Best Practice
Description
This is the DNA of your IAM program for every service and function you will support (provisioning, certs, privileged access, physical access, etc.) for on-prem (mainframe, AD, etc.) as well as all cloud providers (SaaS, CSPs). A uniquely identifiable catalogue of entities is a must. If you are just starting your identity program, this is the best place to start. If you consider yourself advanced but cannot account for every identity and associate it with an owner, this is a critical gap.
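The catalogue described above, as an added example (not code from the original page): identity records exported from several on-prem and cloud systems are normalised into one store keyed by a globally unique identifier, and every entity that cannot be tied to an accountable owner is reported. The feed names, field names and records are constructed for illustration and do not follow any vendor's schema.

```python
"""Build a uniquely identifiable catalogue of identities across on-prem and
cloud sources and report every entity with no accountable owner.
All records below are constructed samples, not real data."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Identity:
    uid: str               # globally unique key: "<source>:<native id>"
    source: str            # system the record came from
    kind: str              # "human" or "non-human" (service account, role, key)
    owner: Optional[str]   # accountable person or team; None means unassigned


# Constructed export snippets from four hypothetical systems.
RAW_FEEDS = {
    "ad": [
        {"samAccountName": "jdoe", "managedBy": "jdoe@corp.example"},
        {"samAccountName": "svc-backup", "managedBy": ""},
    ],
    "mainframe": [
        {"racf_id": "JDOE1", "owner": "jdoe@corp.example"},
    ],
    "aws": [
        {"arn": "arn:aws:iam::111122223333:user/deploy-bot",
         "tags": {"Owner": "platform-team@corp.example"}},
        {"arn": "arn:aws:iam::111122223333:role/legacy-ci", "tags": {}},
    ],
    "saas_crm": [
        {"email": "jdoe@corp.example", "sponsor": "jdoe@corp.example"},
        {"email": "contractor42@vendor.example", "sponsor": None},
    ],
}


def _normalise(source: str, rec: dict) -> Identity:
    """Map one source-specific record onto the common Identity shape.
    The kind heuristics (svc- prefix, IAM principals) are assumptions."""
    if source == "ad":
        name = rec["samAccountName"]
        kind = "non-human" if name.startswith("svc-") else "human"
        return Identity(f"ad:{name}", source, kind, rec.get("managedBy") or None)
    if source == "mainframe":
        return Identity(f"mainframe:{rec['racf_id']}", source, "human",
                        rec.get("owner") or None)
    if source == "aws":
        # IAM users/roles in this sample are machine principals.
        return Identity(f"aws:{rec['arn']}", source, "non-human",
                        rec["tags"].get("Owner") or None)
    if source == "saas_crm":
        return Identity(f"saas_crm:{rec['email']}", source, "human",
                        rec.get("sponsor") or None)
    raise ValueError(f"no normaliser for source {source!r}")


def build_catalogue(feeds: Dict[str, List[dict]]) -> Dict[str, Identity]:
    """Merge every feed into one catalogue; a duplicate key is a data error."""
    catalogue: Dict[str, Identity] = {}
    for source, records in feeds.items():
        for rec in records:
            ident = _normalise(source, rec)
            if ident.uid in catalogue:
                raise ValueError(f"duplicate identity key {ident.uid}")
            catalogue[ident.uid] = ident
    return catalogue


def unowned(catalogue: Dict[str, Identity]) -> List[str]:
    """Identities that nobody is accountable for: the critical gap named above."""
    return sorted(i.uid for i in catalogue.values() if i.owner is None)


def coverage_report(catalogue: Dict[str, Identity]) -> dict:
    """Totals and unowned counts, split by human / non-human."""
    by_kind: Dict[str, List[int]] = {}
    for i in catalogue.values():
        counts = by_kind.setdefault(i.kind, [0, 0])   # [total, unowned]
        counts[0] += 1
        if i.owner is None:
            counts[1] += 1
    return {"total": len(catalogue), "unowned": len(unowned(catalogue)),
            "by_kind": by_kind}


if __name__ == "__main__":
    cat = build_catalogue(RAW_FEEDS)
    print(coverage_report(cat))
    for uid in unowned(cat):
        print("no owner:", uid)
```

The catalogue key prefixes each native identifier with its source, so the same person appearing in AD, RACF and a SaaS tenant yields distinct entries that can later be linked to one owner; the report separates human from non-human identities because service accounts and cloud roles are where ownership is most often missing.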
Authoritative sources for identities provide essential data to make informed decisions regarding user access, including what access to provision and when to enable/disable that access. Proper maintenance of this authoritative data requires defined lifecycle management processes for both employees and non-employees, regular validation and update of identity information, and storage of accurate data within a repository. The authoritative source can then be linked to automation, for example birthright provisioning/de-provisioning and attribute-based access control mechanisms.
Lock down administrative access to the Active Directory service by implementing administrative tiering and secure administrative workstations, apply recommended policies and settings, and scan regularly for misconfigurations – accidental or malicious – that could expose your forest to abuse or attack.
Best Practice
Description
Automated feeds allow your organization to react to changes in the user life cycle at a frequency that strengthens your security posture. Consider utilizing batch syncs of your HR data instead of real-time syncs. Adding a predecessor job that verifies the feed is within the normal range of expected terminations protects against your HR system sending incorrect data that could disable a large number of personnel and disrupt the business.
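The batch pattern above, and the link from an authoritative source to birthright provisioning and de-provisioning described earlier, as one added example (not code from the original page): a batch HR feed is diffed against the current identity store to derive joiner, mover and leaver events, and a predecessor check refuses the whole batch when the number of terminations, or the row count, falls outside the expected range. The thresholds, record layout and employee data are constructed assumptions.

```python
"""Reconcile a batch HR feed against the identity store and gate the result
behind a sanity check on terminations. All records are constructed samples."""
from dataclasses import dataclass
from math import ceil
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class HRRecord:
    employee_id: str
    status: str          # "active" or "terminated"
    department: str
    manager_id: str


def _store(rows: Iterable[HRRecord]) -> Dict[str, HRRecord]:
    return {r.employee_id: r for r in rows}


# Constructed state of the identity store after the previous run.
CURRENT = _store([
    HRRecord("E001", "active", "finance", "E100"),
    HRRecord("E002", "active", "finance", "E100"),
    HRRecord("E003", "active", "sales", "E101"),
    HRRecord("E004", "active", "sales", "E101"),
    HRRecord("E005", "active", "sales", "E101"),
    HRRecord("E006", "active", "it", "E102"),
    HRRecord("E007", "active", "it", "E102"),
    HRRecord("E008", "terminated", "it", "E102"),
])

# Constructed normal batch: one joiner, one mover, one leaver.
NORMAL_FEED = _store([
    HRRecord("E001", "active", "finance", "E100"),
    HRRecord("E002", "active", "finance", "E100"),
    HRRecord("E003", "terminated", "sales", "E101"),   # leaver
    HRRecord("E004", "active", "sales", "E101"),
    HRRecord("E005", "active", "it", "E102"),          # mover (new dept/manager)
    HRRecord("E006", "active", "it", "E102"),
    HRRecord("E007", "active", "it", "E102"),
    HRRecord("E008", "terminated", "it", "E102"),
    HRRecord("E009", "active", "finance", "E100"),     # joiner
])

# Constructed faulty batch: the HR export marked every employee terminated.
FAULTY_FEED = _store([
    HRRecord(e, "terminated", r.department, r.manager_id) for e, r in CURRENT.items()
])


def diff_feed(current: Dict[str, HRRecord], feed: Dict[str, HRRecord]) -> Dict[str, List[str]]:
    """Derive lifecycle events. A row missing from the feed counts as a leaver,
    which is why the row-count guard in check_feed matters."""
    joiners = [e for e, r in feed.items() if e not in current and r.status == "active"]
    leavers = [e for e, r in current.items() if r.status == "active"
               and (e not in feed or feed[e].status == "terminated")]
    movers = [e for e, r in feed.items() if e in current
              and r.status == "active" and current[e].status == "active"
              and (r.department != current[e].department
                   or r.manager_id != current[e].manager_id)]
    return {"joiners": sorted(joiners), "movers": sorted(movers), "leavers": sorted(leavers)}


def check_feed(current: Dict[str, HRRecord], feed: Dict[str, HRRecord],
               max_leavers: int = 50, max_leaver_ratio: float = 0.25,
               min_row_ratio: float = 0.9) -> dict:
    """Predecessor job: reject a batch outside the expected ranges.
    The limits are illustrative; tune them to your own termination history."""
    active_now = sum(1 for r in current.values() if r.status == "active")
    changes = diff_feed(current, feed)
    reasons: List[str] = []
    min_rows = ceil(min_row_ratio * len(current))
    if len(feed) < min_rows:              # truncated or empty export
        reasons.append(f"feed has {len(feed)} rows, expected at least {min_rows}")
    limit = min(max_leavers, ceil(max_leaver_ratio * active_now))
    if len(changes["leavers"]) > limit:   # mass-termination guard
        reasons.append(f"{len(changes['leavers'])} terminations exceed limit of {limit}")
    return {"ok": not reasons, "reasons": reasons, "changes": changes}


def plan_actions(current: Dict[str, HRRecord], feed: Dict[str, HRRecord]) -> dict:
    """Only an accepted batch is turned into provisioning actions."""
    verdict = check_feed(current, feed)
    if not verdict["ok"]:
        return {"applied": False, "reasons": verdict["reasons"], "actions": []}
    c = verdict["changes"]
    actions = ([f"provision {e}" for e in c["joiners"]]
               + [f"reprovision {e}" for e in c["movers"]]
               + [f"disable {e}" for e in c["leavers"]])
    return {"applied": True, "reasons": [], "actions": actions}


if __name__ == "__main__":
    print(plan_actions(CURRENT, NORMAL_FEED))
    print(plan_actions(CURRENT, FAULTY_FEED))
```

A rejected batch produces no actions and carries the reasons, so the job can page the IAM on-call team and leave the previous state untouched until HR corrects the export; the same diff output is what a birthright-provisioning step consumes once the batch passes.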
Automation allows you to realize the full benefit of an IAM program with the goal of reducing the number of manual access changes managed through your Service Management application or other ad-hoc processes.