IAM: how to deploy and manage authentication for your MSP

By: Frank DePrisco

Identity and access management (IAM) covers an organization's policies and procedures for governing access to sensitive data and files. Proper IAM can be indispensable to your client’s overall cybersecurity plan.

System administrators use technology like multi-factor authentication, single sign-on, and privileged access management to ensure users only have access to the files and parts of the network they need to do their job. By using an individual profile to control each user’s network access, IT admins hope to minimize human error and limit cyber attacks. 

Cybersecurity professionals deploy these controls in various ways. They can run IAM on-premises, with the help of a third-party vendor, or through other options. When a vendor provides IAM, it’s usually delivered through cloud technology. This does raise some concerns from a security perspective, but overall, implementing these access controls is worth the risk.

Why authentication is important to identity and access management (IAM)

Today’s business world requires a constant connection to the digital world. Companies need to operate within the cloud to even stand a chance in their industry. This modern corporate environment is due, in part, to the advent of technologies like cloud computing and the Internet of Things.

Data is becoming more critical as we rely on these technologies to accomplish work. According to Indeed, a leader in the current corporate landscape, data is becoming a valuable asset for most businesses. Good data can help businesses accomplish things like:

  • Increase profitability
  • Strengthen a company’s ability to problem-solve
  • Improve customer satisfaction
  • Optimize corporate procedures

If data is this powerful of a resource, it stands to reason that businesses should do whatever they can to protect their proprietary information. This is where authentication comes in.

Authentication is vital to IAM because it ensures that someone is who they say they are. If a user’s profile within a network is protected by just a username and password, those credentials could easily fall into the wrong hands.

Savvy MSPs work with their clients to implement added layers of protection like two-factor authentication or biometric scanning. More robust platforms offer businesses cutting-edge security technology like AI assistance for spotting unusual behavior trends on the network. As hackers become more sophisticated, MSPs and other cybersecurity professionals will need to gain a deeper understanding of IAM authentication to properly protect their clients’ digital assets.

Deploying authentication: a step-by-step walkthrough

If you’re new to identity and access management (IAM), figuring out where to start can be challenging. You may understand the importance of access controls but struggle with implementation. The step-by-step guide below walks you through launching IAM systems and procedures within your MSP business.

Step 1: Create a usage inventory

The IAM management deployment process starts by carefully examining your current setup. This means both your systems and your people. 

Start the process by drafting a usage list. Which apps, platforms, tools, and services do team members use most often? Anything you think users within your client’s organization will interact with should be on the list.

A careful and thorough usage inventory is an essential part of the overall IAM process. An inaccurate usage list can undermine the entire process before it even starts. Any IAM manager or members of your MSP team need this data to inform which IAM tools and technologies are most important for your clients moving forward.

Step 2: Understand the digital landscape

Most organizations run on a variety of systems and tools. These system components operate in different environments. As a result, most companies’ network infrastructure is a hybrid of multiple environments – on-premises, cloud-based, and so on.

Despite the differing environments, IAM is still necessary. It’s your job as an MSP, or the job of your IAM team, to understand the totality of your client’s digital framework. How many different environments do they use? What are those environments?

Depending on your client’s setup, you may need additional technology like Security Assertion Markup Language (SAML) or OAuth to integrate these environments. Understanding the landscape of their daily operations further informs your IAM decisions and helps tailor them to your clients’ needs.

Step 3: Know your client’s needs

IAM works best when it is adapted to your client’s organization. Steps 1 and 2 can bring your IAM process a long way toward that goal, but here are some additional questions to ask to strengthen your efforts:

  • What company standards or industry regulations require consideration?
  • Does your client’s setup call for automatic provisioning and de-provisioning?
  • Are employees and customers relying on the same system?
  • Do authentication measures need to be strengthened through multi-factor authentication, biometrics, or some other form of additional technology?

When building an IAM stack for your clients, always keeping IAM best practices in mind is crucial. If possible, come up with a strategy to assess the performance of your current IAM setup.

It’s also helpful to make security efforts identity-centric. Taking the time to set up user profiles and invest in authentication technology to protect digital assets goes a long way toward furthering cybersecurity efforts.

Best practices for implementing authentication

As you construct an IAM management framework for your clients, here are some best practices to keep in mind:

Focus on the most valuable data

Work with your clients to identify their most valuable assets. Where and what is essential to the product or service they deliver? Usually, this means proprietary information, industry secrets, and personally identifiable information (PII). After agreeing on what data is valuable and where it’s stored, you and your client can adapt your IAM plan accordingly.

Implement a strict password policy

Using technologies like multi-factor authentication and single sign-on platforms is a great IAM practice for access management. That said, you should also implement a strict, complex password policy for your client’s team members. Ensure team members are using complex passwords and create a regular auditing schedule to force passwords to change frequently.

Leverage automation wherever possible

Most IAM platforms allow for easy automation of simple tasks like password creation, provisioning and de-provisioning access credentials, and creating user accounts. Automating these workflows strengthens cybersecurity protection and reduces exposure to common attack sources like insider threats.

Take advantage of just-in-time access

IT admins can elevate user permissions on a case-by-case basis with just-in-time access. They can manually grant access to particular files or areas of the network for a limited timeframe. This allows organizations to accommodate access requests in certain circumstances without compromising overall network integrity.

Use multiple types of access control where appropriate

MSPs can rely on role-based or attribute-based access controls to help protect clients’ networks. Role-based permissions revolve around a particular position within an organization. For example, if you work with a lot of third-party vendors, you can set a “vendor” or “contractor” role within your system to limit their access. Attribute-based access control relies on filters assigned to each user. An example may be employees gaining access to a particular project based on the department they belong to. Leveraging these access controls is another way to regulate provisioning and de-provisioning as team members leave the company or change roles.

Continuously evaluate resource access

Companies are constantly adding new tools and platforms to their tech stack. With the network infrastructure changing, routinely auditing access permissions is one of the strongest IAM policies you can implement. As old tools go out and new tools come in, it’s important to remove any abandoned accounts that could present an opportunity for threat actors.

Store logs in a central location

Storing logs in a central location allows easier access than multiple storage caches. Most central storage locations are cloud-based, which could pose a security concern. As long as you’re following IAM best practices, centralizing your log storage is an overall net positive, though.

Ensure easy IAM tool integration with your current system

Any IAM tools you bring on should easily integrate with your system. This is more than just helpful advice. IAM best practices advise limiting the number of settings adjustments you need to make to bring on any new tools. Searching for tools that integrate with your current technology is not only suggested but also necessary.

Take a “zero trust” stance on security

Many software platforms have an inherent element of implicit trust, meaning if you use a particular app, it will remember you when you return. Zero trust abandons that feature and assumes a breach could occur at any point. In a zero trust environment, companies can always ask users to verify their identity before granting access. Constantly requesting users to verify their identity drastically reduces the risk of unverified users accessing company resources.

To take a deeper look at important concepts like the “zero trust” approach to cybersecurity, visit the ConnectWise cybersecurity center.

Embrace multi-factor authentication (MFA)

IAM best practices can’t rely on login credentials alone. Multi-factor authentication is an indispensable feature for verifying a user’s actual identity. MFA protocols usually use one or more of the following technologies:

  • Biometric authentication – retina scan, facial recognition, fingerprint scan, etc.
  • Possession authentication – sending a passcode to the user’s smartphone or another secondary device
  • Geographic or time data
  • Knowledge authentication – requiring a user to answer security questions, solve a CAPTCHA puzzle, etc.

Discover what the future holds for authentication technology, and learn what our team is doing to evolve our SSO strategy in our Authentication & Authorization webinar.

Abide by “least privilege”

The concept of least privilege access means giving users as much access as they need to do their job and no more. Role-based and attribute-based access controls are used to accomplish this. It’s also important to regularly review permissions to ensure “least privilege” remains current and that no team member has more access than they should.


After deployment: managing authentication as an MSP

IAM management doesn’t stop after the deployment of your protocols. As noted above, many of these processes require continuous monitoring and updating. Ensuring employees have only the access they need to do their job and nothing more requires MSPs to remain active in their client’s identity and access management for the life of their service agreement.

ConnectWise is here as a partner in your growing MSP business. Learn more about Identity and Access Management solutions from ConnectWise & Evo or request custom pricing today.


The three guiding IAM principles are:

  1. Collect identity data
  2. Use multi-factor authentication, which is fundamental to IAM
  3. Stick to the principle of “least privilege”

IAM policies are managed through either role-based or attribute-based access control. Policies are then tested, verified, and adopted. Once adopted, policies are continuously monitored to ensure they align with IAM best practices.

Users are managed via role-based and attribute-based permissions. Role-based is when a business applies certain permissions to the “sales team” or “customer service.” Attribute-based refers to an organization that uses a certain set of permissions for everyone working on a particular project.

Companies might use attribute-based permissions in an environment where team members work on different client accounts. For example, users at a marketing agency who work on an account for Nike will be the only users with access to the “Nike area” of the system. If you’re not on that account, you won’t receive access. This setup adheres to the important IAM principle of “least privilege” by giving users just enough access to do their job.
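To make the role-based, attribute-based, and just-in-time controls described above (the “contractor” role, the department-and-project rule behind the “Nike area”, and time-limited elevation) concrete, here is an added example of a deny-by-default access check. It is illustrative code written for this article, not ConnectWise’s or any IAM product’s implementation; the users, roles, resources, policies, and clock values are all constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class User:
    name: str
    roles: set        # role-based: the user's position(s) in the organization
    attributes: dict  # attribute-based: department, project membership, ...
    jit_grants: dict = field(default_factory=dict)  # resource -> expiry (UTC)

# Role-based policy (constructed): "contractor" is a deliberately narrow vendor role.
ROLE_PERMISSIONS = {"employee": {"intranet", "ticketing"}, "contractor": {"ticketing"}}
# Attribute-based policy (constructed): a client area is reachable only by users whose
# department matches and whose project set contains that account.
ATTRIBUTE_POLICIES = {"nike-area": {"department": "marketing", "projects": "nike"}}

def grant_jit(user: User, resource: str, minutes: int, now: datetime) -> None:
    # Just-in-time elevation: one resource, expires automatically.
    user.jit_grants[resource] = now + timedelta(minutes=minutes)

def is_allowed(user: User, resource: str, now: datetime) -> bool:
    # Deny by default; allow via an unexpired JIT grant, a role, or matching attributes.
    expiry = user.jit_grants.get(resource)
    if expiry is not None and now < expiry:
        return True
    if any(resource in ROLE_PERMISSIONS.get(r, ()) for r in user.roles):
        return True
    required = ATTRIBUTE_POLICIES.get(resource)
    if required is None:
        return False
    for key, wanted in required.items():
        have = user.attributes.get(key)
        if not (wanted in have if isinstance(have, (set, frozenset)) else have == wanted):
            return False
    return True

# Constructed sample users and a fixed clock so the decisions are reproducible.
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ALICE = User("alice", {"employee"}, {"department": "marketing", "projects": {"nike"}})
BOB = User("bob", {"employee"}, {"department": "marketing", "projects": {"adidas"}})
VENDOR = User("vendor", {"contractor"}, {})

def demo() -> dict:
    # Access decisions for the scenarios in the article, keyed by case.
    grant_jit(VENDOR, "ledger", 30, NOW)
    return {
        "alice_nike": is_allowed(ALICE, "nike-area", NOW),
        "bob_nike": is_allowed(BOB, "nike-area", NOW),
        "vendor_ticketing": is_allowed(VENDOR, "ticketing", NOW),
        "vendor_intranet": is_allowed(VENDOR, "intranet", NOW),
        "vendor_ledger_in_window": is_allowed(VENDOR, "ledger", NOW + timedelta(minutes=10)),
        "vendor_ledger_expired": is_allowed(VENDOR, "ledger", NOW + timedelta(minutes=31)),
    }
```

Every path that does not match a grant falls through to `False`, which is what keeps the check aligned with least privilege as roles and project memberships change.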