Identity is the new security perimeter. With cloud adoption, remote work, and SaaS proliferation, controlling who can access what and verifying that continuously forms the foundation of modern security architecture.
IAM Fundamentals
Identity and Access Management encompasses four core functions:
- Identification establishes who a user or system claims to be (username, email, service account name)
- Authentication verifies that claim (password, MFA, certificate, biometric)
- Authorization determines what the verified identity is permitted to do
- Accountability covers logging and auditing all access decisions
Authentication Best Practices
Multi-Factor Authentication (MFA)
MFA is the single most effective control against password-only attacks (credential stuffing, password spraying, reuse of breached passwords). Enforce it everywhere, and treat the method as a ranking rather than a checkbox: only phishing-resistant methods stop adversary-in-the-middle phishing kits that relay OTPs and push approvals to the real login in real time.
MFA methods ranked by strength:
| Method | Phishing Resistant | Recommended Use |
|---|---|---|
| FIDO2/WebAuthn (hardware keys) | Yes | Privileged accounts, high-value systems |
| Platform authenticators (Touch ID, Windows Hello) used as WebAuthn credentials | Yes (the local biometric alone is not; the WebAuthn origin binding is what resists phishing) | Standard workforce authentication |
| Authenticator apps (TOTP) | No | Acceptable for standard accounts |
| Push notifications | No (approvals are relayed by AiTM phishing kits; vulnerable to fatigue attacks) | Use only with number matching and login context (app, location) shown in the prompt |
| SMS/voice OTP | No | Avoid: SIM swapping, SS7 interception, and OTP relay by phishing kits |
Enforce MFA on all remote access (VPN, cloud console, email). Require phishing-resistant MFA for administrative and privileged accounts. Implement number matching for push-based MFA to prevent fatigue attacks. Monitor for MFA bypass attempts and anomalous authentication patterns.
Password Policy
If passwords remain in use alongside MFA, enforce a minimum length and no composition rules: NIST SP 800-63B sets a floor of 8 characters for memorized secrets and requires verifiers to accept at least 64, so 12 or more is a sensible house standard. Screen new and changed passwords against breach corpora; the Have I Been Pwned range API accepts only the first five hex characters of the password's SHA-1 hash, so the password itself never leaves your system. Do not require periodic rotation, per the same NIST guidance; rotate only on evidence of compromise. Support passphrases and password managers (never block paste). Never store passwords in plaintext or reversible encryption; store only a salted, memory-hard hash using bcrypt, scrypt, or Argon2id.
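The policy above as a worked check, written as an added example for this page (not code from the original). It screens a candidate password against a Have I Been Pwned style range response using the k-anonymity prefix, then hashes it with scrypt from the standard library. The range responses, breach counts and usernames are constructed inline so the example runs offline; a real deployment swaps `constructed_range` for an HTTP fetch of `https://api.pwnedpasswords.com/range/<prefix>`.

```python
"""Password screening and storage for the case where passwords still back
MFA: a length floor with no composition rules, breach screening through the
Have I Been Pwned range (k-anonymity) API, and salted memory-hard hashing.

Added example, not code from the original page. To run offline it uses a
constructed stand-in for the range API; a real check fetches
https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1> and
parses the same "SUFFIX:COUNT" lines. The breach counts below are made up.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12   # house floor; NIST SP 800-63B requires at least 8
MAX_LENGTH = 128  # allow long passphrases, but bound hashing cost


def _constructed_range_db():
    """Fake HIBP range responses for a few constructed breached passwords."""
    db = {}
    for pw, count in [("password", 9_000_000), ("123456", 37_000_000),
                      ("Password123456", 5000)]:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        db.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return db


_RANGE_DB = _constructed_range_db()


def constructed_range(prefix):
    """Stand-in for GET /range/<prefix>; returns the response body as text."""
    return "\n".join(_RANGE_DB.get(prefix, []))


def breach_count(password, fetch_range=constructed_range):
    """How many times the password appears in the breach corpus (0 = not seen).

    Only the first five hex characters of the SHA-1 leave the process; the
    match on the remaining 35 happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


def validate_password(password, username, fetch_range=constructed_range):
    """Return (accepted, reason): length floor, no username, not breached."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if username and username.lower() in password.lower():
        return False, "contains the username"
    count = breach_count(password, fetch_range)
    if count:
        return False, f"found in breach corpus ({count} times)"
    return True, "ok"


def hash_password(password, n=2 ** 14, r=8, p=1):
    """scrypt with a fresh 16-byte salt. The record carries its own parameters
    so they can be raised later without breaking existing hashes."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${key.hex()}"


def verify_password(password, record):
    """Constant-time comparison against a record produced by hash_password."""
    algo, n, r, p, salt_hex, key_hex = record.split("$")
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key.hex(), key_hex)
```

The `fetch_range` parameter is the only place the network touches this code, which keeps the screening logic unit-testable and makes it obvious that the full hash is never sent. Raising the scrypt cost later only requires changing the defaults; old records still verify because they carry their own `n`, `r` and `p`.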
Passwordless Authentication
Where possible, eliminate passwords entirely using FIDO2/WebAuthn with platform or roaming authenticators, certificate-based authentication for devices and services, or passkeys synced across devices via platform ecosystems. Passwordless removes the phishing and credential-stuffing surface and improves user experience. One caveat: a synced passkey is only as strong as the platform account that syncs it, so that account's recovery path deserves the same scrutiny as the credential itself.
Authorization Models
Role-Based Access Control (RBAC)
Assign permissions to roles, then assign users to roles.
Define roles based on job functions, not individual users. Keep the number of roles manageable since role explosion defeats the purpose. Review role definitions annually. No user should have a role that combines request and approval authority (separation of duties).
Attribute-Based Access Control (ABAC)
Access decisions based on attributes of the user, resource, action, and environment.
Use ABAC when you have complex authorization requirements that RBAC cannot express cleanly, context-dependent access (time of day, location, device posture), or fine-grained data access policies (row-level or field-level).
Policy-Based Access Control
Externalize authorization decisions to a policy engine (Open Policy Agent, Cedar, AWS Verified Permissions).
This approach decouples authorization logic from application code. Policies can be version-controlled, tested, and audited. It also enables consistent enforcement across services.
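The three models above in one small decision function, added here as an example (not code from the original page). Permissions attach to roles (RBAC), a conflict list enforces separation of duties, and per-action conditions such as MFA, device posture, business hours and region are data rather than code (ABAC), which is the shape a policy engine such as OPA or Cedar expects. The roles, permissions, attribute names and conflict pairs are assumed for illustration.

```python
"""RBAC with separation-of-duties checks, plus ABAC conditions, evaluated by
one policy function kept apart from application code.

Added example, not code from the original page. Roles, permissions,
attribute names and conflict pairs are assumed for illustration; a real
deployment hands the same (principal, action, resource, context) tuple to a
policy engine such as OPA or Cedar instead of this function.
"""
from dataclasses import dataclass

# RBAC: permissions attach to roles, never directly to users.
ROLE_PERMISSIONS = {
    "payments_requester": {"payment:create", "payment:read"},
    "payments_approver": {"payment:approve", "payment:read"},
    "support_agent": {"customer:read"},
}

# Separation of duties: no principal may hold both roles of a pair.
SOD_CONFLICTS = [("payments_requester", "payments_approver")]

# ABAC: extra conditions per action, expressed as data rather than code.
CONDITIONS = {
    "payment:approve": {"mfa": True, "managed_device": True,
                        "business_hours": True, "not_own_record": True},
    "customer:read": {"same_region": True},
}


@dataclass
class Principal:
    id: str
    roles: frozenset
    region: str
    mfa: bool
    managed_device: bool


@dataclass
class Resource:
    kind: str
    region: str
    owner: str = ""


@dataclass
class Context:
    hour: int  # local hour of day, 0-23


def sod_violations(roles):
    return [pair for pair in SOD_CONFLICTS if pair[0] in roles and pair[1] in roles]


def permissions_for(roles):
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(p, action, r, ctx):
    """Return (allowed, reason). Deny by default; every denial is explained."""
    bad = sod_violations(p.roles)
    if bad:
        return False, f"separation of duties: {bad[0][0]} + {bad[0][1]}"
    if action.split(":")[0] != r.kind:
        return False, "action does not apply to resource kind"
    if action not in permissions_for(p.roles):
        return False, f"no role grants {action}"
    cond = CONDITIONS.get(action, {})
    if cond.get("mfa") and not p.mfa:
        return False, "mfa required"
    if cond.get("managed_device") and not p.managed_device:
        return False, "managed device required"
    if cond.get("business_hours") and not 8 <= ctx.hour < 18:
        return False, "outside business hours"
    if cond.get("not_own_record") and r.owner == p.id:
        return False, "cannot act on own record"
    if cond.get("same_region") and r.region != p.region:
        return False, "resource region mismatch"
    return True, "allow"
```

Because the tables at the top are plain data, they can live in version control and be tested with the same request tuples the application will send; the SoD check runs before anything else so a mis-assigned role pair fails closed even if one of the roles would otherwise have allowed the action.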
Privileged Access Management (PAM)
Privileged accounts (domain admins, root, database admins, cloud IAM admins) are the highest-value targets for attackers.
Core PAM Controls
Store privileged passwords and keys in a PAM vault (CyberArk, Delinea, HashiCorp Vault) and rotate credentials automatically. Grant elevated privileges only when needed through just-in-time access, for a defined duration, with an approval workflow. Record all privileged sessions for forensic review and compliance. Enforce least privilege so there is no standing admin access; administrators request elevation for specific tasks. Document emergency access through break-glass procedures with post-use review.
Service Account Management
Service accounts are frequently overlooked and over-privileged.
Inventory all service accounts with documented owners and purposes. Rotate service account credentials automatically. Use managed identities or workload identity federation where cloud platforms support them (AWS IAM Roles, Azure Managed Identities, GCP Workload Identity). Alert on interactive logins to service accounts. Apply the same least-privilege principles as human accounts.
Identity Lifecycle Management
Joiner-Mover-Leaver Process
| Event | Action |
|---|---|
| Joiner (new hire) | Provision accounts based on role and department; assign baseline access |
| Mover (role change) | Revoke old role access, provision new role access; do not accumulate |
| Leaver (departure) | Disable accounts within 24 hours (immediately for involuntary terminations); revoke all access, including active sessions, refresh tokens, and API keys; transfer ownership of shared resources |
Automated Provisioning
Integrate IAM with HR systems (Workday, BambooHR) as the authoritative source for employment status. Use SCIM (System for Cross-domain Identity Management) for automated SaaS provisioning. Automate deprovisioning since a manual offboarding process will eventually miss someone.
Access Reviews and Certification
Conduct quarterly access reviews for privileged access and semi-annual reviews for standard access. Managers must certify that each of their reports’ access is still required. Automatically revoke access that is not recertified within the review window. Track review completion rates and escalate non-compliance.
Identity in Cloud Environments
Cloud IAM Principles
Use separate accounts/subscriptions/projects to isolate workloads (AWS Organizations, Azure Management Groups, GCP folders). Enforce identity federation to centralize authentication through your IdP rather than creating cloud-native users. Apply least privilege policies by starting with no permissions and adding only what is needed. Use service control policies (AWS SCPs) or organization policies (GCP) to set permission guardrails. Enable CloudTrail/Activity Log/Audit Log for all identity-related events.
Cross-Cloud Identity
For multi-cloud environments, use a single IdP (Okta, Microsoft Entra ID, Ping Identity) as the identity authority. Federate into each cloud provider via SAML 2.0 or OIDC. Standardize role naming conventions across providers. Aggregate cloud identity logs into a central SIEM.
Zero Trust Identity Principles
Identity is the cornerstone of Zero Trust architecture:
- Continuous verification: Re-evaluate trust on every request, not just at login
- Device posture: Factor device health (patch level, EDR status, encryption) into access decisions
- Conditional access: Require step-up authentication for sensitive operations or anomalous contexts
- Session management: Use short-lived sessions with re-authentication for privilege escalation
- Assume breach: Design authorization assuming the network is already compromised
Metrics and Monitoring
Key IAM Metrics
- MFA adoption rate: percentage of accounts with MFA enabled (target: 100%)
- Orphaned accounts: accounts with no corresponding active employee or owner
- Privileged account count: total number of accounts with elevated privileges (should decrease over time)
- Access review completion rate: percentage of reviews completed on schedule
- Mean time to deprovision: time from employment termination to full access revocation
- Failed authentication rate: establish a baseline and alert on deviations from it
Identity Threat Detection
Monitor for:
- Impossible travel: logins from geographically distant locations in a timeframe that rules out physical travel
- Credential stuffing: high-volume failed logins from one source across many accounts
- Privilege escalation: accounts gaining administrative roles outside normal workflows
- Dormant account activation: inactive accounts suddenly used
- MFA fatigue: repeated push prompts to a single user in a short period, especially a burst that ends in an approval
- Token theft: session or refresh token reuse from a new device, IP, or user agent
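Four of these detections run over a constructed authentication log, as an added example for this page (not code from the original or from any IdP or SIEM vendor). It also covers the interactive-service-account rule from the Service Account Management section. The log lines, documentation-range IPs, thresholds and field names are assumed; map them onto your IdP's real event schema.

```python
"""Identity threat detections over a constructed authentication log:
impossible travel, credential stuffing, MFA fatigue and interactive logins
to service accounts. Added example, not code from the original page; all
events, IPs, thresholds and field names are assumed for illustration."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

LOG = [  # constructed events, all UTC
    {"ts": "2024-05-01T09:00:00+00:00", "user": "alice", "ip": "203.0.113.5",
     "event": "login", "result": "success", "lat": 51.5074, "lon": -0.1278},    # London
    {"ts": "2024-05-01T09:40:00+00:00", "user": "alice", "ip": "198.51.100.7",
     "event": "login", "result": "success", "lat": -33.8688, "lon": 151.2093},  # Sydney
]
# One IP failing against five accounts inside five minutes.
for i, u in enumerate(["bob", "carol", "erin", "frank", "grace"]):
    LOG.append({"ts": f"2024-05-01T10:0{i}:00+00:00", "user": u, "ip": "192.0.2.9",
                "event": "login", "result": "failure"})
# Six push prompts to one user in 2.5 minutes; the last one is approved.
for i in range(6):
    LOG.append({"ts": f"2024-05-01T11:{i // 2:02d}:{(i % 2) * 30:02d}+00:00",
                "user": "dave", "event": "mfa_push",
                "result": "approved" if i == 5 else "denied"})
# Interactive logon with a service account.
LOG.append({"ts": "2024-05-01T12:00:00+00:00", "user": "svc-backup", "ip": "203.0.113.5",
            "event": "login", "result": "success", "logon_type": "interactive"})


def ts(e):
    return datetime.fromisoformat(e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Consecutive successful logins per user that would require > max_kmh."""
    by_user = defaultdict(list)
    for e in sorted(events, key=ts):
        if e["event"] == "login" and e["result"] == "success" and "lat" in e:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (ts(cur) - ts(prev)).total_seconds() / 3600
            if km > max_kmh * hours:  # also catches two places at the same instant
                alerts.append({"rule": "impossible_travel", "user": user,
                               "km": round(km), "hours": round(hours, 2)})
    return alerts


def _best_window(evs, window_min, score):
    """Highest-scoring slice of time-sorted evs inside one window_min span."""
    best_score, best = 0, []
    for i, start in enumerate(evs):
        limit = ts(start) + timedelta(minutes=window_min)
        window = [e for e in evs[i:] if ts(e) <= limit]
        if score(window) > best_score:
            best_score, best = score(window), window
    return best_score, best


def credential_stuffing(events, window_min=10, min_users=5):
    """One source IP failing against many distinct accounts in a short window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=ts):
        if e["event"] == "login" and e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        n, _ = _best_window(evs, window_min, lambda w: len({e["user"] for e in w}))
        if n >= min_users:
            alerts.append({"rule": "credential_stuffing", "ip": ip, "distinct_users": n})
    return alerts


def mfa_fatigue(events, window_min=5, min_prompts=5):
    """Burst of push prompts to one user; flag whether it ended in an approval."""
    by_user = defaultdict(list)
    for e in sorted(events, key=ts):
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        n, window = _best_window(evs, window_min, len)
        if n >= min_prompts:
            alerts.append({"rule": "mfa_fatigue", "user": user, "prompts": n,
                           "approved_after_fatigue": window[-1]["result"] == "approved"})
    return alerts


def service_account_interactive(events, service_accounts):
    """Service accounts should only ever authenticate non-interactively."""
    return [{"rule": "service_account_interactive", "user": e["user"], "ip": e.get("ip")}
            for e in events if e["user"] in service_accounts
            and e["event"] == "login" and e.get("logon_type") == "interactive"]


def run_all(events, service_accounts=frozenset({"svc-backup"})):
    return (impossible_travel(events) + credential_stuffing(events)
            + mfa_fatigue(events) + service_account_interactive(events, service_accounts))


if __name__ == "__main__":
    for alert in run_all(LOG):
        print(alert)
```

The impossible-travel rule compares distance against the distance a plausible speed could cover in the elapsed time rather than dividing, so two logins at the same instant from different places still alert without a divide-by-zero. The MFA fatigue alert carries whether the burst ended in an approval, which is the difference between a nuisance and a probable account takeover.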
Implementation Roadmap
Phase 1: Foundation
- Deploy a centralized IdP with SSO for all critical applications
- Enforce MFA on all remote access and administrative accounts
- Inventory all privileged and service accounts
- Establish joiner-mover-leaver automation
Phase 2: Strengthening
- Implement PAM with vaulting and just-in-time access
- Deploy phishing-resistant MFA for privileged users
- Automate access reviews with recertification workflows
- Federate identity into all cloud environments
Phase 3: Optimization
- Implement conditional access policies based on risk signals
- Deploy identity threat detection and response (ITDR)
- Move toward passwordless authentication
- Integrate device posture into access decisions
- Externalize authorization to a policy engine