Fix Identity and Access Management
Vladimir Jirasek
Protecting What Matters Most in Your Digital Life | CISO & Cybersecurity expert
The topic of “best practices in IAM” is complex due to the intricacies of Identity and Access Management (IAM) and the unique policies, processes, and procedures of each organisation. Therefore, a one-size-fits-all approach does not work.
That said, here are key elements of IAM I always consider when helping organisations strengthen their security maturity:
1. Single Source of Truth for Accounts and Their Access Privileges
One of the toughest questions an auditor can ask a business about their IAM processes is: “Show me why this user account exists, what level of access they have to your systems, and why (e.g., who requested it, who approved it, what ticket number).” At this point, panic ensues, with people frantically searching through Excel files, Jira tickets, email messages, and Slack for answers. To an experienced auditor, this signals control failures.
My advice: when designing the IAM processes that create IAM entities (user accounts, computer accounts, groups, service accounts, etc.) and assign privileges, always remember that the process should be reversible and should produce audit-trail evidence.
To achieve this, the information about accounts and their privileges must be stored in a way that allows for reverse querying. Standard IAM systems like Active Directory, Entra ID, or AWS IAM do not facilitate easy reverse querying of account privileges. I recommend using a ticketing system and adding the ticket number to the comment field in the entity object.
This approach works well for managing the entities themselves, but not for reviewing their privileges, such as what resources they have access to, why they have access, who approved it, and until when. For this, a relatively simple database—such as a Microsoft List or Excel sheet—can suffice. Alternatively, you can invest in specialised tools that provide these capabilities and more. Just be sure to implement them with the auditor’s question in mind, perhaps even on a sticky note on your monitor!
Review Accounts and Privileges on a Quarterly Basis
The next best practice is to regularly review the data recorded in your system. If you’ve done a good job, it should be easy to create a procedure that asks the original approvers whether the entity and its permissions are still necessary. For small companies, a workflow in Microsoft Power Automate linked to SharePoint may be sufficient. For larger organisations, enterprise tools often have this capability built in.
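The register from point 1 and the quarterly review above, as an added example that is not part of the original article: a small Python access register that answers the auditor's reverse question ("why does this account have this access, who approved it, which ticket?") and lists what is due for recertification. All accounts, tickets, resources and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Grant:
    """One access privilege together with the evidence of why it exists."""
    account: str            # IAM entity: user, service account, group ...
    resource: str           # what the entity can reach
    privilege: str          # level of access
    requested_by: str
    approved_by: str
    ticket: str             # the same ticket id goes in the entity's comment field
    granted_on: date
    last_reviewed: date     # when an approver last confirmed it is still needed
    expires_on: Optional[date] = None   # None = open-ended, so it relies on periodic review

# Constructed sample register: names, tickets and resources are made up.
REGISTER = [
    Grant("svc-backup", "finance-archive", "read", "j.doe", "a.lee",
          "IAM-1001", date(2024, 1, 15), date(2024, 1, 15)),
    Grant("m.smith", "payroll-db", "admin", "m.smith", "a.lee",
          "IAM-1042", date(2024, 3, 2), date(2024, 6, 1), date(2024, 9, 30)),
    Grant("m.smith", "hr-share", "read", "p.wong", "r.khan",
          "IAM-1077", date(2024, 7, 10), date(2024, 7, 10)),
]
AS_OF = date(2024, 10, 1)   # constructed run date for the quarterly review

def justify(register, account):
    """The auditor's question: every grant for an account, with its provenance."""
    return [g for g in register if g.account == account]

def who_can(register, resource):
    """Reverse query by resource: which accounts reach it, at what level, under which ticket."""
    return [(g.account, g.privilege, g.ticket) for g in register if g.resource == resource]

def due_for_review(register, today, period_days=90):
    """Grants that have expired, or whose last review is older than one period (a quarter)."""
    cutoff = today - timedelta(days=period_days)
    return [g for g in register
            if (g.expires_on is not None and g.expires_on < today) or g.last_reviewed < cutoff]

def unaccounted(register, directory_accounts):
    """Accounts present in the directory with no record at all: the 'panic' case."""
    return sorted(set(directory_accounts) - {g.account for g in register})
```

Feeding `due_for_review` into a workflow that asks each grant's `approved_by` to confirm or revoke is the quarterly procedure the text describes.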
2. Secure the Usage of Identities
Identities are protected by various security factors. You are familiar with passwords and multi-factor authentication. Best practices in this area evolve as technology advances bring more seamless and secure authentication methods.
The strength of the authentication method should be directly related to the risk level assigned to the identity, location, method of access, and the security importance of the resources being accessed, among other factors.
However, I recommend not confusing people with multiple authentication methods. Instead, choose the strongest and most seamless option that your systems can support. Today, this means using FIDO Alliance Passkeys stored on hardware devices, such as smartphones, which prevent export from their secure chips.
3. Monitor and React to Abnormalities in Identity Usage
The SIEM and SOAR vendors will love me for this: monitoring for abnormalities is the best use case for utilising machine learning and AI. No security team, regardless of size, can manually review all access attempts (successful or not) and accurately detect attacks while eliminating false negatives and false positives with six-sigma precision.
I’m not going to suggest any particular vendor here. Do your research, speak to your colleagues, or contact me to hear my opinion.
Conclusion
Implementing, managing, and monitoring these suggested approaches represent crucial steps toward reducing the risk of significant cyber events in your organisation.