Developing a strong IAM strategy

A well-structured Identity & Access Management (IAM) strategy empowers organisations to reach their goals with greater speed and efficiency. While everyone has their unique objectives, we all navigate similar market dynamics, societal trends and technological progress. This blog post aims to highlight such universal trends and explores their impact on your digital strategies, offering insights into making strategic IAM decisions to best leverage these developments.

Starting point: Strategic business trends

• Digitalisation: In many organisations today, data is the primary resource. Business operations are driven by data, and processes are automated as much as possible. This trend is not just financially motivated; it also addresses the challenges of a tight labour market. By digitising processes, we can ensure that talent is preserved for those areas within organisations where human input is most needed for keeping the organisation running and making a difference.
• Intuitive and hybrid collaboration: Automation and digitalisation require user-friendly and intuitive solutions. Employees need to be able to work seamlessly from various locations, use different devices and maintain online contact with colleagues, contractors, customers and partners. Collaboration and data sharing should be possible anytime and anywhere.
• Focus on core activities: Organisations are constantly re-evaluating what tasks they should perform in-house and what can be outsourced. Our business model is becoming more and more refined, with increasing integrations with business processes, applications and data sources from suppliers, partners, customers and governments. At the same time, we are outsourcing our IT processes and migrating them to the cloud.
• Agile operations: Agile working extends beyond an IT concept. Organisations as a whole must be able to respond more quickly to new societal developments, market trends and technological innovations. This means that we are not only more intertwined with other companies and organisations, but these interrelationships and dependencies are also changing more frequently and rapidly.
• Security and privacy: Advancing digitalisation makes organisations and individuals more vulnerable. A hacked server can cause more damage than a company fire, and misuse of personal data can lead to personal tragedies, be disastrous for a business’ reputation and result in huge claims and fines. Information security and privacy are boardroom topics.
• Transparency and accountability: The philosophy of ‘if it’s not wrong, we’re doing it right’ is no longer sustainable. Organisations must comply with laws and regulations, but also maintain the transparency to demonstrate this compliance at any time. And should problems arise unexpectedly, we must immediately provide insight into how they occurred and how they are being resolved. This is necessary not only towards authorities but also towards customers, partners and other stakeholders.

Choosing an IAM strategy

Identity and Access Management plays a crucial role in these developments. There is no ‘one size fits all’ solution for the digitalisation of organisations, but regardless of the chosen IT solutions, IAM must enable seamless access to those systems for all users. Below, we outline six key IAM strategy choices to streamline your digital plans.

IAM strategy choice 1: Stay in control with an agile IAM

Many existing IAM functionalities no longer meet current needs or are becoming end-of-life. A modern Identity and Access Management system needs to be automated, capable of connecting to an increasing number of systems and supporting all operational processes. At the same time, ‘big bang’ implementation projects are often not feasible. A future-proof IAM solution should offer a scalable growth path where basic authentication and authorisation functions are migrated smoothly, followed by the integration of source systems, automation of the identity lifecycle and gradual connection of more target systems. In parallel, service automation can help fine-tune ‘specials’ and streamline further account management processes. This scalable approach is elaborated on in the blog post “What is a good sequence for an IAM implementation?”

However, this growth path should never be set in stone; a modern IAM environment needs to be agile. Moreover, for further rollout and development, you should not have to rely on external, costly specialists and long lead times. The core of the IAM solution should be standard, allowing the in-house management team to add and configure additional functions as add-ons, with enough flexibility to avoid modifications to existing systems.

Take HelloID, for example. We are always developing new connectors for source and target systems that customers can easily add and configure. The Service Automation module allows for easy automation and fine-tuning of service processes, while all RBAC settings and other business rules are easily configurable. This empowers organisations to lead their IAM environment’s development independently of suppliers, with all the necessary know-how provided through free training and online resources.

IAM strategy choice 2: Cloud-native solution

With tech vendors such as Microsoft focusing almost exclusively on cloud solutions, most organisations are following suit, moving their IT applications to the cloud. Even governments have started adopting a ‘yes-if’ stance towards cloud services. This makes a cloud-based Identity and Access Management process a natural fit for your modernisation plans. However, the journey does not stop there, as there are various cloud strategies to consider.

You might opt for a managed service model, where an existing on-premise solution is re-hosted to an Infrastructure-as-a-Service (IaaS) environment. This approach is often a good fit for larger organisations, offering the flexibility for extensive customisation but at a significant cost.

