How to implement identity and access management (IAM) effectively in your business

As more organizations move to an identity-first approach to security, their focus is shifting away from traditional controls towards implementing identity and access management (IAM) tools. 

With this in mind, it’s no surprise that analyst firm Gartner cited IAM as one of 2024’s top six cyber security trends, alongside approaches such as human-centric security design and continuous threat exposure management (CTEM).

The need for IAM tools continues to rise alongside credential compromises, with stolen and exposed credentials identified as the biggest cloud security risk in 2024 in a recent report by the managed detection and response firm Expel. 

“There’s a saying that goes hackers don’t need to hack into your system, they just log in to your system,” says Mark Child, associate research director at analyst firm IDC.

The threat has clearly been recognized by cyber security leaders, as access management (AM) attracts the third-largest spend in the security software market according to Gartner.

“It’s like Oscar’s night, with light bulbs popping all around as people recognize that they need to invest more in IAM,” says Michael Kelley, senior director analyst at Gartner Client Service Group. “In a recent survey of 300 leaders, 70% said they’re increasing spend across the board; that’s identity governance and management (IGA), privileged access management (PAM), and AM,” he notes.

Identity is the new security perimeter

IAM should be front of mind for any chief information security officer (CISO), as many experts consider identity the new security perimeter. One of its key benefits is reducing the potential gaps in visibility or control that hackers might try to exploit, as well as the impact of poor password hygiene by workers.

Identity-based cyber attacks are on the rise and proper IAM implementation can play a crucial role in stemming this simple attack vector altogether. This is a multi-pronged fight, with some IAM vendors advocating for greater identity controls alongside traditional methods and others advancing the end of passwords through alternatives such as passkeys and biometrics.

“Humans are increasingly the weakest link when it comes to security, whether that’s down to weak and reused passwords or our susceptibility to social engineering tactics,” says Merritt Maxim, VP research director at analyst firm Forrester. “For that reason, companies need to have stronger controls around their identities because that’s often where security incidents begin.”

First steps to implement IAM

When it comes to integrating new IAM tools into your business, Maxim believes the first step should be undertaking a thorough cloud audit and wider inventory check of your organization's assets and applications. This includes your user identities, as you may find a number of users and assistants are no longer active employees.

“These ‘orphaned’ accounts represent a real risk to the system and you’ll achieve a lot by cleaning these up,” he says. “Once you understand your inventory, then you can begin to put new IAM tools in place.”
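
As an added illustration of the inventory step described above (not code from the article or from any vendor it mentions), the following sketch reconciles an identity-directory export against an HR roster to flag enabled accounts that no longer map to an active employee. The CSV column names and the sample records are constructed assumptions.

```python
import csv
import io

# Constructed sample data (assumed formats): an HR roster and a directory export.
HR_ROSTER = """employee_id,email,status
1001,ana@example.com,active
1002,ben@example.com,terminated
1003,chi@example.com,active
"""

DIRECTORY_EXPORT = """username,owner_email,enabled
ana,Ana@Example.com,true
ben,ben@example.com,true
ben-admin,ben@example.com,true
chi,chi@example.com,true
dev-temp,,true
old-contractor,dan@example.com,false
"""


def _norm(value):
    """Normalise an email or flag so case and whitespace do not hide a match."""
    return value.strip().lower()


def find_orphaned_accounts(hr_csv, directory_csv):
    """Return (username, reason) for each enabled account with no active owner."""
    active = {
        _norm(row["email"])
        for row in csv.DictReader(io.StringIO(hr_csv))
        if _norm(row["status"]) == "active"
    }
    findings = []
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        if _norm(acct["enabled"]) != "true":
            continue  # already disabled, so it cannot be used to log in
        owner = _norm(acct["owner_email"])
        if not owner:
            findings.append((acct["username"], "no owner recorded"))
        elif owner not in active:
            findings.append((acct["username"], "owner is not an active employee"))
    return findings


if __name__ == "__main__":
    for username, reason in find_orphaned_accounts(HR_ROSTER, DIRECTORY_EXPORT):
        print(f"{username}: {reason}")
```

Accounts with no recorded owner are reported separately because they cannot be tied to any employee at all and need a manual ownership decision before clean-up.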

It’s imperative that leaders lay the foundations rather than go for a quick fix, says Kelley, who often uses the analogy of a rollercoaster with his clients. 

“First you have to build the track; the foundation of access, which in this case is the identity governance administration and privileged access management. Then people can get in the car and ride the rollercoaster,” he says. “If you skip over the foundations, what tends to happen is inappropriate access, which opens the company up to a lot of different problems in the future.”

Implementing IAM: No need to “boil the ocean”

The key thing with any identity-related initiative is to try not to “boil the ocean”, says Merritt.

When it comes to going ahead with digital transformation or any new technological implementation, he recommends starting small – identifying perhaps four or five of the most widely-used applications. From here, leaders can work closely with those application teams to build and launch the integrations.

These early wins will help to build momentum internally for other projects down the line. 

“You might pick one technology, say single sign-on (SSO) or multi-factor authentication (MFA), and do a phased approach by department or region, using the lessons learned from each mini-deployment to make the subsequent ones more successful. It doesn’t matter where you start, just as long as you keep going,” he says. 

Implementing IAM: Pick your provider wisely

It’s also important to choose your cyber security vendor wisely, comparing the market and what each platform or suite of tools offers. Leaders should also seek to answer basic questions such as:

  • Does it have all the components and capabilities your organization needs, or will you need to go to multiple suppliers? 
  • Will it manage your environmental needs, as many businesses now have infrastructure and resources both on premise and in the cloud?
  • Can you manage the IT through a single ‘pane of glass’?
  • Does it integrate with what you’ve already got in the environment? 

All these things can be a big drain on the IT and security team’s resources if not considered in advance.

It’s also worth looking at who the providers have partnerships with across other technology segments, says Child. “Because if partnerships exist, then they’re already likely to have integrations and [application programming interfaces (APIs)] available for those.” 

Implementing IAM: Using data to win in the boardroom

For integrations to be successful, you’re going to need buy-in – both at the board level and from employees in general – as one of the biggest challenges for success is cultural resistance and a fear of breaking something that fundamentally works. 

Strategically, one of the key things is to engage with the board and senior management to ensure they understand the value of what you’re trying to achieve.

It’s still a challenge for many security teams to get the boardroom to understand cyber risk and how it relates to business risk, with some cyber security leaders reporting senior pressure to downplay the seriousness of cyber risks within their organization. Child recommends you approach these individuals with a data-driven business case that will resonate with them. 

“Ask things like what’s the regulatory penalty if sensitive data is leaked due to an identity-related breach, or what happens if your company’s intellectual property is leaked? Do you lose your competitive advantage or even customers?

“You need the board onboard, but you also need champions throughout the organization,” he continues. “These will support new IAM rollouts and ensure people don’t try to find workarounds that not only undermine the project but also potentially worsen security.”

Implementing IAM: Not a spectator sport

It’s an exciting time for IAM: while the concept may have been around for many years, we’re currently seeing very innovative ideas and technologies emerging in this area. For those who’ve only dipped their toe in the water, or not yet even arrived at the pool, the breadth of options can feel overwhelming, but it’s important not to shy away from embracing these tools.

IAM enables a company to survive and thrive, says Kelley, and businesses simply can’t stand by as spectators. 

“You have to be moving down this path, it’s something you can’t ignore,” he says. “Even if you have just one application that embraces IAM, then make that available to users, and start learning how this new world works,” he concludes. 

Keri Allan
