Monitoring these critical identity and access management rules helps you evaluate the performance of your IAM solution.
#1. Pay attention to data quality
An IAM solution depends on standardized identity data. If a data owner in your company steps out of line and does not transform the relevant data into the required format, the IAM solution will reach its limits even with basic functions.
#2. Inform your employees
After all, the IAM solution will affect all hierarchical levels and organizational units of your company. It is therefore essential that your employees are aware of the possibilities and limitations of the IAM solution, so that the system is actually used and provides your company with the expected benefits. So train your employees! Store IAM instructions on SharePoint! Make some noise about IAM so that your employees are interested and engaged and you get the maximum benefit from the IAM solution. Because as you know: only informed employees can make informed decisions.
#3. Focus on people, not technology
Yes, an IAM solution will bring considerable benefits to your company. But technology is only as good as the people who use it. So do not rely solely on technology. Rely on employees who want the best for your company.
#4. Do your homework
Many companies have distributed their infrastructure across multiple physical and virtual locations. Your IAM solution can only manage access to applications, shares, etc. that are at least indirectly connected via interfaces. To get the full benefit from an IAM solution it is essential that all relevant elements are known and can be integrated. A nice interface in corporate design is worth a lot - but only if the underlying systems are correct and complete.
#5. Grant your employees a little autonomy
Have you ever forgotten your password? No problem, right? Just call the ServiceDesk and it's done. Not quite: Mr. Jay Bretzmann from IDC (a market research company) estimates the cost of resetting a password at between approx. CHF 7 and CHF 70. Just calculate how many of your employees reset their password each month. You can save yourself the effort - with the right IAM solution, which enables independent password resets.
#6. Pay attention to humanity
Let us assume that you need ten different applications for your work. On each of them you have to register separately. How many passwords do you use? If you have any number under ten in your head, you are a security problem for your company. But don't worry, you won't be the only one. If one of your passwords is known, attackers can use credential stuffing to try to access other applications with that same password. A better solution would be to use a single, very strong password and access all required applications via SSO using an IAM solution.
#7. Take care of the orphans
Do not hold back those who want to leave. Part ways with employees who no longer want the best for your company. But don't forget to deactivate or delete the corresponding accounts. Orphaned accounts can be attacked, even if nobody uses them anymore.
#8. Use permissions sparingly
No, you don't want to be responsible for the new guy lounging around at the coffee machine because he doesn't yet have the permissions he needs for his job. But even less do you want to be the one who hands out too many authorizations, overprivileges users and is partly to blame when someone steals access to sensitive data.
Be stingy with permissions. If someone asks you why you are so stingy, point to the "Least Privilege" principle: an employee should be assigned only the permissions he or she needs for work, and no more. Under no circumstances should he or she be given sensitive privileges that are not justified by his or her area of responsibility.
#9. Respond promptly
The time you need to provide a new employee's authorizations is directly and negatively correlated with productivity: He cannot log in? Coffee. He cannot start application XY? Coffee. The new employee's motivation will also suffer before long. However, the same priority should be given to blocking accounts that are no longer used. As described in point seven above, orphaned accounts represent a major security risk. Surely you don't want an employee who has been dismissed without notice to have a week to do as much damage as possible to your company? No? Then you should block his account immediately!
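A reconciliation check for rules #7 and #9, as an added example that is not part of the original article: it compares an HR export with a directory account export and lists accounts that are still enabled although their owner has left or is unknown to HR. The record fields, names and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data (assumption, not from the article): an HR export and
# a directory account export as a nightly IAM reconciliation job might see them.
HR_RECORDS = [
    {"employee_id": "E001", "status": "active", "left_on": None},
    {"employee_id": "E002", "status": "terminated", "left_on": date(2024, 3, 1)},
    {"employee_id": "E003", "status": "terminated", "left_on": date(2024, 3, 7)},
    {"employee_id": "E004", "status": "terminated", "left_on": date(2024, 4, 30)},
]
ACCOUNTS = [
    {"login": "alice", "employee_id": "E001", "enabled": True},
    {"login": "bob", "employee_id": "E002", "enabled": True},       # leaver, still enabled
    {"login": "bob-vpn", "employee_id": "E002", "enabled": False},  # leaver, already blocked
    {"login": "carol", "employee_id": "E003", "enabled": True},     # left one day ago
    {"login": "dave", "employee_id": "E004", "enabled": True},      # still in notice period
    {"login": "svc-old", "employee_id": "E999", "enabled": True},   # owner unknown to HR
]

def find_orphaned_accounts(hr_records, accounts, today, max_days_open=0):
    """Return enabled accounts whose owner has left or is unknown to HR.

    days_open is the number of days the account stayed usable after the
    owner's leaving date (None when HR has no record of the owner).
    """
    hr_by_id = {r["employee_id"]: r for r in hr_records}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already blocked, nothing left to do
        owner = hr_by_id.get(acct["employee_id"])
        if owner is None:
            findings.append({"login": acct["login"], "reason": "no_hr_record",
                             "days_open": None})
        elif owner["status"] == "terminated":
            # Negative while the leaving date is still in the future.
            days_open = (today - owner["left_on"]).days
            if days_open > max_days_open:
                findings.append({"login": acct["login"], "reason": "owner_left",
                                 "days_open": days_open})
    # Unknown owners first (manual review), then longest exposure first.
    findings.sort(key=lambda f: (f["days_open"] is not None, -(f["days_open"] or 0)))
    return findings

if __name__ == "__main__":
    for finding in find_orphaned_accounts(HR_RECORDS, ACCOUNTS, date(2024, 3, 8)):
        print(finding)
```

Raising `max_days_open` models a grace period; with the default of 0, every account that outlives its owner's leaving date is reported.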
#10. Trust is good, control is better
Do you know who in your company uses each of the privileged accounts? No? Then it is best to define an owner for each account: a person in charge who always keeps an eye on who is doing what with the account. Alternatively, you can opt for a PAM (Privileged Access Management) solution: PAM regulates, registers and documents all actions performed from privileged accounts. Trust is good and necessary for a pleasant working atmosphere.