts, such as policy documents and infrastructure as code snippets, necessary for applying the recommendation according to the cloud platform’s specifications. These artifacts can be for manual use or applied through infrastructure as code utilities.
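The analysis described in the preceding best practices (compare the permissions an identity was granted with the actions it actually invoked, flag the gap and idle identities, then emit a least-privilege policy document) looks like this in code. This is an added example, not code from the original page or from any CIEM product: the action catalogue is a tiny constructed subset of what a provider publishes, the audit records are constructed in a CloudTrail-like shape, and the policy format follows the IAM JSON policy layout. The same gap computation is what a pipeline stage would run against test or staging activity to validate a workload's permissions before production, as the shift-left practice below describes.

```python
"""Permission-gap analysis and least-privilege policy generation (added example).

Compares granted permissions (wildcards allowed) against actions observed in
audit logs, reports the unused gap and idle identities, and emits a policy that
allows only what was used. Catalogue, grants, events and the one-to-one
event-name-to-action mapping are constructed assumptions.
"""
import fnmatch
import json

# Constructed subset of a provider's action catalogue. A real analysis would
# load the provider's full published list (hundreds of actions per service).
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:DeleteBucket",
    "ec2:DescribeInstances", "ec2:TerminateInstances",
    "iam:CreateAccessKey", "iam:PassRole",
]

# Constructed grants in the shape of IAM policy "Action" lists.
GRANTED = {
    "app-uploader":    ["s3:*", "ec2:Describe*"],
    "batch-runner":    ["*"],
    "legacy-reporter": ["s3:GetObject", "s3:ListBucket"],
}

# Constructed audit-log records in a CloudTrail-like shape.
EVENTS = [
    {"identity": "app-uploader", "eventSource": "s3.amazonaws.com",  "eventName": "PutObject"},
    {"identity": "app-uploader", "eventSource": "s3.amazonaws.com",  "eventName": "ListBucket"},
    {"identity": "app-uploader", "eventSource": "s3.amazonaws.com",  "eventName": "PutObject"},
    {"identity": "batch-runner", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"identity": "batch-runner", "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances"},
]


def expand(patterns, catalogue=ACTION_CATALOGUE):
    """Resolve wildcard grants ("s3:*", "*") to the concrete actions they cover."""
    return {a for a in catalogue if any(fnmatch.fnmatchcase(a, p) for p in patterns)}


def event_action(ev):
    """Map a log record to "service:Action".

    Assumes the event name equals the action name; real providers have a few
    exceptions that a production mapper must special-case."""
    service = ev["eventSource"].split(".")[0]
    return f"{service}:{ev['eventName']}"


def used_actions(events):
    used = {}
    for ev in events:
        used.setdefault(ev["identity"], set()).add(event_action(ev))
    return used


def analyze(granted=GRANTED, events=EVENTS):
    """Per identity: granted, used, the unused gap, and whether it is idle."""
    used = used_actions(events)
    report = {}
    for ident, patterns in granted.items():
        g = expand(patterns)
        u = used.get(ident, set())
        report[ident] = {
            "granted": g,
            "used": u,
            "unused": g - u,                  # candidates for removal
            "used_but_not_granted": u - g,    # non-empty means log or policy data is stale
            "idle": not u,                    # no activity at all: candidate for retirement
        }
    return report


def least_privilege_policy(used):
    """Emit an IAM-style policy allowing only the observed actions.

    Resource is left as "*" here; scoping resources is the next refinement
    once the action set is right."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(used), "Resource": "*"}],
    }


if __name__ == "__main__":
    for ident, r in analyze().items():
        print(f"{ident}: granted={len(r['granted'])} used={len(r['used'])} "
              f"unused={len(r['unused'])} idle={r['idle']}")
        if r["used"]:
            print(json.dumps(least_privilege_policy(r["used"]), indent=2))
```

On the constructed data "app-uploader" holds six actions and uses two, so the generated policy drops s3:DeleteBucket and the other three unused actions; "batch-runner" with "*" keeps only the two EC2 calls it made; "legacy-reporter" has no activity and is reported idle. The "used_but_not_granted" set is the consistency check: if it is ever non-empty, the grant snapshot and the activity window do not line up and the recommendation should not be applied.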

Integrate the remediation of excessive permissions to existing workflows.

The remediation process for excessive-permission findings should be integrated into well-defined organizational workflows. The CIEM implementation should support the following features:
Notifies the appropriate stakeholders of newly detected over-privileged identities.
Generates tickets to assign and track the responsibility for approving and/or applying the remediation for identities with excessive permissions.
Automates the remediation process when applicable, based on the organization's policy.

In addition, a CIEM solution should have readily available reports that can be collected and analyzed, as well as a programmatic interface (API) that allows outside platforms to query and trigger it so its analysis is as accessible as possible to other tools that are part of the organization’s workflow.

Generate least-privilege policies on-demand as part of the CI/CD pipeline.

Reviewing workload activity in the early stages of the pipeline (testing and/or staging) enables assessment of the permissions required for the workloads to perform their business function and enforcement of the minimum permissions needed as soon as possible (“shifting left”).

This enforcement can then be embedded into the CI/CD pipeline by requiring permissions assigned to workloads in later stages (mainly production) to be first validated at an earlier stage.

Manage Just-in-Time access to reduce standing privileges.

To truly achieve least privilege, the time factor must also be taken into account. A CIEM implementation should enable organizations to provide privileged permissions only at the time they are required, based on business justification and approved by an authorized person.

Secure the posture of identities to reduce their chance of being breached.

A CIEM solution should be able to detect, and allow easy remediation of, configuration findings that leave identities vulnerable to compromise.

The detection should include findings such as static credentials that have not been rotated for a significant period, credentials (keys or passwords) that have not been used for a while, privileged users for whom MFA is not enforced, and passwords that do not meet a required level of complexity.
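As an added example (not code from the original page or from any CIEM product), the checks just listed can be run over a credential inventory like this. The identity records, the fixed "today", the 90-day rotation and 60-day idle thresholds are assumptions; a real run would read the provider's credential report or equivalent API. Password complexity is not checked here because an inventory never contains the password itself; that control lives in the provider's password policy.

```python
"""Identity posture checks over a credential inventory (added example).

Flags unrotated static credentials, credentials unused for a long time, and
privileged interactive users without MFA, each with a concrete remediation.
Record shape, dates and thresholds are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class AccessKey:
    key_id: str
    created: date
    last_used: Optional[date]        # None means the key has never been used
    active: bool = True


@dataclass
class Identity:
    name: str
    privileged: bool
    console_login: bool              # humans log in interactively; service identities do not
    mfa_enabled: bool
    keys: List[AccessKey] = field(default_factory=list)


TODAY = date(2024, 6, 1)            # fixed so the example is deterministic
MAX_KEY_AGE_DAYS = 90
MAX_KEY_IDLE_DAYS = 60

# Constructed sample inventory.
IDENTITIES = [
    Identity("alice-admin", privileged=True, console_login=True, mfa_enabled=False),
    Identity("carol-admin", privileged=True, console_login=True, mfa_enabled=True),
    Identity("bob", privileged=False, console_login=True, mfa_enabled=True,
             keys=[AccessKey("KEY-0001", date(2023, 1, 10), date(2024, 5, 30))]),
    Identity("ci-deployer", privileged=True, console_login=False, mfa_enabled=False,
             keys=[AccessKey("KEY-0002", date(2024, 4, 1), date(2024, 5, 31)),
                   AccessKey("KEY-0003", date(2023, 11, 1), None),
                   AccessKey("KEY-0004", date(2022, 1, 1), None, active=False)]),
]


def _finding(ident, severity, text, remediation):
    return {"identity": ident.name, "severity": severity,
            "finding": text, "remediation": remediation}


def posture_findings(identities=IDENTITIES, today=TODAY):
    """Return findings sorted with the highest severity first."""
    findings = []
    for ident in identities:
        # MFA applies to interactive logins. A service identity cannot satisfy it,
        # so for one like "ci-deployer" the controlling checks are the key checks.
        if ident.privileged and ident.console_login and not ident.mfa_enabled:
            findings.append(_finding(ident, "HIGH",
                                     "privileged console user without MFA",
                                     "enforce MFA before next login"))
        for k in ident.keys:
            if not k.active:
                continue                       # an inactive key cannot be used; nothing to fix
            age = (today - k.created).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append(_finding(ident, "MEDIUM",
                                         f"key {k.key_id} not rotated for {age} days",
                                         f"rotate {k.key_id}"))
            if k.last_used is None:
                findings.append(_finding(ident, "MEDIUM",
                                         f"key {k.key_id} active but never used",
                                         f"deactivate {k.key_id}"))
            else:
                idle = (today - k.last_used).days
                if idle > MAX_KEY_IDLE_DAYS:
                    findings.append(_finding(ident, "MEDIUM",
                                             f"key {k.key_id} unused for {idle} days",
                                             f"deactivate {k.key_id}"))
    order = {"HIGH": 0, "MEDIUM": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["identity"]))


if __name__ == "__main__":
    for f in posture_findings():
        print(f"[{f['severity']}] {f['identity']}: {f['finding']} -> {f['remediation']}")
```

On the constructed inventory the result is one HIGH finding (alice-admin has privileged console access without MFA) and three MEDIUM ones: bob's key is over a year old, and ci-deployer carries an active key that was never used and is also overdue for rotation. carol-admin and the recently created, recently used KEY-0002 produce nothing, and the already inactive KEY-0004 is skipped.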

Manage permissions versioning.

Keeping track of versions of permissions to be able to revert to previous versions on demand is an important requirement for a CIEM solution.

Given that permissions are a complex component of managing cloud infrastructure, changing them can easily make services unavailable to identities that legitimately need them. Without the ability to revert, security and DevOps professionals may understandably lack the confidence and willingness to tighten permissions toward least privilege.


