10 IAM Controls You Should Already Have
MFA, conditional access, PAM, JIT access, and the identity controls that turn a cloud environment into a defensible one.

Identity is the new perimeter. Every successful cloud breach we've investigated in the last five years involved compromised credentials somewhere in the chain. Firewalls matter less than they used to. Endpoint EDR matters. Identity controls matter most.
Here are 10 controls we consider baseline for any serious cloud environment. If you're missing more than two or three of these, it's time to prioritize IAM work over almost everything else.
1. MFA on Every Account, No Exceptions
This is 2025. If you don't have MFA on every user account — including service accounts where possible and especially admin accounts — you have a gap that costs roughly five minutes to close per user.
Implementation notes:
- Phishing-resistant MFA is the bar now: FIDO2 hardware keys (YubiKey, Feitian), Windows Hello for Business, or passkeys. SMS and TOTP are better than nothing but are bypassable.
- Legacy protocols (basic auth, IMAP, SMTP auth) bypass MFA and must be disabled. Microsoft turned basic auth off in 365 for this reason.
- Service accounts should use managed identities or short-lived credentials, not long-lived passwords.
2. Conditional Access Based on Signal, Not Just Credentials
A correct password plus a correct MFA code isn't enough if the request is coming from a country you don't operate in, at a time your users don't work, from a device you've never seen before. Conditional access policies layer signal-based trust on top of credentials.
Policies we apply by default:
- Block sign-in from countries where you have no users
- Require compliant device (registered in MDM) for admin roles
- Block sign-in from anonymous proxies and Tor exits
- Require stronger MFA for sensitive operations (privileged role activation, password changes)
- Block legacy authentication protocols
Azure Conditional Access, AWS Identity Center with Verified Access, and Okta ThreatInsight all support these patterns.
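The layering described above, as an added illustration that is not code from any of the named products: a small policy evaluator over constructed sign-in signals. The policy values (allowed countries, admin role names, which MFA methods count as phishing-resistant) are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed policy configuration for the example (not an Entra/Okta export).
ALLOWED_COUNTRIES = {"GB", "DE", "US"}
ADMIN_ROLES = {"Global Administrator", "Privileged Role Administrator"}
LEGACY_PROTOCOLS = {"basic_auth", "imap", "smtp_auth", "pop3"}
SENSITIVE_OPERATIONS = {"role_activation", "password_change"}
PHISHING_RESISTANT = {"fido2", "whfb", "passkey"}


@dataclass
class SignIn:
    """Signals available at sign-in time; credentials are assumed already verified."""
    user: str
    roles: set
    country: str
    device_compliant: bool   # registered and compliant in MDM
    anonymous_proxy: bool    # anonymiser / Tor exit, per upstream IP reputation
    protocol: str            # "oauth2", "imap", "basic_auth", ...
    mfa_method: str          # "sms", "totp", "fido2", "passkey", ...
    operation: str = "interactive"


def evaluate(s: SignIn):
    """Apply the default policies; return ("block" | "allow", list of reasons)."""
    reasons = []
    if s.protocol in LEGACY_PROTOCOLS:
        reasons.append("legacy authentication protocol")
    if s.country not in ALLOWED_COUNTRIES:
        reasons.append(f"sign-in from {s.country} where the org has no users")
    if s.anonymous_proxy:
        reasons.append("anonymous proxy or Tor exit")
    if s.roles & ADMIN_ROLES and not s.device_compliant:
        reasons.append("admin role requires an MDM-compliant device")
    if s.operation in SENSITIVE_OPERATIONS and s.mfa_method not in PHISHING_RESISTANT:
        reasons.append(f"{s.operation} requires phishing-resistant MFA, got {s.mfa_method}")
    return ("block" if reasons else "allow", reasons)


# Constructed cases: a valid password plus a valid TOTP code is still blocked
# when the surrounding signals are wrong.
TRAVELLING_ADMIN = SignIn("admin-alice", {"Global Administrator"}, "AU", False, False,
                          "oauth2", "totp", "role_activation")
NORMAL_USER = SignIn("bob", set(), "GB", False, False, "oauth2", "totp")
```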
3. Privileged Access Management for Admins
Admin accounts have the highest blast radius. Treat them differently.
- Separate admin accounts from daily-use accounts. Never admin from the same user that checks email.
- Hardware-backed MFA required for admin sign-in.
- Session recording for admin activity in critical environments.
- Privileged Access Workstations (PAWs) for the highest-sensitivity admin work — dedicated hardware that does nothing except admin.
This is paranoid. It is also the difference between "a junior analyst clicked a phishing link and our environment is now encrypted" and "a junior analyst clicked a phishing link and we reimaged their laptop."
4. Just-in-Time Access
Standing admin access is the enemy. JIT means an admin is granted elevated access only for a bounded time window, with a stated justification, and with an approval step (or auto-approval based on role).
Azure PIM is the reference implementation: an admin activates "Global Administrator" for four hours with a justification, the activation is logged, and the access automatically expires. Similar patterns exist for AWS and GCP via Identity Center and Privileged Access Manager.
5. Regular Access Reviews
Quarterly minimum for privileged roles, annually for regular access. The manager attests or revokes. Evidence goes to the audit folder.
What we automate:
- Reports of who has what access, by group
- Identification of access that hasn't been used in 90 days
- Identification of groups with no membership changes in a year (often abandoned)
- Flagging of users with duplicate or overlapping access
Manual access reviews against CSV files are how mistakes happen. Automate the generation and the evidence collection.
6. Service Account Discipline
Non-human identities outnumber humans in most cloud environments. They deserve the same rigor.
- Named service accounts for each purpose. Never shared between systems.
- Short-lived credentials where possible (IAM roles assumed by EC2, managed identities for Azure VMs, workload identity for GKE).
- Secret rotation for accounts that must use long-lived credentials.
- Scope of access limited to what the specific workload needs. No "admin on the storage account because it was easier."
7. Zero Trust Network Access for Remote Access
VPNs are dying. They grant network-level access that violates the principle of least privilege — you prove your identity once and then you have access to everything on the internal network.
Zero Trust Network Access (ZTNA) flips this: every application request is authenticated and authorized independently. User proves identity, app authorizes request, connection is established at the application layer. No network access is granted.
Tools: Cloudflare Access, Zscaler Private Access, Tailscale, Twingate, Google BeyondCorp, Microsoft Entra Private Access.
8. Session Monitoring and Anomaly Detection
Credentials get compromised. Sessions get hijacked. You need detection that works after the initial authentication.
What to monitor:
- Impossible travel (London at 9am, Singapore at 10am)
- Token replay from a different IP
- High-volume download from a normally low-volume user
- Access to resources the user has never touched before
- Off-hours activity
Microsoft Sentinel, Defender for Cloud Apps, AWS GuardDuty, and third-party CASBs (Netskope, Skyhigh) handle this.
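The first two signals in the list, impossible travel and token replay, as added detection logic run over constructed sign-in records (this is example code, not a Sentinel or GuardDuty rule). It assumes geo-IP resolution has already attached coordinates to each event and that a session identifier is logged with every request.

```python
import json
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed JSON-lines sign-in log (no real tenant); coordinates are rough city centres.
LOG_LINES = """
{"ts":"2025-03-03T09:00:00Z","user":"alice","ip":"203.0.113.10","lat":51.51,"lon":-0.13,"session":"s1"}
{"ts":"2025-03-03T10:00:00Z","user":"alice","ip":"198.51.100.7","lat":1.35,"lon":103.82,"session":"s2"}
{"ts":"2025-03-03T09:30:00Z","user":"bob","ip":"203.0.113.20","lat":52.52,"lon":13.40,"session":"s3"}
{"ts":"2025-03-03T09:45:00Z","user":"bob","ip":"192.0.2.99","lat":52.52,"lon":13.40,"session":"s3"}
{"ts":"2025-03-03T12:00:00Z","user":"bob","ip":"203.0.113.20","lat":48.85,"lon":2.35,"session":"s4"}
""".strip().splitlines()

MAX_KMH = 1000.0  # faster than a commercial flight: treat as impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(lines):
    """Return (kind, user, detail) alerts for impossible travel and token replay."""
    events = sorted((json.loads(l) for l in lines), key=lambda e: (e["user"], e["ts"]))
    alerts, last_by_user, session_ip = [], {}, {}
    for e in events:
        t = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        # Token replay: the same session presented from a different source IP.
        sess = (e["user"], e["session"])
        if sess in session_ip and session_ip[sess] != e["ip"]:
            alerts.append(("token_replay", e["user"], f'{session_ip[sess]} -> {e["ip"]}'))
        session_ip.setdefault(sess, e["ip"])
        # Impossible travel: implied speed since the previous sign-in is not physically possible.
        prev = last_by_user.get(e["user"])
        if prev:
            hours = (t - prev[0]).total_seconds() / 3600
            km = haversine_km(prev[1], prev[2], e["lat"], e["lon"])
            if hours > 0 and km / hours > MAX_KMH:
                alerts.append(("impossible_travel", e["user"], f"{km:.0f} km in {hours:.2f} h"))
        last_by_user[e["user"]] = (t, e["lat"], e["lon"])
    return alerts
```

Bob's Berlin-to-Paris move over two and a quarter hours stays under the threshold, so only the two genuine anomalies are raised.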
9. Offboarding That Actually Removes Access
When someone leaves, their access needs to go away. All of it. Not just email.
The checklist:
- Disable the user in the identity provider
- Revoke all active sessions (not just "change the password")
- Remove from all groups
- Transfer ownership of critical resources
- Disable API keys and personal access tokens
- Check SaaS apps that aren't in SSO (every org has some)
- Rotate any shared secrets the user knew
Automate what you can. Clever, OneLogin, Okta, and Entra all support lifecycle automation.
10. Break-Glass Accounts That Are Actually Glass
Every environment needs a break-glass account — an admin account that's used when nothing else works. MFA is broken, the normal admin account is locked out, something catastrophic is happening.
How to do it right:
- Credentials written down and stored in a physical safe.
- MFA that doesn't depend on the cloud you're trying to rescue.
- Monitored. Every use generates a critical alert.
- Tested quarterly (you do use it, just in controlled conditions).
- Credentials rotated after every use.
This is unglamorous but important. A break-glass account you can't actually use isn't a break-glass account.
What We'd Actually Do
For a cloud environment that needs IAM improvement:
- Week 1: MFA on everything. Hardware keys for admins.
- Week 2: Conditional access policies — country blocks, device compliance for admins, legacy auth blocked.
- Week 3: Review every privileged role. Remove permanent assignments in favor of PIM.
- Week 4: Inventory service accounts. Rotate any with long-lived passwords.
- Month 2: Offboarding automation tied to HRIS.
- Month 3: Break-glass accounts configured and tested.
Three Takeaways
- Phishing-resistant MFA is the single highest-leverage security control of 2025. Hardware keys for admins, passkeys for users.
- Standing admin access is a vulnerability. JIT via Azure PIM or equivalent closes it.
- Offboarding is where breaches live. Automate it, test it, audit it.