Centralized IAM Best Practices

December 16, 2021 | By IANS Faculty

Organizations making significant investments in cloud services should plan to build a centralized IAM function and focus it on a few key principles. This piece explains the best practices to follow, as well as the pitfalls to avoid, when moving to centralized IAM. 

Centralized IAM: Getting Started 

Most organizations should consider starting with the existing internal IAM team, if one exists. These teams are often focused primarily on directory services like Active Directory (AD), federation and SSO, as well as provisioning and deprovisioning users. These are all critical elements of a cloud IAM strategy, but additional IAM expertise and skills will be needed to adapt Windows and Unix privileges and permissions to cloud-based images and deployments, as well as to configure and manage cloud provider policy syntax and roles. 

A cloud-focused IAM team should bring together a variety of skills and disciplines, including: 

  • Directory services configuration and management. Domain administrators and architects are usually good candidates. 
  • Federation and SSO engineers with experience building federation policies and integrating SSO via SAML, OAuth or OpenID Connect (OIDC). 
  • Any cloud engineers with expertise in cloud provider IAM frameworks, such as Google Cloud Platform (GCP) IAM, Amazon Web Services (AWS) IAM and Microsoft Azure role-based access control (RBAC). 

Ideally, these teams should be built from existing internal groups that already understand the business and goals of the organization, but sometimes cloud-specific IAM expertise will require recruiting from outside the organization. 

Centralized IAM Key Principles 

Once a central team is built, organizations should focus on the following five key principles and practices for mature IAM security and governance: 

  1. Creating a centralized directory service: Plan to source all accounts and identities from it. For most organizations this will be AD or another LDAP-based identity store; whether it is on-prem or cloud-based matters less than having a single authoritative store, which is critical to long-term IAM success. 
  2. Establishing centralized identity provisioning and lifecycle management: All provisioning and deprovisioning of accounts and identities should go through the central identity store. Define and categorize the types of identity you use so that each type has an appropriate naming convention and lifecycle. A good first cut is to separate human identities (end users and admins) from machine identities (service accounts and roles), because the two have different owners and lifecycles. 
  3. Implementing SSO for all access to cloud services (and potentially on-prem services, too): Provide a unified portal for access that supports strong authentication such as MFA, along with the federation standards in use (SAML, OAuth, OpenID Connect and others). All types of users should reach services and resources via the SSO portal, with exceptions made only for high-velocity automation where interactive SSO does not fit; those exceptions are exactly the machine identities that item 2 asks you to define and track. 
  4. Deploying centralized monitoring: Security operations should work with the IAM team to monitor all IAM activity centrally, in particular creation, deletion and modification of policies and role assignments, along with unusual or suspect IAM behavior. This requires centralized logging from the SSO and federation services, from each cloud provider environment and from any brokering layer in front of cloud services, such as a cloud access security broker (CASB). 
  5. Scanning routinely to review accounts: The central IAM team should proactively scan cloud environments and identity stores on a regular schedule to review the accounts, machine identities and roles/policies in place, looking for unexpected changes, excessive privileges and identities whose lifecycle does not match their type (for example, a service account with an interactive login, or an account that has never been used). 
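As an added example that is not part of the original post, the following Python script shows what the centralized monitoring in item 4 and the routine review in item 5 look like once they are written down as checks over log lines and an identity inventory. The event records are constructed here and modeled on the shape of AWS CloudTrail IAM records; the `iam-admins` role standing in for the central IAM team, the 90-day staleness threshold and the inventory snapshot are all assumptions made for the example, not anything the article specifies.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Role assumed by the central IAM team (hypothetical name). Any IAM mutation by
# a principal not using one of these roles is treated as outside the process.
APPROVED_IAM_ADMIN_ROLES = {"iam-admins"}

# IAM API actions that create, delete or modify identities, policies or role
# assignments. The action names are real IAM API names; the set is illustrative.
MUTATING_EVENTS = re.compile(
    r"^(Create|Delete|Put|Attach|Detach|Update)(User|Role|Group|Policy|PolicyVersion|"
    r"UserPolicy|RolePolicy|GroupPolicy|AssumeRolePolicy|AccessKey|LoginProfile)$"
)

# Assumed review parameters: identities unused for longer than STALE_AFTER are flagged.
STALE_AFTER = timedelta(days=90)
REVIEW_TIME = datetime(2021, 12, 16, tzinfo=timezone.utc)


def _record(time, name, actor_arn, **params):
    """Build one constructed log line in the shape of an AWS CloudTrail IAM record."""
    return json.dumps({"eventTime": time, "eventSource": "iam.amazonaws.com",
                       "eventName": name, "userIdentity": {"arn": actor_arn},
                       "requestParameters": params})


# Constructed sample events; none of these are real logs.
ADMIN = "arn:aws:sts::111122223333:assumed-role/iam-admins/alice"
DEV = "arn:aws:sts::111122223333:assumed-role/dev-team/bob"
SAMPLE_LOG_LINES = [
    _record("2021-12-01T09:12:03Z", "AttachRolePolicy", ADMIN, roleName="app-deploy",
            policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
    _record("2021-12-02T17:40:11Z", "PutUserPolicy", DEV, userName="svc-backup",
            policyName="backup-inline"),
    _record("2021-12-03T08:05:27Z", "GetUser", DEV, userName="svc-backup"),
    _record("2021-12-04T22:15:49Z", "AttachRolePolicy", ADMIN, roleName="data-pipeline",
            policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    _record("2021-12-05T03:30:00Z", "DeleteUser",
            "arn:aws:iam::111122223333:user/carol", userName="contractor-y"),
]


def actor_role(record):
    """Return the role an STS-assumed principal is using, or None for a plain IAM user."""
    arn = record.get("userIdentity", {}).get("arn", "")
    match = re.search(r":assumed-role/([^/]+)/", arn)
    return match.group(1) if match else None


def review_iam_events(lines):
    """Alert on IAM mutations by anyone outside the central team, and on any grant
    of AdministratorAccess regardless of who made it."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventSource") != "iam.amazonaws.com" or not MUTATING_EVENTS.match(rec["eventName"]):
            continue  # reads such as GetUser, and non-IAM services, are not policy changes
        params = rec.get("requestParameters") or {}
        target = params.get("roleName") or params.get("userName") or params.get("groupName")
        actor, when, action = rec["userIdentity"]["arn"], rec["eventTime"], rec["eventName"]
        if actor_role(rec) not in APPROVED_IAM_ADMIN_ROLES:
            alerts.append(f"{when} {action} on {target} by {actor}: outside the central IAM team")
        if params.get("policyArn", "").endswith("/AdministratorAccess"):
            alerts.append(f"{when} {action} grants AdministratorAccess to {target}")
    return alerts


# Constructed inventory snapshot: last use, console login and effective policy
# statements per identity, split human vs. machine as the article recommends.
INVENTORY = [
    {"name": "alice", "kind": "human", "last_used": "2021-12-10T08:00:00Z", "console": True,
     "statements": [{"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}]},
    {"name": "svc-backup", "kind": "machine", "last_used": "2021-06-01T00:00:00Z", "console": True,
     "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"name": "data-pipeline", "kind": "machine", "last_used": "2021-12-15T00:00:00Z", "console": False,
     "statements": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::pipeline-in/*"}]},
    {"name": "contractor-x", "kind": "human", "last_used": None, "console": True, "statements": []},
]


def review_inventory(identities, now=REVIEW_TIME):
    """Flag stale identities, wildcard grants and lifecycle mismatches in a snapshot."""
    findings = []
    for ident in identities:
        name, last = ident["name"], ident["last_used"]
        if last is None or now - datetime.fromisoformat(last.replace("Z", "+00:00")) > STALE_AFTER:
            findings.append(f"{name}: never used, or unused for more than {STALE_AFTER.days} days")
        for stmt in ident["statements"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if stmt["Effect"] == "Allow" and stmt["Resource"] == "*" and any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"{name}: Allow {actions} on all resources (excessive privilege)")
        if ident["kind"] == "machine" and ident["console"]:
            findings.append(f"{name}: machine identity with console login (lifecycle mismatch)")
    return findings


if __name__ == "__main__":
    for item in review_iam_events(SAMPLE_LOG_LINES) + review_inventory(INVENTORY):
        print(item)
```

Run as a script, this prints three event alerts (the developer's inline policy on svc-backup, the user deletion by a plain IAM user, and the AdministratorAccess grant, which is flagged even though the central team made it) and five inventory findings. Note what the two checks share: both key off the human-versus-machine split and the "who is allowed to change IAM" decision from items 2 and 4, which is why those have to be settled before monitoring or scanning can say anything useful. In production the log lines would come from the centralized logging the article calls for and the inventory from the provider's IAM APIs.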

Centralized IAM Pitfalls 

Moving to a central IAM function can be slowed by a range of stumbling blocks, such as: 

  • Lack of executive support: Executives and senior leadership must endorse a central IAM function, regardless of team composition. 
  • Lack of defined identity and permissions standards: A collaborative approach to defining and documenting expected and acceptable identities and permissions used in cloud deployments is critical to ensuring long-term success and minimization of political battles. 
  • Lack of commitment to centralized tools and services: Central identity directories, SSO, federation and oversight are critical to successful IAM governance. Maintaining a fragmented toolset or set of processes can easily derail efforts to improve IAM security and overall effectiveness. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 