Five steps to mastering identity and access management

As the workforce becomes increasingly mobile and dispersed, identity and access management becomes more important in ensuring organisational security. While managing user identities and controlling access are separate tasks, they are closely related. Identity and access management (IAM) needs to be a key part of business security strategy, particularly as organisations grow and IT architectures become more complex. Here are five things to consider when planning your IAM strategy.

1. Identity data infrastructure

It is not possible to manage user identities without having an appropriate data infrastructure in place to store user information. This generally involves the use of directory and metadirectory systems, usually based on lightweight directory access protocol (LDAP), industry standard for accessing directory data.

Decision makers should consider federated identity as part of the underlying data structure. This allows systems to automatically grant access to users of other systems. Federated identity systems assign permissions to each other, creating a secure web of trusted applications. However, enterprises need to tread carefully when designing these systems—complexity can create more headaches than necessary and increase management overhead, while also limiting the flexibility to change application specifications or relationships.

While federated identity can be used to integrate disparate systems together (including those inside a single organisation), it is also necessary to assign the appropriate level of expertise to the design and maintenance of such a solution.

2. Define roles and entitlements

Two important, but still nascent, techniques that have a significant effect on access control are entitlement management and role-based access control. Systems that carry out these functions allow administrators to define multiple roles in an organisation, along with a granular set of entitlements to allow system access. When combined, they allow for very tight control of user access. For example, someone in a junior accounting role could access a particular database, but only until 6pm.

Defining and maintaining these roles and entitlements requires significant input from business management, which can potentially lead to complications if organisational requirements change. Business management needs to carefully monitor entitlements and roles in order to ensure operational security.

3. Automate the provisioning process

Identity management helps improve company-wide productivity and security, while also lowering the cost of managing users and their identities, attributes and credentials. This requires automation, but it also contains hidden challenges, as just setting up a user name and a password is often simply not enough. Instead, multiple steps must be included in the provisioning process. For example, users might be assigned a sales region, enrolled into a different number of organisational teams or given a list of company resources to which they have access.

4. Simplify access control

Controlling access to systems is a separate but related task to managing identity. The user can only be authenticated if their identity is in the system, but the task of authentication poses another challenge. Users must be able to access the system relatively easily to avoid illicit circumvention of security settings, and yet their credentials must be secure enough to stop attackers simply waltzing through the gate. Enterprise sign-on systems can provide users with access to multiple enterprise applications using just one set of credentials. For added security, hardware-based tokens can also be issued as part of a two-step authentication process.

5. Audit

Any identity and access management system is not complete without a robust reporting capability to meet the needs of auditors facing compliance regulations. Organisations should be able to provide audit trails showing which users had access to what resources, and what was done with those resources. With increasing levels of compliance required from organisations, it is wise to ensure that evidence can be provided when needed.


Any comprehensive IAM effort is complex, but cloud-based services can help to reduce deployment times. A competent and experienced IT operator can not only host the infrastructure necessary for managing both identity and access control, but can also provide consulting services to help integrate it effectively into a customer’s existing IT architecture. When the time and due consideration is taken, IAM can prove to be a valuable asset to any organisation.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gordon Makryllos

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts