
Identity and access management connects authenticated users to the resources they need

when they need them. A solid IAM setup minimizes the risk of data breaches and makes life
much harder for cyber attackers. This makes it a critical security tool for all modern
businesses.

To function properly, IAM systems need maintenance. That's where IAM assessments enter
the picture. This article will discuss what IAM assessments are, why they are useful, and how
to carry them out.

What is an IAM assessment?
An IAM assessment seeks to evaluate access control and authorization processes. The
assessment considers governance, security, and identity management issues. It identifies any
gaps or areas of improvement. And it provides a roadmap for better IAM practices in the
future.

The core aims of an IAM assessment include:

- Clearly explaining access management best practices.
- Making IAM solutions more effective across the entire organization.
- Controlling all aspects of IAM strategy. This includes remote access, legacy systems, cloud, and on-premises assets.
- Ensuring data protection is as robust as possible.

Why does your business need an IAM assessment?
IAM assessments are necessary because data is constantly under threat. Credential theft
and unauthorized access are the major sources of data breaches. Poor access management
policies provide an open door for hackers.

Over time, IAM systems tend to become disordered and outdated. Attack vectors evolve
every week. Hackers may compromise the credentials of privileged accounts. Network
identities can change, creating new ways to access confidential data.

IAM assessment benefits
A well-executed IAM assessment delivers various critical benefits for your security posture.
These benefits go beyond just improving access control, and include:

- Managing the strategic direction to achieve IAM maturity. Assessing IAM solutions allows companies to understand how network access works, and how to counter urgent risks.
- Prioritizing critical tasks. Not all assets or users have the same risk profile. A good IAM assessment establishes priority tasks to protect sensitive data.
- Spreading good IAM practices across the entire organization. Assessments generate policies that are disseminated to all stakeholders. This drives security improvements in all areas.
- Detecting security weaknesses and areas to address. Vulnerabilities can appear at any time. Only regular IAM assessment processes can detect poorly secured entry points or over-privileged users.
- Better security for data. Access control is the first step in guarding confidential data.
- Change management. IAM can be used to grant permissions to change managers, who, in turn, make sure that only legitimate IT infrastructure changes can take place.
- Compliance benefits also flow from a solid IAM assessment. Assessments improve security controls and generate evidence to prove compliance.

IAM assessment phases

The IAM assessment process can be broken down into five separate areas: who, what, when,
where, and how. Let's quickly explore how the five sections work.

IAM assessment: who

Assessors must determine which users have access to which resources. Knowing who is
using the network is the first stage in understanding how to secure data and applications. This
is not a simple task and requires careful analysis of the organization's network environment.

The term "user" includes employees (with both regular and privileged access). But it can also
encompass IoT devices, service accounts, third-party partners, applications, and even clients.
Every user has their own profile. This details the resources they require, and the privileges
needed to access them.

IAM assessment: what

The second part of assessing IAM solutions is understanding what assets need protection.
What physical infrastructure or applications are users connecting to?

Document what these resources are, but also how they are used. This allows assessors to
discover patterns of use. They can also map assets to uncover security gaps – such as
over-privileged accounts with excessive access to private client data.

The "what" phase also includes current IAM tools and other elements of your security
posture. Assessment teams must establish whether legacy systems deliver robust security, and
how they can be improved.

Time also needs to feature in this section of the assessment. Will the mix of applications
change in the future, and will expansion create new access control risks?

IAM assessment: where

This section of the assessment covers how users connect to network assets. This is
important because traditional on-premises networking rarely applies in the modern economy.
Employees routinely connect remotely from home or public access points. Remote
connections to cloud portals may also bypass existing IAM controls.

IAM assessment teams must identify remote work locations and out-of-office identities. If
they know "where" users are, security teams can apply appropriate access controls and user
privileges.

IAM assessment: when

Understanding when users connect to network assets is another critical part of assessing an
IAM program. Users tend to have consistent usage patterns reflecting their working
schedules. This creates a digital fingerprint. If usage patterns change, this may provide
evidence of illegitimate access.
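The "digital fingerprint" idea above can be turned into a simple detective check: learn the hours at which each user normally authenticates successfully, then flag logins in a review period that fall outside that window, or that come from an identity with no history at all. The script below is an added illustration, not code from the original article; the log lines, user names and the one-hour tolerance are constructed for the example, and a production version would baseline per weekday over several weeks and add source network and device as further dimensions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not real data): "ISO timestamp,user,result".
# The first set stands in for a known-good history, the second for the period under review.
BASELINE_LOG = """\
2024-03-04T08:55:12,alice,success
2024-03-04T17:40:03,alice,success
2024-03-05T09:02:48,alice,success
2024-03-05T18:10:30,alice,success
2024-03-06T08:47:19,alice,success
2024-03-04T22:15:00,bob,success
2024-03-05T23:05:41,bob,success
2024-03-06T22:30:09,bob,success
"""

REVIEW_LOG = """\
2024-03-11T09:01:05,alice,success
2024-03-12T02:37:44,alice,success
2024-03-11T22:48:12,bob,success
2024-03-12T10:15:00,bob,success
2024-03-12T03:00:00,carol,success
2024-03-12T03:05:00,carol,failure
"""


def parse_events(text):
    """Parse the CSV-like lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def build_baseline(events, tolerance_hours=1):
    """Per-user set of hours of day at which successful logins were seen,
    widened by +/- tolerance_hours so a slightly early start is not an alert."""
    hours = defaultdict(set)
    for ts, user, result in events:
        if result != "success":
            continue
        for delta in range(-tolerance_hours, tolerance_hours + 1):
            hours[user].add((ts.hour + delta) % 24)
    return dict(hours)


def find_anomalies(baseline, events):
    """Return (user, timestamp, reason) for each successful login that falls
    outside the user's usual hours, or belongs to a user with no history at all."""
    findings = []
    for ts, user, result in events:
        if result != "success":
            continue  # failed attempts are a separate review; this check is about pattern changes
        if user not in baseline:
            findings.append((user, ts.isoformat(), "no usage history for this user"))
        elif ts.hour not in baseline[user]:
            findings.append((user, ts.isoformat(), f"login at {ts.hour:02d}:xx is outside usual hours"))
    return findings


def run_review():
    """Build the baseline from history and review the newer events against it."""
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return find_anomalies(baseline, parse_events(REVIEW_LOG))


if __name__ == "__main__":
    for user, when, reason in run_review():
        print(f"{when}  {user:<8} {reason}")
```

Run as-is, the review flags alice's 02:37 login, bob's daytime login (his history is all late evening) and carol's first-ever login; alice's 09:01 and bob's 22:48 logins match their fingerprints and are silent. Each finding is a prompt for an analyst to confirm with the user, not a verdict on its own.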

IAM assessment: how

The fifth aspect of assessing IAM involves analyzing the composition and effectiveness of
existing identity and access management systems. In other words, "how" companies meet
their IAM compliance requirements.

Assessments should consider how current technology is meeting IAM requirements. But they
also need to consider future investments. Will IAM systems continue to meet business goals?
Can improvement actions deliver better security?

Strategy also comes into this part of the process. Assessors need to make sure security
policies reflect existing IAM systems. They need to ensure policies, technology, and
procedures match compliance aims. If not, new policies and action plans are required.

Identity and access management audit checklist
When you carry out an identity and access management assessment, covering every area is
important. This brief audit checklist provides a useful guide to ensure comprehensive
coverage:

1. Focus on your security policy

Use the assessment to revisit and improve your security policy. Your IAM security policy
should reflect current technology or any IAM systems you intend to implement. It delivers
formal procedures to manage identities and secure your network assets. And it should make
responding to security incidents much easier.

2. Assign responsibilities clearly

Clearly define who is responsible for aspects of identity and access management. This might
include:

- Managing federated identities
- Offboarding accounts
- Checking admin privileges
- Quality-checking data governance.

An identity and access management (IAM) audit checklist helps organizations ensure that
their IAM processes and controls are effective, secure, and compliant with industry standards
and regulations. While every organization may have unique requirements, here is a general
IAM audit checklist that can serve as a starting point:

1. Governance and Policy:
   o Review IAM policies, procedures, and documentation.
   o Assess the effectiveness of the IAM governance framework.
   o Verify that IAM roles and responsibilities are defined and communicated.
2. User Provisioning and Lifecycle Management:
   o Evaluate the process for creating, modifying, and disabling user accounts.
   o Check if access rights are granted based on job roles and responsibilities.
   o Assess the effectiveness of user account termination and deprovisioning.
3. Authentication and Authorization:
   o Review the authentication mechanisms in place (passwords, multi-factor authentication, etc.).
   o Evaluate the effectiveness of password policies and controls.
   o Assess the authorization process for granting access to resources.
4. Access Controls:
   o Review access control lists (ACLs) and permissions for sensitive systems and data.
   o Verify that access controls are based on the principle of least privilege.
   o Assess the effectiveness of segregation of duties (SoD) controls.
5. Privileged Access Management:
   o Review processes for managing privileged accounts (admin, root, etc.).
   o Assess controls for privileged access request, approval, and monitoring.
   o Verify that privileged sessions are logged and regularly reviewed.
6. Identity Federation and Single Sign-On (SSO):
   o Evaluate the implementation and security of SSO solutions.
   o Review trust relationships with identity providers (IdPs).
   o Assess the effectiveness of identity federation controls.
7. User Awareness and Training:
   o Evaluate user awareness programs related to IAM best practices and security.
   o Assess the effectiveness of user training on secure authentication practices.
   o Verify that users understand their responsibilities regarding access management.
8. Audit Logging and Monitoring:
   o Review logs and monitoring mechanisms for IAM-related activities.
   o Assess the effectiveness of log collection, analysis, and alerting.
   o Verify that critical IAM events are logged and regularly reviewed.
9. Compliance and Reporting:
   o Assess the organization's compliance with relevant regulations (e.g., GDPR, HIPAA).
   o Verify the availability and accuracy of IAM-related reports.
   o Evaluate processes for conducting periodic access reviews and audits.
10. Incident Response and Remediation:
   o Review the organization's incident response plans for IAM-related incidents.
   o Assess the effectiveness of incident detection, response, and recovery processes.
   o Verify that security incidents related to IAM are promptly investigated and remediated.

SailPoint IAM Audit

March 3, 2023 • 3 minute read

While Identity and Access Management (IAM) systems come standard with many
components to streamline processes, there are a few recommended additions for safeguarding
your organization against vulnerabilities. This identity and access management checklist will
ensure you are best prepared to create efficient workflows, equip team members, and keep
your critical assets secure.  

Publish an IAM policy
First things first, make sure you have an IAM policy published and updated. The policy is a
defined set of actions and rules to help people within your organization streamline operations.
Having one on file will make it easier for team members to make decisions and can be used
as a reference if need be.  

Create Role-Based Access Controls (RBAC)
Role-based access enables administrators to assign permissions to users according to their
granular entitlements. This process does not dictate whether users can access a given
application, but rather what users can do within it. A role, often not position-relevant, grants
the same set of permissions to all users who have that role. An administrator (in any
department), for example, can view activity and analytics but won’t have the authorization or
ability to edit or perform tasks. Users may change, but the role and permissions assigned to
that role do not. Of course, you can still define, change, or remove roles as needed—and all at
scale.  

Automate the access lifecycle
At this point in technological innovation, automation is near synonymous with efficiency.
Automating the access lifecycle with provisioning and deprovisioning processes (the
assignment and removal of permissions) eliminates the more time-consuming manual
processes of access authorization while significantly reducing error. This approach to
lifecycle management streamlines onboarding—ensuring that users immediately have access
to the tools they need to perform their position duties—and supports both offboarding and
ongoing efforts by decommissioning credentials for those who no longer have access
approvals. In this way, automation is not only efficient but secure. 

Enable secure access to applications
Establishing secure user access to applications is integral to an efficient IAM system and
overall organizational security. The most popular means of accomplishing this are
Two-Factor Authentication (2FA), Single Sign-On (SSO), and Multi-Factor Authentication
(MFA).

Each is considered a best practice for authentication as they bolster security efforts while
creating a user-friendly experience. For 2FA and MFA, users must provide two or more
authenticating factors to gain access (e.g., password, authenticator app, fingerprint scan, etc.).
Whereas, for SSO, users need only enter one set of credentials to access multiple
domain-connected applications. As they differ in function and implementation, one may be
operationally best depending on the organizational need or preference.

Separation of duties
Foundational for any IAM solution, implementing separation of duties (SoD) ensures that no
one user retains control of more than one business operation in a given process. Operating
within role-based access, SoD is inherently compliant, as it eliminates the possibility of
single-source control of digital assets by any one user or account (e.g., accounting,
management, etc.). With built-in permissions and accountability, organizations mitigate the
risk of user-inflicted, often irreparable, damage. 
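The RBAC section above (users bound to roles, roles bound to permissions) and this SoD section, together with item 4 of the audit checklist, describe one model: authorization is decided through roles, and SoD is a set of rules over the permissions those roles confer. The following is an added example, not SailPoint's code or anything from the original article; the roles, permissions, identities and conflict pairs are hypothetical and constructed for illustration. It shows both halves of the control: a detective check that lists every identity whose effective permissions break a rule (however the conflict was assembled across roles), and a preventive check that simulates a role grant and refuses it when it would create a conflict.

```python
# Constructed role model: hypothetical roles, permissions and identities, not taken from
# the page or from any product. Permissions are strings; a role is a named set of them.
ROLE_PERMISSIONS = {
    "ap_clerk":    {"invoice.create", "vendor.create"},
    "ap_approver": {"invoice.approve", "payment.release"},
    "auditor":     {"ledger.read", "report.view"},
    "admin":       {"user.create", "role.assign", "report.view"},
}

# Identities are bound to roles, never to permissions directly (the RBAC point in the text).
USER_ROLES = {
    "dana":  {"ap_clerk"},
    "erin":  {"ap_approver"},
    "frank": {"ap_clerk", "ap_approver"},  # constructed toxic combination
    "gus":   {"auditor"},
}

# Separation-of-duties rules: pairs of permissions no single identity may hold together.
SOD_RULES = [
    ("vendor.create", "payment.release"),   # create a payee and pay it
    ("invoice.create", "invoice.approve"),  # submit and approve the same invoice
    ("role.assign", "payment.release"),     # grant oneself access and move money
]


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def is_allowed(user, permission, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Authorization decision: the user may act only through a role that grants it."""
    return permission in effective_permissions(user, user_roles, role_perms)


def sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Detective control: list (user, perm_a, perm_b) for every rule a user's
    effective permissions break, however the conflict was assembled across roles."""
    violations = []
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, role_perms)
        for a, b in rules:
            if a in perms and b in perms:
                violations.append((user, a, b))
    return violations


def check_assignment(user, new_role, user_roles=USER_ROLES,
                     role_perms=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Preventive control: simulate granting new_role and return the SoD conflicts
    it would create for that user; an empty list means the grant is safe."""
    trial = {u: set(r) for u, r in user_roles.items()}
    trial.setdefault(user, set()).add(new_role)
    return [v for v in sod_violations(trial, role_perms, rules) if v[0] == user]


if __name__ == "__main__":
    print("dana may create invoices:", is_allowed("dana", "invoice.create"))
    print("dana may approve invoices:", is_allowed("dana", "invoice.approve"))
    for user, a, b in sod_violations():
        print(f"SoD violation: {user} holds both {a} and {b}")
    print("granting dana ap_approver would create:", check_assignment("dana", "ap_approver"))
    print("granting gus admin would create:", check_assignment("gus", "admin"))
```

Note that frank holds two individually sensible roles; the conflict only exists in their union, which is why SoD must be evaluated over effective permissions rather than over role names, and why the preventive check belongs in the provisioning path described under "Automate the access lifecycle".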

Audit accounts and users
For improved compliance, conduct a frequent audit of system accounts and users. Audits start
by taking inventory—identifying privileged accounts and users, removing unnecessary or
inactive accounts, and reviewing/tracking the permissions for active users. A complete audit
includes monitoring current activity, analyzing historical usage and reports, and establishing
administrator alerts to risky user behaviors. With the right auditing workflow, compliance is
easy to maintain and consistently achieve.  
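The inventory steps above (identify privileged accounts, remove unnecessary or inactive ones, review permissions of the rest) are mechanical enough to script against an export of the directory. The check below is an added example, not code from SailPoint or the original article; the account records, the set of roles treated as privileged, the 90-day inactivity limit and the fixed review date are all constructed for the illustration. It produces the review list an administrator would work through: dormant accounts still enabled, privileged human accounts without MFA, disabled accounts that still carry privileged roles, and accounts that were provisioned but never used.

```python
from datetime import date, timedelta

# Constructed review parameters (assumptions for the example, not from the page).
PRIVILEGED_ROLES = {"admin", "domain_admin", "db_owner"}
INACTIVITY_LIMIT = timedelta(days=90)
AS_OF = date(2024, 6, 1)  # fixed review date so the example is deterministic

# Constructed directory export: name, type, enabled flag, last interactive login
# (None = never), MFA enrolment, and the roles held.
ACCOUNTS = [
    {"name": "alice",        "type": "user",    "enabled": True,  "last_login": date(2024, 5, 30), "mfa": True,  "roles": {"staff"}},
    {"name": "bob",          "type": "user",    "enabled": True,  "last_login": date(2024, 1, 15), "mfa": True,  "roles": {"staff"}},
    {"name": "carol",        "type": "user",    "enabled": True,  "last_login": date(2024, 5, 28), "mfa": False, "roles": {"admin"}},
    {"name": "svc-backup",   "type": "service", "enabled": True,  "last_login": date(2024, 5, 31), "mfa": False, "roles": {"db_owner"}},
    {"name": "dave",         "type": "user",    "enabled": False, "last_login": date(2023, 11, 2), "mfa": True,  "roles": {"domain_admin"}},
    {"name": "contractor-1", "type": "user",    "enabled": True,  "last_login": None,              "mfa": False, "roles": {"staff"}},
]


def is_privileged(account):
    """An account is privileged if any of its roles is in the privileged set."""
    return bool(account["roles"] & PRIVILEGED_ROLES)


def privileged_accounts(accounts):
    """Step one of the audit: the inventory of privileged identities, human or not."""
    return [a["name"] for a in accounts if is_privileged(a)]


def audit_accounts(accounts, as_of=AS_OF, inactivity_limit=INACTIVITY_LIMIT):
    """Return (account, finding) pairs for the conditions a reviewer should act on."""
    findings = []
    for a in accounts:
        if a["enabled"]:
            if a["last_login"] is None:
                findings.append((a["name"], "never-used account still enabled"))
            elif as_of - a["last_login"] > inactivity_limit:
                days = (as_of - a["last_login"]).days
                findings.append((a["name"], f"inactive for {days} days"))
            # Service accounts cannot satisfy an interactive MFA prompt, so the
            # MFA finding is limited to human accounts; the service account still
            # appears in the privileged inventory for its own credential review.
            if is_privileged(a) and a["type"] == "user" and not a["mfa"]:
                findings.append((a["name"], "privileged user account without MFA"))
        elif is_privileged(a):
            findings.append((a["name"], "disabled account still holds privileged roles"))
    return findings


if __name__ == "__main__":
    print("Privileged accounts:", ", ".join(privileged_accounts(ACCOUNTS)))
    for name, finding in audit_accounts(ACCOUNTS):
        print(f"{name:<13} {finding}")
```

Keeping the review date and thresholds as parameters means the same script can be re-run each cycle and its output diffed against the previous run, which is the evidence trail the "Document everything" section below asks for.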

Document everything
A crucial part of compliant operations is documentation. By monitoring, recording and
organizing all user activity, your organization has the ability to address issues head on, with
the data to contribute for resolving any dispute. Documentation also proves helpful when
confronted with a situation that has occurred before. Searchable and accurate records allow
teams to repeat or revise processes that will lead to the most successful outcome.  

Wrapping up
After checking each of the boxes – publishing an IAM policy, creating role-based access
controls, automating the access lifecycle, enabling secure access to applications,
implementing separation of duties, auditing your accounts and users, and documenting – your
organization’s IAM security will be in tip-top shape.

If you need any help deciding on an IAM provider, find out how SailPoint can help you.  
