With the complexities of today’s networks, ensuring proper oversight of network identities and related assets is crucial. Just as perimeter security and patch management are critical components of a security program, identity and access management must also be mastered.
Implementing a successful IAM program is challenging because every organization has
unique needs and tolerances to risk.
However, there are a handful of fundamental steps security teams can take to master IAM at organizations of all sizes and industries.
Avoid identity and access oversight from becoming the network’s Achilles’ heel by adopting the following four identity and access management best practices.
Document expectations and responsibilities for
A successful IAM system is not complete unless and until the rules of engagement are
documented. While documentation is not everything — too many organizations rely on it too
much — it is a necessity. Infosec professionals must avoid an overreliance on documentation
and instead develop — and communicate — standards and policies in a balanced way.
Many organizations implement privileged account management, single sign-on and user
provisioning, and yet, these IAM controls are ineffective time and again. This is often a result
of communication breakdowns among IT and security teams, stakeholders, system analysts,
business unit leaders and HR managers. It is commonly the case that each individual is
looking at each other and assuming that everyone is doing their part. Troublingly, IAM
standards, policies and procedures hang in the balance as a result. It is important this
documentation is understood by and agreed upon by everyone across the organization to
implement the identity and access management best practices successfully.
Centralize security and critical systems around
Many organizations make the mistake of implementing expensive IAM systems on one part
of the network — typically with Windows Active Directory — while other critical systems fall
outside of such purview. This includes ERP and other web systems, mobile and cloud
environments, source code repositories and IoT. Adding to the disarray in these cases,
internal employee identities are governed, but external partners, contractors and customers
are often not subject to oversight.
IAM is not easy, and successfully implementing an IAM system enterprise-wide can take a
significant amount of time. An identity and access management best practice is to roll out
the program in phases to ensure secure adoption of policies and procedures. Make sure
short- and long-term plans expand the scope of IAM across all business-critical systems
where possible and reasonable.
Codify business processes to minimize risks
Often, day-to-day processes for identity management and account access are taken for
granted. For example, common roles needing access, anomalous access requests and
actual versus requested access rights must be considered.
These fundamental identity and access management best practices should not be glossed
over. If left unchecked, they perpetuate identity- and account-related oversights and what might be considered unnecessary security risks. For example, privilege creep and identity lifecycle mismanagement can occur, resulting in consequences both swift and steep.
Evaluate the efficacy of current IAM controls
Unfortunately, implementing the security controls in an IAM program can lull organizations
into a false sense of security. This phenomenon of taking security for granted may manifest
in security teams not measuring the IAM program’s progress over time.
In some cases, enterprise investments are made and controls are rolled out, yet the IAM
program is not effectively enforcing or governing identity authentication and access across
the network. The best way to avoid underimplementing IAM systems in this way is to
continually ask the question, “How is this program working for the organization?” Determine
specific benefits and drawbacks in the context of security oversight, and measure those
metrics. Use zero-based thinking to determine what the organization should do more of and
what it should do less of when it comes to IAM implementation. This exercise can go a long
way toward achieving and maintaining a truly effective IAM system.
8 additional IAM best practices to consider
Expensive investments in the latest cybersecurity tools and technology are no replacement
for the protection that IAM best practices can provide. Take these steps to securely manage
network identities and limit the risk of IAM-related security incidents:
- Reduce network complexity wherever possible.
- Improve audit trails to help with oversight and compliance.
- Implement separation of duties and principle of least privilege.
- Ensure users have the proper permissions they need to do their jobs.
- Ensure privileged accounts are properly managed.
- Use IAM products to fine-tune your environment.
- Minimize costs and maximize satisfaction by having users manage their own
accounts through customized IAM workflows.
- Focus on visibility and control.
Improperly secured and managed network identities are a tangible risk. The last thing a
security team should do is mismanage or undermanage these assets. Whether it’s
accounts that are stolen, orphaned or otherwise unknown, the keys to the kingdom should not be the low-hanging fruit that creates the next incident or breach.
IAM projects fail more often than you might think. There are many reasons for this.
Learn more about the Methodology of an IAM Introduction here: