Designing an IAM System

Identity and Access Management (‘IAM’) system deployment is generally one of the most complex IT programs undertaken by any organization. It touches almost all parts of the organization – departments, locations, business units as well as IT systems. Therefore, it is crucial to ensure an appropriate design for the IAM system before starting the deployment program. Skipping or rushing the design phase can lead to security gaps, operational inefficiencies, compliance issues, and costly rework.

This blog discusses the recommended practices to ensure a good design for an IAM deployment program.

Why is the IAM design important?

A clearly defined IAM design helps keep the organization’s information safe and makes sure only the right people can access it. It does so by

  1. Ensuring alignment with business risks
    • IAM isn’t just a technical project—it’s a business enabler
    • A good design aligns access controls with organizational roles, workflows, and compliance needs
    • Helps prioritize use cases (e.g., onboarding automation, SSO for employees, secure partner access)
  2. Reducing security exposure
    • Poorly designed IAM can leave vulnerabilities: over-privileged accounts, orphaned users, etc.
    • Thoughtful design includes least privilege, Multi-Factor Authentication (‘MFA’), and Segregation of Duties
    • Anticipates insider threats and external attacks
  3. Avoiding costly rework
    • Retrofitting a poorly implemented IAM system is expensive and disruptive
    • A well-designed IAM system, on the other hand, minimizes changes during deployment by considering identity sources, integration points and use cases upfront
  4. Improving user experience
    • Design ensures smooth onboarding, self-service capabilities, and SSO where needed
    • Avoids user frustration from excessive logins, access delays, or inconsistent permissions
  5. Ensuring compliance and audit readiness
    • Early design accounts for regulatory requirements
    • Proper logging and reporting are baked into the IAM system
  6. Supporting scalability and futureproofing
    • Considers growth
    • Modular design supports future integrations and technologies

Similar to having a secure key system for a building, a well-designed IAM system helps control who can enter the building and its different rooms, keeps track of who goes where, and ensures that everyone has access to the right areas in the building at the right time.

What does a good design look like?

Comprehensive planning and scoping are essential when designing an IAM program. The program should start with clearly defined business objectives, including

  1. What business problems are we solving? (e.g., security, compliance, user experience)
  2. What are the success criteria and KPIs?
  3. Who are the stakeholders? (IT, HR, security, compliance, legal, etc.)

The IAM program should also have a clearly defined scope. This should include

  1. User Types and Identities
    • What types of users will be managed? (Employees, contractors, customers, partners, systems)
    • What are the identity sources? (HR system, Active Directory, cloud directory, etc.)
    • Are there external/federated identities to support?
  2. IT Systems
    • What systems need to be integrated? (SaaS apps, cloud platforms, legacy systems)
    • Do these systems have the required integration points and technologies?
    • What IAM tools are already in place, if any?
    • What authentication methods are used currently?
  3. Access Control Model
    • Role-Based Access Control (‘RBAC’), Attribute-Based Access Control (‘ABAC’), or custom?
    • What are the roles, groups, and entitlements?
    • How will privilege escalation and least privilege be enforced?
  4. Authentication & Authorization Requirements
    • What authentication methods? (Password, MFA, SSO, biometrics)
    • Will SSO be implemented? Across which systems?
    • How will federated login (e.g., Google, Microsoft, SAML, OIDC) be handled?
  5. Identity Lifecycle Management
    • How are users provisioned and deprovisioned?
    • How are changes (role change, termination, etc.) handled?
    • Is Just-In-Time (JIT) provisioning needed?
  6. Policies & Governance
    • Who approves access requests? How is it documented?
    • What policies apply (e.g., access reviews, segregation of duties)?
    • What is the recertification schedule?
  7. Auditing, Logging & Compliance
    • What needs to be logged? (Authentication events, privilege use, changes)
    • How long is data retained?
    • What compliance standards must be met? (e.g., GDPR, HIPAA, SOX, ISO 27001)
  8. Roadmap and Phases
    • What’s the MVP (Minimum Viable Product)?
    • Will it be rolled out by user group, department, region, or system?
    • What’s the timeline for each phase?
  9. Team Structure and Roles & Responsibilities
    • IAM architect, project manager, security lead, identity governance lead, developers
    • Define responsibilities (e.g., who owns identity data, who approves access, etc.)
  10. Risk Management and Change Control
    • What risks are associated with implementation?
    • What is the fallback or rollback plan?
    • How will changes to roles or policies be reviewed and approved?
  11. Training and Support
    • Who needs training? (Admins, help desk, end users)
    • Is documentation in place for support teams?
    • What self-service tools are provided (e.g., password reset, access requests)?
  12. Monitoring and Continuous Improvement
    • What metrics will be tracked post-launch?
    • Who reviews access logs and anomalies?
    • Is there a process for continuous policy and system review?

Finally, remember that the IAM system needs to be maintained and supported after deployment. The ongoing maintenance and support structure should be clearly defined upfront and enforced once the system is operational.

By clearly defining the scope and objectives, all stakeholders have the same understanding of what the IAM system is supposed to do and how it will help the organization. This is the foundation for planning and implementing the IAM system efficiently and effectively.

How to design a good IAM system?

Now that the importance and content of IAM system design are clear, let’s discuss how organizations can go about achieving this. Here are some of the key activities for coming up with a good design.

  1. Baselining – it is important to understand the current maturity of the organization’s IAM systems. This should include preparing an inventory of the systems to be managed by the IAM system. Once the current maturity is understood, the target outcome should be identified. This helps in understanding the gaps and the expected outcomes that should be delivered by the IAM program.
  2. IAM Roadmap – organizations should define a roadmap clearly outlining how the end objectives of the IAM program will be achieved. This should define the timelines, priorities, as well as resources.
  3. Solution Design – business requirements for the IAM system should be understood, and a detailed solution design outlining how the IAM system will deliver these requirements should be defined. The requirements (and accordingly the solution design) should cover
    • Identify Business Needs: Think about what the organization needs to function smoothly. For example, you might need a system that allows employees to access their work files easily, or a way for customers to log in to your website securely.
    • Compliance Requirements: These are rules and regulations your organization must follow. For instance, if you handle personal data, you need to comply with privacy laws like GDPR and PDPA. This means your IAM system must protect user data and ensure only authorized people can access it.
    • Security Policies: These are guidelines to keep your organization safe. You decide how strong passwords should be, whether to use MFA, and how to monitor for suspicious activities.

These design activities give you a blueprint for success. They align IAM with your business, security, and operational needs and reduce risk in deployment and ongoing maintenance.

Explanation on key terms

This blog uses many IAM-related terms. This section provides a high-level understanding of these terms.

  1. User Lifecycle Management is like managing the journey of a user from the moment they join your organization until they leave (‘Cradle to Grave’). Here’s how it works in simple terms:
    • Creating Users: When someone new joins your organization (such as a new employee), you create an account for them. This account gives them access to the systems and information they need to do their job.
    • Managing Users: While they are with the organization, you manage their account. This includes updating their access if they change roles, resetting passwords if they forget them, and ensuring they have the right permissions to do their work.
    • Deleting Users: When someone leaves the organization, you delete their account. This ensures they no longer have access to your systems and information, keeping everything secure.
  2. Access Control Models are ways to decide who can access what in your organization. Here are two common models explained simply:
    • Role-Based Access Control (‘RBAC’): Think of this as assigning roles in a play. Each role (like ‘Manager’ or ‘Employee’) has specific permissions. When someone joins your organization, you give them a role, and they automatically get the permissions that come with it. For example, a manager might have access to more information than a regular employee because their role requires it.
    • Attribute-Based Access Control (‘ABAC’): This model offers more flexibility. Instead of just using roles, you look at various attributes (like the person’s department, location, or the time of day). For example, you might allow access to certain files only if the person is in the office and it’s within working hours. This flexibility ensures that you can create more specific rules based on different conditions.
  3. Authentication & Authorization are ways to ensure that the right people can access the right things. Here are three methods explained simply:
    • Multi-Factor Authentication (‘MFA’): Similar to having multiple locks on a door. To get in, you need more than just a password. You might also need a code sent to your phone or a fingerprint scan. This makes it much harder for someone to break in because they need more than one piece of information.
    • Single Sign-On (‘SSO’): Imagine having one key that opens many doors. With SSO, you log in once and get access to multiple systems without needing to enter your password multiple times. This makes it easier for users and reduces the number of passwords they need to remember.
    • Just-In-Time (‘JIT’) Access: Think of this like a temporary pass. You get access to something only when you need it and for a limited time. For example, if you need to work on a special project, you might get access to certain files just for the duration of the project. Once it’s done, your access is removed. This helps keep things secure by limiting access to only when it’s necessary.
  4. Logging & Monitoring are ways to keep an eye on what’s happening in your systems. Here’s how it works in simple terms:
    • Enable Auditing: Similar to keeping a detailed diary of everything that happens in your system. It records who did what, when they did it, and where they did it. This helps you track activities and identify when something goes wrong.
    • SIEM Tools: These are special tools that help you collect and analyse all the logs and data from your systems.
  5. Compliance & Governance ensures that your organization follows important rules and guidelines. Here’s how it works in simple terms:
    • General Data Protection Regulation (‘GDPR’): This is a set of rules from Europe that protects people’s personal data. If your organization handles personal information (like names, addresses, or emails), you need to make sure it’s kept safe and used properly. For example, you must get permission before collecting someone’s data and let them know how it will be used.
    • Personal Data Protection Act (‘PDPA’): This is a set of rules for protecting personal data in Singapore which is similar to GDPR.
    • ISO 27001: This is an international standard for managing information security. It provides a framework for keeping your data safe. Being compliant with ISO 27001 means that you have safeguards to ensure that your organization’s information is protected from threats like hackers or data breaches. It includes things like risk assessments, security policies, and regular audits.
    • Sarbanes-Oxley Act (‘SOX’): This is a US law that ensures companies provide accurate financial information. It requires strict controls over financial reporting and data. For example, companies must keep detailed records of their financial transactions and have processes in place to prevent fraud.
    • There is other legislation that may apply to specific industries, such as the Health Insurance Portability and Accountability Act (‘HIPAA’) for health information, or to specific regions, such as The Personal Data Protection Act Australia (‘Privacy Act’). As long as your data is being processed or is in transit in those areas, you need to ensure compliance with those regulations.
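The access control models, JIT access and deprovisioning described above, combined into one small deny-by-default policy check. This is an added example written for this post, not code from the original, and the roles, permissions, sample users and the office/working-hours rule are constructed assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# RBAC: each role carries a fixed set of permissions (constructed sample).
ROLE_PERMISSIONS = {
    "employee": {"read:own_files"},
    "manager": {"read:own_files", "read:team_files", "approve:leave"},
}

@dataclass
class User:
    name: str
    roles: set
    department: str
    location: str                                    # "office" or "remote"
    jit_grants: dict = field(default_factory=dict)   # permission -> expiry

def rbac_allows(user, permission):
    """Allowed if any of the user's roles includes the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)

def abac_allows(user, permission, now):
    """The post's ABAC example: project files only from the office, 09:00-18:00."""
    if permission == "read:project_files":
        return user.location == "office" and 9 <= now.hour < 18
    return False

def grant_jit(user, permission, now, hours):
    """JIT access: a temporary grant that expires automatically."""
    user.jit_grants[permission] = now + timedelta(hours=hours)

def jit_allows(user, permission, now):
    expiry = user.jit_grants.get(permission)
    return expiry is not None and now < expiry

def deprovision(user):
    """Lifecycle end: strip every role and standing grant so nothing is orphaned."""
    user.roles.clear()
    user.jit_grants.clear()

def is_allowed(user, permission, now):
    """Deny by default (least privilege); any single model may grant."""
    return (rbac_allows(user, permission)
            or abac_allows(user, permission, now)
            or jit_allows(user, permission, now))
```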