3 Stages of Building an Identity and Access Management Program for Government

Ensure authorized access by assessing foundational elements, establishing controls and operationalizing the program.


Identity and access management is a cornerstone in every agency’s cybersecurity program. IAM ensures the right individuals get access to the right resources at the right time, for the right reasons.

These efforts share the common guideline of “never trust, always verify” and continuously monitor and validate that a user (and the device used) has appropriate access.

Building an IAM program can be broken down into three stages: assessing foundational elements, putting in place essential controls and, finally, operationalizing the IAM program. 


1. Foundational Concepts for IAM Programs

As agencies get started with a formal IAM program, the best place to begin is with an internal assessment. Most organizations already have some IAM elements in place, and an IAM program maturity assessment will look at existing controls and processes and identify areas for improvement to move the initiative forward.

The IAM program maturity assessment will identify gaps in core enterprise security controls (such as directory services, firewall architecture and remote access), identity governance, access management and privileged account management (PAM).

2. Deploy Essential Identity and Access Management Controls

Once an agency has foundational security controls in place, it can move on to building out the core elements of an IAM program: PAM, single sign-on and adaptive authentication.

PAM is often seen as the most critical element in reducing cyber-risk and achieving a high return on security investments.

Establishing a single sign-on service provides identification, authentication and authorization services for the enterprise. Moving legacy applications to an agency SSO improves the user experience and adds the protection of adaptive authentication.

3. Operationalize the Agency’s IAM Program

Agencies with mature IAM programs can then turn to a program maturity model to adopt continuous improvement over time. They can embrace zero-trust security, introduce identity governance controls, apply least-privilege and role-based access, and advance to continuous adaptive authentication.

This continuous improvement phase also introduces fresh opportunities to automate identity governance and privileged account management processes. IAM specialists should leverage the knowledge of all subject matter experts.
