IAM is one of the most fundamental capability that needs to be set-up in an organisation. This article focuses on the IAM concepts for an Organisation's internal operations. This implies the scope of IAM not only includes Internal employees but also the 3rd party partners.

How can Startups centrally manage their internal & external users centrally?

There are number of constraints that limit the adoption of a mature IAM system viz., cost, technology expertise, priorities etc.

Microsoft's Azure AD or Microsoft Entra, is great to start-off with despite its higher cost model as it will set the foundations which can help secure the key assets. Organisation need to move towards Identity based access controls.

Basic Hygiene

Secure the User Access : Ensure all the identities are set-up in IAM and 2 FA enabled.

Secure the Applications: Ensure Organisation Apps are on-boarded on the IAM. Using group management provide access to Applications based on the principles of Least Privilege

2nd Line of Defence using Zero-Trust Policies: Enforce Conditional Access Policies (CAP) to enforce organisation specific cyber security policies viz., user attributes, user location, device compliance and session configs etc.

Identity Governance: Ensure there is access re-certification to address JML and compliance with audit frameworks.

Federated Identity Management: For 3rd Party users ensure there is Federated Identity Management with the 3rd Party's IdP or ensure setting up users as guest users in your tenant.

Logging & Monitoring: Use the Identity Protection module to keep a tab on the resource access. Set-up alerts for access to critical Apps to channel your SOC's/Administrator focus and getting overwhelmed with zillions of alerts.

If you have any questions, feel free to contact us. We are happy to provide consultation and assistance in setting up your IAM.