Identity Management Best Practices
Best practices for identity management
For identity and access management (IAM) to be effective, the tools must be set up correctly and supported by defined processes and best practices. Gaps left when the system is first implemented tend to persist, and each one is a weakness an attacker can use.
This module will explain the importance of implementing identity management best practice measures to ensure that sensitive data can only be accessed by those that require it.
The following sections will identify essential best practice aspects of identity management to help bolster security across your organization.
Adhere to compliance regulations
Ensuring that a business complies with the regulations of their industry and region should be a major consideration when implementing best practices.
GDPR is the main data protection law in the European Union, and the UK retains it as UK GDPR; the United States has no single nationwide law, so companies must comply with a patchwork of federal and state laws in the regions where they operate. An IAM solution should offer granular, auditable control over who can reach which data, so that compliance with these regulations can be demonstrated rather than merely asserted.
Another element to consider for compliance is managing the IAM lifecycle. Over time, people will join, leave, or transfer between roles regularly. The IAM system should allow administrators to swiftly grant or revoke access based on these changes to ensure data privacy and security are not impacted.
Change your security focus
Traditionally, businesses have focused predominantly on network security rather than identity management. The adoption of cloud applications, remote working and bring your own device (BYOD) endpoints means that much company data is now reached from outside the office network. Identity, of both users and services, has therefore become the primary control point in a robust security strategy, and it has never been more important to apply best practices to it.
A good approach would be to adopt a cloud-based software solution that includes IAM services and would therefore make it easier to bring together key services, application access management, and identity protection.
Transform your onboarding capabilities
Onboarding has traditionally been a manual process for IT teams, who assess which privileges and access permissions each employee requires. The workload grows as the business scales.
Identity management software can be used to automate onboarding and offboarding processes, saving resources and time. Based on a principle of least privilege (PoLP), the system can provide base-level access to new arrivals alongside additional department-focused permissions, so that they have access to everything required for their role and nothing more.
With a detailed record of which permissions have been applied, offboarding can remove exactly those permissions promptly. Time-limited permissions can also be used to elevate access for short-term tasks, or to reduce it during a notice or probationary period.
Onboarding is not limited to staff. Client and customer onboarding can improve the user experience and build trust in your brand. A common method is self-service onboarding, where consumers register their own accounts and identity-based access control decides what each account can reach; this lowers friction and helps businesses retain customers.
Users will be asked to verify their device and identity using measures such as strong passwords, 2FA, and biometrics. This process ensures they have strong security in place when accessing account information and transactions. As an automated process, it is efficient and resource-light.
Introduce an identity governance program
Identity governance and administration (IGA) is a framework that provides visibility across access privileges and controls, helping to identify and block unauthorized access quickly. An IGA program should also incorporate an Access Governance Committee: a group of people who are accountable for managing system and data access, which over the long term allows for a better end-user experience and company-wide efficiencies.
So, what is the difference between identity management and identity governance? IGA is intended to complement an existing identity management framework, helping to streamline processes and to review or audit the use of tools and functions to make improvements to security and performance.
The primary goal of IGA is to balance compliance with data and security regulations while improving customer experience and productivity.
Utilize a centralized identity management solution
With IAM operating over a range of applications and devices, users may require multiple credentials, which can be inconvenient for productivity and security, and complicate the implementation of effective identity management.
Replacing this decentralized arrangement with a single, centralized authentication service (single sign-on, SSO) makes access simpler for employees. Rather than multiple sets of credentials, one set, authenticated once, yields the relevant permissions across the company network and related tools.
Having one identity per staff member simplifies onboarding and removal while also improving security: new users are assigned the required permissions in one place, and disabling a leaver's single identity cuts off all of their access at once.
Many centralized systems share open standards, allowing close integration between cloud-based tools and services without sacrificing efficiency or security. OAuth 2.0 is a widely used authorization framework that lets a third-party service use a user's account information without ever seeing the user's credentials; OpenID Connect builds a sign-in (authentication) layer on top of it, and SAML 2.0 fills the same role for many enterprise applications. A sign-in page may, for example, offer "Sign in with Google" or "Sign in with Facebook". Clicking one of these options authenticates the user via their existing Google or Facebook account and hands the application a signed assertion of who they are, without a password ever being shared with the third party.
Implement a Zero Trust security model
Zero Trust security is increasingly popular. It is a security model that removes implicit trust based on network location: every request for a resource is authenticated and authorized on its own, for users and devices alike.
This closes a loophole that perimeter-based models leave open. For example, a system that grants implicit trust may skip validation for devices inside the main office network. That is convenient for users, but it is like leaving the key in the lock: anyone who gets as far as the door, whether a compromised laptop or an attacker who has already moved laterally, walks straight through.
More endpoints mean more risk. Modern corporate networks now have a complex infrastructure that consists of various technologies (cloud/mobile/IoT devices and BYOD) creating a combination of remote, cloud, and physical office landscapes to protect. With so much to manage, implicit trust does not offer enough security.
As an alternative, Zero Trust does not treat the network perimeter, or any single signal, as sufficient on its own. Each request is evaluated against the user's identity, the health of the device and the context of the request, access is limited to what the job requires, and validation is repeated at every step by every user and device.
While reducing the attack surface, Zero Trust solutions also provide control on a granular level, allowing for flexibility within increasingly hybrid work environments.
Reduce privileged accounts
The more accounts that have direct access to sensitive information, the greater the potential risk in the event of an account getting hacked. For this reason, the number of privileged accounts should be kept to a minimum.
Privileged accounts give higher levels of access to users who need it to perform their job function, such as IT staff with administrative network access. However, managers and senior staff are sometimes given permissions based on seniority rather than on what their role requires, which creates unnecessary exposure. Even within IT, not everyone needs universal admin rights; the daily duties of the role should decide.
By assessing the needs of each individual's job role and minimizing the number of privileged accounts, businesses can increase the security of data and assets simply by reducing the number of potential access points.
Best practice is to manage, control and monitor access to these accounts through a combination of the measures detailed below: a passwordless or phishing-resistant authentication policy, MFA, and Role-Based Access Control (RBAC).
Methods to improve sign-in security
Single Sign On (SSO)
Single Sign On (SSO) only requires the user to authenticate themselves once, providing access to software, systems, cloud-based applications, and data without having to log into networks and tools individually, reducing password fatigue.
Based on their role and required group access, an individual’s permissions can easily be reviewed, amended, and revoked, depending on their circumstances and need for access.
Implementing SSO across a company reduces the number of separately managed logins and keeps every individual's access permissions under close control. It also provides a better login experience and cuts down on staff access issues.
Negatives to consider with SSO include:
- Cost of implementation
- Solutions that are not cloud-based may still require their own separate password (VPN appliances, legacy file servers)
- SSO concentrates risk in the identity provider: one compromised credential unlocks everything behind it, so the SSO account needs strong authentication (MFA, ideally a phishing-resistant method), and the identity provider itself becomes a high-value target and a single point of failure
Adopt a robust password policy
IAM allows users to create their own passwords, but to keep them strong and unique, a password policy should be enforced that accepts only strong passwords and screens them against known-breached passwords. Current guidance (NIST SP 800-63B) is to require a change when there is evidence of compromise rather than on a fixed schedule, because forced periodic changes push users towards predictable variations of the old password.
- A password should be at least eight characters; 12 to 16 is a sensible recommended length, and at least 64 characters should be allowed so that users can choose long passphrases
- All printable characters, including spaces and special characters, should be accepted; mandating particular character classes adds little and frustrates users
- Avoid repetitive or sequential characters (e.g., 12345 or zzz), and reject passwords that appear in breach corpora or contain the username
- Expire a password when it is known or suspected to be compromised, not on a calendar
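The following Python checker is an added example, not code from the original page, and enforces the rules just listed: length bounds that still allow passphrases, rejection of repeated and sequential runs, a username check, and screening against a breach corpus. The five-entry breached-password set is a constructed stand-in for a real corpus such as a Have I Been Pwned download; it is stored as SHA-1 hashes because that is the form such corpora are distributed in.

```python
# Password policy checker for the rules above. Added example, not from the
# original page; BREACHED_SHA1 is a constructed stand-in for a real breach corpus.
import hashlib
import unicodedata

MIN_LEN, MAX_LEN = 8, 64

# Constructed sample of a breached-password set, kept as SHA-1 hex so the plaintexts
# never sit in source next to the policy. A real deployment checks hundreds of
# millions of entries (for example through the Have I Been Pwned range API).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password123", "qwerty123", "letmein!", "Summer2024!")
}

def _has_run(pw, length=3):
    """'zzz' style repeats of one character."""
    return any(len(set(pw[i:i + length])) == 1 for i in range(len(pw) - length + 1))

def _has_sequence(pw, length=5):
    """'12345' / 'abcde' style ascending or descending code-point runs."""
    for i in range(len(pw) - length + 1):
        window = [ord(c) for c in pw[i:i + length]]
        if {b - a for a, b in zip(window, window[1:])} in ({1}, {-1}):
            return True
    return False

def check_password(password, username=""):
    """Return the list of policy violations; an empty list means the password is accepted."""
    pw = unicodedata.normalize("NFKC", password)  # normalise before checks (NIST 800-63B)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if _has_run(pw):
        problems.append("contains a repeated character run")
    if _has_sequence(pw):
        problems.append("contains a sequential run")
    if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("appears in a breach corpus")
    return problems
```

Note what the checker does not do: it never demands a digit or a symbol, so a long spaced passphrase such as "correct horse battery staple" passes, while a short "complex" password that happens to be in a breach corpus is rejected regardless of its character mix.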
With multiple complex passwords to remember, staff should be provided with a password manager tool. This will remember and fill in passwords for users. Many password manager tools can also generate new passwords, keeping accounts secure and making staff access simpler, as they will only need to remember one password to access the manager.
Multi-factor authentication (MFA) adds a layer of protection on top of the password to authenticate users across a network and reduce the risk of bad actors gaining access, for example through a brute-force attack or a reused password. It requires an additional factor, something the user has or something the user is, such as:
- Biometrics (fingerprint, face scanning)
- One-time code via text message or email (the weakest option: SMS can be intercepted through SIM swapping, and both kinds of code can be phished)
- Approval via an authenticator app, or a FIDO2/WebAuthn security key or passkey, which is bound to the site's origin and is therefore phishing-resistant
With MFA enabled, a compromised password alone is not enough to gain access, because the second factor is still required. One-time codes can still be relayed by a real-time phishing proxy, which is why phishing-resistant factors are preferred for privileged accounts.
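The codes produced by an authenticator app are time-based one-time passwords (TOTP, RFC 6238: an HMAC over the current 30-second time step, truncated to six digits). The Python below is an added example, not code from the original page, and shows both sides: code generation, and a server-side verifier that tolerates one step of clock drift but refuses to accept the same step twice, so a code captured in transit cannot be replayed. The secret is the RFC 6238 test secret and the expected values are the published test vectors.

```python
# RFC 6238 TOTP (built on RFC 4226 HOTP), the scheme behind authenticator-app codes.
# Added example, not from the original page; the secret below is the RFC test key.
import hashlib, hmac, struct, time

def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC the counter, dynamically truncate, keep the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to the current time step (default 30 s)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)

class TotpVerifier:
    """Server side. Accepts the current step and one step either side (clock drift),
    and never accepts a step at or before the last accepted one (replay protection)."""
    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted = -1

    def verify(self, code: str, at=None) -> bool:
        now = time.time() if at is None else at
        centre = int(now // self.step)
        for t in range(centre - self.window, centre + self.window + 1):
            if t <= self.last_accepted:
                continue  # already used, or older than something already used
            if hmac.compare_digest(hotp(self.secret, t, self.digits), code):
                self.last_accepted = t
                return True
        return False  # constant-time compare above; no hint about which step was close
```

A practitioner should also rate-limit verification attempts: a six-digit code has only a million possibilities, and the drift window triples the number of codes valid at any moment.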
As businesses evolve, many are turning to passwordless identity management to authenticate consumers and improve security, removing whole classes of attack such as brute force and credential stuffing. With no password, there is nothing to harvest through phishing or social engineering and reuse elsewhere, and the insider risk from weak or reused passwords disappears.
Rather than authenticating with something they know, users present something they possess or something they are, which is much harder to steal. Passwordless login can use the following methods:
- SMS-based login: A one-time code is sent to the user's phone (convenient, but the weakest option, for the reasons given above)
- Email-based login: A unique link or code is sent to the registered email address (known as magic links or one-time passcodes)
- Authenticator apps: Codes generated by, or push approvals sent to, a dedicated authenticator app
- Biometric login: Facial recognition, retina or iris scanning, or fingerprints
- Passkeys and FIDO2 security keys: Public-key credentials bound to the site origin, so they cannot be phished or replayed
Implementing a new passwordless system could prove time-consuming and expensive if done in-house. Instead, many introduce it when establishing a centralized identity management solution, because cloud-based services operate on shared authentication standards such as OpenID Connect, SAML 2.0 and FIDO2/WebAuthn, allowing integration with existing tools.
Role-Based Access Control (RBAC) is an identity and access management strategy. It is a key element of a Zero Trust model and makes implementation of the principle of least privilege (PoLP) easier. This is because RBAC assigns access based on the needs of specific roles rather than on individual users, ensuring that only the essential permissions are granted.
As staff move roles, their permissions simply switch to those of the new role. Complications arise with projects that require a user to access resources normally reserved for a different role. In that case either a new role must be defined or a time-limited exception granted. Without an expiry and careful monitoring, such exceptions linger after the project ends, undermining the benefits of RBAC.
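The Python below is an added example, not code from the original page, covering both the automated onboarding and offboarding lifecycle described earlier and the RBAC behaviour described here: a joiner receives the baseline role plus one department role, a mover's old role is removed in the same step the new one is added, a project exception is granted with an expiry instead of editing the role, and a leaver's roles and exceptions are removed from a single place. The role names, permission strings, users and dates are constructed for illustration.

```python
# Role-based access control with joiner/mover/leaver handling and time-bound
# exceptions. Added example, not from the original page; roles, permissions,
# users and dates are constructed for illustration.
from datetime import datetime, timedelta, timezone

ROLE_PERMISSIONS = {  # constructed roles; a role is the only standing route to a permission
    "employee":    {"mail:read", "wiki:read"},
    "finance":     {"ledger:read", "ledger:write"},
    "it-helpdesk": {"tickets:write", "user:reset-password"},
    "it-admin":    {"tickets:write", "user:reset-password", "user:create", "user:delete"},
}
BASE_ROLE = "employee"  # least-privilege baseline every joiner receives

class Directory:
    def __init__(self):
        self.roles = {}   # user -> set of role names
        self.grants = {}  # user -> list of (permission, expires_at, reason)
        self.log = []     # record later used by offboarding and access reviews

    def onboard(self, user, department_role):
        """Joiner: baseline plus one department role, nothing else."""
        self.roles[user] = {BASE_ROLE, department_role}
        self.log.append(("onboard", user, sorted(self.roles[user])))

    def move(self, user, old_role, new_role):
        """Mover: the old role goes away in the same step the new one arrives."""
        self.roles[user].discard(old_role)
        self.roles[user].add(new_role)
        self.log.append(("move", user, old_role, new_role))

    def grant_temporary(self, user, permission, days, reason, now):
        """Project exception: carries an expiry instead of editing the role."""
        self.grants.setdefault(user, []).append((permission, now + timedelta(days=days), reason))
        self.log.append(("temp-grant", user, permission, days, reason))

    def offboard(self, user):
        """Leaver: roles and exceptions removed together, from one place."""
        self.roles.pop(user, None)
        self.grants.pop(user, None)
        self.log.append(("offboard", user))

    def permissions(self, user, now):
        perms = set()
        for role in self.roles.get(user, ()):
            perms |= ROLE_PERMISSIONS[role]
        # expired exceptions drop out by themselves, so nothing lingers after a project
        perms |= {p for p, expires, _ in self.grants.get(user, []) if expires > now}
        return perms

    def can(self, user, permission, now=None):
        return permission in self.permissions(user, now or datetime.now(timezone.utc))

def demo():
    """Walks one joiner/mover/leaver lifecycle and returns the access decision at each step."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference date
    d = Directory()
    d.onboard("alice", "finance")
    d.onboard("bob", "it-helpdesk")
    d.grant_temporary("alice", "tickets:write", days=14, reason="audit project", now=t0)
    results = {
        "alice_ledger": d.can("alice", "ledger:write", t0),
        "alice_tickets_day1": d.can("alice", "tickets:write", t0 + timedelta(days=1)),
        "alice_tickets_day15": d.can("alice", "tickets:write", t0 + timedelta(days=15)),
        "bob_delete_before": d.can("bob", "user:delete", t0),
    }
    d.move("bob", "it-helpdesk", "it-admin")
    results["bob_delete_after"] = d.can("bob", "user:delete", t0)
    d.move("alice", "finance", "it-helpdesk")
    results["alice_ledger_after_move"] = d.can("alice", "ledger:write", t0)
    d.offboard("bob")
    results["bob_mail_after_leaving"] = d.can("bob", "mail:read", t0)
    return results
```

The design choice worth noting is that permissions are never attached to a user directly: a standing permission only ever arrives through a role, and anything outside a role must carry an expiry, so the "leftover project access" failure mode described above cannot occur silently.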
Audit and recovery best practice
Complete regular audits
Audits should be conducted regularly to review the access rights of individuals, user activity, and use of resources to ensure that permissions are only assigned to those that require them.
Procedures should be documented and reviewed regularly so that IAM processes are clearly established. The documentation should identify the people involved in running IAM and their specific responsibilities.
User access reviews should be conducted every six to eight weeks to ensure that:
- appropriate privileges are assigned correctly
- special or temporary privileges are revoked once no longer required
- dormant accounts and empty groups are disabled and, after a retention period, removed
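Much of an access review can be scripted over an export from the identity provider. The Python below is an added example, not code from the original page: it reads a constructed CSV export and flags the three review points above (leavers still enabled, temporary privileges past their expiry or without one, and dormant accounts), then lists the enabled privileged accounts so their number can be challenged. The column layout, the 90-day dormancy threshold, the role name treated as privileged and the review date are all assumptions.

```python
# Scripted user access review over a constructed directory export.
# Added example, not from the original page; the CSV layout, the 90-day
# threshold, the privileged role name and the review date are assumptions.
import csv, io
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)
PRIVILEGED_ROLES = {"it-admin"}      # roles the review treats as privileged
REVIEW_DATE = date(2024, 6, 1)       # constructed review date

# Constructed export; a real one comes from the IdP or IGA tool.
EXPORT = """\
user,enabled,hr_status,roles,last_login,extra_privileges,privilege_expiry
alice,yes,active,employee;finance,2024-05-20,,
bob,yes,active,employee;it-helpdesk,2024-01-03,user:delete,2024-02-01
carol,yes,active,employee,2024-05-28,,
dave,yes,left,employee;it-admin,2024-04-10,,
erin,yes,active,employee;it-admin,2024-05-29,,
svc-backup,yes,active,employee,,,
"""

def review(export_text, today):
    """Return (user, finding) pairs plus a summary line of enabled privileged accounts."""
    findings, privileged = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"]
        roles = set(filter(None, row["roles"].split(";")))
        enabled = row["enabled"] == "yes"
        if enabled and row["hr_status"] != "active":
            findings.append((user, "leaver still enabled"))
        last = row["last_login"]
        if enabled and (not last or today - date.fromisoformat(last) > DORMANT_AFTER):
            findings.append((user, f"dormant account (no login in {DORMANT_AFTER.days} days)"))
        if row["extra_privileges"]:
            expiry = row["privilege_expiry"]
            if not expiry:
                findings.append((user, "temporary privilege with no expiry"))
            elif date.fromisoformat(expiry) < today:
                findings.append((user, f"expired temporary privilege still present: {row['extra_privileges']}"))
        if enabled and roles & PRIVILEGED_ROLES:
            privileged.append(user)
    findings.append(("<summary>", f"{len(privileged)} enabled privileged accounts: {', '.join(privileged)}"))
    return findings

def run():
    return review(EXPORT, REVIEW_DATE)

if __name__ == "__main__":
    for user, finding in run():
        print(f"{user:<12} {finding}")
```

Service accounts that never log in interactively (svc-backup above) will always trip a last-login check; a real review keeps a separate inventory for them with an owner and a justification rather than silently exempting them.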
Adopt a recovery strategy
Effective identity management has significant benefits, but it does not entirely prevent an attack, and a centralized identity provider is by definition a single point of failure. A disaster recovery strategy is therefore critical for protecting the IAM system itself in the event of a large-scale compromise or outage.
The longer it takes to react and respond, the greater the operational recovery cost could be, so having a disaster recovery plan will minimize disruption and help the business resume operations quickly. A recovery strategy should include:
- Assets list – record all hardware, software, cloud, data, and locations
- Impact review – categorize assets into high, medium, and low impact to determine where the most business disruption is likely to come from
- Backups – detail where offline backups are stored and how to access them
- Costs – estimate the costs of different types of attack
- Disaster recovery approach – identify the software and tools that will be used to keep the business operating if primary tools are unavailable, including how administrators authenticate (for example, break-glass accounts held offline) when the identity provider itself is down.