Identity and Access Management (IAM) Best Practices


  • 12th Mar, 2022

IAM sits at the dead center of information security: no information system is complete without authentication and authorization. You need to determine who may access which piece of information, and to what extent. If IAM is governed appropriately, an organization reduces the risk of data breaches, which carry a myriad of consequences ranging from reputational damage to legal battles and financial loss. The following are six IAM best practices that you can apply as you develop your access management system:

Develop a Zero-trust Model

This model is founded on the principle that users and applications, whether inside or outside your network, are never trusted by default: every request is authenticated and authorized on its own merits, not on the basis of where it comes from on the network. Even after verification, users and applications continue to be evaluated, with their activities logged and their risk level measured while they are within the network. This allows quick identification of unusual operations and raises an alert where security safeguards have been violated.

Use of Multi-Factor Authentication (MFA) and Single Sign-On (SSO)

MFA adds an additional layer of security by requiring a user to present a second authentication factor in addition to a password. Factors fall into three categories, and the second factor must come from a different category than the first (a PIN and a password are both "something you know", so together they are not MFA):

  • Something you know, e.g. a password or PIN
  • Something you have, e.g. a smartcard, hardware token or authenticator app
  • Something you are, e.g. a fingerprint

MFA ensures that even if one factor is compromised by an attacker, say a phished or leaked password, they still have to defeat another one. Factors bound to a device or to the site's origin (smartcards, FIDO2 security keys) resist phishing better than one-time codes, which a user can be tricked into relaying. MFA also raises identity assurance, giving you much higher confidence that the user is who they claim to be.
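The "something you have" factor most organizations start with is a time-based one-time password (TOTP) from an authenticator app. The following is an added example, not code from the original post, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, together with the server-side check a practitioner actually needs: a small drift window, a constant-time comparison, and rejection of any counter at or below the last one accepted so a captured code cannot be replayed. The shared secret is the RFC 6238 test seed, chosen so the output can be checked against the published test vectors; the `last_accepted` bookkeeping is an assumed per-user value the server would persist.

```python
import hashlib
import hmac
import struct

# Added example (not from the original post). The secret is the RFC 6238
# reference seed so results match the published test vectors.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) over a 64-bit big-endian counter."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Time-based OTP (RFC 6238): HOTP where the counter is the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted: int = -1, window: int = 1):
    """Server-side verification.

    Accepts the current time step plus `window` steps either side to tolerate
    clock drift. Returns the counter that matched (the caller stores it as the
    new `last_accepted`) or None. Any counter at or below `last_accepted` is
    refused so a code observed by an attacker cannot be replayed inside the
    window. hmac.compare_digest keeps the comparison constant-time.
    """
    counter = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 test vector: at Unix time 59 the 6-digit SHA-1 TOTP is 287082.
    print("code at t=59:", totp(SECRET, 59))
    print("verify:", verify_totp(SECRET, "287082", 59))
    print("replay:", verify_totp(SECRET, "287082", 59, last_accepted=1))
```

Whatever library you use in production, the two server-side details above are the ones to check for: the comparison must not leak timing, and an accepted code must be unusable a second time.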

SSO comes in very handy as far as IAM is concerned. A user only needs to sign in once to access all resources within your platform. Authentication is done once, so there is no need to memorise many passwords or scribble them on pieces of paper, and monitoring user activity becomes much easier because it is tied to one identity. The caveat is that SSO concentrates risk in the identity provider: one compromised SSO login opens every connected application, so the SSO login itself must be protected with MFA and its sessions monitored closely.

Implement Least Privilege Access Control

Strictly limit users to the content and actions they need in order to accomplish their duties. This can be done through Role-Based Access Control (RBAC): permissions are attached to roles, users are assigned roles, and anything not explicitly granted is denied by default. Allowing everyone to access everything is a recipe for disaster.

Constant Reviews of User Accounts and Privileges

Conduct regular audits of user roles and privileges within your platforms. This ensures that access to privileged content is revoked from users who no longer need it, for instance after a change of role or when an account has been idle. These regular audits also help you ensure that users are not receiving more access than they are entitled to, and where users genuinely need additional access, it can be granted promptly through the same process.
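The two previous sections, least privilege through RBAC and regular access reviews, fit together in code: the same role-to-permission mapping that enforces deny-by-default authorization is what a review compares against actual usage. The following is an added example, not code from the original post. The roles, users and audit log are constructed for illustration; a real review would pull them from the identity provider and the application's access logs.

```python
from datetime import date, timedelta

# Added example (not from the original post). All data below is constructed.
ROLE_PERMISSIONS = {
    "reader":     {("invoices", "read")},
    "accountant": {("invoices", "read"), ("invoices", "write")},
    "admin":      {("invoices", "read"), ("invoices", "write"), ("users", "manage")},
}

USER_ROLES = {
    "alice": {"accountant"},
    "bob":   {"reader"},
    "carol": {"admin"},   # moved teams; still holds admin rights she no longer uses
    "dave":  {"reader"},  # has not logged in for months
}

# Constructed access log: (user, resource, action, date of last such access)
ACCESS_LOG = [
    ("alice", "invoices", "write", date(2022, 3, 1)),
    ("alice", "invoices", "read",  date(2022, 3, 3)),
    ("bob",   "invoices", "read",  date(2022, 3, 2)),
    ("carol", "invoices", "read",  date(2022, 2, 20)),
    ("dave",  "invoices", "read",  date(2021, 9, 15)),
]


def permissions_for(user: str) -> set:
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: str, resource: str, action: str) -> bool:
    """Deny by default: only an explicit role grant allows the action.
    Unknown users and unknown roles simply have no permissions."""
    return (resource, action) in permissions_for(user)


def review_access(today: date, stale_days: int = 90) -> list:
    """Periodic access review. Flags
    - 'stale_account': no activity at all within `stale_days`
    - 'unused_permission': a granted permission the user has not exercised
      within `stale_days` (a candidate for revocation under least privilege)."""
    cutoff = today - timedelta(days=stale_days)
    findings = []
    for user in USER_ROLES:
        recent = [e for e in ACCESS_LOG if e[0] == user and e[3] >= cutoff]
        if not recent:
            findings.append(("stale_account", user, None))
            continue
        used = {(e[1], e[2]) for e in recent}
        for perm in sorted(permissions_for(user) - used):
            findings.append(("unused_permission", user, perm))
    return findings


if __name__ == "__main__":
    print("bob may write invoices:", is_allowed("bob", "invoices", "write"))
    for finding in review_access(date(2022, 3, 12)):
        print(finding)
```

Running the review with a review date of 12 March 2022 flags carol's unused write and user-management permissions and dave's stale account, which is exactly the list a reviewer would take to the owning managers.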

Comply with Regulatory and Compliance Requirements

You need to define the cybersecurity rules and regulatory requirements that govern how data is handled at the organizational level. You also need to ensure that you meet the recognized compliance frameworks that apply to you, such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), the International Organization for Standardization (ISO) standards ISO/IEC 27001 and 27002, and the US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF).

Use of Strong Passwords

A strong password ought to be easy to recall but very difficult to guess. The National Institute of Standards and Technology (NIST), in Special Publication 800-63B, recommends that a password policy:

  • Require at least eight characters, and allow at least 64, so that long passphrases are possible;
  • Impose no composition rules (mandatory digits or special characters); they make passwords predictable rather than strong
  • Reject sequential or repetitive characters such as 1234 or aaaa
  • Reject passwords specific to a person's situation or circumstances, such as the person's name, username or the name of the service
  • Reject common passwords such as P@ssw0rd
  • Reject passwords that appear in lists of credentials exposed in previous data breaches
  • Not expire passwords on a fixed schedule; require a change only when there is evidence that the password has been compromised.
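The following is an added example, not code from the original post, of a password-acceptance check written to the NIST SP 800-63B rules above: a length floor and ceiling, a blocklist of breached and common passwords, a check for repeated or sequential runs, and a check for context-specific words such as the username. It deliberately has no composition rule and no expiry. The breached-password set and the context words are constructed for illustration; a real deployment would query a large breach corpus instead of a hard-coded set.

```python
import unicodedata

# Added example (not from the original post). The blocklist is a constructed
# stand-in for a real breached/common-password corpus.
BREACHED = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "iloveyou"}
MIN_LEN, MAX_LEN = 8, 64


def has_repetition_or_sequence(pw: str, run: int = 4) -> bool:
    """True if `pw` contains `run` identical characters in a row ('aaaa') or
    `run` consecutive code points ascending or descending ('1234', 'dcba')."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        if len(set(codes)) == 1:
            return True
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, context_words=()) -> list:
    """Return the list of reasons the password is rejected; empty means accepted.

    Follows NIST SP 800-63B: length limits and blocklist checks only. No
    composition rules, no expiry. Input is NFKC-normalised so visually identical
    Unicode forms are treated alike, and comparisons are case-insensitive.
    """
    pw = unicodedata.normalize("NFKC", pw)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        reasons.append("longer than %d characters" % MAX_LEN)
    low = pw.lower()
    if low in BREACHED:
        reasons.append("appears in breached/common password list")
    if has_repetition_or_sequence(low):
        reasons.append("contains a repeated or sequential run")
    for word in context_words:
        if word and word.lower() in low:
            reasons.append("contains context-specific word %r" % word)
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "Aaaa1234xyz"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
    print(check_password("alice2022rocks", context_words=("alice", "acme")))
```

Note that "P@ssw0rd" satisfies every traditional composition rule and is still rejected, while a four-word passphrase with no digits or symbols is accepted; that is the point of the NIST guidance.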



At InfoSec Brigade, we believe in value addition. We are here to meet all cybersecurity needs at an affordable cost.