What is identity and access management (IAM)?

Definition of identity and access management

Identity and access management is the framework and processes organizations use to manage and secure digital identities and control user access to critical information. Systems include user registration, identity authentication, role-based access control, and compliance auditing and reporting.

Identity and access management systems protect sensitive data and systems from unauthorized access and breaches while also streamlining and automating the management of users’ digital identities, access permissions, and security policies.

Understanding the core concepts related to identity and access management

Digital identities

A digital identity is a collection of information about individuals, organizations, or electronic devices that exists on a network or online. Digital identities are made up of any number of characteristics or data attributes, such as:

• Date of birth
• Domain
• Email address
• IP (internet protocol) address
• Medical history
• Online search activities (e.g., browsing history, electronic transactions)
• Purchasing history or behavior
• Social Security Number
• Username and password

Digital resources

Digital resources include any assets that exist in digital form and can be accessed electronically. These resources are typically stored, processed, and transmitted using computers and networks. Examples of digital resources in the context of identity access and management include:

• APIs (application programming interfaces)—a set of rules and protocols used to build or interact with software applications by allowing different software programs to communicate with each other
• Cloud services—services that deliver computing power, storage, and applications over the internet
• Databases—structured collections of data, such as SQL databases, NoSQL databases, and cloud-based data warehouses
• Digital certificates—SSL (secure sockets layer) /TLS (transport layer security) certificates and other forms of digital authentication used to secure communications and transactions
• Digital content—images, videos, audio files, animations, and interactive media
• Email and communication platforms—digital communication tools, such as email services, instant messaging apps, and social media
• Files and documents—text files, spreadsheets, presentations, PDFs (portable document formats), and other document types stored on computers or cloud storage services
• IoT (internet of things) devices—internet-connected devices that gather and transmit data
• Network resources—IP addresses, DNS (domain name system) records, routers, firewalls, and other network infrastructure components
• Software applications—cloud-based applications, mobile applications, desktop software, and enterprise systems 
• Virtual machines and cloud instances—virtualized computing environments hosted on physical servers or cloud infrastructures
• Web pages and websites—any HTML (Hyper Text Markup Language) document accessible via a web browser, including informational sites, e-commerce platforms, and corporate blogs

Identity management vs access management

The terms identity management and access management are often erroneously used interchangeably. The function of identity management is to confirm that an entity is who or what they are presented to be. In contrast, access management uses validated identity information to determine what resources an entity can use and how.

Identity and access management vs identity management

Identity and access management and identity management are related but distinct areas within the broader scope of cybersecurity. Identity management is primarily concerned with managing identities, while identity and access management adds access control measures to ensure secure and appropriate access to resources.

Identity management	Identity and access management
Deals primarily with the digital identity lifecycle of users	Integrates identity management to ensure that these identities are used in accordance with corporate policies and security requirements
Core functions include: -Creating, updating, and deleting user accounts -Managing changes to identity information over time -Verifying a user’s identity before granting access	Core functions include: -Allowing users to authenticate once and gain access to multiple systems with single sign-on (SSO) -Defining and enforcing policies that determine user permissions -Enhancing security by requiring multiple forms of verification (i.e., multi-factor authentication or MFA) -Granting or denying access to specific resources based on established policies

Why the enterprise needs identity and access management and identity management

The enterprise needs identity access and management to support security and compliance, as well as improve organizational productivity.

Identity and access management is used not only for employees but also for contractors, partners, and customers, as well as devices and code segments, such as APIs or microservices.

These systems provide IT administrators with a single source of truth to establish and maintain records and to manage users’ access to resources as they are onboarded or leave the organization. 

Tracking identity information for the many entities in an enterprise network is a challenge. An identity management system protects enterprises by ensuring that only authenticated users (i.e., individuals or devices) are granted access to the specific applications, components, and systems they are authorized to use.

In addition, identity management systems allow IT teams to apply business policies to users’ access. For example, dependent conditions can be set, such as requiring secured connectivity when accessing sensitive information.  

Benefits of identity access and management and identity management

• Apply the principle of least privilege
  Use granular access controls to minimize access to resources to just what is needed. 
• Automate onboarding and offboarding
  Automatically grant, modify, or revoke access as users join the organization, change roles, or leave the organization. 
• Enable single sign-on
  Allow users to use a single identity to log in to different systems.  
• Enhance productivity
  Expedite users’ access to resources and reduce time spent by IT automating many user account–related tasks.
• Eliminate weak passwords
  Implement password policies that enforce strong password requirements. 
• Identify potential risks
  Use artificial intelligence (AI) to detect anomalies in data access.
• Measure performance
  Track the effectiveness of identity programs.
• Mitigate insider threats 
  Apply behavioral analysis to identify unusual access patterns by internal users.  
• Simplify compliance
  Govern access, track usage, and enforce policies for all users, applications, and data to automate regulatory compliance reporting.
• Support zero trust 
  Extend beyond simple authentication decisions and use a complete, up-to-date identity record for each user to ensure that access is only granted based on the resources that are needed, when they are needed. 
  

How identity and access management and identity management work

To start, an identity management system establishes a digital identity for each entity under management. Once a digital identity is in place, an identity management system is used to administer the digital identities, including supporting maintenance, modifications, and monitoring throughout their lifecycles.  

To ensure only the necessary access is granted, identity and access management systems enable the enterprise to allocate narrowly constructed permissions based on identities instead of permitting broad-based access via a username and password.

These are used to control which users have access to which resources, devices, and assets in the network. This prevents unauthorized access to resources, which increases security and productivity to reduce risk and vulnerabilities.

Identity and access management systems continually monitor information sources. If something changes in the information source, the IAM system pulls the new information, recomputes it, applies policies, and then pushes that information to other systems. Typically, these systems have a set of rules and scripts that are used to process the data.  

Choosing the right identity and access management system

When evaluating identity and access management software, it is important to take the time upfront to create a baseline needs assessment. This will vary by organization, but the following are several key areas that should be considered and used to guide the selection of an IAM solution.

Industry

Basic identity and access management and systems provide the requisite functionality for many organizations. However, some industries have unique requirements. Some solutions are tailored for different industries (e.g., healthcare, financial services) and include functionality that addresses their specific needs (e.g., compliance, advanced security, geographically distributed user bases).

On-premises versus cloud deployment

Cloud identity management solutions (IDaaS, or identity-as-a-service) have become the default option for most organizations. However, some need either on-premise or hybrid options. It is important to understand what the deployment options are as well as their strengths and available support.

Size of the organization

Identity and access management software needs will differ based on the organization’s size to match capabilities and tools with IT environments, business locations, user locations, and workloads. Another important consideration with regard to size is anticipated growth. An organization that expects significant growth should select a system that can scale as needs change.  

Support requirements

The first support consideration should be related to deployment and implementation. Identity and access management and identity management providers should be evaluated according to the support they offer and how that aligns with the organization’s needs.

Once the system has been launched, it will require ongoing maintenance and monitoring. Organizations must also determine if this will be handled internally or if vendor support is required.

User base

An organization’s user base should be factored into evaluations of identity and access management systems. For instance, consider if human users are limited to employees only or if they will include external users, such as contractors, customers, and partners. Non-human entities (e.g., devices, applications, cloud storage) should also be considered.

Capabilities to seek 

When selecting identity and access management software, it is important to prioritize capabilities. While most vendors offer a basic set of capabilities, the extended feature list often differs.

Capabilities and features to look for and evaluate when assessing identity management systems include the following.

Administration

• Ability to change users and permissions in bulk 
• Automated provisioning for existing and new cloud and on-premises applications procured
• Consoles and tools for operations, monitoring, and maintenance that are easy to understand and use
• Self-service password administration to allow users to set and change passwords without IT support

Authentication and access

• Ability to log into multiple systems, including legacy applications, cloud applications, network resources, and servers 
• Authentication technologies either included or supported (e.g., one-time passwords, biometrics, knowledge-based, key cards, mobile phone-based tokens)
• Smooth authentication user experience, including how credentials are provided 
• Third-party (e.g., customers, contractors, and partners) access for users within or outside the company’s network 

