What is Identity & Access Management (IAM)?
Summary
Get the details about identity access management.
Read time: 4 minutes
IAM is a fitting acronym for "Identity & Access Management", because it’s all about verifying who you are before being granted access to critical IT systems. It’s a digital “Yes, I am allowed to be here.”
Gartner® defines IAM as "the systems that ensure only the right people and devices can access the right IT resources, at the right times, for the right reasons." IAM is especially important to government entities, and to financial and healthcare organizations that must adhere to strict privacy rules stemming from Gramm-Leach-Bliley, HIPAA, or Sarbanes-Oxley legislation. In the event of a breach, leak, or cyberattack, IAM provides traceability to the source, aiding in compliance.
In this article, we’ll define IAM and review how it works, as well as some challenges and key terms to know when considering IAM options.
How Identity & Access Management (IAM) works?
Chances are you already perform some degree of IAM in your personal life. You use passwords on your phone and PC and have probably set some limits on who can view the details of your social media profiles. Maybe you’ve even unfriended a few people.
In the world of enterprise IT, IAM is the practice of specifying which employees and devices have access to mission-critical IT systems and resources and managing the various levels of control and permissions for hundreds if not thousands of users.
Just as importantly, IAM tracks how users are using that access, and manages the off-boarding of users and devices when they leave the organization.
What is an IAM System?
IAM systems define and manage roles not just of people, but also applications and devices accessing the network infrastructure from anywhere in the organization, whether on-premises or the cloud. The goal is to establish a singular, universal digital identity per user or asset so that all activity can be monitored. Once established, that identity must be maintained and updated as rights and systems evolve over time.
Examples of people include employees, customers, suppliers, and business partners like accountants and consultants. Each may have varying levels of access to different company systems.
Examples of devices include PCs, laptops, smartphones, routers, servers, and sensors. With the growing complexity of the Internet of Things (IoT) in which devices and software apps communicate autonomously with one another, levels of permission must be managed between them as well, or they may become unguarded gateways into the IT infrastructure.
An IAM system contains these components:
A centralized database of the information used to define each user or device.
An administrative portal with the necessary tools to control access rights by individual title, job function, or device type, and to add users, modify roles, and delete assets as needed.
A front-end gatekeeper system that checks, verifies, and enforces permissions of each asset against the IAM database. These can include single sign on (SSO), passwords, two-factor or multi-factor authentication systems, pre-shared digital keys and certificates, software tokens, and today, even biometrics like fingerprints, retinal scans, and facial recognition.
An audit and reporting solution that tracks activity by individual user or asset.
There’s more to IAM than enabling strong passwords. Upon attempting a login, the IAM system will authenticate the user or device against pre-determined levels of permission. It will then deny or grant access to the resource and track its use for every single request.
Related content
The Challenges of IAM
The challenge of effective IAM is maintaining consistent rules and policies at scale. Managing large populations of identities (people and objects) and their ever-changing rights across multiple business units is not possible with a spreadsheet. Cleaning up outdated identities and revoking extra privileges requires constant vigilance. A tool that unifies and automates these tasks is required.
Every time someone is hired, promoted, or assigned to a new project or location…every time the organization retires an asset, or an employee leaves the company…every time a new device or application is installed on the network…every time a password is changed…all credentials must be updated across all systems.
COVID has only highlighted the need for effective IAM, as an increasing number of employees now require access to corporate IT systems when working from home, making remote identity tracking more critical than ever.
Maintaining IAM also means ensuring compatibility with all aspects of your IT environment, from edge to cloud to on-premises, so properly vetted users can access information wherever, whenever they need it. Many IAM solutions employ open standards so they can be modified by customers to meet unique needs.
There’s a lot to know about IAM, and a lot to keep pace with – especially in large organizations where high volumes of people and assets are always on the move. There are many commercially available IAM solutions available, but not all are created equal. Some now employ artificial intelligence, while others are password-less.
Our IT professionals have the experience and solutions to help you manage the complexities of identity and access management with granular control. Speak with one of our data security experts to learn more about what you can do to minimize risk with IAM solutions.
IAM Glossary of Terms
In the meantime, here’s a short list of some key IAM terms.¹
Access Management. The authentication, authorization, and security auditing components used to control user access.
Biometrics. The use of fingerprint sensors, iris and retina scanning, and facial recognition for user authentication.
Credential. A type of verification such as a password, digital key, or certificate presented by the user to gain access to a system.
De-provisioning. The process of removing a user or device identity from an ID repository and terminating access privileges.
Identity lifecycle management. Similar to access lifecycle management, this refers to the entire set of processes and technologies for maintaining and updating digital identities.
Identity as a Service (IDaaS): Cloud-based IDaaS offers identity and access management functionality to an organization’s systems that reside on-premises and/or in the cloud.
Multi-factor authentication (MFA). MFA requires at least two independent steps or values to be entered into a system for access. One example is a text message code sent to a smartphone to enter into a web browser.
Privileged user or account management. An account granted higher levels of administrative access, such as the ability to add, change or delete user roles.
Single sign-on (SSO): A single username and password used to access all authorized systems without using different credentials.
Zero Trust. A network environment in which nothing is assumed to be safe; all user and device requests are verified.
Recommended for you
What is Shadow IT? The Risks, Costs & Benefits
Shadow IT brings a lot of risk to organizations of every size. It also offers potential benefits. This article shares how to make it work for you.
Explore six responsible security considerations for using generative AI and unstructured data
As we look within the framework of unstructured data, a critical issue looms large: safeguarding data integrity and security in the face of generative AI. Explore six responsible security considerations for using GenAI.
What is penetration testing: An in-depth look
A penetration test, or pen test, is a simulated cyberattack against your computer system to check for potential vulnerabilities. Learn about pen tests here.
- ¹Glossary courtesy of What is IAM? Identity and access management explained. https://www.csoonline.com/article/2120384/what-is-iam-identity-and-access-management-explained.html