
8 identity management best practices to have in place

By Jeff Reich

April 19, 2023

Identity breaches continue to be disclosed at a staggering rate, and organizations that don't already have identity management best practices in place are behind the curve. Last year, IDSA’s Trends in Security Digital Identities showed that 84% of respondents had experienced an identity-related breach in the past year, and 96% indicated that they could have prevented or minimized the breach by implementing identity-focused security outcomes. That is why it is critical for organizations to protect the digital identities of everyone they work with, including employees, contractors, third parties, customers, consumers and machines. They can do this by following the best practices outlined below, which have been developed by technology vendors and security providers who understand the importance of identity-centric security. Security leaders can enable and enforce many of these best practices through multi-factor authentication (MFA) and other identity and access management (IAM) tools.

1. Find the assets and identity sources

Today, infrastructure, applications, directories and networks are widely dispersed across on-premises and disparate cloud environments. If security leaders want to secure their organization’s assets, they need to know what the assets are and where they are located. There is simply no way to protect assets of which they are unaware.

2. Define identity ownership

It’s a truism that what gets measured gets managed, so define the individual or entity that is responsible for creating, removing, maintaining and securing any identity associated with the organization. Include these four broad categories of identities when deciding who owns the identities: 

  1. Employees
  2. Contingent workers, contractors or third-party identities
  3. Machine identities, which include bots, application-to-application accounts, robotic process automation (RPA), and built-in IaaS accounts
  4. Customers or clients

Workforce and customer identity solutions are converging, so organizations should make sure the IAM deployment can handle these diverse types of identities. Each identity type has unique needs that can only be met after classifying the distinct types and their requirements.

3. Use unique identifiers

In the directory, make sure that every human and non-human identity is unique. Establish and use identifiers regardless of the relationship of the identity to the organization. For example, security leaders need to maintain the unique identifier if a contractor becomes a full-time employee or an employee leaves and later returns to the organization.

Creating and maintaining a unique identifier for each identity allows an organization to maintain a trail of activity for each identity. If the identifier is changed, it becomes much harder to track identity activity. It also makes identity management more complex than necessary and can negatively impact audits and regulatory compliance.

4. Create a source of trusted identity data

Identity is critical to making decisions about when to grant access to applications and data, so security leaders need to have authoritative sources for identity data. This data helps make informed decisions about user access, such as what level of access is appropriate to provision and when they need to enable or disable that access. Leaders need to be able to trust the identity data consistently throughout the identity’s lifecycle. This includes employee data, third-party vendors, guests and IoT devices, among other identities. The authoritative identity data requires proactive collection and maintenance by trusted parties, continuous validation to ensure data is accurate and up to date and storage in a secure, accessible and searchable repository.

5. Automate provisioning and deprovisioning

Security leaders can manage identities better if they automate the provisioning and deprovisioning of access to resources and data by using lifecycle events, such as when an employee joins the company, moves to a different department, or leaves for an outside role. Granting and revoking access to resources and data is an essential part of business operations and enterprise security. Manual processes inevitably leave opportunities open for attackers to compromise the system, so automate it and tie it to the authoritative source.
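
An added example, not from the article or any IAM product, that ties practices 3 to 5 together: a reconciliation pass that matches directory accounts to the authoritative source by immutable identifier and emits the provisioning and deprovisioning steps for joiners, movers, leavers, returners and orphaned accounts. The record fields, ids and department-to-group mapping are assumptions.

```python
from collections import namedtuple

# Constructed sample data: field names, ids and the department-to-group
# mapping are assumptions for this example, not taken from any product.
# identity_id is immutable and survives rehire or contractor conversion.
SourceRecord = namedtuple("SourceRecord", "identity_id department active")
Account = namedtuple("Account", "identity_id enabled groups")
DEPT_GROUPS = {"finance": {"erp-users"}, "engineering": {"git-users", "ci-users"}}

def reconcile(source, accounts):
    """Return (action, identity_id, groups) steps that align the directory."""
    src = {r.identity_id: r for r in source}
    acc = {a.identity_id: a for a in accounts}
    actions = []
    for iid in sorted(src.keys() | acc.keys()):
        rec, account = src.get(iid), acc.get(iid)
        if rec is None or not rec.active:
            # Leaver, or orphan account with no authoritative record: disable.
            if account is not None and account.enabled:
                kind = "disable" if rec is not None else "disable_orphan"
                actions.append((kind, iid, ()))
            continue
        wanted = DEPT_GROUPS.get(rec.department, set())
        if account is None:                        # joiner
            actions.append(("create", iid, tuple(sorted(wanted))))
            continue
        if not account.enabled:                    # returner keeps the same id
            actions.append(("enable", iid, ()))
        for g in sorted(account.groups - wanted):  # mover: remove old access
            actions.append(("revoke", iid, (g,)))
        for g in sorted(wanted - account.groups):
            actions.append(("grant", iid, (g,)))
    return actions

SOURCE = [
    SourceRecord("id-1001", "engineering", True),   # ex-contractor, same id
    SourceRecord("id-1002", "finance", False),      # leaver
    SourceRecord("id-1003", "finance", True),       # mover from engineering
    SourceRecord("id-1004", "engineering", True),   # joiner
]
ACCOUNTS = [
    Account("id-1001", True, {"git-users", "ci-users"}),
    Account("id-1002", True, {"erp-users"}),
    Account("id-1003", True, {"git-users", "ci-users"}),
    Account("id-9999", True, {"erp-users"}),        # orphan: no owner on record
]

if __name__ == "__main__":
    for step in reconcile(SOURCE, ACCOUNTS):
        print(step)
```

The converted contractor `id-1001` produces no action because its identifier never changed, so its account and activity trail carry over intact.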

6. Manage privileged access 

A privileged access management solution helps security leaders secure access to critical assets. During an authentication event, they have greater assurance that they understand the request based on the access profile of the user, how sensitive the resource or data requested is and what level of elevated permissions is being requested. Security leaders can (and should) also increase protection by applying multi-factor authentication (MFA) to privileged access and continuously discovering privileged access. Attackers frequently leverage compromised identities to gain access to protected systems, moving laterally to gain elevated permissions. In this way, they can use a weak identity to gain access to resources that ought to be protected by otherwise strongly controlled privileged access accounts.

7. Establish a governance program and processes

Management of identity and access is essential, so make sure to establish a cross-functional team that oversees adherence to the organization’s IAM processes and policies. This team should also provide methods for introducing improvements to the program and evaluating the potential impact of any IAM program changes. Because IAM deployments impact distinct groups of users in different ways, security leaders need to include different stakeholders to ensure that their needs and the implications of the program are understood. 

8. Focus on identity-centered security outcomes

Security leaders need to protect digital identities, whether human or non-human, and secure their access to enterprise data and resources. To do that effectively, they need to think in terms of security outcomes that are centered around identity. They can combine identity and access management capabilities, including authorization, authentication, identity governance and administration, with key security capabilities. Organizations base all authorization access to applications, resources and data on the identity requesting access; therefore, identity must be at the center of all access decisions.


Jeff Reich is the Executive Director of Identity Defined Security Alliance (IDSA).