Identity directories

• Cloud-based directory option that contains all user names and attributes 
• Support for application-as-profile master—the directory treats the user’s profile in an application as the ongoing source of truth for that user’s profile, and changes to a profile in the master application drive changes to the profile in other applications 
• Variety and quality of integrations with identity repositories (e.g., active directory and LDAP (lightweight directory access protocol))

Platform

• Ability to customize the user interface
• Reliability of cloud-based service   
• Maintains optimal performance under significant workloads
• Scalable to support an increased number of users 
• Vendor follows appropriate security protocols and has appropriate certifications
• Pre-built and customizable reports are provided to manage operations
• Logging capabilities to support audit requirements 
• Ability to act as the identity provider to external service providers  
• Cross-browser support for browser-based applications  
• APIs to support integrations with cloud and on-premises applications

Provisioning

• Stakeholders and managers can approve or reject requested changes to access based on a defined workflow 
• Ability to terminate access to multiple applications based on dates 
• Automated creation of account and access rights, changes, and removals for on-premise and cloud applications 
• Bidirectional profile synchronization to maintain profile attributes consistency across applications if the change is made in the provisioning system or the application 
• Policy management capabilities that allow administrators to create access policies and apply policy controls throughout request and provisioning processes 
• Profile attributes can be transformed to the required format for all of the systems being updated
• Role management capabilities that allow administrators to establish roles with an associated set of authentication rights  
• Users can request access to an application and be automatically provisioned if they meet policy requirements (e.g., self-service access)

Systems and application support

• Ability for users to access company applications from their own device as allowed by company policy
• Mobile capabilities for various mobile operating systems 
• Single sign-on for native and cloud applications 
• Standard integrations to most common cloud and on-premise applications 

Identity and access management implementation challenges

Typical IAM implementation challenges include:

• Understanding and managing user expectations
• Meeting stakeholder requirements
• Integrating compliance standards
• Lack of knowledge and skill required when considering multiple user sources, authentication factors, and open industry standards
• Expertise to implement identity and access management at scale 

Cloud vs. on-premises deployment

Like many solutions, identity access and management are often migrated from on-premises to the cloud. Hosted, cloud-based identity access and management solutions are part of the identity as a service (IDaaS) category. IDaaS deployments offer a number of benefits, including:

• Distributed and redundant systems for better reliability and security
• Greater efficiency
• Improved uptime backed by SLAs (service level agreements)
• Lowers costs by reducing the need to purchase and maintain systems and infrastructure 
• Option to use exclusively from the cloud or deployed in tandem with an on-premises identity and access management solution

Identity and access management standards

An IAM solution must integrate with many other systems to provide complete visibility of access to all the enterprise’s systems, users, and roles. Standards that identity and access management platforms support in order to facilitate these integrations include the following.

OAuth 2.0

OAuth is an open-standards identity management protocol that provides secure access for websites, mobile apps, the Internet of Things, and other devices. It uses tokens that are encrypted in transit and eliminates the need to share credentials. OAuth 2.0, the latest release of OAuth, is a popular framework used by major social media platforms and consumer services.  

Security Assertion Markup Language (SAML)

SAML is an open standard utilized for exchanging authentication and authorization information between identity and access control solutions and other applications. This method uses XML to transmit data and is typically the method used by identity and access management platforms to grant users the ability to sign in to applications that have been integrated with IAM solutions. 

OpenID Connect (OIDC)

With the release of the OpenID Connect, OpenID became a widely adopted authentication layer for OAuth. Like SAML, OpenID Connect (OIDC) is widely used for SSO, but OIDC uses REST/JSON instead of XML. By using REST/JSON protocols, OIDC was designed to work with both native and mobile apps, whereas the primary use case for SAML is web-based apps.  

Lightweight Directory Access Protocol (LDAP)

One of the oldest identity management protocols, LDAP stores and arranges data (e.g., user or device information) to help users find organizational and personal data and to authenticate users to access that data. It is an open, industry-standard protocol that allows applications to communicate with directory services and is commonly used to support user authentication, including single sign-on (SSO) support, simple authentication security layer (SASL), and secure sockets layer (SSL).

