Three Tenets of IAM
January 2nd, 2025

The term "Identity and Access Management" (IAM) gained prominence in the late 1990s and early 2000s, around the time I was starting out as a programmer, helping companies build the first wave of web applications driven by the proliferation of the internet.

Nowadays, whether it be greenfield or digital transformation flavoured, most companies understand the importance of an effective IAM strategy.  Many of the IAM principles that emerged 20 years ago are now complemented by the emergence of Identity Security, in response to evolving technologies, the increasing complexity of threats, and the significant business impact of a breach.

While the planning, implementation, and rollout of an IAM solution will always be an ongoing function that varies based on organizational needs and use cases, it can be useful to organize your design into three main tenets. These tenets represent the evolution of IAM practices over time.

1. Identity Automation

Let’s call this the happy path! This tenet contains your core IAM “building blocks”, and if you get it right then you have delivered improved user experience, reduced operational costs and better accountability.

Single Sign-On (SSO):

Enable users to access multiple applications with one set of credentials, reducing password fatigue and improving productivity.  Make sure to look beyond passwords too with passkeys.

Multi-Factor Authentication (MFA):

Add an extra layer of security while maintaining ease of access for users.

Lifecycle Management (LCM):

Automate onboarding, role changes, and offboarding processes to ensure timely and accurate access provisioning.

Identity Governance and Administration (IGA):

Centralize and standardize the management of identities, roles, and permissions while ensuring compliance through access reviews and certifications.


2. Proactive Identity Security

But we need to be prepared for bad actors and issues in our IAM processes.  This tenet emphasizes proactive planning, assessment and monitoring.

Proactive planning and monitoring reduce vulnerabilities, improve threat detection, and lay the groundwork for a resilient IAM framework.

Identity Security Posture Management (ISPM):

Continuously monitor and improve the security configuration of identities and access policies across environments.

Security Information and Event Management (SIEM):

Integrate IAM logs with SIEM tools to detect unusual access patterns and potential breaches in real-time.

Access Risk Assessment:

Identify and mitigate risks associated with privileged access or excessive permissions.


3. Sustaining an attack

Great planning is no guarantee against a breach! Here is where we think about security measures to withstand and respond effectively to attacks.

ITDR and attack resilience strategies ensure that IAM systems are not only preventive but also adaptive, minimizing the impact of breaches.

Identity Threat Detection and Response (ITDR):

Detect and respond to identity-based attacks, such as credential theft, lateral movement, and privilege escalation, in real-time.

Incident Response Playbooks:

Prepare predefined response protocols for identity-related incidents to ensure swift action during an attack.

Just-In-Time Access:

Limit the duration of privileged access to reduce the attack surface.

Behavioural Analytics:

Use AI/ML models to identify anomalous user behaviour that could indicate compromised accounts.
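As an added illustration of the detection work described under tenets 2 and 3 (feeding IAM logs to a SIEM to spot unusual access patterns, and detecting credential-theft style attacks), here is a small Python example that is not from the original article. It runs two simple rules over constructed sample IAM audit events: a successful login that follows a burst of failures, and a successful login from a country not previously seen for that user. The event fields, thresholds and sample data are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IAM audit events (not real data). "bob" has a normal
# baseline login, then a burst of failures followed by a success from a
# country never seen for him before; "alice" is entirely benign.
EVENTS = [
    {"ts": "2025-01-02T08:00:00", "user": "bob", "event": "login", "result": "success", "country": "GB"},
    {"ts": "2025-01-02T09:00:00", "user": "alice", "event": "login", "result": "success", "country": "GB"},
    {"ts": "2025-01-02T09:05:00", "user": "bob", "event": "login", "result": "failure", "country": "GB"},
    {"ts": "2025-01-02T09:05:10", "user": "bob", "event": "login", "result": "failure", "country": "GB"},
    {"ts": "2025-01-02T09:05:20", "user": "bob", "event": "login", "result": "failure", "country": "GB"},
    {"ts": "2025-01-02T09:05:30", "user": "bob", "event": "login", "result": "failure", "country": "GB"},
    {"ts": "2025-01-02T09:05:40", "user": "bob", "event": "login", "result": "failure", "country": "GB"},
    {"ts": "2025-01-02T09:06:00", "user": "bob", "event": "login", "result": "success", "country": "RU"},
    {"ts": "2025-01-02T10:00:00", "user": "alice", "event": "login", "result": "success", "country": "GB"},
]


def detect(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (user, rule, detail) alerts for two identity-attack patterns.

    Rule 1: a successful login preceded by >= fail_threshold failures within `window`
            (credential stuffing / brute force that eventually lands).
    Rule 2: a successful login from a country not seen on any earlier success
            for that user (possible use of stolen credentials from elsewhere).
    """
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of failed logins
    known_countries = defaultdict(set)   # user -> countries seen on successful logins
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "login":
            continue
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["result"] == "failure":
            recent_failures[user].append(ts)
            continue
        # Success: keep only failures inside the window, then test the threshold.
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= window]
        n = len(recent_failures[user])
        if n >= fail_threshold:
            alerts.append((user, "success_after_failures", f"{n} failures within {window}"))
        # A user's very first success only seeds the baseline and never alerts.
        if known_countries[user] and e["country"] not in known_countries[user]:
            alerts.append((user, "new_country", e["country"]))
        known_countries[user].add(e["country"])
        recent_failures[user].clear()
    return alerts
```

Run as-is, `detect(EVENTS)` yields two alerts for "bob" and none for "alice"; in a real SIEM pipeline the same rules would be expressed as correlation searches over the IdP's audit stream, with thresholds tuned to the organisation's own baseline.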


What about choosing the right vendors?

There are a huge number of vendors out there right now which address one or more of the concepts listed above – arguably too many! An effective IAM strategy should focus on principles and best practices rather than being tied to a specific vendor or platform. The core tenets of identity automation, security planning, and resilience apply universally across any technology stack.

It often makes sense to first assess your organization's existing investments in IAM solutions via a robust IAM Identity Assessment. This evaluation allows you to map the core tenets to your current infrastructure, ensuring that you're maximizing the value of the tools and platforms you’ve already deployed. By identifying gaps in automation, security, or resilience, you can prioritize adding targeted solutions where needed rather than starting from scratch.

Conclusion

There is no blueprint for an effective IAM solution. Instead, it is better to adopt a security-first mindset; the three tenets outlined here serve to help organise your thinking and solution design. The concepts and components do not necessarily map to vendor or platform choices; in each case, assess which processes and mechanisms are essential to meet each tenet.

About the Author

Martyn Roberts is an IAM Practitioner and Services Director at Distology. Martyn consults for major tech companies on Consumer Identity, Workforce Identity and Innovation.