Gatekeeper
Identity and Access Management for Saudi Organizations: Best Practices and NCA Requirements

Compliance, by Gatekeeper

Identity and Access Management: The First Line of Defense

Identity and Access Management (IAM) is the cornerstone of any successful cybersecurity strategy. In an era where remote work, cloud systems, and multiple applications are everyday realities, it is no longer sufficient to protect only the network perimeter. Every user's identity must be verified, their permissions precisely defined, and their activities continuously monitored.

According to the Verizon Data Breach Investigations Report (DBIR), over 80% of application-related breaches involve stolen or weak credentials. This statistic alone underscores the importance of building a robust IAM framework. In the Saudi context, the National Cybersecurity Authority (NCA) mandates specific identity and access management requirements within the Essential Cybersecurity Controls.

Core Components of an IAM Framework

A comprehensive IAM framework consists of several integrated components working together to ensure that the right people have the right access to the right resources at the right time:

Identity Management

Concerned with the digital identity lifecycle from creation to deletion. This includes provisioning new users, modifying their permissions when job roles change, and deprovisioning their accounts when they leave the organization. These processes should be automated to reduce human error and ensure timely execution.

Authentication

The process of verifying a user's identity before granting access. Authentication mechanisms range from traditional passwords to Multi-Factor Authentication (MFA), biometric authentication, digital certificates, and physical security keys (FIDO2). Passwords alone are no longer sufficient to protect sensitive systems.

Authorization

Determines what an authenticated user is permitted to do. It relies on access control models such as Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC). The Least Privilege principle must be applied, granting users only the minimum permissions necessary to perform their tasks.

Identity Governance

Concerned with the policies and processes governing identity and access management. This includes periodic access reviews, Separation of Duties, compliance evidence for regulators, and reporting and analytics.

Multi-Factor Authentication (MFA): A Necessity, Not an Option

Multi-Factor Authentication is one of the most effective security controls for preventing unauthorized access. Multiple studies indicate that MFA prevents over 99% of automated account compromise attacks. NCA controls mandate MFA for all sensitive systems, remote access, and privileged accounts.

MFA relies on combining two or more of the following authentication factors:

  • Knowledge Factor (Something You Know): Passwords, PINs, or security question answers. The most common factor but the weakest when used alone due to susceptibility to guessing or phishing theft.

  • Possession Factor (Something You Have): A smartphone with an authenticator app (such as Microsoft Authenticator or Google Authenticator), a physical security key (YubiKey), or a smart card. One-time codes and push approvals are still exposed to real-time phishing and push-fatigue attacks, because the user can be tricked into relaying the code or approving a prompt. FIDO2 keys bind the credential to the site origin, so a credential registered for the legitimate site cannot be replayed to a look-alike phishing site; for that reason they are recommended for high-sensitivity accounts.

  • Inherence Factor (Something You Are): Fingerprint, facial recognition, iris scanning, or voice recognition. Provides a high level of security but requires specialized hardware and privacy considerations under PDPL.

Privileged Access Management (PAM)

Privileged accounts are the highest-value targets for attackers because they grant broad access to sensitive systems and data. These include administrator accounts, service accounts, and break-glass accounts. NCA controls require specific measures for managing these accounts:

  1. Password Vault: Store privileged account credentials in a centralized encrypted vault with automatic periodic password rotation. No individual should know the privileged account password directly.

  2. Session Recording: Record all privileged sessions in video and text for audit and incident investigation purposes. This enables precise review of every action taken by a privileged user.

  3. Just-In-Time (JIT) Access: Grant privileged permissions only for a limited time when actually needed, with automatic revocation after task completion. This approach reduces the exposure window in case of account compromise.

  4. Anomalous Behavior Monitoring: Use User and Entity Behavior Analytics (UEBA) to detect unusual activities in privileged accounts such as logins from unexpected geographic locations, at unusual times, or access to systems outside the scope of normal duties.
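The anomaly-monitoring step above is the one that turns into detection logic. As an added example that is not part of the original post, the script below builds a per-user baseline (countries, login hours, and target systems) from a short history of constructed privileged-login records and then scores new events against it. The log format, user names, system names and the one-hour slack are assumptions made for illustration; a real UEBA product uses far richer features, but the shape of the check is the same.

```python
"""Added example: a minimal UEBA-style check over constructed privileged-login
records. Not code from the original post or from any vendor product."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (illustration only, not real log data).
# Each line: ISO timestamp, user, source country, target system.
HISTORY = """
2024-03-04T08:12:00 admin.khalid SA pam-gateway
2024-03-04T09:40:00 admin.khalid SA db-prod-01
2024-03-05T10:05:00 admin.khalid SA db-prod-01
2024-03-06T14:30:00 admin.khalid SA erp-app-01
2024-03-07T11:15:00 admin.khalid SA db-prod-01
2024-03-04T07:55:00 svc-backup SA backup-srv-01
2024-03-05T07:58:00 svc-backup SA backup-srv-01
2024-03-06T08:01:00 svc-backup SA backup-srv-01
""".strip().splitlines()

NEW_EVENTS = """
2024-03-08T09:10:00 admin.khalid SA db-prod-01
2024-03-08T02:47:00 admin.khalid DE dc-01
2024-03-08T08:00:00 svc-backup SA backup-srv-01
2024-03-08T13:20:00 svc-backup SA erp-app-01
""".strip().splitlines()


def parse(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, country, system = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "country": country, "system": system}


def build_baseline(lines):
    """Per-user profile of what 'normal' looked like in the history window."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set(), "systems": set()})
    for line in lines:
        e = parse(line)
        p = baseline[e["user"]]
        p["countries"].add(e["country"])
        p["hours"].add(e["ts"].hour)
        p["systems"].add(e["system"])
    return baseline


def score_event(event, baseline, hour_slack=1):
    """Return the list of deviations for one event (empty list = looks normal).

    hour_slack widens the 'usual hours' window by +/- N hours so a login a
    little earlier than usual is not flagged. It does not wrap around
    midnight; that is an accepted simplification for this example.
    """
    p = baseline.get(event["user"])
    if p is None:
        # A privileged identity with no history at all deserves a look.
        return ["first-seen-user"]
    reasons = []
    if event["country"] not in p["countries"]:
        reasons.append(f"new-country:{event['country']}")
    h = event["ts"].hour
    if not any(abs(h - known) <= hour_slack for known in p["hours"]):
        reasons.append(f"unusual-hour:{h:02d}")
    if event["system"] not in p["systems"]:
        reasons.append(f"new-system:{event['system']}")
    return reasons


def detect(history_lines, new_lines):
    """Score every new event against the baseline; return the ones that deviate."""
    baseline = build_baseline(history_lines)
    alerts = []
    for line in new_lines:
        e = parse(line)
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect(HISTORY, NEW_EVENTS):
        print(f"ALERT {user} at {ts}: {', '.join(reasons)}")
```

Run as-is, the script raises two alerts: the 02:47 login by admin.khalid from a new country to a domain controller (three deviations at once, which is exactly the "impossible travel plus off-hours plus out-of-scope system" pattern the text describes), and the backup service account touching the ERP server, which a service account has no reason to do. The point of building the baseline per identity rather than globally is that a 07:55 login is normal for the backup job and would be abnormal for a human administrator.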

Single Sign-On (SSO)

Single Sign-On enables users to access multiple applications using a single set of credentials. SSO achieves a balance between security and usability through:

  • Reducing the number of passwords users need to remember, which decreases the reuse of weak passwords across multiple systems.

  • Enabling centralized authentication control, which simplifies enforcement of strong password policies and MFA across all applications.

  • Accelerating access revocation when employees leave, as disabling the central account immediately prevents access to all linked applications.

  • Providing comprehensive visibility into user activities across all applications through a single centralized logging point that facilitates auditing and monitoring.

SSO relies on standard protocols such as SAML 2.0 and OpenID Connect (OIDC). OAuth 2.0, which OIDC is built on, is a delegated-authorization framework rather than an authentication protocol on its own, so an application that only consumes OAuth access tokens has not actually verified who the user is. Enterprise identity solutions such as Microsoft Entra ID, Okta, or open-source alternatives like Keycloak are recommended.

NCA Requirements for Identity and Access Management

Identity and access management is not a purely technical project but an ongoing governance process requiring collaboration between cybersecurity, IT, human resources, and senior management teams.

The Essential Cybersecurity Controls (ECC-2:2024) define detailed identity and access management requirements under the Cybersecurity Defense domain. Key requirements include:

  • Adopting a comprehensive identity and access management policy covering account creation, modification, deletion, and periodic access reviews.

  • Implementing Multi-Factor Authentication (MFA) for all sensitive systems, remote access gateways (VPN), administration panels, and cloud management consoles.

  • Applying the Least Privilege and Need-to-Know principles with access reviews at least every three months to ensure unnecessary permissions have not accumulated.

  • Implementing a strong password policy with minimum length (12 characters), complexity requirements, prevention of previous password reuse, and account lockout after multiple failed attempts.

  • Immediately revoking access for departing employees upon termination of their relationship with the organization, ensuring all their accounts across all systems are disabled.
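The periodic access review and the leaver-revocation requirements above both reduce to the same comparison: what each account actually holds versus what the HR record and the account's role say it should hold. As an added example that is not part of the original post, the script below runs that comparison over a constructed HR roster, a constructed role baseline and a constructed snapshot of live entitlements, reporting privilege creep, leavers who still have access, accounts with no HR owner at all, and Separation-of-Duties conflicts. All user names, roles, entitlement strings and the SoD rule are assumptions made for illustration.

```python
"""Added example: a quarterly access-review check over constructed data.
Not code from the original post or from any IGA product."""

# Constructed HR roster: user -> (status, role). HR is treated as the
# authoritative source for joiners, movers and leavers.
HR_ROSTER = {
    "s.alharbi": ("active", "dba"),
    "m.alotaibi": ("active", "finance-clerk"),
    "a.alqahtani": ("terminated", "helpdesk"),
    "n.alshehri": ("active", "finance-manager"),
}

# Constructed baseline: the entitlements each role is supposed to carry.
ROLE_BASELINE = {
    "dba": {"db-prod:read", "db-prod:admin"},
    "finance-clerk": {"erp:create-vendor", "erp:enter-invoice"},
    "finance-manager": {"erp:approve-payment", "erp:reports"},
    "helpdesk": {"ad:reset-password"},
}

# Constructed snapshot of what the directory and applications grant today.
ACTUAL_ACCESS = {
    "s.alharbi": {"enabled": True,
                  "entitlements": {"db-prod:read", "db-prod:admin", "erp:reports"}},
    "m.alotaibi": {"enabled": True,
                   "entitlements": {"erp:create-vendor", "erp:enter-invoice",
                                    "erp:approve-payment"}},
    "a.alqahtani": {"enabled": True, "entitlements": {"ad:reset-password"}},
    "n.alshehri": {"enabled": True,
                   "entitlements": {"erp:approve-payment", "erp:reports"}},
    "svc-legacy": {"enabled": True, "entitlements": {"db-prod:admin"}},  # no HR record
}

# Constructed Separation-of-Duties rule: entitlement sets one person must never
# hold together.
SOD_CONFLICTS = [
    ({"erp:create-vendor", "erp:approve-payment"}, "vendor creation + payment approval"),
]


def review_access(roster, baseline, actual, sod_rules):
    """Compare live access with HR status and role baseline.

    Returns a list of (user, finding, details) tuples, sorted by user.
    """
    findings = []
    for user, acct in sorted(actual.items()):
        ents = acct["entitlements"]
        if user not in roster:
            # No HR owner: typical for forgotten service or test accounts.
            findings.append((user, "orphan-account", sorted(ents)))
            continue
        status, role = roster[user]
        if status != "active":
            # Leaver: the account should be disabled and hold nothing.
            if acct["enabled"] or ents:
                findings.append((user, "leaver-still-has-access", sorted(ents)))
            continue
        excess = ents - baseline.get(role, set())
        if excess:
            # Privilege creep: rights accumulated beyond the role's baseline.
            findings.append((user, "excess-privilege", sorted(excess)))
        for pair, label in sod_rules:
            if pair <= ents:
                findings.append((user, "sod-conflict", [label]))
    return findings


def plan_remediation(findings):
    """Translate findings into concrete revocation actions for the IAM team."""
    actions = []
    for user, finding, details in findings:
        if finding in ("leaver-still-has-access", "orphan-account"):
            actions.append(f"disable {user} and remove all entitlements")
        elif finding == "excess-privilege":
            actions.append(f"remove {', '.join(details)} from {user}")
        elif finding == "sod-conflict":
            actions.append(f"escalate {user}: {details[0]} requires manager decision")
    return actions


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ROLE_BASELINE, ACTUAL_ACCESS, SOD_CONFLICTS)
    for user, finding, details in results:
        print(f"{user:12} {finding:24} {details}")
    for action in plan_remediation(results):
        print("ACTION:", action)
```

On the constructed data the review produces five findings: the terminated helpdesk user still enabled, the DBA holding an ERP report right that the DBA role never included, the finance clerk who can both create vendors and approve payments (flagged once as excess privilege and once as an SoD conflict), and a service account with no HR owner holding production database admin. The finance manager, whose access exactly matches the role, produces nothing. Feeding HR status into the comparison is what makes the leaver check work on the day of termination rather than at the next quarterly review.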

Conclusion: Identity Is the New Security Perimeter

In the world of cloud computing and hybrid work, traditional firewalls are no longer sufficient to protect digital assets. Identity has become the new security perimeter. Saudi organizations that invest in building a robust IAM framework -- combining MFA, Privileged Access Management, Single Sign-On, and Identity Governance -- will be more agile and resilient against evolving threats. Start by assessing your current state, identifying gaps, and developing a phased roadmap to build an IAM framework that complies with NCA requirements and effectively protects your digital assets.
