Survey: IAM experts share best practices and lessons learned

“No man is an island / Entire of itself.”

This line, gifted to us by the English poet and cleric John Donne, still resonates centuries later in a digital economy where identity is everything — the key to the office, the password to an employee’s computer, or the credentials to access sensitive corporate data. 

In this economy, no one is an isolated unit. Every identity is a “piece of the continent,” to use Donne’s words, which means that if any single user is compromised, that puts the greater body in danger as well. 

Despite initiatives to protect digital identity from misuse through a discipline known as IAM (identity and access management), a January 2024 survey fielded by CyberRisk Alliance (CRA) finds that IT security professionals aren’t satisfied with current levels of protection. 

Seventy-four percent of respondents are now more concerned about their organization’s ability to detect unauthorized access than they were twelve months ago. Moreover, thirty percent describe their organization’s proficiency in managing IAM as less than competent.

Perhaps most alarmingly, just 27% report high levels of confidence that their organization provides users with the minimum level of access to perform their job. What is this group doing differently than the rest? Can we pinpoint the source of this high confidence?

Fortunately, the 27% were all too happy to share essential tips and recommendations when setting out to implement IAM. Here’s a sampling of their suggestions, provided to us by CRA Business Intelligence.

Best practices and lessons learned for IAM implementation

Build a roadmap and define objectives

“You need to build out a roadmap of the most important to least important. There is a lot that goes into the planning and you can't do everything at once. But I would start with user provisioning and user removal when they leave the company.”

“Begin with a comprehensive assessment of existing systems and involve stakeholders from various departments to ensure a collaborative and inclusive approach. Clearly define objectives and scope to avoid project scope creep and delays.”

Address questions of governance

“An IAM project should align to an organization's information governance strategy in order to be deemed a success. This includes factors such as regulatory compliance, business continuity planning, operational security (e.g. key management, vulnerability scanning etc.) and should consider integration with such dependent IT systems when delivering any IAM project.”

“Before assigning any IAM roles, take the time to review business workflows and map all required user access. Then build appropriate user groups based on workflows. Use this mapping as the guide to architect IAM setup, then apply and stick to the plan.”

Over-communicate changes and impacts to users, and exercise patience

“Create your plan, pilot the processes and then over communicate with your end users.”

“It may seem difficult upfront and your users are going to complain about a change coming, but you have to educate them on the whys – why it is so important for organizations to use this technology and how it can and will help to secure the data that you are trying to protect.”

“Be patient with the integration and implementation. There will likely be new tools and processes that the end users do not like. Slowly implement learning sessions and walk-throughs to make sure the transition to something new is easy to learn.”

Convince management that IAM is a critical priority

“It's important to think about management's perspective when planning for IAM solutions. Oftentimes, management may not be as security focused so it's critical to help them understand the risks associated with any decisions you're intending on making for IAM so that they can support your program.”

Partner up with industry veterans and experts

“It is very helpful to develop a partnership with your IAM provider and to dedicate budget dollars and IT time to ensure a successful deployment of your IAM program. Don't try to cut corners and don't try to go it alone.”

“Get beyond the sales pitch with potential IAM vendors. Ask the difficult questions. You will be hit with ‘That's proprietary information’ quite a bit, but if you have a solid NDA on file, you can use that as leverage. If they truly want your business, they will respond accordingly.”

Enforce least privileged access without exception

“Least privilege must be enforced. Ease of use matters too: having multiple accounts will end up with people either using the same password or writing them down in insecure ways.”

“A clear strategy that satisfies the least-privilege principle is very important and this will help you in compliance, technical and insider threats at the same time.”

“Stick to the least privilege principle as best you can.”
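The three pieces of advice above (map business workflows to user groups before assigning roles, remove access when people leave, and hold the line on least privilege) can be turned into a repeatable check. The following Python script is an added example, not code from CRA or any of the survey respondents; the workflow names, role names, permission strings and accounts are all constructed for illustration. It derives the permissions each role should carry from a workflow-to-permission map, then audits a set of accounts for three conditions: permissions beyond what the person's roles justify, accounts of departed users that still hold access, and roles that were never mapped to a workflow.

```python
"""Least-privilege audit driven by a workflow-to-role mapping.

Added example with constructed data. Every workflow, role, permission
and user name below is hypothetical.
"""
from dataclasses import dataclass

# Step 1 (constructed): the workflow review records which permissions each
# business workflow genuinely needs.
WORKFLOW_PERMISSIONS = {
    "invoice-approval": {"erp:read", "erp:approve-invoice"},
    "payroll-run": {"hr:read", "hr:run-payroll"},
    "helpdesk": {"ad:reset-password", "ticketing:write"},
}

# Step 2 (constructed): user groups are built from workflows, never the
# other way round, so a role's permissions are fully derived from its map.
ROLE_WORKFLOWS = {
    "finance-approver": {"invoice-approval"},
    "payroll-admin": {"payroll-run"},
    "support-tier1": {"helpdesk"},
}


def role_permissions(role):
    """Union of the permissions needed by every workflow the role supports."""
    perms = set()
    for workflow in ROLE_WORKFLOWS.get(role, ()):
        perms |= WORKFLOW_PERMISSIONS[workflow]
    return perms


@dataclass
class Account:
    user: str
    roles: set          # roles assigned in the IAM system
    granted: set        # permissions actually present in the target systems
    active: bool = True # False once HR marks the person as departed


def expected_permissions(account):
    """Least-privilege baseline: only what the assigned roles justify."""
    perms = set()
    for role in account.roles:
        perms |= role_permissions(role)
    return perms


def audit(accounts):
    """Return (user, finding-type, details) tuples for policy violations."""
    findings = []
    for acct in accounts:
        if not acct.active:
            # Departed users should have been deprovisioned entirely.
            if acct.granted:
                findings.append((acct.user, "departed-but-provisioned", sorted(acct.granted)))
            continue
        excess = acct.granted - expected_permissions(acct)
        if excess:
            findings.append((acct.user, "excess-privilege", sorted(excess)))
        unmapped = acct.roles - set(ROLE_WORKFLOWS)
        if unmapped:
            # A role with no workflow behind it cannot be justified by the map.
            findings.append((acct.user, "unmapped-role", sorted(unmapped)))
    return findings


# Constructed sample: one clean account, one over-provisioned, one departed
# but still provisioned, and one holding a role nobody mapped to a workflow.
SAMPLE_ACCOUNTS = [
    Account("alice", {"finance-approver"}, {"erp:read", "erp:approve-invoice"}),
    Account("bob", {"support-tier1"}, {"ad:reset-password", "ticketing:write", "hr:run-payroll"}),
    Account("carol", {"payroll-admin"}, {"hr:read"}, active=False),
    Account("dave", {"legacy-admin"}, set()),
]


def run_sample():
    return audit(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for user, kind, detail in run_sample():
        print(f"{user}: {kind}: {', '.join(detail)}")
```

In a real deployment the two maps would be loaded from the access review's output and the accounts from the IAM system's export; the point of the structure is that any permission not traceable to a workflow shows up as a finding, which is what makes "stick to the plan" enforceable rather than aspirational.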

Adopt more robust IAM tools and policies 

In addition to the best practices mentioned above, CRA finds that those with high confidence in their organization’s IAM abilities are more likely to incorporate methods and tools associated with advanced IAM competency – such as advanced analytics (using AI or ML), automation, and a zero trust architecture – compared to their less confident peers.

For example, among those who lack confidence in their organization’s ability to allocate least privilege, just 25% acknowledge the use of zero trust architecture and only six percent benefit from advanced analytics powered by AI or machine learning. Among those with high confidence in least-privilege enforcement, 42% acknowledge zero trust architecture and 31% benefit from advanced analytics.

As one respondent writes, “the most important advice that I have learned through experience with IAM is that AI/ML, automation and integration are the most important elements to be included in planning an IAM in the future.”

For more insights from CRA’s survey on how organizations are addressing questions of identity and access management, click here to download the full report.

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.