System for Cross-Domain Identity Management (SCIM)

Created to simplify the process of managing user identities, SCIM provisioning allows organizations to operate efficiently in the cloud and easily add or remove users. This helps reduce costs, minimize risk, and streamline workflows. SCIM also facilitates communication between cloud-based applications. 

Identity access and management and identity management use cases

Regulatory compliance

Identity and access management helps organizations comply with regulatory requirements by managing user access and privileges, as well as data governance. IAM solutions also streamline compliance audits with automated reports that detail access rights and privileges and provide information about what data protection protocols are in place to prevent unauthorized access to sensitive information.

Bring your own device (BYOD)

Identity and access management solutions can improve employee productivity by enabling access not only to large volumes of data and multiple applications but granting that access across numerous devices and locations. Identity management and IAM solutions help administrators onboard personal devices by ensuring that the appropriate identity verification and access controls are implemented.

Internet of things (IoT)  

Security protocols can be extended to difficult-to-manage IoT devices with IAM solutions. These tools treat IoT devices as users, employing proven identity authentication and authorization methods as well as leveraging the capabilities of IAM to facilitate oversight. 

Future elements of identity security

Upcoming advances in IAM may include:

• Dynamic trust models 
  AI models that will adjust authorization based on behavior and interaction history.
• Frictionless access
  Universal biometrics used across physical, digital, and phone include sophisticated privacy protocols.
• Universal ID
  Merged identities being federated and universal, making bring-your-own-identity the norm.

Secure the enterprise with IAM

Identity and access management is a key element of enterprise security programs because it insulates critical assets and systems from inadvertently or purposefully created network entry points that cybercriminals might otherwise exploit. Enterprises that leverage these solutions’ capabilities benefit not only from lower identity management budgets but also from the ability to quickly and seamlessly pivot in response to new business challenges and opportunities.

Identity access and management and identity management glossary

Access management
Access management is a collection of practices and tools used to control, monitor, and manage access to IT resources.

Active Directory (AD)
AD is Microsoft’s user-identity directory service. It is integrated with other systems to provision and deprovision users’ access rights.

Authentication
Authentication is the process that a user (i.e., an individual, application, or service) goes through to verify their identity before they are granted access to digital systems. Tools used for authentication include passwords, one-time personal identification numbers, and biometric information.

Authorization
Authorization is the process of validating which applications, files, and data the user can access based on permission settings that are implemented and maintained by the organization. Users’ access privileges are authorized after their identity has been authenticated.

Biometric authentication
This authentication method uses unique characteristics such as fingerprints, retinas, and facial features to verify users’ identities.

Cloud infrastructure entitlement management (CIEM)
CIEM is a security process used to manage identities, access rights, privileges, and permissions across cloud infrastructure environments.

Deprovisioning
Deprovisioning is the act of removing user access to applications, systems, and data within a network. 

Identity as a service (IDaaS)
IDaaS is a cloud-based offering of identity and access management services. 

Identity governance and administration (IGA)
IGA is policy is a policy-based approach to identity management and access control that encompasses the entire identity lifecycle.

Identity provisioning
Identity provisioning is used to manage user accounts, ensuring that they have access to the right resources and are using them appropriately.

Multi-factor authentication (MFA)
MFA is an access management tool that combines two or more authentication mechanisms for accessing IT resources, including applications and devices.

Principle of least privilege
The principle of least privilege is a security approach that grants a user only the minimum levels of access or permissions to the resources required to perform the task for the minimum length of time required.

Privileged access management (PAM)
PAM manages the extensive access that privileged users are granted to applications, systems, or servers to perform their jobs (e.g., implementation, maintenance, and updates). PAM tools separate these user accounts from others and track activities associated with them closely. 

Role-based access management (RBAC)
RBAC allows the enterprise to create and enforce advanced access by assigning a set of permissions based on the level of access specific user categories require to perform their duties. With RBAC, different users are granted access privileges based on their roles, job functions, and responsibilities.

Separation of duties (SoD)
Also known as segregation of duties, separation of duties is a security principle used by organizations to prevent error and fraud. 

Single sign-on (SSO)
SSO is an authentication function that allows a user to access multiple applications and sites using one set of credentials.

You might also be interested in: