IAM, or identity and access management, encompasses a whole host of acronyms and technical terms, but beneath this vast subject, what are the best practices of IAM?
We will discuss major points, but be aware that not all of them have the same importance depending on the size of your company, your turnover, and the risk sensitivity of your sector.
A company with very low turnover will pose a low risk in terms of orphan accounts if they are properly managed, whereas a company with high turnover will have great difficulty managing them without errors.
A company of 50 people will be able to manage its own IT entitlements, whereas a company of 3,000 people will have great difficulty orchestrating its IT onboarding and offboarding without the help of a specialist.
A bank, a hospital, or a dog food company will not have the same cybersecurity challenges. Some sectors are prime targets for hackers.
Here are 7 IAM best practices:
1. Define the roadmap for your identity and access management
Pinpoint the trigger for your search.
What prompts you to seek information?
It is crucial to precisely define this element, as it will be your key metric to follow and should guide your research.
The most frequent cases are:
- You are overwhelmed by onboarding, and manual processes no longer work at all.
- Your technical support team is overwhelmed with requests, and you need a solution to relieve the burden.
- You need to perform compliance audits and realize that they take an enormous amount of time and resources, with unreliable results.
- You want a certification such as ISO 27001 and have no way to trace all your provisioning actions.
- You don't perform offboarding at the time of departure, but rather in large work sessions with HR every 3 months (or more).
- You've conducted an audit and it revealed that your users often have excessive access rights.
This is not an exhaustive list; there are other reasons, but I have only mentioned the main ones here.
Do not get lost (at this stage) in 'gadget' features you had not considered and that distract from your decision. Stay focused on your primary objective.
2. Determine who should be involved in managing your IAM

The primary stakeholders are 🔹the IT department🔹. They are on the front line for support, requests, complex processes, and repercussions in case of a 'mishap'.
Involving this team is therefore essential, and it is clearly a good IAM management practice that ensures the project's long-term success.
🔹Human resources🔹 are one of the key players affected by user management. HR knows about arrivals and departures first and is therefore constantly solicited by the IT department.
HR is often required to enter information twice:
- for the HRIS or the HR file,
- for IT through a ticketing system, a shared Excel file with IT, or emails.
However, as you can see, this system is prone to errors, since it relies on humans working in the background who may forget.
Involving human resources from the outset is clearly a good practice for your IAM, because the gain in time and in reliability of information will be highly appreciated.
HR will have access to a single user repository that will be valuable to them.
🔹Managers🔹 are the only ones who know which interns (with less than 2 months of service), contractors, and temporary staff are present in their department at any given time. This data is crucial because the management of external accounts is often the weak point in IT departments and becomes a prime target during cyberattacks.
It will be necessary to involve them so that they fill in the user addition or modification forms, which will be an important component of the single user repository.
They will also be involved in validating the access and rights granted to each member of their team.
Some companies also have 🔹application managers🔹.
They are in charge of a range of applications for which they must ensure the deletion of orphaned accounts, the correctness of the rights assigned to each user, and the allocation of accounts.
Project approvers: 🔹management🔹.
While not involved in the various stages of identity and access management, this role provides the financial approval for the project. It is important to clearly communicate the cybersecurity stakes, time savings, and process optimization benefits.
3. Clean up and eliminate orphan accounts and duplicates

Throughout a user's lifecycle, accounts are created and rights are granted, right up until the user leaves.
It is crucial to monitor these accounts so that no unused active account is left behind to become an orphan account. Such an account is a potential vulnerability and undermines the company's security. It should not be taken lightly.
The account is compromised, but no one notices. It sends emails and interacts normally. The identity is no longer what it was initially, but no one is aware. By then, it is too late.
Identify and eliminate them regularly to prevent a cyberattack.
The same goes for duplicates. You know, when you create accounts manually, Matthieu Grignon sometimes ends up with a mathieu.grignon account. On the day he needs it, the account can't be found, so another one, matthieu.grignon, is created, except that the first one still exists!
These duplicates are also orphaned accounts and therefore security vulnerabilities. They should be identified and either deleted or merged with the other account.
4. Apply the principle of least privilege
To strengthen company security, it is important to grant users only the bare minimum of rights. If a user needs a temporary increase in their rights, that increase must be tracked over time and the original rights restored at the end of the period.
For this, you can define a basic application package for each department with the associated rights. You can then regularly check whether a person's access and rights match their position and, if not, readjust them.
This is called the principle of least privilege.
Some accounts require more privileges, such as management, the IT department, and managers; these accounts are therefore more sensitive.
These are called privileged accounts. Privileged accounts must be closely controlled and continually audited.
The monitoring and auditing of these accesses will make it possible to detect suspicious activities and react quickly in the event of a security incident.
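As an added illustration (not code from the article), here is how the check described above can be carried out against a department's baseline package. It assumes a hypothetical rights catalogue and user records, and flags rights outside the package, expired temporary elevations that must be revoked, and privileged rights that stay under audit even when legitimately held.

```python
from datetime import date

# Constructed baseline: the "basic application package" of each department
# (hypothetical application names; replace with your own catalogue).
BASELINE = {
    "finance": {"erp", "expense-tool", "mail"},
    "support": {"ticketing", "crm", "mail"},
}
# Rights that make an account a privileged account, i.e. always worth auditing.
PRIVILEGED = {"erp-admin", "domain-admin"}
# Constructed user records: current rights plus time-boxed elevations (right, expiry).
USERS = [
    {"login": "a.dupont", "dept": "finance", "rights": {"erp", "expense-tool", "mail"}, "elevations": []},
    {"login": "b.martin", "dept": "support", "rights": {"ticketing", "crm", "mail", "erp-admin"},
     "elevations": [("erp-admin", date(2024, 3, 31))]},
    {"login": "c.roux", "dept": "support", "rights": {"ticketing", "crm", "mail", "domain-admin"},
     "elevations": []},
]
TODAY = date(2024, 6, 1)  # constructed review date


def review_rights(users, baseline, today, privileged=PRIVILEGED):
    """Compare each user's rights with their department package.

    Returns {login: [finding, ...]} for users whose rights do not match their
    position: rights beyond the package with no live elevation (expired ones are
    flagged for revocation), package rights that are missing, and privileged
    rights that are legitimately held but must stay under audit."""
    findings = {}
    for u in users:
        package = baseline[u["dept"]]
        active = {r for r, exp in u["elevations"] if exp >= today}
        expired = {r for r, exp in u["elevations"] if exp < today}
        excess = u["rights"] - package - active  # neither the package nor a live elevation justifies these
        issues = []
        for r in sorted(excess):
            reason = "expired elevation, revoke" if r in expired else "no justification, review"
            issues.append(f"{r}: {reason}")
        for r in sorted(package - u["rights"]):
            issues.append(f"{r}: missing from package")
        for r in sorted((u["rights"] & privileged) - excess):
            issues.append(f"{r}: privileged, keep under audit")
        if issues:
            findings[u["login"]] = issues
    return findings


if __name__ == "__main__":
    for login, issues in review_rights(USERS, BASELINE, TODAY).items():
        print(login, *issues, sep="\n  ")
```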

5. Automate your IT account provisioning processes
Managing IT onboarding and offboarding, cleaning up unused accounts, granting the right permissions to the right people, performing audits – none of this can be done manually.
Automation is becoming a necessity. It is the foundation of IAM because it provides reliable information.
Provisioning includes all actions to create, modify, suspend, or delete an account.
Automating provisioning, beyond being a best practice, allows you to:
- reduce human errors,
- easily scale processes with your user movements,
- respond quickly to users and be highly reactive to events,
- comply with directives, regulations, and certifications, in particular thanks to the traceability of provisioning actions,
- reduce labor costs by eliminating repetitive tasks (account creation, password resets, etc.),
- perform audits with great ease in order to answer the big question: who has what and why,
- detect anomalies such as orphaned accounts, duplicates, and misalignments between access rights and the current position.
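Here is an added example (not code from the article) of the anomaly detection that points 3 and 5 describe: reconciling a directory export against the HR roster to find orphan accounts, stale accounts and duplicates such as the mathieu/matthieu case. The HR and directory records are constructed, and the 90-day inactivity threshold is an assumption.

```python
import unicodedata
from datetime import date

# Constructed HR roster (the source of truth): employee id -> record. Hypothetical data.
HR = {
    "E100": {"name": "Matthieu Grignon", "left": None},
    "E200": {"name": "Aïcha Benali", "left": date(2024, 1, 15)},
    "E300": {"name": "Li Wei", "left": None},
}
# Constructed directory export: hand-made accounts, including the article's
# mathieu/matthieu duplicate and a service account that nobody in HR owns.
ACCOUNTS = [
    {"login": "mathieu.grignon", "hr_id": "E100", "name": "Matthieu Grignon", "last_login": date(2023, 2, 1), "enabled": True},
    {"login": "matthieu.grignon", "hr_id": None, "name": "Matthieu Grignon", "last_login": date(2024, 5, 30), "enabled": True},
    {"login": "aicha.benali", "hr_id": "E200", "name": "Aïcha Benali", "last_login": date(2024, 1, 10), "enabled": True},
    {"login": "li.wei", "hr_id": "E300", "name": "Li Wei", "last_login": date(2024, 5, 29), "enabled": True},
    {"login": "svc-backup", "hr_id": None, "name": "", "last_login": date(2022, 1, 1), "enabled": True},
]
TODAY = date(2024, 6, 1)  # constructed review date

def norm(name):
    """Fold accents, case and spacing so 'Aïcha  Benali' matches 'aicha benali'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(folded.lower().split())

def reconcile(hr, accounts, today, stale_days=90):
    """Return {login: [findings]} for enabled accounts: orphans (no active owner in
    HR), stale accounts (no recent login) and duplicates (several accounts per person)."""
    by_name = {norm(rec["name"]): eid for eid, rec in hr.items()}
    logins_of = {}  # employee id (or login when unmatched) -> logins, to spot duplicates
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue
        # Match on HR id first, then fall back to the normalised name for hand-made accounts
        eid = a["hr_id"] or by_name.get(norm(a["name"]))
        issues = []
        if eid is None:
            issues.append("orphan: no matching HR record")
        elif hr[eid]["left"] and hr[eid]["left"] <= today:
            issues.append(f"orphan: owner left on {hr[eid]['left']}")
        if (today - a["last_login"]).days > stale_days:
            issues.append(f"stale: no login for more than {stale_days} days")
        logins_of.setdefault(eid or a["login"], []).append(a["login"])
        findings[a["login"]] = issues
    for logins in logins_of.values():
        for login in (logins if len(logins) > 1 else []):
            others = ", ".join(x for x in logins if x != login)
            findings[login].append(f"duplicate: same person as {others}")
    return {login: f for login, f in findings.items() if f}
```

Calling reconcile(HR, ACCOUNTS, TODAY) on the sample data reports the two Grignon accounts as duplicates, the departed employee's account and the ownerless service account as orphans, and leaves li.wei untouched.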
6. Implement MFA and SSO and make it mandatory

We have seen the 'management' part of IAM so far; another, technical part comes into play with SSO (single sign-on) and MFA (multifactor authentication).
A good practice in identity and access management is to strengthen user connection methods as much as possible.
SSO allows users to log in to a system once to access multiple applications and resources. This simplifies password management for users and reduces the risk of using weak or reused passwords.
MFA is your ally in preventing intrusions. It adds a layer of security by requiring more than just a password and performing a second verification of your identity.
When your users log in and say 'I am so-and-so', MFA verifies by another means that yes, it really is so-and-so.
7. Consider compatibility in IAM
Your organization may use various systems, applications, and platforms. Ensure that your IAM is designed to manage this heterogeneity.
You may have Active Directory, Azure AD, or another user account directory; an HRIS, an HR file, or HR sources in Excel; and applications in both SaaS and on-premises environments.
Your IAM must be compatible with all your tools and be able to interface with all of them in order to create links between them and thus implement automation.
If your IAM does not take into account one of the links in the chain, the entire process collapses.

In conclusion
IAM best practices are based on two essential elements:
- Simplification and clarification of internal processes
- Securing user accounts
For best practices in Identity and Access Management to have an impact, internal buy-in is essential. You can implement the best IAM solution on the market and advocate optimal procedures, but if no one follows them, it will be in vain.
The most important practice will therefore be to involve the various stakeholders, including users, so that security measures are adopted.
By following these recommendations, you can better manage your users' identities and access, thereby preserving your company's security and efficiency in a constantly evolving digital environment.
Companies that are ready to adopt these IAM practices will be better prepared to face the challenges of tomorrow.