Building a Strong IAM Framework: A Guide for SMEs and Non-Profits
- Ira Goel
- Aug 25
Updated: Oct 6
Understanding the Importance of IAM
Identity and Access Management (IAM) is crucial for any organization. It safeguards sensitive data and ensures that only authorized personnel can access specific resources. Poor IAM practices can lead to severe consequences, including data breaches and compliance violations.
The Hall of Shame: What Poor IAM Looks Like
In my experience, organizations don't fall victim to sophisticated zero-day exploits as often as they do to basic, unglamorous IAM failures. These issues are often systemic and create a massive, unseen attack surface.
What are the Common Failures?
Over-Privileged Accounts: This is the cardinal sin of IAM. It happens when an employee is granted more access than they need to perform their job. Why is this a problem? If that account is compromised, the attacker gains all of its excessive permissions. A classic example is giving a marketing team member administrative access to a cloud database "just in case."
Stale and Orphaned Accounts: These are accounts that remain active after an employee leaves the company (orphaned) or changes roles (stale). They exist wherever that employee had access—cloud apps, local servers, databases. Why are they dangerous? They are unmonitored backdoors into your network, waiting to be discovered by an attacker.
Weak Authentication: This includes enforcing simplistic password policies (e.g., Password123!) and, most critically, the absence of Multi-Factor Authentication (MFA). This failure is prevalent across all systems, from email to critical infrastructure access.
Siloed Identity Management: This occurs when every application and system manages its own set of users and passwords. Why is this a risk? It's impossible to maintain a unified view of who has access to what, making offboarding and access reviews a nightmare.
No Access Reviews: This is the failure to periodically check and recertify user permissions. This should happen regularly (e.g., quarterly or annually), especially for privileged access. Without it, "privilege creep"—the gradual accumulation of unnecessary permissions—is inevitable.
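The five failures above are the kind of thing a small team can catch with a scheduled script rather than a product. The following is an added example, not code from the original post: it audits a constructed account inventory (the accounts, the role baseline per job function, the admin role names and the 90-day and one-year thresholds are all assumptions) and raises one finding per failure category. A real run would pull the accounts from the IdP and the employment status from the HR system.

```python
"""Audit a directory export for the IAM failures listed above.

Added example, not code from the original post. The account inventory,
role baselines and thresholds below are constructed assumptions; a real
run would pull accounts from the IdP and employment status from HR.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_AFTER = timedelta(days=90)      # assumed: no sign-in for 90 days
REVIEW_EVERY = timedelta(days=365)      # assumed: annual recertification
ADMIN_ROLES = {"cloud-admin", "db-admin", "global-admin"}   # assumed role names

# Assumed baseline: the roles each job function actually needs.
ROLE_BASELINE = {
    "marketing": {"crm-user", "email"},
    "dba": {"db-admin", "email"},
}


@dataclass
class Account:
    user: str
    roles: set
    last_login: Optional[date]
    employment_status: str       # "active" or "terminated", from the HR feed
    job_function: str            # current job title, from the HR feed
    mfa_type: str                # "none", "otp" or "fido2"
    last_review: Optional[date]  # when the permissions were last recertified


def audit(accounts, today):
    """Return (user, category, detail) findings for the failures in the post."""
    findings = []
    for a in accounts:
        # Orphaned: the person left but the account is still enabled.
        if a.employment_status == "terminated":
            findings.append((a.user, "orphaned", "owner has left but account is active"))
        # Dormant: an added heuristic; long-unused accounts are rarely missed.
        if a.last_login is None or today - a.last_login > DORMANT_AFTER:
            findings.append((a.user, "dormant", f"no sign-in in {DORMANT_AFTER.days} days"))
        # Over-privileged: roles beyond the job baseline. Access left over
        # from a previous role (the post's "stale" account) shows up here too.
        excess = a.roles - ROLE_BASELINE.get(a.job_function, set())
        if excess:
            findings.append((a.user, "over-privileged",
                             "roles beyond baseline: " + ", ".join(sorted(excess))))
        # Weak authentication on privileged accounts.
        if a.roles & ADMIN_ROLES and a.mfa_type != "fido2":
            findings.append((a.user, "weak-auth",
                             "privileged account without phishing-resistant MFA"))
        # No access review within the recertification window.
        if a.last_review is None or today - a.last_review > REVIEW_EVERY:
            findings.append((a.user, "no-access-review",
                             f"not recertified in {REVIEW_EVERY.days} days"))
    return findings


def categories_for(findings, user):
    """Set of finding categories raised for one user."""
    return {cat for u, cat, _ in findings if u == user}


# Constructed sample inventory (not real accounts).
TODAY = date(2025, 10, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", {"crm-user", "email", "cloud-admin"}, date(2025, 9, 30),
            "active", "marketing", "otp", date(2025, 8, 1)),
    Account("bob", {"db-admin", "email"}, date(2024, 3, 1),
            "terminated", "dba", "fido2", None),
    Account("carol", {"email"}, date(2025, 9, 29),
            "active", "marketing", "otp", date(2025, 7, 1)),
]

if __name__ == "__main__":
    for user, category, detail in audit(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:8} {category:18} {detail}")
```

In the sample data, the marketing user holding `cloud-admin` is the "just in case" grant from the post, and the terminated DBA whose account still exists is the orphaned backdoor; the script surfaces both, plus the missing phishing-resistant MFA on the admin account and the overdue review.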
Real-World Consequences: Risks and Data Breaches
A poor IAM setup isn't a theoretical problem; it's a primary catalyst for data breaches.
Risk: Privilege Escalation. An attacker compromises a low-level account and uses its excessive permissions to move laterally across the network, eventually gaining administrative control.
Data Breach Example: Capital One (2019): An attacker exploited a misconfigured web application firewall (WAF) that had over-privileged access to S3 buckets on AWS. This IAM failure allowed the exfiltration of over 100 million customer records. Proper IAM, specifically the Principle of Least Privilege, would have ensured the WAF role had no permissions to list buckets or read data, mitigating the entire attack.
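To make the least-privilege point concrete, the following added example (not code from the original post or from AWS) puts an over-privileged S3 grant next to a least-privilege one and runs a small policy check over both. Both policy documents are constructed; the account id `123456789012` and the `waf-logs` log group are placeholders. The check is deliberately simplified: it inspects only `Allow` statements and ignores `Deny` statements and `Condition` blocks, so it is a pre-deployment lint, not a full policy simulator.

```python
"""Flag over-privileged S3 access in an IAM policy document.

Added example, not code from the original post or from AWS. The two policy
documents are constructed; the account id 123456789012 and the log-group
name are placeholders. The evaluation is deliberately simplified: it looks
only at Allow statements and ignores Deny statements and Conditions.
"""
import fnmatch
import json

# Actions a WAF or reverse proxy never needs: enumerate buckets or read data.
DATA_ACCESS_ACTIONS = ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"]

# Constructed: the kind of "just in case" grant the post warns about.
OVER_PRIVILEGED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
""")

# Constructed: the same role limited to writing its own logs.
LEAST_PRIVILEGE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:waf-logs:*"}
  ]
}
""")


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and accept * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, candidates):
    """Which of the candidate actions does some Allow statement grant?"""
    granted = set()
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        for pattern in _as_list(statement.get("Action", [])):
            granted.update(a for a in candidates if _action_matches(pattern, a))
    return granted


def lint(policy):
    """Return (statement index, issue) pairs; an empty list means no finding."""
    issues = []
    for i, statement in enumerate(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            issues.append((i, "wildcard action: grants every operation of the service"))
        if "*" in resources:
            issues.append((i, "wildcard resource: applies to every bucket and object in the account"))
    readable = allowed_actions(policy, DATA_ACCESS_ACTIONS)
    if readable:
        # -1 marks a policy-wide finding rather than one statement.
        issues.append((-1, "role can enumerate or read S3 data: " + ", ".join(sorted(readable))))
    return issues


if __name__ == "__main__":
    for name, policy in (("over-privileged", OVER_PRIVILEGED),
                         ("least-privilege", LEAST_PRIVILEGE)):
        print(name, lint(policy) or "no findings")
```

Run against the first policy the check reports the wildcard action, the wildcard resource, and the fact that the role can list buckets and read objects; the second policy produces no findings because the role can only write to its own log group, which is all a WAF needs.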
The Blueprint for Success: What Good IAM Looks Like ✅
A mature IAM strategy is not a single product but a foundational security philosophy woven into your organization's fabric. It’s proactive, automated, and built on a foundation of verification.

What are the Core Pillars of Modern IAM?
Zero Trust Architecture (ZTA):
- What: Zero Trust is a security model that ditches the old "trust but verify" mindset for "never trust, always verify." It assumes that no user or device is trusted by default, regardless of whether they are inside or outside the corporate network.
- Why: It protects against modern threats where the network perimeter is no longer a reliable boundary. Every access request must be authenticated, authorized, and encrypted before being granted.
- Where: It applies everywhere: to users, devices, applications, and data flows across your entire digital estate.
Centralized Identity & Single Sign-On (SSO):
- What: Consolidating all user identities into a single, authoritative Identity Provider (IdP). SSO allows a user to authenticate once and gain access to multiple applications without re-entering credentials.
- Why: It dramatically improves user experience and gives security teams a single point of control and visibility for enforcing policies like MFA and monitoring access. It's the foundation for managing access at scale.
The Principle of Least Privilege (PoLP):
- What: Granting users the absolute minimum level of access required to perform their job functions. This is often enhanced with Just-in-Time (JIT) access, where privileged permissions are granted temporarily and for a specific task.
- Why: It minimizes the potential damage from a compromised account. An attacker who gains control of a least-privilege account is severely restricted in what they can do.
Automated Identity Lifecycle Management:
- What: Automating the entire "Joiner-Mover-Leaver" (JML) process.
  - Joiner: When a new employee starts, their accounts are automatically created with role-based access.
  - Mover: When they change roles, their old access is revoked and new access is granted automatically.
  - Leaver: When they leave, all their access is immediately and automatically de-provisioned.
- Why: Automation eliminates human error and delays, closing the critical security gap left by manual offboarding.
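What "automating JML" means in practice is a reconciliation loop: the HR system is the source of truth, and the directory is driven from it. The following is an added example, not code from the original post or from any IGA product; the role-to-entitlement matrix, the HR feed and the directory snapshot are constructed assumptions, and a real connector would push the resulting grants and revocations to the IdP instead of returning them.

```python
"""Joiner-Mover-Leaver automation driven by the HR system of record.

Added example, not code from the original post or from any IGA product.
The role-to-entitlement matrix, the HR feed and the directory snapshot are
constructed assumptions; a real connector would read the HR feed and push
the resulting grants and revocations to the IdP.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed role matrix: every joiner gets exactly this, nothing more.
ROLE_ENTITLEMENTS = {
    "marketing": {"crm:user", "email:mailbox", "wiki:read"},
    "finance": {"erp:user", "email:mailbox", "wiki:read"},
    "dba": {"db:admin", "email:mailbox", "wiki:read"},
}


@dataclass
class Identity:
    user: str
    role: Optional[str]
    entitlements: set = field(default_factory=set)
    enabled: bool = True


def joiner(user, role):
    """Create the account with role-based access only."""
    return Identity(user, role, set(ROLE_ENTITLEMENTS[role]))


def mover(identity, new_role):
    """Swap the old role's access for the new role's; returns (granted, revoked)."""
    target = ROLE_ENTITLEMENTS[new_role]
    granted = target - identity.entitlements
    revoked = identity.entitlements - target
    identity.entitlements = set(target)
    identity.role = new_role
    return granted, revoked


def leaver(identity):
    """Disable the account and strip every entitlement; returns what was revoked."""
    revoked = set(identity.entitlements)
    identity.entitlements = set()
    identity.enabled = False
    identity.role = None
    return revoked


def reconcile(hr_feed, directory):
    """Make the directory match HR.

    hr_feed maps user -> current role and lists only current employees;
    directory maps user -> Identity and is updated in place. Returns the
    (user, event, granted, revoked) actions a connector would execute.
    """
    actions = []
    for user, role in hr_feed.items():
        if user not in directory:
            ident = joiner(user, role)
            directory[user] = ident
            actions.append((user, "joiner", set(ident.entitlements), set()))
        elif (directory[user].role != role
              or directory[user].entitlements != ROLE_ENTITLEMENTS[role]):
            # A real role change, or drift from a manual "just in case" grant.
            granted, revoked = mover(directory[user], role)
            actions.append((user, "mover", granted, revoked))
    for user, ident in directory.items():
        if user not in hr_feed and ident.enabled:
            actions.append((user, "leaver", set(), leaver(ident)))
    return actions


def sample_run():
    """Constructed scenario: one joiner, one mover, one leaver, one unchanged."""
    directory = {
        "alice": Identity("alice", "marketing", set(ROLE_ENTITLEMENTS["marketing"])),
        "bob": Identity("bob", "dba", set(ROLE_ENTITLEMENTS["dba"])),
        "carl": Identity("carl", "finance", set(ROLE_ENTITLEMENTS["finance"])),
    }
    hr_feed = {"alice": "finance", "carl": "finance", "dana": "marketing"}  # bob has left
    return reconcile(hr_feed, directory), directory


if __name__ == "__main__":
    for user, event, granted, revoked in sample_run()[0]:
        print(f"{user:6} {event:7} +{sorted(granted)} -{sorted(revoked)}")
```

The mover case is where manual processes usually fail: Alice keeps `email:mailbox` and `wiki:read`, gains `erp:user`, and loses `crm:user` in the same step, so no access from the previous role lingers. Because the loop also repairs drift, an entitlement someone added by hand outside the role matrix is revoked on the next run, which is what stops privilege creep.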
Strong, Adaptive Authentication:
- What: Mandating phishing-resistant MFA (e.g., FIDO2/WebAuthn keys) for all users, especially administrators. This is often combined with Conditional Access Policies, which adapt authentication requirements based on risk signals like user location, device health, and sign-in behavior.
- Why: It provides robust protection against credential theft, which is the leading cause of breaches.
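Conditional access is easiest to reason about as a list of rules evaluated against the risk signals of each sign-in, with the strictest matching rule winning. The following added example (not code from the original post or from any IdP) encodes four such rules over constructed sign-in records; the MFA strength ranking, the policy names and the signal fields are assumptions, and in production the device-health and risk values would come from the MDM and the IdP's risk engine.

```python
"""Evaluate a sign-in against conditional access policies.

Added example, not code from the original post or from any IdP product.
The policies, MFA strength ranking and sign-in records are constructed
assumptions; real risk signals would come from the IdP's risk engine and
device management.
"""
from dataclasses import dataclass

# Assumed ordering: phishing-resistant FIDO2/WebAuthn outranks one-time codes.
MFA_STRENGTH = {"none": 0, "otp": 1, "fido2": 2}


@dataclass
class SignIn:
    user: str
    is_admin: bool
    mfa_used: str            # strongest factor completed so far
    device_compliant: bool   # managed, patched, disk-encrypted (from MDM)
    known_location: bool     # matches the user's usual network or country
    risk: str                # "low", "medium" or "high" from a risk engine


# Policies as data: each rule matches on risk signals and either blocks or
# raises the minimum MFA strength. All matching rules apply; the strictest wins.
POLICIES = [
    {"name": "block-high-risk", "when": lambda s: s.risk == "high", "block": True},
    {"name": "admins-phishing-resistant", "when": lambda s: s.is_admin, "require": "fido2"},
    {"name": "step-up-on-weak-signals",
     "when": lambda s: not s.device_compliant or not s.known_location or s.risk == "medium",
     "require": "fido2"},
    {"name": "baseline-mfa", "when": lambda s: True, "require": "otp"},
]


def evaluate(signin, policies=POLICIES):
    """Return (decision, matched policy names).

    decision is "allow", "block", or "step-up:<factor>" when the session
    must still satisfy a stronger factor than the one already used.
    """
    matched = [p for p in policies if p["when"](signin)]
    names = [p["name"] for p in matched]
    if any(p.get("block") for p in matched):
        return "block", names
    required = max((p["require"] for p in matched if "require" in p),
                   key=MFA_STRENGTH.__getitem__, default="none")
    if MFA_STRENGTH[signin.mfa_used] >= MFA_STRENGTH[required]:
        return "allow", names
    return f"step-up:{required}", names


# Constructed sign-ins (not real events).
SAMPLE_SIGNINS = [
    SignIn("admin-ops", True, "otp", True, True, "low"),       # admin with only OTP
    SignIn("admin-ops", True, "fido2", True, True, "low"),     # admin with security key
    SignIn("staff", False, "otp", True, True, "low"),          # ordinary sign-in
    SignIn("staff", False, "otp", True, False, "low"),         # unfamiliar location
    SignIn("staff", False, "fido2", False, True, "high"),      # risk engine says high
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        decision, names = evaluate(s)
        print(f"{s.user:10} {s.mfa_used:6} -> {decision:14} {names}")
```

Two design points worth noting: the block rule is evaluated before any MFA comparison, so a high-risk session cannot "authenticate its way in" even with a security key, and the admin rule is unconditional, so administrators never get the weaker baseline even from a compliant device in a familiar location.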
IAM and Global Standards: Meeting Compliance Requirements
A robust IAM program is not just a best practice; it's a requirement for many international standards and regulations.
ISO 27001 (ISMS): Directly addresses IAM in Annex A controls like A.9.2 (User Access Management) and A.9.4 (System and Application Access Control), requiring formal processes for user registration, provisioning, and access reviews.
ISO 27017 & 27018 (Cloud Security & PII): Extend ISO 27001 controls to the cloud, emphasizing the shared responsibility model for IAM and the need to protect Personally Identifiable Information (PII) through strict access controls.
GDPR (General Data Protection Regulation): While not explicitly an IAM standard, its core principles of "integrity and confidentiality" (Article 5) and "security of processing" (Article 32) are impossible to achieve without strong IAM to control access to personal data.
NIST Cybersecurity Framework (CSF): The "Protect" function of the CSF is heavily reliant on IAM, specifically the PR.AC (Identity Management, Authentication and Access Control) category.
NIST 800-53: Provides a comprehensive catalog of security and privacy controls, with the entire AC (Access Control) and IA (Identification and Authentication) families dedicated to the principles of strong IAM.
ISO 42001 (AI Management System): In the context of AI, IAM is critical for controlling who can access, train, and manage AI models and the sensitive data they process, ensuring accountability and preventing unauthorized modifications.
IAM Technologies on the Market
Navigating the technology landscape is key. You'll encounter several categories of tools designed to work together:
Identity Providers (IdP): The core of modern IAM. They manage user identities and handle authentication. (e.g., Microsoft Azure AD, Okta, Ping Identity).
Privileged Access Management (PAM): Tools designed to secure, manage, and monitor access for administrative and other high-privilege accounts. (e.g., CyberArk, Delinea, BeyondTrust).
Identity Governance and Administration (IGA): Solutions that focus on managing the identity lifecycle, access requests, and certifying access through reviews. (e.g., SailPoint, Saviynt).
Cloud Infrastructure Entitlement Management (CIEM): A newer category focused on managing the complex web of permissions and entitlements in cloud environments like AWS, Azure, and GCP.
Summary: Dos and Don'ts for Professionals
| Do ✅ | Don't ❌ |
| --- | --- |
| Implement MFA everywhere, without exception. | Rely on passwords as your only line of defense. |
| Centralize identities using an IdP and enforce SSO. | Allow applications and systems to have their own user silos. |
| Enforce the Principle of Least Privilege rigorously. | Grant "just in case" permissions or use shared admin accounts. |
| Automate the Joiner-Mover-Leaver (JML) lifecycle. | Rely on manual checklists and helpdesk tickets for offboarding. |
| Conduct regular access reviews and certifications. | Adopt a "set it and forget it" mentality for user permissions. |
This paper outlines the what, when, why, and where of a modern IAM strategy. The next step is to translate these principles into a concrete architecture and implementation plan tailored to your organization's unique environment and risk profile.
For expert guidance on designing and implementing a world-class Identity and Access Management program, professionals are directed to consult with Gira Group. To book a consultation contact us via our website.
