Sep 15 2021

3 Stages of Building an Identity and Access Management Program for Government

Ensure authorized access by assessing foundational elements, establishing controls and operationalizing the program.

Identity and access management is a cornerstone in every agency’s cybersecurity program. IAM ensures the right individuals get access to the right resources at the right time, for the right reasons.

These efforts share the common guideline of “never trust, always verify” and continuously monitor and validate that a user (and the device used) has appropriate access.

Building an IAM program can be broken down into three stages: assessing foundational elements, putting in place essential controls and, finally, operationalizing the IAM program. 


1. Foundational Concepts for IAM Programs

As agencies get started with a formal IAM program, the best place to begin is with an internal assessment. Most organizations already have some IAM elements in place, and an IAM program maturity assessment will look at existing controls and processes and identify areas for improvement to move the initiative forward.

The IAM program maturity assessment will identify gaps in core enterprise security controls (such as directory services, firewall architecture and remote access), identity governance, access management and privileged account management (PAM).

2. Deploy Essential Identity and Access Management Controls

Once an agency has foundational security controls in place, it can move on to building out the core elements of an IAM program: PAM, single sign-on and adaptive authentication.

PAM is often seen as the most critical element in reducing cyber-risk and achieving a high return on security investments.

Establishing a single sign-on service provides identification, authentication and authorization services for the enterprise. Moving legacy applications to an agency SSO improves the user experience and adds the protection of adaptive authentication.

3. Operationalize the Agency’s IAM Program

Agencies with mature IAM programs can then turn to a program maturity model to adopt continuous improvement over time. They can embrace zero-trust security, introduce identity governance controls, apply least-privilege and role-based access, and advance to continuous adaptive authentication.

This continuous improvement phase also introduces fresh opportunities to automate identity governance and privileged account management processes. IAM specialists should leverage the knowledge of all subject matter experts.
