8 best practices for a bulletproof IAM strategy

1. Adopt a zero-trust architecture

The concept of implied trust, in which users are trusted because they have logged in, isn't going to work well over the long run. The zero-trust security model is based on the basic idea that all access should be continuously verified. It validates every access request through multiple security checkpoints, including identity verification, device validation and policy enforcement.

To implement zero trust, consider the following recommendations:

• Create a complete inventory of resources, users, devices and data flows.
• Use microsegmentation techniques to clearly define security boundaries and trust zones.
• Set up real-time alerting systems to quickly identify errors and outliers.

2. Deploy strong multifactor authentication (MFA)

Using a simple username and password in an IAM deployment isn't enough. Attackers can compromise passwords through phishing, social engineering and other methods. MFA adds another layer of security by requiring users to provide multiple forms of verification to prove their identity before gaining access to resources, typically combining something they know, something they have and/or something they are.

To implement MFA, consider these recommendations:

• Use phishing-resistant authentication methods.
• Use hardware security keys for privileged accounts.
• Deploy biometric authentication where appropriate.
• Avoid SMS-based authentication when possible.

3. Enforce strong password policies

While inadequate by themselves, passwords remain part of the security effort. That makes it critical to enforce strong password policies. Effective policies impose requirements for password creation, management and maintenance to ensure accounts are not easily compromised. The security team can set specific requirements for credential creation and management, including minimum length, complexity and checks against known compromised passwords. An IAM system should automatically validate all new passwords against these policies while managing the full password lifecycle.

Recommendations for password policies include the following:

• Set a minimum length (NIST recommends 12-plus characters).
• Implement complexity requirements.
• Check against compromised password databases.
• Define password expiration policies based on risk.

4. Limit access permissions

The principle of least privilege, or POLP, is a security policy that limits user account permissions to only those resources and actions absolutely necessary for a worker's job functions. By provisioning account access in a precise way, an organization can minimize its attack surface. POLP works by granting access rights to minimum required levels and is commonly deployed and enforced with role-based access control (RBAC).

To implement POLP, conder the following recommendations:

• Document required access for each role.
• Consider attribute-based access control as well as RBAC for different types of environments.
• Adopt privileged access management to ensure that only the right accounts get privileged access.

5. Monitor and audit

No security system ever works effectively with a simple set-it-and-forget-it approach. What's needed for an IAM system is continuous monitoring and auditing. These practices not only ensure things work as expected, but they are typically necessary elements of meeting compliance requirements as well. Security events and access activities are continuously collected and analyzed in real time, with automated systems detecting anomalies and potential incidents. The system maintains detailed audit trails and generates alerts based on predefined security rules, behavioral analysis and compliance rules.

Monitoring and auditing recommendations include the following:

• Configure comprehensive logging across all systems.
• Implement security information and event management and user behavior analytics technologies.
• Schedule regular compliance reviews.

6. Promote security awareness and training

Organizations should make a point to conduct security awareness training. Instruction, simulations and assessments can help staff and users understand their role in maintaining organizational security. Training can involve interactive modules, simulated attacks and real-world scenarios. The effectiveness of such training is measured through assessments, behavioral changes and security metrics.

To implement security training, consider the following recommendations:

• Implement gamification elements to make the training more interesting and engaging.
• While general security awareness is great, be sure to create IAM-specific training materials.
• Monitor training effectiveness over time and gather user feedback to help improve the training program.

7. Harden the IAM environment

If IAM components are at risk, an entire cybersecurity program can collapse. Security teams need to be diligent about digital authentication and keeping bad actors away from valuable data.

To harden your IAM defenses, consider the following recommendations:

• Configure firewalls to protect access.
• Deploy encryption for data.
• Conduct security scans to look for known software misconfigurations.
• Ensure systems are updated with the latest software patches.

8. Conduct pen testing

It's a good idea to conduct regular penetration, or pen, tests against your IAM infrastructure. This method, which can be done using internal resources or through a third party, applies an adversarial approach to try to identify a system's weaknesses. Results feed into a continuous improvement cycle for security controls and configurations.

To benefit from pen testing, consider the following recommendations:

• Schedule regular tests so it's not a one-time exercise.
• Prioritize your findings to address critical issues.
• Track the remediation process and validate fixes.

These best practices will strengthen your IAM architecture and help the organization reap the benefits of effective access management.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and has been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.