6 Identity and Access Management Best Practices

Emily Heaslip
February 23, 2021

Stolen credentials are among the biggest threats to data security across industries, accounting for around 80% of data breaches. In 2022 alone, nearly half of breaches during the first six months involved the theft of passwords and user accounts.

As more companies shift to cloud-based remote work, the need for stronger controls guarding user credentials is also rising. The identity and access management market — consisting of expertise, identity access management tools and software, and training — is predicted to grow to $34.52 billion by 2028. Identity and access management plays an integral role as more companies migrate to cloud-based programs. Here’s what you need to know about this important aspect of data security.

What is identity and access management?

Identity and access management (IAM) is the practice of defining and managing user roles and access for individuals within an organization. IAM involves both tools and policies to make sure the right people can access the right resources at the right time, and for the right reasons, according to Gartner’s definition.

Identity and access management is a broad area of expertise that can best be understood by breaking it out into five domains:

  1. Identification
  2. Authentication
  3. Authorization
  4. Access governance
  5. Accountability

Ultimately, these areas of practice work together to ensure the right people gain access to the right systems and data while restricting the potential for unauthorized access.

Identification

Identification is foundational to every IAM best practice. IAM involves creating and managing unique identifiers for the users, devices, and applications that use the company’s systems. Today, experts recommend implementing a zero-trust framework, meaning that no user, device, or application is permitted to use the network until its identity has been verified.

Authentication

Authentication requires users to verify their identity in more ways than one. 2FA and multifactor authentication are the two main processes by which a user completes this step. Notably, authentication must take place at various key moments of data sharing — not just at login. For instance, when an employee processes a financial transaction, they should be required to identify themselves and authenticate their credentials again.

Authorization

The Identity Management Institute defines authorization as “the act of verifying that a device, application, or user has permission to access requested network resources.” Essentially, this refers to conditional access management and the principle of least privilege, or PoLP. Rather than give each user the same level of access, IT teams should create granular access roles.

Access governance

Similarly, access governance defines the policies and procedures for assigning and managing access across users, applications and devices. Today, access governance is best managed through automated tools that update governance in real time, helping organizations avoid fines, lawsuits, and damage to their public image.

Accountability

Finally, many companies plan to increase their data analytics budgets for IAM in 2022, citing the need for information that informs better IT decision-making, supports in-depth audits, and strengthens accountability. With more data on the efficacy of IAM solutions, IT teams can continually improve how they protect data while still enabling teams to collaborate remotely.

As you can see, IAM is a broad set of tools and practices that addresses access to everything from applications to on-premise devices to cloud platforms and more.

What about CIAM, PIM and PAM?

IAM requires a system to govern employees, vendors, contractors, and partners. Many organizations also need a way to govern customers through Customer Identity and Access Management (CIAM). CIAM is necessary for public-facing applications for which users need to create an account. For instance, tools like Salesforce and Zeplin may require CIAM practices.

“Key CIAM features include self-service for registration, password and consent management, profile generation and management, authentication and authorization into applications, identity repositories, reporting and analytics, APIs and SDKs for mobile applications, and social identity registration and login,” wrote Gartner.

IAM practitioners also need to be familiar with the idea of “privileged” users — those within the organization who have elevated access privileges. This is the next level of data security and user access management, and it involves two key principles: PIM and PAM. Often, these principles overlap — for instance, Gartner refers to “managing and securing privilege” as PAM, while the Forrester Wave refers to it as PIM.

PIM is an acronym for privileged identity management. “Privileged Identity Management (PIM) is a capability within identity management focused on the special requirements of managing highly privileged access,” explained Oxford Computer Training. “PIM is an information security and governance tool to help companies meet compliance regulations and to prevent system and data breaches through the improper use of privileged accounts.”

PAM stands for privileged access management. It follows the same basic practices as PIM:

  • Advanced privileges must be requested and approved on a case-by-case basis;
  • Administrators should have their privileged permissions for the minimum time possible;
  • Administrators should only have the permissions required to complete a specific task;
  • Membership in administrative groups must be reviewed regularly;
  • Enforce multi-factor authentication;
  • Keep access logs and audits, and set up real-time notifications when privileged access is activated.

The bottom line? Sound data security calls for both privileged access management and IAM, guided by what’s known as “the principle of least privilege.”
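As an added illustration (not code from the article or from any vendor’s product), here is a small Python model of the PIM/PAM rules listed above: a just-in-time broker in which elevation must be requested with MFA, approved by someone other than the requester, scoped to named permissions, capped in duration, and recorded in an audit log. The one-hour ceiling and the use of plain integer seconds for time are assumptions made for the example.

```python
MAX_GRANT_SECONDS = 3600  # assumed ceiling on how long an elevation may last

class PrivilegedAccessBroker:
    """Toy just-in-time privilege broker (example, not a product). Elevation
    is requested per task, approved by someone else, limited to named
    permissions, time-boxed, and every decision is written to an audit log."""

    def __init__(self):
        self.pending = {}   # request id -> (user, permissions, seconds)
        self.grants = []    # active (user, permissions, expires_at, approver)
        self.audit = []     # (event, user, detail) tuples
        self._next_id = 1

    def request(self, user, permissions, seconds, mfa_verified):
        """Rules: MFA is enforced; duration is capped; scope is explicit."""
        if not mfa_verified:
            return self._log("denied", user, "mfa not verified")
        if seconds > MAX_GRANT_SECONDS:
            return self._log("denied", user, "duration exceeds maximum")
        rid, self._next_id = self._next_id, self._next_id + 1
        self.pending[rid] = (user, frozenset(permissions), seconds)
        self._log("requested", user, "%d: %s for %ds" % (rid, sorted(permissions), seconds))
        return rid

    def approve(self, rid, approver, now):
        """Case-by-case approval; the requester cannot approve their own request."""
        user, perms, seconds = self.pending[rid]
        if approver == user:
            return self._log("denied", user, "self-approval is not allowed")
        del self.pending[rid]
        expires_at = now + seconds
        self.grants.append((user, perms, expires_at, approver))
        self._log("activated", user, "%s until t=%d by %s" % (sorted(perms), expires_at, approver))
        return expires_at

    def is_allowed(self, user, permission, now):
        """Allow only an in-scope permission on an unexpired grant."""
        ok = any(u == user and permission in p and now < exp
                 for u, p, exp, _ in self.grants)
        self._log("check", user, "%s: %s" % (permission, "allow" if ok else "deny"))
        return ok

    def review(self, now):
        """Periodic membership review: prune expired grants, report who holds what."""
        self.grants = [g for g in self.grants if now < g[2]]
        return {u: sorted(p) for u, p, _, _ in self.grants}

    def _log(self, event, user, detail):
        self.audit.append((event, user, detail))  # returns None so callers can deny
```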

Identity and access management best practices

Perhaps the most important of all identity and access management best practices is the principle of least privilege. As a best practice for managing applications, PoLP gives minimal access to any user or component, and only increases those privileges when explicitly instructed to do so by an administrator.

With PoLP as your guiding principle, here are some other identity and access management best practices to implement for your company.

Create individual users

Some organizations find it easier to create one username and password per platform or vendor. A marketing team, for instance, will share credentials to the company’s social media accounts with the advertising agency so that everyone working on the campaign can access analytics and results. This dilutes an administrator’s ability to manage security protocols and keep information safe. Instead, create individual credentials and manage user access on a granular level to prevent the risk of insider threat.

Require strong passwords

Every user should adhere to the password guidelines set forth by the National Institute of Standards and Technology (NIST). Passwords should:

  • Be at least eight characters but no more than 64 characters;
  • Be allowed, but not required, to use any special characters;
  • Avoid using sequential or repetitive characters (e.g., 1234 or aaaa);
  • Restrict context-specific passwords, such as the name of the business;
  • Avoid commonly used passwords (e.g., P@ssw0rd);
  • Restrict the use of old passwords to avoid using credentials that may have been exposed in a data breach.

In addition, institute a policy that requires users in your organization to update their passwords regularly — every 90 days is a good rule of thumb.
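The NIST-style rules above, as an added Python example that is not from the article: a validator that reports which rules a candidate password breaks rather than silently accepting or rejecting it. The common-password and business-term lists, the run length of four used to detect “sequential or repetitive” characters, and the SHA-256 fingerprint for the password-history check are assumptions made for the example.

```python
import hashlib
import re

# Constructed sample lists (assumptions for this example, not from the article).
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456", "qwerty", "letmein"}
BUSINESS_TERMS = {"nightfall", "acme"}  # context-specific words to reject
RUN_LENGTH = 4  # assumed threshold for "sequential or repetitive" (1234, aaaa)

def password_hash(pw: str) -> str:
    """Fingerprint for the password-history store so old passwords are never
    kept in clear text. A real deployment would use a slow, salted hash."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

def _has_sequential_run(pw: str) -> bool:
    """True if RUN_LENGTH consecutive characters step up or down by one
    (e.g. 1234, abcd, dcba)."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - RUN_LENGTH + 1):
        window = codes[i:i + RUN_LENGTH]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def _has_repeated_run(pw: str) -> bool:
    """True if one character repeats RUN_LENGTH times in a row (e.g. aaaa)."""
    return re.search(r"(.)\1{%d,}" % (RUN_LENGTH - 1), pw) is not None

def check_password(pw: str, previous_hashes=frozenset()) -> list:
    """Return the list of violated rules; an empty list means the password
    is acceptable. Any printable character is allowed but none is required."""
    problems = []
    if not 8 <= len(pw) <= 64:
        problems.append("length must be 8-64 characters")
    if _has_sequential_run(pw):
        problems.append("contains a sequential run (e.g. 1234)")
    if _has_repeated_run(pw):
        problems.append("contains a repeated run (e.g. aaaa)")
    lowered = pw.lower()
    if any(term in lowered for term in BUSINESS_TERMS):
        problems.append("contains a context-specific word")
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if password_hash(pw) in previous_hashes:
        problems.append("reuses an old password that may already be exposed")
    return problems
```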

Use multifactor authentication

Multi-factor authentication or two-factor authentication is when a user needs to provide more than a single factor, such as a username and password, to access a platform, system, or network. This could take the form of sending a single secure sign-in code to a separate device, or asking users to provide a thumbprint or another biometric authentication factor in addition to a password.

Provide a great user experience

Gartner recommends that organizations pay as much attention to the user experience as they do to the strength of their IAM security. “Organizations should create a cohesive strategy for all external users (consumers, business customers and partners),” wrote Gartner.

IAM is only as strong as the users who follow IAM principles. When an organization makes it too difficult for an employee to access key information needed to get the job done, it encourages the use of shadow IT — applications and devices used outside the purview of the IT team. Shadow IT is often unprotected by programs like multifactor authentication and cloud DLP, rendering all the steps taken to improve IAM useless.

As you implement different tools and policies, keep your user experience in mind. Are you sacrificing your company’s productivity in the process of trying to keep your information secure? It’s a tricky balance, but a necessary one to acknowledge.

Regularly review identities, access and user privileges

Set up a regular cadence for auditing user roles and privileges across your platforms. Schedule time monthly or bi-monthly to review who has access to your Google Workspace, Slack channels, cloud storage, and platforms such as AWS. Restrict access from those who no longer use certain applications or services. Review your system and network frequently to make sure you’re never granting privileges beyond the minimum required for a person to do their job.

If this process sounds time-consuming, it is, but identity management software and identity access management tools can help.

Identity access management tools

There are a number of identity management systems and identity access management tools that can help you keep track of user roles and access. Forrester Research recommends implementing six types of IAM technology to build a comprehensive IAM approach. These are:

  1. API security: Specifically for organizations working in B2B commerce, API security can be used with single secure sign-on to manage device authorization and PII security.
  2. Customer identity and access management (CIAM): Do you provide your customers a self-service tool to securely manage their usernames and passwords? Does it integrate with a CRM?
  3. Identity analytics (IA): Tools that allow administrators to detect risky behavior using machine learning.
  4. Identity as a service (IDaaS): Defined by Forrester as “software-as-a-service (SaaS) solutions that offer SSO from a portal to web applications and native mobile applications as well as some level of user account provisioning and access request management.”
  5. Identity management and governance (IMG): Tools that govern the overall “identity lifecycle.”
  6. Risk-based authentication (RBA): These IAM tools assess how “risky” a user’s activity is, and then trigger additional security measures like 2FA for those deemed high-risk.

There are dozens of IAM vendors that fall into these six categories. Depending on the size of your business and the type of information you wish to protect, you may be able to use one tool to meet the goal of multiple types of IAM software.

For instance, Nightfall is a cloud data loss prevention solution that leverages machine learning to scan your IaaS and SaaS environment using more than 150 detectors. Administrators can set up notifications to let users know when they’ve shared data in risky ways within your cloud applications. Set up granular user access rules with our detection engine, and you can also use our developer platform to set up custom scans for any cloud SaaS or IaaS platform. Any piece of data that needs protecting from insider threat is covered with Nightfall.

This guide covers the basics of identity access management. For more info and to learn how IAM fits into other security protocols, read our complete Security Playbook for Remote-first Organizations.

Learn more about Nightfall by scheduling a demo at the link below.
