Lorenzo Leonelli, CISSP, discusses why greater awareness of identity and access management, along with sensible use and protection of access credentials is critical within organizations, and shares some best practices and practical examples from his own experiences.

Lorenzo Leonelli, CISSP

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

Identity and access management (IAM) is often considered to be important simply because regulations require it, fines punish its absence and breaches often start with stolen accounts. However, there’s so much more to it. Access creep is a real issue for many organizations and, even in 2025, identities are still shared, misused or unmanaged. That’s why IAM is now the new perimeter – especially with cloud and hybrid systems.

Identity Management Best Practices

First, let’s consider what I view as a few best practices in respect of properly implementing identity management:

  • Assess Users and Roles – Use role‑based access control (RBAC) and treat it as an ongoing process: schedule access reviews to remove unused or excessive privileges. This cuts down on access creep and improves your compliance posture.
  • Enforce Strong Authentication Everywhere – Consider multi-factor authentication (MFA) options such as hardware tokens or biometrics. These mitigate almost all account compromise attempts, limit the damage in stolen-account scenarios and discourage password sharing. Remember that using biometrics in your work environment may create privacy liabilities.
  • Apply Least Privilege – Limit access to only what users need. Use just‑in‑time (JIT) privilege elevation and privileged access management (PAM) so that admin rights expire when tasks finish. These capabilities are built into Windows and other common platforms, so no third-party applications are needed.
  • Automate Provisioning, Role Migration and Offboarding – Link your IAM system to HR tools so that access is granted correctly on hire and revoked immediately on exit. This prevents orphaned accounts and reduces insider risk exposure.

What this is intended to yield in practice is that:

  • Compliance becomes worthwhile when your identity/access posture is automated and auditable
  • Stolen account attacks are thwarted by strong authentication and proactive credential hygiene
  • Access creep is kept in check by reviews and well‑defined roles
  • Insider threats are minimized with least privilege, PAM and rapid offboarding; and
  • A quick identity‑centric approach buys time to build broader security programs and builds confidence among leadership

Of course, these best practice steps can appear trivial and easy on paper, but that is not the case in practice. I have repeatedly encountered situations in which companies inadvertently undermined their IAM strategy through common mistakes. The two I see most frequently are:

  • Granting unduly broad permissions when handing out new accounts, especially when the account belongs to a manager. This often happens because HR doesn’t feel empowered to restrict access for a new manager.
  • Role creep/change: once permissions are added they typically remain unreviewed, and thus active, for months or years, becoming misaligned with real organizational roles. This increases the attack surface (too many doors are left open). A related error occurs when a user changes role: I’ve heard too often “just keep the old access rules for a couple of months until the user transitions and completes their tasks”, and suddenly permissions grow unchecked.

Real World, Small Company, Real Problems

I once worked with a small business of about 10 people and was told by the proprietor that he was concerned he was not compliant with the EU’s GDPR regulations. He had “lost” some customer data, was uncomfortable asking for it to be provided a second time and wanted to fix the issue.

I quickly discovered that all the organization’s files were saved on a single Windows 10 PC that acted like a mini server. It wasn’t connected to any domain, just part of a simple office workgroup where everyone mapped a network drive to access shared folders. No one had really thought about permissions or access levels; everyone had full access to everything.

It emerged that the data loss occurred when a new employee accidentally deleted a folder containing data relating to a new client, including reports, passwords, contract drafts and PII. The files were organized in folders named after the customer – nice and straightforward. But that customer’s files were lost, and the weekly backup wasn’t enough to restore them because the data for this new customer hadn’t been backed up yet.

In the event, we were able to partially rebuild the missing folder using data and attachments from email conversations. Nonetheless, to avoid any recurrence, I also created and implemented three very basic roles:

  • “ViewOnly” – For people who only needed to read documents but couldn’t change or delete anything
  • “Editor” – For employees who worked on SEO reports and needed to edit or update files but not delete or move sensitive folders
  • “Admin” – For just the two founders, who had full control including deletion, folder restructuring, and managing permissions.

This solution to the problem involved creating individual local user accounts on the Windows PC for each team member and assigning them to one of these roles. Then I simply adjusted the folder structure and folder-level permissions using Windows' built-in NTFS security. For example: the client folders could only be edited by Editors and fully controlled by Admins, while ViewOnly users could open files but couldn’t touch anything else.

If the environment and the skill set allow, it is also worth giving each admin two separate logins: a standard “User” account for day-to-day work and a separate “Admin” account for administrative tasks. This is considered a best practice to limit lateral movement.

In this instance, to track who did what, I enabled basic auditing on key folders (with a basic filter in Windows Event Viewer to read the results). In this way the owners could at least see who accessed or modified important files. We also agreed that the two founders would be accountable for managing roles and reviewing access every couple of months.
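The three steps above (local role groups, NTFS permissions per role, and folder auditing on a workgroup Windows 10 PC) can be carried out from an elevated PowerShell prompt. The script below is an added example, not the author’s actual configuration: the share path D:\Shared\Clients, the account names and the placement of the founders’ day-to-day and admin logins are all assumptions, and the second half also shows the kind of event filter the owners would use to see who touched client files.

```powershell
# Added example (not from the article): local roles, NTFS ACLs and auditing
# for a workgroup Windows 10 PC acting as a file server.
# Assumptions: share root D:\Shared, client folders under D:\Shared\Clients,
# placeholder user names. Run from an elevated PowerShell 5.1 prompt.

$ShareRoot  = 'D:\Shared'
$ClientRoot = Join-Path $ShareRoot 'Clients'

# 1. The three roles from the article as local groups.
foreach ($g in 'ViewOnly', 'Editor', 'Admin') {
    if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $g -Description "File-share role: $g" | Out-Null
    }
}

# 2. One local account per person, each in exactly one role. A founder gets a
#    day-to-day Editor login plus a separate admin-only login (placeholder names).
$People = @(
    @{ Name = 'alice';       Role = 'Editor'   }   # employee working on SEO reports
    @{ Name = 'bob';         Role = 'ViewOnly' }   # read-only user
    @{ Name = 'carol';       Role = 'Editor'   }   # founder, daily account
    @{ Name = 'carol-admin'; Role = 'Admin'    }   # founder, admin-only account
)
foreach ($p in $People) {
    if (-not (Get-LocalUser -Name $p.Name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Initial password for $($p.Name)"
        New-LocalUser -Name $p.Name -Password $pw | Out-Null
    }
    Add-LocalGroupMember -Group $p.Role -Member $p.Name -ErrorAction SilentlyContinue
}

# 3. NTFS permissions. Remove inherited entries first so the default 'Users' and
#    'Everyone' grants do not linger, then grant by role only.
#    (OI)(CI) = apply to files and subfolders; F = full, M = modify, RX = read/execute.
icacls $ClientRoot /inheritance:r | Out-Null
icacls $ClientRoot /grant:r 'Admin:(OI)(CI)F' 'Editor:(OI)(CI)M' 'ViewOnly:(OI)(CI)RX' | Out-Null
# Editors may edit files but must not delete or move client folders: deny the
# DELETE right on folders only ((CI) without (OI) leaves file-level modify intact).
icacls $ClientRoot /deny 'Editor:(CI)(D)' | Out-Null

# 4. Auditing: enable the File System subcategory and add a SACL so writes and
#    deletions under the client folders produce event 4663 in the Security log.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$acl  = Get-Acl -Path $ClientRoot -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, Write',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $ClientRoot -AclObject $acl

# 5. The owners' "basic filter": who touched what under Clients in the last N days.
#    AccessMask 0x10000 is DELETE; 0x2 is WriteData/AddFile.
function Get-ClientFolderActivity {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -like "$ClientRoot*") {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $d.SubjectUserName
                Object = $d.ObjectName
                Access = $d.AccessMask
            }
        }
    }
}
Get-ClientFolderActivity -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The explicit Deny on folder deletion is what turns “Editor” into the role the article describes (edit files, but leave the client folders where they are); everything else is plain role-to-group mapping. Object-access auditing is noisy on a busy share, so the SACL is limited to write and delete rights rather than reads.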

I also set up File History on the Windows machine, using an external hard drive. This created automatic backups of files every four hours rather than just weekly. I also gave instructions to perform a separate monthly full encrypted backup to another external drive and to keep that drive not in the office but at the home of one of the owners. It wasn’t a fancy solution, but it meant that if someone deleted or overwrote a file, they could simply right-click and restore an earlier version themselves, with no IT or external help needed.

Bigger Organizations, Bigger Issues

As an organization grows, the scale of its problems can grow commensurately. A mid-sized organization asked for our help during a period of growth; its HR team had been giving new managers “temporary” full access to everything, just to make sure they wouldn’t be blocked while onboarding.

As frequently happens, those temporary permissions were still in place months later; new hires retained access to folders, tools and even financial data far beyond what they needed or should ever have had. Over time their roles shifted, but no one ever went back to remove old access. As a result, the organization had many accounts with excessive permissions. Worse still, the Active Directory file permission rules had been propagated via LDAP to other on-premises and cloud applications.

My remedy involved mapping out who had access to what and comparing it with their actual job functions. I met HR and team leaders to secure agreements on what each role should be able to access. In truth, this was very difficult, since it also involved an IT team that was partially internal and partially external.

Eventually, however, we built a new set of role-based access profiles using the already-implemented AD. I ensured permissions were minimal to start: enough to work, but nothing more. We also introduced a mandatory 30-day expiry for any temporary permissions, meaning they had to be reviewed or were removed automatically. Most importantly, we gave each department head responsibility for their team’s access reviews. Every month they received a report showing who had access to what, and they had to confirm it still made sense.
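The two controls in this paragraph (a 30-day expiry on temporary permissions, and a monthly per-department report the department head must confirm) map onto native Active Directory features. The script below is an added example, not the organization’s actual tooling: it assumes the ActiveDirectory PowerShell module, a forest with the Privileged Access Management optional feature enabled (required for time-to-live group memberships), and placeholder group and department names for the role baseline.

```powershell
# Added example (not from the article): time-bound AD group membership plus a monthly
# access-review report that flags memberships outside an agreed role baseline.
# Assumptions: ActiveDirectory module (RSAT), 'Privileged Access Management Feature'
# enabled in the forest for -MemberTimeToLive, placeholder group/department names.
Import-Module ActiveDirectory

# 1. A "temporary permission" is a group membership with a TTL; AD removes it when it
#    expires, so nothing is left behind if the review is forgotten.
function Grant-TemporaryAccess {
    param(
        [Parameter(Mandatory)] [string]$User,
        [Parameter(Mandatory)] [string]$Group,
        [int]$Days = 30
    )
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Days $Days)
}

# 2. Remaining TTL per member of a group. AD exposes TTL members as '<TTL=seconds,DN>'.
function Get-GroupMembershipExpiry {
    param([Parameter(Mandatory)] [string]$Group)
    (Get-ADGroup -Identity $Group -Property member -ShowMemberTimeToLive).member | ForEach-Object {
        if ($_ -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{ Group = $Group; Member = $Matches[2]; ExpiresInDays = [math]::Round($Matches[1] / 86400, 1) }
        } else {
            [pscustomobject]@{ Group = $Group; Member = $_; ExpiresInDays = $null }   # permanent membership
        }
    }
}

# 3. Role baseline agreed with HR and team leaders (placeholder values): the groups each
#    department is expected to hold. Anything else is reported as 'Excess' for the
#    department head to confirm or drop; a few groups are always flagged for a second look.
$RoleBaseline = @{
    'Finance'   = @('GG-Finance-Users', 'GG-ERP-Readers')
    'Marketing' = @('GG-Marketing-Users', 'GG-SEO-Editors')
}
$HighRisk = @('Domain Admins', 'Administrators', 'GG-Finance-Admins')

function Get-DepartmentAccessReview {
    param([Parameter(Mandatory)] [string]$Department)
    $expected = @($RoleBaseline[$Department])
    $filter   = "Department -eq '$Department' -and Enabled -eq 'True'"
    Get-ADUser -Filter $filter -Properties MemberOf, Manager | ForEach-Object {
        $user = $_
        foreach ($dn in $user.MemberOf) {
            $g = (Get-ADGroup -Identity $dn).Name
            $status = if ($g -in $HighRisk) { 'HIGH-RISK' }
                      elseif ($g -in $expected) { 'Baseline' }
                      else { 'Excess' }
            [pscustomobject]@{
                Department = $Department
                User       = $user.SamAccountName
                Group      = $g
                Status     = $status
                Manager    = $user.Manager
            }
        }
    } | Sort-Object @{ Expression = { @('HIGH-RISK', 'Excess', 'Baseline').IndexOf($_.Status) } }, User
}

# 4. Monthly run: one CSV per department for its head to sign off. Removal of anything
#    not confirmed is a separate, deliberate step (Remove-ADGroupMember), not automated here.
foreach ($dept in $RoleBaseline.Keys) {
    Get-DepartmentAccessReview -Department $dept |
        Export-Csv -Path "AccessReview-$dept-$(Get-Date -Format yyyy-MM).csv" -NoTypeInformation
}
```

The baseline table is the part that takes the most effort, since it is the written outcome of the HR and team-leader agreements described above; the script only makes deviations from it visible every month instead of letting them accumulate unnoticed.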

During this process we removed many unnecessary permissions. In a sign of how dangerous poor IAM can be, this included several admin-level permissions that no one even remembered assigning.

Lessons Learned

For me, the fundamental rule to remember (and abide by) is that every identity or user asset must have one and only one manager accountable for it during its whole lifespan. Any other arrangement invites access drift and vanishing accountability, and IAM integrity loses its purpose. Without defined ownership, audit trails vanish and permissions drift even after employees change roles or leave. Assigning role owners, enforcing regular reviews and automating provisioning and deprovisioning are critical steps to prevent these drift-based failures and maintain a secure identity environment.

Lorenzo Leonelli, CISSP, has 25 years of experience in IT, cybersecurity and project management. He has held technical and management roles, with responsibility for cybersecurity strategy, risk management, compliance, infrastructure protection and business continuity. His cybersecurity work spans identity, access governance and management, physical security and GRC.