However, the majority of organisations will likely seek out a Software-as-a-Service (SaaS) solution. In this model, a service provider delivers IAM functionality via a cloud platform to multiple clients. It is crucial, though, to delve a bit deeper and take a closer look ‘under the hood’ to understand what you are getting. Sometimes, offerings labelled as SaaS are actually just traditional software provided over a cloud infrastructure service (IaaS), with little to no reinvestment in software redevelopment.

A true SaaS solution – like HelloID – is specifically developed for the cloud, using a single instance and multi-tenant approach. This means every client operates on the exact same codebase, using a single instance of the software. Only such a cloud-native Identity-as-a-Service (IDaaS) environment fully leverages the cloud’s potential.

IAM strategy choice 3: Compliance and auditability

Modern IAM systems need to be compliant with privacy laws like the GDPR and adhere to information security standards such as ISO 27001. It is essential that this compliance is always verifiable, and should a data breach or any other issue occur, a full audit trail must be accessible. For instance, HelloID logs all changes to business rules, processes, rights requests and other modifications, and records every access attempt to the infrastructure. Through standard reporting and customisable analyses, organisations have all they need for internal security reviews, external audits and certification processes. HelloID also integrates with source and target systems and provides APIs for connection with additional security systems. Linking an IAM solution to a client’s SIEM system allows for a unified view by merging IAM log data with other system logs.

In a cloud-based IAM setup, compliance is not just about the platform; the service provider must also meet these standards. For example, as an IDaaS provider, Tools4ever holds a SOC 2 Type II audit statement. This audit, focused on service organisations, assures customers of the service quality through an independent evaluation. The assessment encompasses organisational oversight, vendor management programs, software development practices, internal governance and risk management, making the SOC 2 audit a valuable addition to ISO 27001 certification.

IAM strategy choice 4: Automated identity lifecycle management

Traditionally, issuing and managing user accounts and access permissions has always been an IT-driven process. HR departments or team leaders submit requests for new accounts and permissions, which IT support then manually processes in various back-office systems. This manual approach is not only a bottleneck in the digitalisation journey but also inefficient, user-unfriendly and prone to errors.

A future-proof IAM environment demands an approach driven by business needs and fully automated for managing users and their rights. In such a setup, the HR department leads the charge, holding the reins in terms of all employee data, including roles, tasks and obligations. By establishing a direct link between HR systems and the HelloID platform, the creation and modification of accounts and access rights become fully automated. This includes automatically closing accounts when employees leave the company. Using Role-Based Access Control, we clearly define what rights each role entails, avoiding unnecessary rights accumulation and adhering to the ‘least privilege’ principle, based on which access is strictly on a ‘need to know’ basis. And with similar links to other administrative source systems, we can also automate account and rights management for students, clients, temporary workers and other user groups.

IAM strategy choice 5: Streamlined (self-)service

Automated identity lifecycle management takes care of the vast majority—about 80%—of account and access rights management. But what about the rest? The goal is to streamline all service requests, ideally letting the business itself take the lead. Department heads should have the capability to grant access rights directly, or users should be able to request access easily through an online portal. HelloID facilitates this through delegated management screens, enabling managers to handle requests directly. They can quickly assess and take action where needed, with the IAM platform ensuring these changes are correctly implemented in all necessary back-office systems. Additionally, a self-service portal allows end-users to make their own requests, which are then automatically forwarded to the relevant managers for online approval. This setup also allows for the assignment of rights with a limited duration, preventing the build-up of unnecessary permissions. This shift towards a more business-driven control model moves routine IT tasks closer to managers and end-users, enhancing efficiency and oversight.

IAM strategy choice 6: Flexible authentication & authorisation

Traditionally, an IAM solution supports the authentication and authorisation steps for users. Nowadays, many organisations rely on Active Directory, Entra ID (formerly Azure AD), Google Workspace or other Identity Providers for this purpose. However, a flexible access management layer remains essential for effective Identity Management. This is crucial for being prepared for migration projects, easily and quickly integrating new user groups, facilitating the collaboration of multiple Identity Providers, and enabling the merger or separation of organisations. Additionally, having your own access management platform is necessary to support flexible Multi-Factor Authentication and context-dependent access services.

• HelloID
• IAM
• cloud