What is identity and access management?

Understanding identity and access management

What is IAM?

Meaning of identity and access management

Identity and access management (IAM) refers to the policies and tools used by IT departments to ensure that people and entities have the appropriate level of access to the organization’s technical resources. IAM systems are technology solutions to securely manage digital identities and their access to various applications and systems.

IAM systems manage people and also other kinds of identities, such as software (apps or programs), and hardware (such as IoT devices).

IAM systems perform two key tasks:

  • Authenticating that the entity is who it purports to be. When you enter a username and password into a website, the website authenticates you by checking its database to see if your username and password matches what is in the database. This is a form of authentication, albeit a less secure method than modern authentication.

  • Authorizing the entity for the appropriate level of access to resources. Authorization is the process of checking what access the authenticated user is allowed to have to technical resources and ensuring only that access. For example, if you log into a content management system as an editor you are allowed to make changes to content, but you are not allowed to make changes to the user accounts or add new users.

How authentication and authorization work in identity management systems How authentication and authorization work in IAM systems

IAM systems are an important element of cybersecurity because they are designed to perform the key function of providing secure access to enterprise resources.

Key IAM system functionality

IAM systems provide this core functionality:

Task Tools
Manage user identities IAM systems manage user identities. The IAM may be the sole directory used to create, modify, and delete users (such as employees). Or it may integrate with one or more other directories, such as Microsoft Active Directory, and synchronize with them.
Provisioning/deprovisioning users Once a user is in the system, IT must provision the user, which is the process of specifying which apps, resources, etc. the user has access to and what level of access (administrator, editor, viewer, etc.) the user has to each item. Since it would be time-consuming to specify every individual’s access to every resource, identity management systems generally enable provisioning via policies defined based on role-based access control (RBAC). Users are assigned one or more roles, usually based on job function, and are automatically given access as per the definitions for that role. Just as it can be time-consuming to provision users, it can be time-consuming to deprovision them from all the apps and systems to which they have access. An IAM system automates this process—which is important since ex-employees who still have access present a serious security risk.
Authenticating users IAM systems perform the task of authenticating a user when the user requests access. Today, secure authentication means multi-factor authentication and, preferably, adaptive authentication.
Authorizing users After authenticating the user, the IAM system authorizes the user for access, as needed, to specific apps and resources based on the user’s provisioning.
Reporting IAM systems provide reports that help organizations prove compliance with regulations, identify potential security risks, and improve their IAM and security processes.
Single Sign-On Single Sign-On is not a component of all identity management systems, but it is a component of the best ones. SSO adds security and makes users more productive by making it faster and easier for them to access the resources they need without having to login each time or remember many different passwords.

Cloud versus On-Prem Systems

IAM systems can be cloud-based (often called IDaaS) or on-prem. The first IAM systems were on-prem, i.e. physically located within the organization’s firewall and managed by the organization. Today, more and more organizations are moving to cloud IAM systems, with McKinsey reporting that only 38 percent of the enterprises they interviewed expect to be on-prem in three years. In three years, 60 percent will rely on a third-party IAM service that supports multiple public-cloud environments and unifies access across on-prem and public-cloud resources.

The move to cloud IAM is being driven by cost savings and reliability. Using a third-party cloud IAM means savings in infrastructure and maintenance. It also reduces the risk of downtime as cloud vendors provide distributed and redundant systems with high up-time and short SLAs.

Related Resources:

IAM Success Kit: 3 Tools to Uplevel Your Company’s Identity Management

Use this kit to improve your company’s identity and access management.

Get the kit

Identity Access Management 101 video

Learn the basics of identity and access management in this video of a recent webinar.

View video

4 Key Elements of a Next-Generation Identity and Access Management Platform

Read more