What are your best practices for Identity and Access Management (IAM) in the Cloud?

Identity and access management in the cloud - there are more interpretations of this question - like where are the identities stored (on-premise/in cloud/ both with sync between them already)? 

where is the service with managed access located? what is the access based on?

what kind of SSO service API is supported by the user store/ application if any?

what authentication methods are supported by applications/services? 

what technology is preferred by customers consuming/planed to consume those services? 

What authorizations are possible/requested and based on what? 

Too many possibilities, too many options to answer it in short. 

To be honest, universal best practices in this area, as I am aware of, don't exist yet. 

Case by case, the best practices will be different based on answers to the questions above.

Cloud IAM is a different beast from traditional on-premises IAM.

There are very many web pages and posts on Q&A sites that deal with common best practices for cloud-based IAM. Many of the points suggested in these web pages and posts are very general in nature and could apply to on-premises IAM installations too.

So, I am going to offer up some unique advice. Here are some best practices for IAM in the cloud:

1. Look for a vendor who offers a large range of app integrations. Even more preferable is a vendor who integrates apps on request from customers. This is because there are so many apps out there today, and no vendor offers ready integration with ALL possible apps. Even one app left out of your IAM environment is a significant security threat. So, you want easy integration for every possible cloud-based app.


2. Look for a vendor who offers thick-client Single Sign-On. Let’s face it, not all your apps are cloud-based. While cloud-based apps are now the norm, the IT world hasn’t completed the shift completely. And for security reasons, some critical apps and resources like banking data, are better off stored on-premises. So, you are setting yourself up for a security breach if your thick-client and homebrewed apps are not contained within your organization’s IAM environment.


3. Choose per-user subscriptions over perpetual licenses and pay-per-use models over per-user subscriptions. Per-user subscriptions offer lower total costs and put the onus for maintenance, upgrades, and repairs on the vendor. But they also have drawbacks. Your organization must buy extra licenses to future-proof itself. And there is a large gap in utilization between departments. Engineering departments use about 90%+ of IAM features on a regular basis. But sales departments only use about 20%. Why pay the same for occasional and regular users? Pay-per-use also allows your organization to debit IAM expenses to different departments which frees up budget from IT departments.


4. Choose a Converged IAM software. Gartner says that over 70% of new IAM implementations will be Converged IAM by 2025. This is because integration between IAM modules like Access Management and Access Governance offers superior features to standalone products with limited modules. The MSSP model is also going to be the preferred choice of customers, and MSSPs will choose Converged IAM products for high ROI and integration between modules.

It is worth noting that Compact Identity from IlantusProducts is the only true Converged IAM product on the market, and is offered as pay-per-use as well.

Understanding who may access your sensitive data and under what circumstances they can access it is necessary for enforcing identity and access management best practices.

You'll also need a full picture of your company's IT architecture to keep an eye on all of your components for future and existing dangers. Staying current with industry developments will help you better your existing IAM situation.

Keep these identity management best practices in mind as you develop your Identity and Access Management (IAM) strategy:

- Implement zero-trust security

- Use multi-factor authentication

- Avoid privileged accounts

- Enforce a strong password policy

- Adhere to regulatory compliances

- Automate Onboarding and Offboarding

- Go passwordless

- Conduct routine audits

Below are some of the best Practices for Identity Access Management

• Eliminate High Risk Systems


• Routine Review and Removal of Orphaned Accounts


• Automate Onboarding and Offboarding


• Develop a Zero Trust Approach to Security


• Use Multi-factor Authentication


• Centralize Your System

Case by case, that will be the very first thing I am going to tell. 

In general, you will definitely need a team to start, IT professionals, application owners, and a trustworthy partner who has the skills. 

IAM product-wise, the top-ranking list on the market is always the resort, so go and find someone （architecturally, not sales) from e.g., One Identity, AAD, and have them carve your way out. 

Among many relevant responses from other peerposters, I can provide you with the following recommendation: "Always stay in control of your identity data".

That means:

- know where your data are (in the normal situation and after a breach).

- be prepared to restore a degraded service on another provider (or on prems) backing up user data, application config, business rules and compliance reports.

It is usually simple and cheap to achieve this with some Curl commands to get JSON from your IAM cloud provider instance. It is more complex and expensive to have a B plan ready for deployment and to transform those JSON extracts into CSV ready to upload in the new alternative