15.12.2025 | Michael Roth et al. | Article

IAM: Focus Areas 2025


This article is part two of our four-part series on cybersecurity topics that have been of particular interest to us this year. Identity and access management (IAM) continues to be a key topic, both from a compliance perspective and due to technological developments. Three aspects have been on our minds for some time and were also central this year: ensuring central IAM governance despite increasing cloud solutions, managing and controlling (highly) privileged accounts and dealing with non-human identities. We will discuss these three aspects in more detail below.

Centralized IAM governance in times of M365 and SaaS solutions

Uncontrolled data sharing on M365 or Atlassian, guest accounts with no clear owner and no known business need, and SaaS solutions operated as shadow IT.

Such circumstances are undesirable from a security perspective, but often correspond to reality. On the one hand, organizations strive for open and uncomplicated collaboration with external parties. On the other hand, specialist departments use the opportunity to deploy SaaS solutions quickly and independently in order to increase productivity and agility. From a security and architecture perspective, however, uncontrolled use remains problematic, as considerable risks can arise.

We recommend using IAM consistently as the central instance for cloud solutions in order to control accounts and authorizations for these use cases. By connecting Entra ID to IAM, accounts and their basic authorizations for Azure and M365 can be managed centrally. For fine-grained authorizations within M365, there are certain limits to what IAM can control and monitor. As part of a conceptual design, the split of management and control functions between IAM and M365 should be clearly defined and then enforced through the configuration of the organization's own cloud tenant. The uncomplicated option of inviting guests directly via Azure appears attractive at first glance, but often ignores questions about ownership and lifecycle management of the identities created. This is where central IAM governance can contribute to the solution without severely restricting user flexibility.

The same applies to the business use of SaaS solutions, which should be approved and centrally orchestrated in IAM. With IAM, SaaS authorizations can be requested, approved and managed in a traceable manner. Various options are available for provisioning users and their authorizations:

  • Just-in-Time (JIT) using OpenID Connect (OIDC) or SAML
  • System for Cross-domain Identity Management (SCIM)
  • Manual setup directly in the SaaS solution based on a ticket
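The SCIM option is the one that lets IAM stay in control over the whole lifecycle, not just the initial setup. The following added example (not code from the original article or from the authors) simulates what central orchestration looks like in practice: an in-memory stand-in for a SaaS tenant's SCIM 2.0 `/Users` endpoint and a sync routine on the IAM side that creates, updates and deactivates users so that the tenant reflects exactly the entitlements approved in IAM, and that reports tenant accounts IAM never approved. The identities, role names and the `FakeScimEndpoint` class are constructed for the example; only the SCIM schema URNs and the User/PatchOp shapes are taken from the SCIM 2.0 specification.

```python
"""Central IAM orchestration of a SaaS tenant via SCIM 2.0 (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass
class IamIdentity:
    """What the central IAM holds for one approved SaaS entitlement (assumed fields)."""
    external_id: str          # IAM's immutable identifier for the identity
    user_name: str
    display_name: str
    email: str
    roles: tuple[str, ...]    # SaaS roles approved through the IAM request workflow
    active: bool = True


class FakeScimEndpoint:
    """Stand-in for a SaaS SCIM 2.0 /Users resource: POST, PATCH, lookup by externalId."""
    def __init__(self) -> None:
        self._users: dict[str, dict] = {}   # scim id -> stored resource
        self._next = 1

    def post_user(self, resource: dict) -> dict:
        assert SCIM_USER in resource["schemas"]
        scim_id = f"u{self._next}"
        self._next += 1
        stored = {**resource, "id": scim_id}
        self._users[scim_id] = stored
        return stored

    def patch_user(self, scim_id: str, patch: dict) -> dict:
        assert patch["schemas"] == [SCIM_PATCH]
        user = self._users[scim_id]
        for op in patch["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError("only 'replace' is modelled in this example")
            user[op["path"]] = op["value"]
        return user

    def find_by_external_id(self, external_id: str) -> dict | None:
        return next((u for u in self._users.values()
                     if u.get("externalId") == external_id), None)

    def all_users(self) -> list[dict]:
        return list(self._users.values())


def to_scim_user(identity: IamIdentity) -> dict:
    """Map the IAM identity to a SCIM 2.0 User resource."""
    return {
        "schemas": [SCIM_USER],
        "externalId": identity.external_id,
        "userName": identity.user_name,
        "displayName": identity.display_name,
        "emails": [{"value": identity.email, "primary": True}],
        "roles": [{"value": r} for r in identity.roles],
        "active": identity.active,
    }


def patch_op(path: str, value) -> dict:
    """Build a SCIM PatchOp that replaces one attribute."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": path, "value": value}]}


def sync(iam: list[IamIdentity], scim: FakeScimEndpoint) -> dict[str, list[str]]:
    """Push the IAM state to the tenant; returns which user got which action."""
    report: dict[str, list[str]] = {"created": [], "updated": [], "deactivated": [], "orphaned": []}
    known: set[str] = set()
    for ident in iam:
        known.add(ident.external_id)
        existing = scim.find_by_external_id(ident.external_id)
        if existing is None:
            if ident.active:                      # new entitlement: create the account
                scim.post_user(to_scim_user(ident))
                report["created"].append(ident.user_name)
            continue
        if not ident.active and existing["active"]:   # leaver or revoked: deactivate, keep audit trail
            scim.patch_user(existing["id"], patch_op("active", False))
            report["deactivated"].append(ident.user_name)
            continue
        wanted = [{"value": r} for r in ident.roles]
        if ident.active and existing["roles"] != wanted:   # role change approved in IAM
            scim.patch_user(existing["id"], patch_op("roles", wanted))
            report["updated"].append(ident.user_name)
    # Active tenant accounts without an IAM externalId were created outside IAM: review them
    for u in scim.all_users():
        if u.get("externalId") not in known and u["active"]:
            report["orphaned"].append(u["userName"])
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one role change, one joiner, one leaver, one hand-made account."""
    scim = FakeScimEndpoint()
    scim.post_user(to_scim_user(IamIdentity("iam-1001", "alice", "Alice A.", "alice@example.com", ("viewer",))))
    scim.post_user(to_scim_user(IamIdentity("iam-1003", "dave", "Dave D.", "dave@example.com", ("admin",))))
    scim.post_user({"schemas": [SCIM_USER], "userName": "contractor.bob", "active": True, "roles": []})
    iam_state = [
        IamIdentity("iam-1001", "alice", "Alice A.", "alice@example.com", ("viewer", "editor")),
        IamIdentity("iam-1002", "carol", "Carol C.", "carol@example.com", ("viewer",)),
        IamIdentity("iam-1003", "dave", "Dave D.", "dave@example.com", ("admin",), active=False),
    ]
    return sync(iam_state, scim)
```

The `orphaned` list is the interesting output for governance: it is exactly the set of accounts that would otherwise have no owner, no approval record and no deprovisioning trigger. With the JIT option (OIDC or SAML) the account appears only on first login, so the deactivation path does not exist and access removal depends entirely on blocking the federation at the identity provider.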

This consistent control of cloud authorizations in IAM establishes central governance, which significantly simplifies processes and increases the level of automation. It not only strengthens the security of identities and accounts in a sustainable way, but also enables single sign-on (SSO) for users and thus a good user experience (UX).

IAM as the basis for end-to-end Privileged Access Management (PAM)

The term “Privileged Access Management”, or PAM for short, has a strong presence in the security environment and is increasingly becoming the focus of regulatory authorities such as the Swiss Financial Market Supervisory Authority (FINMA). But what is PAM anyway? This question is not easy to answer, because PAM is not just a tool for secure password management for administrators, nor is it simply a jump host solution with session recording that enables controlled access for infrastructure management.

An end-to-end PAM ensures that the authorizations and access of (highly) privileged accounts are secured and monitored. The basis for this is the management of privileged accounts and their authorizations. Classic IAM can be used for this Privileged Identity Management (PIM). IAM has the necessary processes to grant an identity the required authorizations in a controlled and risk-oriented manner while ensuring central IAM governance. In contrast to regular authorizations, privileged authorizations should only be activated temporarily and with justification when necessary. Additional processes are therefore required in the PAM context for the justified activation of privileged access. Existing IT service management (ticketing) solutions are often integrated into PAM for the justification.

However, in order for effective PAM to take place at all, privileged accounts must be identified, which can be a major challenge in itself. We always recommend that privileged accounts are handled appropriately by carrying out a risk assessment according to their authorizations. This forms the basis for implementing the necessary protective measures in a risk-oriented manner.

Only once the foundations have been laid can classic PAM controls such as password vaults, strong authentication, jump host infrastructure and monitoring and recording of PAM sessions be used.
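The two foundations named above, deriving a risk classification from a privileged role's authorizations and activating privileged access only temporarily and with a justification, can be expressed as one small policy engine. The following added example (not code from the original article or from the authors) does that: the tier of a role is computed purely from the authorizations it carries, the tier decides which controls an activation must satisfy (justification always, ticket reference and strong authentication from tier 2 upwards) and how long the elevation may last, and the resulting activation carries an expiry. The role names, the authorization labels, the tier thresholds and the `TIER_POLICY` values are assumptions made for the example.

```python
"""Risk-tiered, time-bounded activation of privileged authorizations (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed: the authorizations carried by each privileged role
PRIVILEGED_ROLES = {
    "helpdesk-operator": {"reset_user_password"},
    "db-admin": {"read_all_tables", "alter_schema"},
    "domain-admin": {"manage_identities", "modify_security_policy", "read_all_data"},
}

# Assumed: authorizations ranked by damage potential if misused
CRITICAL_AUTHZ = {"manage_identities", "modify_security_policy"}
HIGH_AUTHZ = {"alter_schema", "read_all_data", "read_all_tables"}


def risk_tier(role: str) -> int:
    """Tier 3 = highest risk. Derived only from the role's authorizations."""
    authz = PRIVILEGED_ROLES[role]
    if authz & CRITICAL_AUTHZ:
        return 3
    if authz & HIGH_AUTHZ:
        return 2
    return 1


# Assumed controls per tier: maximum activation window, ticket required, strong auth required
TIER_POLICY = {
    1: {"max_hours": 8, "ticket": False, "mfa": False},
    2: {"max_hours": 4, "ticket": True, "mfa": True},
    3: {"max_hours": 1, "ticket": True, "mfa": True},
}


@dataclass
class ActivationRequest:
    account: str
    role: str
    justification: str
    requested_hours: float
    ticket_id: str | None = None     # reference into the ITSM/ticketing system
    mfa_verified: bool = False       # set by the authentication step, not by the requester


@dataclass
class Activation:
    account: str
    role: str
    tier: int
    valid_from: datetime
    valid_until: datetime
    ticket_id: str | None

    def is_active(self, at: datetime) -> bool:
        """Privileged access is only usable inside the approved window."""
        return self.valid_from <= at < self.valid_until


def activate(req: ActivationRequest, now: datetime) -> Activation:
    """Grant a temporary elevation if the request satisfies the controls of the role's tier."""
    tier = risk_tier(req.role)
    policy = TIER_POLICY[tier]
    if not req.justification.strip():
        raise PermissionError("justification required for privileged activation")
    if policy["ticket"] and not req.ticket_id:
        raise PermissionError(f"tier {tier} activation requires a ticket reference")
    if policy["mfa"] and not req.mfa_verified:
        raise PermissionError(f"tier {tier} activation requires strong authentication")
    if req.requested_hours > policy["max_hours"]:
        raise PermissionError(
            f"tier {tier} allows at most {policy['max_hours']}h, requested {req.requested_hours}h")
    return Activation(req.account, req.role, tier, now,
                      now + timedelta(hours=req.requested_hours), req.ticket_id)


def demo() -> dict[str, object]:
    """Constructed scenario: one compliant activation and two rejected requests."""
    now = datetime(2025, 12, 15, 9, 0, tzinfo=timezone.utc)
    ok = activate(ActivationRequest("adm-example", "domain-admin", "Emergency patch, see ticket",
                                    1.0, ticket_id="CHG-0001", mfa_verified=True), now)
    result: dict[str, object] = {
        "tier": ok.tier,
        "active_after_30min": ok.is_active(now + timedelta(minutes=30)),
        "active_after_61min": ok.is_active(now + timedelta(minutes=61)),
    }
    try:   # tier 3 without a ticket reference
        activate(ActivationRequest("adm-example", "domain-admin", "Emergency patch", 1.0, mfa_verified=True), now)
        result["no_ticket_rejected"] = False
    except PermissionError:
        result["no_ticket_rejected"] = True
    try:   # tier 2 asking for a longer window than the tier allows
        activate(ActivationRequest("adm-example", "db-admin", "Schema migration", 6.0,
                                   ticket_id="CHG-0002", mfa_verified=True), now)
        result["too_long_rejected"] = False
    except PermissionError:
        result["too_long_rejected"] = True
    return result
```

The point of keeping `risk_tier` a pure function of the authorizations is that the classification can be recomputed whenever a role's authorizations change, so the protective measures follow the actual risk rather than a label assigned once. The `Activation` record (account, role, tier, window, ticket) is also the natural correlation key for session recording and for the SOC.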

A closer look reveals that PAM is not just another tool solution, but a conceptually, procedurally and organizationally very demanding and interlinked subject area. Nevertheless, PAM is a central component of a comprehensive security strategy and must be approached systematically.

Manage and control non-human identities (NHI) effectively

Many known security incidents are based on the misuse of technical accounts that represent non-human identities (NHI). These accounts are an obvious target for attackers because their credentials are often poorly secured and valid for a long time. In addition, the use of technical accounts is often not monitored strictly enough, and their far-reaching authorizations add to the criticality of this attack vector.

In modern IT landscapes with diverse cloud services, automation, microservice architectures, IoT devices and AI bots, the importance of technical accounts has increased significantly. Their consistent protection is crucial for overall corporate security and requires clear governance.

This is also where IAM comes into play: non-human identities are managed in IAM in the same way as human identities, although they do not necessarily have to be mapped in the same system. The concept of an identity fabric with different, interlinked IAM systems should also be examined. Clear ownership for each NHI serves as the basis for ensuring lifecycle management. Authorizations are centrally enforced and documented as part of authorization assignment and periodic recertification. This enables compliance with the principle of least privilege and ensures traceability and the ability to report who has which access. Reconciliation and internal control system (ICS) controls are established as control processes; they ensure that technical accounts that do not exist in the IAM can be identified and appropriate measures can be initiated.

In addition to enforcing IAM as the lead system for NHI, further security measures are essential to safeguard the technical accounts. These relate to credential management, authentication and authorization in the sense of actual access control at runtime, as well as the Security Operations Center (SOC/CDC) with anomaly detection and other use cases. In this way the use of NHI can be restricted as required, and misuse by system administrators and attackers can be prevented as far as possible.
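The reconciliation control described above, together with the credential-management point (credentials that stay valid for a long time), is shown in the following added example (not code from the original article or from the authors). An export of service accounts from target systems is compared with the NHI inventory in IAM. Four kinds of findings come out: accounts the target system has but IAM does not know (no owner, no lifecycle), accounts retired in IAM but still present, credentials older than the rotation limit, and accounts unused beyond an idle limit; IAM records with no matching target account are reported as well, because a stale inventory is itself a control failure. Account names, system names, the two limits and all dates are constructed for the example.

```python
"""Reconciliation of technical accounts against the IAM NHI inventory (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class NhiRecord:
    """What IAM holds for a registered non-human identity (assumed fields)."""
    account: str
    system: str
    owner: str
    retired: bool = False


@dataclass(frozen=True)
class TargetAccount:
    """What a target system reports about a service account (assumed fields)."""
    account: str
    system: str
    credential_set_on: date
    last_used: date | None


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    issue: str


MAX_CREDENTIAL_AGE_DAYS = 90   # assumed rotation limit for NHI credentials
MAX_IDLE_DAYS = 60             # assumed: accounts idle this long are candidates for removal


def reconcile(iam: list[NhiRecord], targets: list[TargetAccount], today: date) -> list[Finding]:
    """Compare target-system accounts with the IAM inventory and return all findings."""
    by_key = {(r.system, r.account): r for r in iam}
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()
    for t in targets:
        key = (t.system, t.account)
        seen.add(key)
        rec = by_key.get(key)
        if rec is None:
            findings.append(Finding(t.system, t.account, "not registered in IAM: no owner, no lifecycle"))
        elif rec.retired:
            findings.append(Finding(t.system, t.account, "retired in IAM but still present in target"))
        age = (today - t.credential_set_on).days
        if age > MAX_CREDENTIAL_AGE_DAYS:
            findings.append(Finding(t.system, t.account,
                                    f"credential {age} days old, limit {MAX_CREDENTIAL_AGE_DAYS}"))
        if t.last_used is None or (today - t.last_used).days > MAX_IDLE_DAYS:
            findings.append(Finding(t.system, t.account, "unused beyond idle limit"))
    # Active IAM records with no account in the target: the inventory is stale
    for rec in iam:
        if not rec.retired and (rec.system, rec.account) not in seen:
            findings.append(Finding(rec.system, rec.account, "registered in IAM but missing in target"))
    return findings


def demo() -> list[Finding]:
    """Constructed inventory and export, reconciled as of 15.12.2025."""
    iam = [
        NhiRecord("svc-backup", "linux-prod", "team-ops"),
        NhiRecord("svc-etl", "dwh", "team-data"),
        NhiRecord("svc-legacy", "dwh", "team-data", retired=True),
        NhiRecord("svc-ci", "gitlab", "team-dev"),
    ]
    targets = [
        TargetAccount("svc-backup", "linux-prod", date(2025, 10, 1), date(2025, 12, 10)),
        TargetAccount("svc-etl", "dwh", date(2025, 1, 15), date(2025, 12, 14)),
        TargetAccount("svc-legacy", "dwh", date(2024, 6, 1), None),
        TargetAccount("svc-unknown", "linux-prod", date(2025, 11, 20), date(2025, 12, 12)),
    ]
    return reconcile(iam, targets, date(2025, 12, 15))


def issues_by_account(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings per account, the shape an ICS control report usually wants."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.account, []).append(f.issue)
    return grouped
```

Run periodically, the findings feed the ICS control: each entry needs an owner decision (register, retire, rotate or remove) with a deadline, and the count of open findings per system is a usable KPI for how far NHI governance has actually been enforced.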

Conclusion and invitation to exchange

IAM is a central component of the security strategy and must keep pace with technological, regulatory and organizational developments. IAM becomes effective when organization, processes and technology interact in a coordinated manner. This requires a clearly defined target image and consistent concepts that enable targeted prioritization and staged further development.

Are these issues of concern to you? Then get in touch with us and arrange a non-binding consultation with our experts. Together we will find out whether and how we can best support you.

About the authors

Michael Roth
Expert Security Consultant
Dipl. Inform. UZH
CISM, Project Management Professional (PMP)

I am an experienced security expert and project manager. I advise my clients from various industries primarily on the strategy, design and implementation of their Identity & Access Management (IAM) and Privileged Access Management (PAM) as well as security management. As a proven project manager, I also use my experience in the planning, implementation and introduction of security projects.

Adrian Bachmann
Partner, Managing Director
Dr. Inform. UZH, EMBA UZH, Dipl. Inform. UZH

As an experienced security expert and risk manager, I support my clients in key areas such as Identity and Access Management (IAM), authentication, federation, risk management and the internal control system (ICS). My expertise as a security architect extends across complex and heterogeneous IT landscapes, in which I develop customized security solutions. I am also involved in the Swiss Cyber Storm association, which is dedicated to promoting young talent and organizes the annual conference of the same name.
