Advancing Your Identity Management Strategy with the IAM Maturity Model

Understanding the 7 Core Tenets of Identity and Access Management

How Mature is Your Identity and Access Management Program?

Maturity models are the key to improving organizational performance by identifying gaps, setting benchmarks, and establishing priorities—and IAM is no exception.

However, increasing your IAM maturity level means understanding not only your organization’s overall position, but also its position within each of the major IAM tenets: Federation, Multi-Factor Authentication, Single Sign-On, Delegated Administration, Identity Lifecycle Management, Access Management, and Governance. Here's what you need to know.


Take our assessment to discover your level of IAM maturity and receive actionable steps for each tenet.

Determine Your Organization's IAM Maturity Level with Our Free Assessment Tool


Maturity Model Overview

As recently as five years ago, establishing strong network controls and ensuring a defense-in-depth posture was enough to minimize the risk of a cyber-attack and keep the bad actors out of your network. However, times have changed, and the delineation of organizational perimeters has blurred between on-premise and cloud-based resources as more and more users need remote access to resources and accounts.

So, how do we define the new security perimeter? The answer is clear: with user identities, and by managing the precise level of access each has within the organization’s systems and resources.

Four Key Areas of Comprehensive IAM

At Identity Automation, we work with a wide variety of organizations, across multiple industries, yet the areas organizations seek to improve with an integrated IAM solution remain consistent. The primary motivators of IAM technology are threefold: to strengthen the organization’s security posture, to increase operational efficiency, and to enhance the user experience.

It’s important to note that in the IAM space the meaning of different terms can vary from person to person. Let’s take a moment to review the top four areas of comprehensive IAM and how they differ from one another.

  1. Lifecycle Management - the collection of technologies and processes that govern the creation, management, and removal of identities across the systems and applications within your enterprise. 
  2. Authentication - the technology that validates a user is who they claim to be.
  3. Access Management - a collection of technologies and techniques that control what a user is granted access to and what they can access within an organization’s resources.
  4. Governance - the technology and processes that enable an organization to define, review, enforce, and audit access management policies, while also mapping IAM functions to compliance requirements and, in turn, auditing user access to support compliance initiatives.

Identify Your Organization’s Focus Areas with the IAM Maturity Model

As we move from the perception of IAM as a technology confined to select areas toward a robust and mature IAM system, we have to determine how to improve our IAM capabilities. That’s where the Identity and Access Management Maturity Model comes into play: it identifies gaps, sets benchmarks, and establishes priorities for your IAM program.

So, which tenets of the Identity and Access Management Maturity Model does your organization need to focus on to increase capabilities and secure the new perimeter?


Watch our on-demand webinar, IAM Maturity Model Overview: Understanding the 7 Tenets of Identity and Access Management, to learn our best practice strategies for implementing the tenets and steps for increasing these capabilities.

Chapter 1


If your organization is just beginning its IAM program and wants to take its identity management efforts to the next level, we recommend you start with the most logical first step in the IAM maturity model: Federated Identity Management.

Federated Identity Management, also known as federation, is the simplest tenet of identity management. In fact, the majority of organizations can use federated identity management without implementing a full-scale IAM solution.

Federation is a specific type of SSO that enables organizations to integrate with applications without exposing critical systems or data by leveraging a trusted party to identify and authenticate constituents. The trust has been established between the systems ahead of time to verify this mutual exchange of information.

For example, companies who rely on third-party applications on a consistent basis can federate a set of applications to allow users one central point for authentication, such as entering a username and password.

So, Who Can Benefit from Federated Identity Management?

Federated identity management has significant benefits to organizations, particularly those who are in the beginning stages of an IAM program or those who are currently using or switching to cloud or SaaS-based applications.

A primary benefit of federation is to simplify the user authentication experience, saving time and headaches. Users login to the central point for authentication once and then seamlessly continue their day-to-day processes without having to constantly enter and manage separate credentials for each application.

In addition, organizations look to federation as a way to reduce administrative overhead. For example, there will always be employees coming and going, and perhaps your organization requires a password reset every 6 months. With federation, your administrative team has one central portal to make these updates, instead of within multiple applications for each user.

Finally, federation is used to increase the security posture in identity management and can even be combined with multi-factor authentication (MFA). When authentication is streamlined to one central location, very little information is shared with external applications, due to the trust established ahead of time. Adding MFA, such as a one time password or push authentication, adds an extra layer of protection from a security standpoint.

Where Does Your Organization Fall on the Federation Maturity Model?

As far as complexity of implementation goes, Level 1 is considered low-hanging fruit. In this Basic Level of the Federation Maturity Model, the organization has an Identity Provider (IDP) in place with support for the SAML federation protocol and at least one additional federation protocol.

Level 2 is quite a leap, rather than a step, in the maturity model and mainly speaks to supporting multiple federation protocols.

In Level 3, security is increased by implementing multiple types of authentication methods with granular and adaptive authentication policies.

Moving along to the ultimate level, or Mesh, an organization is doing business with other businesses and with consumers, resulting in more SPs and IDPs alike. At Level 4, the complexities of mesh and simplifying administration come into play, as the organization is tasked with not only managing the IDPs, but the sessions involved in each as well.

Chapter 2

Multi-Factor Authentication

By now, we should all be aware of the inadequacies of passwords. Breach after breach, it's been made painfully clear that single-factor authentication is not enough. In fact, according to the 2017 Verizon Data Breach Report, over 80% of hacking-related breaches are due to weak or stolen passwords. So when the traditional means of authentication are so clearly flawed, what’s the next step?

Most organizations know that multi-factor authentication (MFA) can help amp up security with an additional authentication method that further proves the user is who they claim to be. However, it can be difficult to navigate through the many authentication methods that exist or to compare functionality across numerous MFA solutions and vendors.

Building Blocks: Authentication Factors, SFA, 2FA, and MFA

An authentication factor is an "independent category of credential used for identity verification." In plain English, that means something that proves that you are who you say you are. As defined by NIST SP 800-63-3, the three factors that are identified as the cornerstones of authentication are:   

  1. Something you know (e.g., a password).
  2. Something you have (e.g., an ID badge or a cryptographic key).
  3. Something you are (e.g., a fingerprint or other biometric data).


Where Does Your Organization Fall on the MFA Maturity Model?

At the Basic Level, an organization has 2FA in place, with authentication factors supporting the “something you know” and “something you have” authentication methods.

Level 2, also known as the Advanced Level, supports all three authentication factors, achieving true MFA capabilities.

Moving on to Level 3, you should first define risk-mitigating policies. This helps ensure your high-risk users are protected with the strongest risk-mitigating authentication policies. At this point, you’ll also need to start thinking about how to refine these policies based on various contextual factors, such as time of day, day of the week, network origin, and whether the device is trusted.
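The following is an added example, not part of the original guide or any vendor's product logic, of a Level 3 style policy that chooses the required authentication factors from the user's risk tier and the contextual factors listed above. The tier names, business hours, corporate network range, and the two-signal threshold are assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed policy inputs for illustration; every organization defines its own.
CORPORATE_NETS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59 local time
BUSINESS_DAYS = range(0, 5)     # Monday (0) through Friday (4)

KNOW = "something_you_know"
HAVE = "something_you_have"
ARE = "something_you_are"


@dataclass(frozen=True)
class LoginContext:
    user_risk: str        # "standard" or "high" (hypothetical tier names)
    when: datetime        # local time of the login attempt
    source_ip: str
    device_trusted: bool


def context_signals(ctx: LoginContext) -> list[str]:
    """Return the contextual factors that look unusual for this login."""
    signals = []
    if ctx.when.hour not in BUSINESS_HOURS:
        signals.append("outside_business_hours")
    if ctx.when.weekday() not in BUSINESS_DAYS:
        signals.append("weekend")
    addr = ip_address(ctx.source_ip)
    if not any(addr in net for net in CORPORATE_NETS):
        signals.append("external_network")
    if not ctx.device_trusted:
        signals.append("untrusted_device")
    return signals


def required_factors(ctx: LoginContext) -> tuple[set[str], list[str]]:
    """Map risk tier plus context to the factors the login must present."""
    signals = context_signals(ctx)
    factors = {KNOW, HAVE}  # 2FA baseline from the Basic Level
    # High-risk users always get the strongest policy. Any tier other than
    # "standard" is treated as high risk, so an unknown value fails closed.
    # Standard users step up when two or more signals are present.
    if ctx.user_risk != "standard" or len(signals) >= 2:
        factors.add(ARE)
    return factors, signals
```

Returning the signals alongside the decision lets the authentication log record why a step-up was demanded, which helps when the policy is tuned later.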

Once you’ve reached Level 3, the next step is to begin considering your artificial intelligence strategy. You may be wondering, how does artificial intelligence even fit into the discussion of MFA? While voice and face recognition are excellent examples of artificial intelligence-driven authentication methods, there are other factors, such as keystroke patterns, where the system learns over time how you interact with the keyboard.

Chapter 3

Single Sign-On

Single sign-on, also known as SSO, is a widely popular component of identity and access management (IAM) that not only helps organizations address important access challenges, it also offers clear productivity and user experience benefits.

However, SSO is not a one-size-fits-all solution, and once implemented, there are varying levels of SSO capabilities which can be evaluated using a maturity model. Similar to the Federation and Multi-Factor Authentication Maturity Models we’ve previously discussed, the SSO Maturity Model helps organizations define their current level on the capability scale and understand next steps that can be taken to advance these capabilities.

While there are varying definitions for the term, at Identity Automation, we define SSO as a one-time login that permits the user to seamlessly access their complete workstation. This initial authentication could be an ID/password challenge or it could be a passwordless challenge, such as using physical or biometric means of authentication. Once the user successfully confirms his or her identity, they will not be prompted for an additional login when accessing applications within the single sign-on environment.

In essence, SSO solutions enable users to access all of their applications using a single set of credentials and are all about improving your users’ productivity and experience.

Where Do You Fall on the Single Sign-On Maturity Model?

In Level 1, the Basic level of the SSO Maturity Model, organizations utilize Reduced Sign-On (RSO), which relies on directory services where accounts can be managed in one place. At this level, an organization has integrated many of their applications via Lightweight Directory Access Protocol (LDAP) to reduce the number of credentials an end user needs to remember. Essentially, the directory password is pulled and used to sign into applications that have matching credentials. For many organizations, this involves using simplified credentials, where users set the same password for multiple applications. 

In Level 2, the Advanced level of the SSO Maturity Model, the SSO solution is more sophisticated and uses technology to pass credentials through to applications, either as agent or agentless web SSO.

At the Advanced level, there is no need for password managers and Federation tends to start tying in with SSO. Organizations at this level have reached at least Level Two of the Federation Maturity Model. This means that when a user launches an application, he or she is redirected back to a central login page to put in their directory credentials. Upon successful authentication, the user is sent straight back to the application.

In Level 3 of the SSO Maturity Model, the focus is on native SSO, or providing SSO for native applications on Windows platforms. At Identity Automation, we frequently see native applications used in education, healthcare, and retail: basically any organization that has some sort of large enterprise resource planning (ERP) system.

Level 4 takes everything in Level 3 and expands it to other platforms, including mobile. At Level 4, Intelligent, an organization supports SSO on every endpoint, including macOS, iOS, Android, Chrome OS, Linux, and thin clients.


Chapter 4

Delegated Administration

One of the most powerful features of any modern identity and access management (IAM) solution is delegated administration. This core feature gives business users of an organization the ability to perform basic IT functions, such as new account creation, role and group assignment, and access requests, all without the capabilities and permissions typically tied to a privileged IT role.

On a broader level, delegated administration makes full identity lifecycle management possible by ultimately allowing for automated and streamlined business processes. That being said, it’s crucial that organizations thoroughly evaluate their current delegation functions, if any, and assess the capabilities in practice today, as well as understand where increased focus is needed.

Where Do You Fall on the Delegated Administration Maturity Model?

In Level 1, also known as the Basic Level, a key characteristic is that administrators have the ability to perform simple delegation tasks, such as resetting passwords. Without this primary characteristic, organizations would be considered at Level 0, meaning they have not yet implemented any delegation features or capabilities.

In Level 2, otherwise known as the Advanced Level, an organization expands on its initial offering of self-service capabilities by providing tools that empower business users to perform lifecycle management of external or sponsored accounts, such as contractors or visitors, and all self-service and delegation actions flow through to all connected systems. Another main characteristic resolves a common challenge organizations face: notifying workers of their newly created account credentials.

Level 3 of the Delegated Administration Maturity Model is comprised of two main capabilities. First, end users are empowered to help their peers based on birthright relationships (a user’s attributes or roles), such as a department, project, or class. Essentially, this allows business users to be a second line of support. Second, application owners are empowered with the tools to manage access to the applications they own.

Level 4, Intelligent, can also be broken into two main areas. First, organizations at this level have implemented some level of governance, another tenet of the IAM maturity model, maturing their delegated administration capabilities to allow full system visibility to application owners and business owners (non-IT users who are responsible for the line of business associated with an application or system). 

The second area of Level 4 speaks to granular controls that empower end users to give others the ability to act as their proxy. By defining proxy as policies, authorized users and administrators can view information as another user and perform actions on their behalf. 

Chapter 5

Identity Lifecycle Management

Identity Lifecycle Management (ILM) refers to the actual creation and management of user identities, taking appropriate actions for any changes, as well as the removal of identities across all the services and applications end users access within the organization's ecosystem. In fact, ILM is debatably the most important tenet of your entire IAM strategy because it directly ties into all the applications or services your end users access.

Synonymous with automated lifecycle management (ALM), the goal of ILM is to automate identity processes across the organization’s environment. Automation ensures that identities across your organization’s disparate systems are in a state that matches your authoritative sources. Without an ILM engine, manually processing and managing identity changes and ensuring the appropriate actions are taken is very difficult.

While the primary focus of ILM is on the context of users, it can also refer to the identity management of any account that needs access. For example, ILM could be utilized for IoT devices and external services for service to service access.

Where Do You Fall on the Identity Lifecycle Management Maturity Model?

While our ILM Maturity Model starts with Level 1, an organization could actually be at Level 0, meaning there are no capabilities currently in place to manage user identities. Account provisioning is completely manual and done on an ad-hoc or reactive basis, so account details are prone to human error. In addition, onboarding, and the amount of time it takes to get a new employee online and productive, is often an issue.

On the other hand, organizations in Level 1 have begun automating account creation with scripts that are focused on basic account creation. However, as these scripts are created for specific purposes, they are difficult to generalize for repurposing. 

At Level 2, Advanced, an organization begins deploying vendor-provided tools to manage their accounts. However, these are single purpose synchronization tools, meaning they only work to automate account creation in that one particular vendor's product, and were not developed to provide complete lifecycle management. 

At the more sophisticated levels of the ILM Maturity Model, the processes become more and more automated. Organizations in Level 3 of the ILM Maturity Model have implemented an identity logic engine that automates processes across their entire ecosystem. The ILM engine centralizes all identity lifecycle management for a holistic approach, instead of various groups within the organization managing identities and lifecycle events within each application.

At this stage, ILM is fully automating what we call birthright access, which refers to the logic or rules whose criteria are met by the data received from authoritative sources.

While Level 4 is somewhat of a future concept, there are many groups and standards being published today that indicate the industry is heading in an API-driven direction in order to reduce the complexity of a complete ILM implementation. In API-driven ILM, the target or downstream system pulls identity and other business data using standard RESTful APIs, giving internal and third-party developers real-time access, rather than the organization having to design ways to push this data to the new system.

Chapter 6

Access Management

Access Management (AM) is a critical area in any cybersecurity strategy that refers to how identities are applied to the data and resources in an organization’s environment, ensuring users have the correct access to the appropriate systems, resources, and applications. While AM is a process of managing authorization, it’s important to recognize it’s not just the process of granting access, but also removing and changing access, depending on where the user is in the identity management lifecycle.

Access Management (AM), Identity Management, Identity and Access Management (IAM), and Privileged Access Management (PAM): while these terms use similar language and act to strengthen an organization’s security posture, they each have separate and distinct meanings. 

Access Management (AM) ensures access is granted to valid users and prohibited to invalid users by identifying, tracking, and regulating users' access to a system or application. While Identity Management creates and manages different users, roles, groups, and policies, access management ensures these roles are assigned proper access to resources based on these policies. AM is a governance process often used in conjunction with Identity Management for a comprehensive IAM system, which manages both user identities and access privileges alike.

On the other hand, PAM is a subset of Access Management that provides additional protection for privileged accounts, or the primary accounts that are at an administrative or system level. These are typically powerful accounts that give the user complete access to the system or application, so organizations make strong efforts to protect them. While AM refers to having the rights to certain resources or systems, PAM refers to having the rights to use privileged accounts.

Where Do You Fall on the Access Management Maturity Model?

At Level 1, the most rudimentary access management level, there are two prerequisites from other IAM tenets, one of which we’ve already covered in our maturity model series, ILM, and one yet to come, governance. While fairly advanced ILM capabilities are required for Level 1 of the Access Management Maturity Model, only basic governance functionality is needed.

At Level 1, Access Management is based on two primary models of access control: Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC). Level 1 birthright access management is automated utilizing ABAC; however, any exceptions needed are handled on a manual or ad-hoc basis.

In order to be at Level 2 in the Access Management Maturity Model, an organization must have a mechanism in place to handle these exceptional access requests. 

In addition, another characteristic of Level 2 is that Access Management is refined to associate users with entitlements, which typically go through a request or approval process. Using self-service capabilities, users request exceptions through the automated mechanism in place. Business owners then review requests for their given system or application and determine if access is needed. Most likely, business owners will consider factors such as the sensitivity level and whether licensing is associated before approving or denying a request.

In Level 3, Privileged Access Management (PAM) comes into the mix to protect privileged or high-risk accounts, such as shared system or service accounts. For example, this may include an organization’s administrative user accounts and root user accounts for systems like operating systems, directory services, databases, and individual applications that require a super user account.

In Level 4, the ultimate goal is to fully adopt the principle of least privileged access everywhere— providing users only the access they need for the minimum time they need it, and then removing that access or privilege. This principle affords another critical benefit: every request, grant, revoke, or other access control action is auditable. In this way, organizations will always know who did what and when, so they are always ready for an audit.
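As an added illustration (not taken from the original guide or from any product), the sketch below combines the levels described above: birthright access computed from attributes, exception grants approved by someone other than the requester, and time-limited access whose grant and revoke both land in an audit trail. The rule set, entitlement names, and the `AccessManager` class are hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Birthright rules (ABAC): attribute criteria mapped to entitlements.
# Constructed sample rules; real ones come from the organization's policies.
BIRTHRIGHT_RULES = [
    ({"status": "active"}, {"email", "intranet"}),
    ({"status": "active", "department": "finance"}, {"erp_finance"}),
]


def birthright(attrs: dict[str, str]) -> set[str]:
    """Entitlements whose criteria are all met by authoritative-source data."""
    granted: set[str] = set()
    for criteria, entitlements in BIRTHRIGHT_RULES:
        if all(attrs.get(key) == value for key, value in criteria.items()):
            granted |= entitlements
    return granted


@dataclass
class AccessManager:
    # (user, entitlement) -> expiry time of an approved exception
    grants: dict[tuple[str, str], datetime] = field(default_factory=dict)
    # (time, action, actor, user, entitlement)
    audit: list[tuple[datetime, str, str, str, str]] = field(default_factory=list)

    def approve_exception(self, now: datetime, approver: str, user: str,
                          entitlement: str, ttl: timedelta) -> None:
        """A business owner approves a requested exception for a limited time."""
        if approver == user:
            raise PermissionError("users cannot approve their own requests")
        self.grants[(user, entitlement)] = now + ttl
        self.audit.append((now, "grant", approver, user, entitlement))

    def expire(self, now: datetime) -> None:
        """Remove exceptions whose window has passed and record each revoke."""
        for (user, entitlement), expiry in list(self.grants.items()):
            if expiry <= now:
                del self.grants[(user, entitlement)]
                self.audit.append((now, "revoke", "system", user, entitlement))

    def effective_access(self, now: datetime, user: str,
                         attrs: dict[str, str]) -> set[str]:
        """Birthright access plus any exception grants that are still valid."""
        self.expire(now)
        exceptions = {ent for (u, ent) in self.grants if u == user}
        return birthright(attrs) | exceptions
```

Because birthright access is recomputed from attributes on every call, a change in the authoritative source (for example, a status that is no longer "active") removes that access without a separate revoke step.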

Chapter 7

Identity Governance

Public and highly regulated organizations require audits to ensure business is conducted in an appropriate manner. The audit process provides verification that everyone in the organization has the access they need and only what they need.

Unfortunately, the evolving regulatory landscape has made the audit process a nightmare for organizations that lack the right technology. If configurations are not centrally implemented and managed in one tool, ensuring policies are consistently enforced across the enterprise becomes a serious challenge. Furthermore, organizations vary widely when it comes to their governance maturity. The first step to evaluating your organization's identity governance capabilities is to evaluate where you stand.

What Are Entitlements?

In order to define Level 1 of the Governance Maturity Model, we first need to understand entitlements. Access granted to an application is known as an entitlement, and for each system you can access, there is an individual entitlement associated with it. For example, access to the email system is a mailbox entitlement, and that entitlement is retained as long as the user still holds the applicable role or position.

In order to achieve Level 1 of the Governance Maturity Model, an organization must maintain an entitlement repository that represents end user access. The entitlement repository is a recording or inventory of the different groupings of access within the organization and acts as the authoritative source for access across the ecosystem.

Without governance, or Level 0 on the maturity model, all entitlement-related processes would be manual, as there is no system keeping track of entitlements.

Where Do You Fall on the Identity Governance Maturity Model?

Periodically, we must validate whether or not entitlements still hold true— that a user still maintains his or her position and requires the entitlement. This entitlement review process is known as certification of access, and it allows entitlements to have an audit trail and specific oversight into continued access to the entitlement. At Level 1, organizations review granted entitlements on at least an annual basis. That being said, some auditors require a more frequent basis, such as twice a year or even once per quarter.

Organizations in Level 2 of the Governance Maturity Model reconcile the entitlement repository against data imported from systems. These entitlement reconciliations are scheduled periodically against an offline snapshot from systems. This process is similar to comparing your bank statements to your check register and making sure the amounts match up. 
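The reconciliation described above, together with the Level 1 certification check, can be sketched as follows. This is an added example, not code from the original guide or any IGA product; the CSV column names, sample records, and 365-day interval are constructed assumptions.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

CERTIFICATION_INTERVAL = timedelta(days=365)  # "at least annual" review

# Constructed sample export from two target systems (the offline snapshot).
SNAPSHOT_CSV = """system,account,entitlement
mail,alice,mailbox
mail,BOB,mailbox
erp,alice,gl_posting
erp,carol,gl_posting
"""


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    name: str
    last_certified: date

    @property
    def key(self) -> tuple[str, str, str]:
        # Account names are compared case-insensitively (an assumption).
        return (self.user.lower(), self.system, self.name)


# Constructed sample entitlement repository (the "check register").
REPOSITORY = [
    Entitlement("alice", "mail", "mailbox", date(2024, 3, 1)),
    Entitlement("bob", "mail", "mailbox", date(2022, 11, 15)),
    Entitlement("alice", "erp", "gl_posting", date(2024, 1, 10)),
    Entitlement("dave", "erp", "gl_posting", date(2024, 2, 1)),
    Entitlement("carol", "crm", "reader", date(2024, 4, 1)),
]


def load_snapshot(text: str) -> set[tuple[str, str, str]]:
    """Parse a system export into (account, system, entitlement) keys."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["account"].strip().lower(), r["system"].strip(),
             r["entitlement"].strip()) for r in rows}


def reconcile(repository: list[Entitlement],
              snapshot: set[tuple[str, str, str]],
              today: date) -> dict[str, list[tuple[str, str, str]]]:
    """Compare recorded entitlements with what the systems actually report."""
    recorded = {e.key for e in repository}
    # Only systems that appear in the snapshot can be judged; a system that
    # exported no rows at all is not covered by this simple derivation.
    covered = {system for _, system, _ in snapshot}
    return {
        # Access present on a system with no record in the repository.
        "unrecorded_access": sorted(snapshot - recorded),
        # Recorded entitlements the covered system does not actually hold.
        "missing_on_system": sorted(
            k for k in recorded - snapshot if k[1] in covered),
        # Entitlements whose last certification is older than the interval.
        "certification_overdue": sorted(
            e.key for e in repository
            if today - e.last_certified > CERTIFICATION_INTERVAL),
    }
```

Unrecorded access is the finding to route to the system owner first, since it represents access that never went through an approval or certification.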

Level 3 of the Governance Maturity Model expands on components found in Level 2, such as validating entitlements through reconciliation directly against the systems. However, Level 3 kicks these capabilities up a notch by identifying actions as they occur in real time, which is highly recommended for high-risk resources with access to sensitive data.

As opposed to an offline process that reconciles nightly or weekly, the capability of real-time verification of entitlement assignments allows for additional validation directly against systems, so owners can take immediate action in the case of credential discrepancies.

Another characteristic of Level 3 is that organizations have mapped entitlements to specific privileges. By mapping entitlements, the IGA tool is provided context to help make a decision on whether access should be granted.

Once reconciliation is streamlined and entitlements are mapped, the primary pain for organizations at this stage is the overwhelming amount of approval and certification requests. As long as humans are performing these processes, it’s unlikely that each request is thoroughly reviewed. 

Typically these processes are not one’s full-time job, and as we’re all busy, it’s easy to fall into the habit of selecting all the requests, clicking approve, and marking the task as complete. However, we know this is not the best way to protect our data. Therefore, in order to ease the burden, organizations looking to advance to Level 4 employ Artificial Intelligence (AI) to detect anomalies that individuals may not be able to see and to make predictions for approvals and certifications.
