IAM brings together a whole host of acronyms and technical terms, but what are the best IAM practices?
We'll look at some of the main points, but please note that not all of them are equally important, depending on the size of your company, your staff turnover and the risk sensitivity of your sector.
A company with very low turnover will pose a low risk in terms of orphan accounts if they are properly managed, whereas a company with high turnover will find it very difficult to manage them without errors.
A 50-strong company can manage its own IT authorizations, whereas a 3,000-strong company will find it very difficult to orchestrate its IT onboarding and offboarding without the help of a specialist.
A bank, a hospital or a dog food company will not have the same cybersecurity challenges. Certain sectors are prime targets for hackers.
Here are 7 IAM best practices:
1. Define your identity and access management roadmap
Pinpoint what triggered your search.
Why do you want to find out more?
Defining this precisely is crucial: it becomes the key metric you track and the yardstick that guides your evaluation.
The most frequent cases are:
- you're overwhelmed by onboarding, and manual processes just don't cut it anymore,
- you have a technical support team swamped with requests, and you need a solution to relieve them,
- you have to carry out compliance audits, and you realize that this takes an enormous amount of time and resources, and produces unreliable results,
- you want to obtain ISO 27001 certification, but have no way of tracing all your provisioning actions,
- you don't carry out offboarding at the time of departure, but rather through major work sessions with HR every 3 months (or more),
- you've carried out an audit and found that your users often had too many access rights.
This is not an exhaustive list: there are many other reasons, and I've only mentioned the main ones here.
Don't get sidetracked (at this stage) by 'gimmicky' features you hadn't considered and which may cloud your decision. Stay focused on your main objective.
2. Determine who needs to be involved in managing your IAM
The first to be affected are 🔹the IT department🔹. These are the people on the front line for support, requests, processes of varying complexity, and the fallout when something is missed.
Involving the team from the start is therefore essential if the project is to work in the long term.
🔹Human resources🔹 is one of the key players affected by user management. HR is the authoritative source for joiners and leavers, and is therefore the department IT calls on.
HR is often obliged to enter information twice:
- in the HRIS or HR files,
- again for IT, via a ticketing system, a shared Excel file or e-mails.
As you can see, this double entry is a source of error: it depends on people remembering to do it, and things get forgotten.
Involving human resources from the outset is clearly a good practice for your IAM, as the time saved and the reliability of information will be much appreciated.
HR will have access to a single user repository that will be invaluable to them.
🔹The managers🔹 are the only ones who know which short-term interns (under two months), contractors and temps are present in their department at any given moment. This data is crucial, as the management of external accounts is often the weak point of IT departments and a prime target during cyberattacks.
They will need to be involved in filling in the user addition or modification forms, which will be an important building block of the single user repository.
They will also be asked to validate the access and rights granted to each member of their team.
In some companies, we may find 🔹application managers🔹.
They will be responsible for managing a fleet of applications, ensuring that orphaned accounts are removed, that rights are assigned to each user, and that accounts are allocated.
Project sponsors: 🔹senior management🔹.
They won't be involved in the day-to-day stages of identity and access management, but they approve the budget. You need to make sure they understand the cybersecurity, time-saving and process-optimization issues at stake.
3. Tidy up and eliminate orphan and duplicate accounts
Throughout a user's lifecycle, accounts are created and rights granted until the user leaves.
It's crucial to keep track of these accounts, so that no active account is left without an owner and becomes an orphan account. Such an account is a standing vulnerability and undermines the company's security. Not to be taken lightly.
The account gets compromised and nobody notices: it keeps sending e-mails and interacting with systems, but the identity behind it is no longer who it claims to be, and nobody knows. By then it's too late.
Identify and eliminate them on a regular schedule to close off that attack path.
The same applies to duplicate accounts. When accounts are created by hand, Matthieu Grignon sometimes ends up with a mathieu.grignon account. The day he needs it, nobody can find it, so a new matthieu.grignon is created, while the first one still exists.
These duplicates are orphan accounts too, and just as much of a security hole. Flag them and delete them, or merge them into the account that is kept.
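The clean-up described above can be driven by a reconciliation between the HR roster and a directory export: an enabled account whose owner has left or cannot be identified is an orphan, two enabled accounts that resolve to the same person are duplicates to merge, and an active employee with no account is a joiner still to be provisioned. The following is an added example, not code from the article or from any IAM product; the people, usernames and employee IDs are constructed for illustration, and the fuzzy name match is one simple way (among others) to catch typos like mathieu versus matthieu.

```python
"""Reconcile an HR roster against a directory export to spot leavers that
were never offboarded, accounts with no known owner, duplicate accounts
for one person, and joiners with no account. Added example: the records
below are constructed for illustration, not a real HR system or directory.
"""
import difflib
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    first: str
    last: str
    active: bool          # False once HR has recorded the departure


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str      # "" when the account was created by hand, unlinked to HR
    enabled: bool


# Constructed sample data (hypothetical people and usernames).
HR = [
    HrRecord("E001", "Matthieu", "Grignon", True),
    HrRecord("E002", "Anne", "Dupont", True),
    HrRecord("E003", "Léa", "Martin", False),     # left last month
    HrRecord("E004", "Paul", "Durand", True),     # joined this week
]
DIRECTORY = [
    Account("mathieu.grignon", "", True),         # misspelt account, still enabled
    Account("matthieu.grignon", "E001", True),    # recreated when the first "could not be found"
    Account("anne.dupont", "E002", True),
    Account("lea.martin", "E003", True),          # leaver never offboarded
    Account("svc-backup", "", True),              # nobody knows who owns this one
]


def slug(first: str, last: str) -> str:
    """Lower-case, accent-folded first.last form used to compare names."""
    text = unicodedata.normalize("NFKD", f"{first}.{last}".lower())
    return "".join(c for c in text if not unicodedata.combining(c))


def similar(a: str, b: str, threshold: float = 0.85) -> bool:
    """Tolerate small typos such as mathieu vs matthieu."""
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def reconcile(hr, directory):
    active_by_id = {r.employee_id: r for r in hr if r.active}
    findings = {"orphans": [], "duplicates": [], "missing": []}
    owner = {}                      # username -> employee_id of the resolved owner

    for acct in directory:
        if not acct.enabled:
            continue                # disabled accounts are handled by a separate purge
        emp = acct.employee_id
        if not emp:
            # Unlinked account: attach it to a person only if exactly one name matches.
            matches = [r for r in hr if similar(acct.username, slug(r.first, r.last))]
            emp = matches[0].employee_id if len(matches) == 1 else ""
        if emp in active_by_id:
            owner[acct.username] = emp
        else:
            # Enabled, but its owner has left or was never identified: orphan.
            findings["orphans"].append(acct.username)

    # Two enabled accounts resolving to the same person are duplicates to merge.
    by_owner = {}
    for username, emp in owner.items():
        by_owner.setdefault(emp, []).append(username)
    findings["duplicates"] = [(emp, sorted(u)) for emp, u in by_owner.items() if len(u) > 1]

    # Active staff without any enabled account: a joiner not yet provisioned.
    findings["missing"] = sorted(emp for emp in active_by_id if emp not in by_owner)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(HR, DIRECTORY).items():
        print(f"{kind}: {items}")
```

On the sample data this reports lea.martin and svc-backup as orphans, the two Grignon accounts as a duplicate pair for E001, and E004 as a joiner without an account. In a real run the HR side would come from the HRIS export and the directory side from an LDAP or cloud-directory query, and an unlinked account that matches nobody should be treated as an orphan to investigate rather than silently deleted, since it may be a service account with an owner who is not in HR.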
4. Apply the principle of least privilege
In order to strengthen corporate security, it is important to grant users only the bare minimum of rights. If a user needs a temporary increase in rights, that elevation should be time-limited and tracked, and the account returned to its initial rights when the period ends.
To do this, you can define a basic application package for each department, with the associated rights. You can then check regularly whether a person's access and rights match his or her position, and readjust them if not.
This is called the principle of least privilege.
Some accounts need more rights, such as those of management, IT staff and supervisors, and are therefore more sensitive.
These are called privileged accounts. Privileged accounts must be closely controlled and continually audited.
By monitoring and auditing these accesses, we can detect suspicious activity and react rapidly in the event of a security incident.
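The baseline-package check and the time-limited elevation described above, as an added example (not code from the article): each department has a hypothetical baseline set of rights, a review flags permanent rights outside that baseline and temporary rights that have expired, and a remediation step brings the account back in line. The departments, rights, user and dates are all constructed for illustration.

```python
"""Check a user's rights against the baseline package for their department,
flag temporary elevations that have expired, and bring the account back
in line. Added example; departments, rights and users are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical baseline packages: what every member of a department gets.
BASELINE = {
    "finance":   {"erp:read", "erp:post-journal", "mail", "vpn"},
    "marketing": {"cms:edit", "mail", "vpn"},
    "it":        {"ad:helpdesk", "mail", "vpn"},
}
MAX_ELEVATION = timedelta(hours=8)      # no temporary right outlives a working day
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)   # fixed "now" for the sample


@dataclass
class Grant:
    right: str
    expires: Optional[datetime] = None  # None means permanent
    reason: str = ""


@dataclass
class User:
    name: str
    department: str
    grants: list = field(default_factory=list)


def elevate(user: User, right: str, hours: float, reason: str, now: datetime) -> Grant:
    """Grant a right temporarily. The duration is capped so nothing stays open by accident."""
    if hours <= 0:
        raise ValueError("elevation needs a positive duration")
    grant = Grant(right, now + min(timedelta(hours=hours), MAX_ELEVATION), reason)
    user.grants.append(grant)
    return grant


def review(user: User, now: datetime) -> dict:
    """Compare held rights with the department baseline."""
    baseline = BASELINE[user.department]
    expired, excess, held = [], [], set()
    for g in user.grants:
        held.add(g.right)
        if g.expires is not None:
            if g.expires <= now:
                expired.append(g.right)         # temporary right past its end date
        elif g.right not in baseline:
            excess.append(g.right)              # permanent right the position does not need
    return {
        "expired": sorted(expired),
        "excess": sorted(excess),
        "missing": sorted(baseline - held),
    }


def remediate(user: User, now: datetime) -> list:
    """Revoke expired and out-of-baseline permanent grants, add missing baseline rights."""
    baseline = BASELINE[user.department]
    kept = [
        g for g in user.grants
        if (g.expires is None and g.right in baseline)      # baseline, permanent
        or (g.expires is not None and g.expires > now)      # still-valid temporary right
    ]
    have = {g.right for g in kept}
    kept += [Grant(r, None, "baseline") for r in sorted(baseline - have)]
    user.grants = kept
    return sorted(g.right for g in kept)


def sample_user() -> User:
    """Anne moved from marketing to finance; cms:edit was never removed
    and the year-end elevation ran out two days ago."""
    return User("anne.dupont", "finance", [
        Grant("erp:read"),
        Grant("erp:post-journal"),
        Grant("mail"),
        Grant("cms:edit", reason="left over from the marketing role"),
        Grant("erp:admin", NOW - timedelta(days=2), "year-end close"),
    ])


if __name__ == "__main__":
    anne = sample_user()
    print(review(anne, NOW))
    print(remediate(anne, NOW))
```

Note the two different decisions the review makes: an expired elevation is revoked regardless of department, while a permanent right is only kept if the current position's baseline includes it, which is what catches rights accumulated across internal moves. Running the review on a schedule, and not just at onboarding, is what makes the principle hold over time.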
5. Automate your IT account provisioning processes
Managing IT onboarding and offboarding, cleaning up unused accounts, granting the right rights to the right people, carrying out audits: none of this can be done reliably by hand once the headcount grows.
Automation is becoming a necessity. It is the basis of IAM, because it ensures the reliability of information.
Provisioning is any action to create, modify, suspend or delete an account.
Over and above good practice, automating your provisioning enables you to:
- reduce human error,
- easily scale processes according to user movements,
- respond rapidly to users and react quickly to events,
- comply with directives, regulations and certifications, thanks in particular to provisioning traceability,
- reduce labor costs by eliminating repetitive tasks (account creation, password resets, etc.),
- audit with ease, answering the big question: who has access to what, and why,
- detect anomalies such as orphaned accounts, duplicates, and access and rights that no longer match the current position.
6. Set up MFA and SSO and make it mandatory
Now that we've looked at the management side of IAM, another technical area comes into play, with SSO (single sign-on) and MFA (multi-factor authentication).
A good practice in identity and access management is to reinforce users' means of connection as much as possible.
SSO enables users to log on once to access multiple applications and resources. This simplifies password management for users and reduces the risk of weak or reused passwords. It also concentrates risk in the SSO account itself, so that account in particular must be protected with MFA.
MFA is your ally in preventing intrusions. It adds a layer of security by requiring more than just a password, checking your identity a second time by another means. Not all second factors are equal: a one-time code sent by SMS can be intercepted or phished, whereas an authenticator app is stronger and phishing-resistant methods such as FIDO2 security keys or passkeys are stronger still.
When your users log on and say 'I'm so-and-so', MFA checks by another means that yes, it really is so-and-so.
7. Think compatibility in IAM
Your organization may use a variety of systems, applications and platforms. Make sure your IAM is designed to handle this heterogeneity.
You have Active Directory, Azure AD (now Microsoft Entra ID) or another directory of user accounts, you have an HRIS or HR file, HR sources in Excel, and you also have SaaS and on-premise applications.
Your IAM must be compatible with all your tools and able to interface with each of them, so that it can link them together and automate the flows between them.
If your IAM leaves one link in the chain out, the whole process breaks down at that link.
In conclusion
IAM best practices are based on two essential elements:
- simplifying and clarifying internal processes,
- securing user accounts.
For good Identity and Access Management practices to have an impact, you need to be convinced internally. You can set up the best IAM solution on the market and preach the best procedures, but if no one follows them, it's all in vain.
The most important practice is therefore to involve the various stakeholders, users included, so that the security measures are actually adopted.
By following these recommendations, you'll be able to better control your users' identities and accesses, and thus preserve your company's security and efficiency in an ever-changing digital environment.
Companies that are ready to adopt these IAM practices will be better prepared to face tomorrow's challenges.