5 Identity and Access Management Best Practices
Stolen credentials are among the biggest threats to data security across industries, accounting for around 90% of data breaches. The identity and access management market — consisting of expertise, identity access management tools, and software, and training — is predicted to grow from about $10 billion in 2019 to over $22 billion by 2024. Here’s what you need to know about this increasingly important aspect of data security.
What is identity and access management?
Identity and access management (IAM) is the practice of defining and managing user roles and access for individuals within an organization. IAM involves both tools and policies to make sure the right people can access the right resources at the right time, and for the right reasons, according to Gartner’s definition.
Identity and access management is a broad area that involves authenticating and authorizing users across the organization to access certain platforms, applications, folders, documents, and data. IAM requires a system to govern employees, vendors, contractors, partners, and even customers for Customer Identity and Access Management (CIAM). In addition, IAM addresses access to everything from applications to on-premise devices to cloud platforms and more.
In addition to identity and access management, there is the idea of “privileged” users — those within the organization who have elevated access privileges. This is the next level of data security and user access management that involves two key principles: PIM and PAM. Often, these principles overlap — for instance, Gartner refers to “managing and securing privilege” as PAM and the Forrester Wave refers to it as PIM.
PIM is an acronym for privileged identity management. “Privileged Identity Management (PIM) is a capability within identity management focused on the special requirements of managing highly privileged access,” explained Oxford Computer Training. “PIM is an information security and governance tool to help companies meet compliance regulations and to prevent system and data breaches through the improper use of privileged accounts.”
PAM stands for privileged access management. It follows the same basic practices as PIM:
- Advanced privileges must be requested and approved on a case-by-case basis;
- Administrators should have their privileged permissions for the minimum time possible;
- Administrators should only have the permissions required to complete a specific task;
- Membership in administrative groups must be reviewed regularly;
- Enforce multi-factor authentication;
- Keep access logs, audits, and set-up real-time notifications when access is activated.
The bottom line? Sound data security suggests the use of both privileged access and IAM using what’s known as “the principle of least privilege.”
Identity and access management best practices
Perhaps the most important of all identity and access management best practices is the principle of least privilege, or PoLP. As a best practice for managing applications, PoLP gives minimal access to any user or component, and only increases those privileges when explicitly instructed to do so by an administrator.
With PoLP as your guiding principle, here are some other identity and access management best practices to implement for your company.
Create individual users
Some organizations find it easier to create one username and password per platform or vendor. A marketing team, for instance, will share credentials to the company’s social media accounts with the advertising agency so that everyone working on the campaign can access analytics and results. This dilutes an administrator’s ability to manage security protocols and keep information safe. Instead, create individual credentials and manage user access on a granular level to prevent the risk of insider threat.
Require strong passwords
- Be at least eight characters but no more than 64 characters;
- Be able — but not required to — use all special characters;
- Avoid using sequential or repetitive characters (e.g., 1234 or aaaa);
- Restrict context-specific passwords, such as the name of the business;
- Avoid commonly used passwords (e.g., P@ssw0rd);
- Restrict the use of old passwords to avoid using credentials that may have been exposed in a data breach.
In addition, institute a policy that requires users in your organization to update their passwords regularly — every 90 days is a good rule of thumb.
Use multifactor authentication
Multi-factor authentication or two-factor authentication is when a user needs to provide more than a single factor, such as a username and password, to access a platform, system, or network. This could take the form of sending a single secure sign-in code to a separate device, or asking users to provide a thumbprint or another biometric authentication factor in addition to a password.
Regularly review identities, access and user privileges
Set up a regular cadence for auditing user roles and privileges across your platforms. Schedule time monthly or bi-monthly to review who has access to your Google Workspace, Slack channels, cloud storage, and platforms such as AWS. Restrict access from those who no longer use certain applications or services. Review your system and network frequently to make sure you’re never granting privileges beyond the minimum required for a person to do their job.
If this process sounds time-consuming, it is: but identity management software and identity access management tools can help.
Identity access management tools
There are a number of identity management systems and identity access management tools that can help you keep track of user roles and access. Forrester Research recommends implementing six types of IAM technology to build a comprehensive IAM approach. These are:
- API security: Specifically for organizations working in B2B commerce, API security can be used with single secure sign-on to manage device authorization and PII security.
- Customer identity and access management (CIAM): Do you provide your customers a self-service tool to manage securely maintain their usernames and passwords? Does it integrate with a CRM?
- Identity analytics (IA): Tools that allow administrators to detect risky behavior using machine learning.
- Identity as a service (IDaaS): Defined by Forrester as “software-as-a-service (SaaS) solutions that offer SSO from a portal to web applications and native mobile applications as well as some level of user account provisioning and access request management.”
- Identity management and governance (IMG): Tools that govern the overall “identity lifecycle.”
- Risk-based authentication (RBA): These IAM tools assess how “risky” a user’s activity is, and then triggers additional security measures like 2FA for those deemed high-risk.
There are dozens of IAM vendors that fall into these six categories. Depending on the size of your business and the type of information you wish to protect, you may be able to use one tool to meet the goal of multiple types of IAM software. For instance, Nightfall is a cloud data loss prevention solution that leverages machine learning to scan your IaaS and SaaS environment using over 150+ detectors. Administrators can set up notifications to let users know when they’ve shared data in risky ways within your cloud applications. Set up granular user access rules with our detection engine, and you can also use our developer platform to set up custom scans for any cloud SaaS or IaaS platform. Any piece of data that needs protecting from insider threat is covered with Nightfall.
This guide covers the basics of identity access management. For more, and to learn how IAM fits into other security protocols, read our complete 2021 Security Playbook for Remote-first Organizations.
Learn more about Nightfall by scheduling a demo at the link below.