An Introduction to Identity and Access Management
What is Identity and Access Management?
Identity and access management (IAM) is part of cyber and information security strategies. It covers the policies, processes and supporting technologies that ensure the right entities gain access to the right resources at the right time. Consequently, IAM deals with the question of how to identify the entities that request access, that is, users, devices, applications and more. IAM also defines the rules, processes and tools required to apply access controls to resources in an automated manner. The tool (or set of tools) that is central to implementing the IAM strategy is called the identity and access management system.
How Does Identity and Access Management Work?
As the name suggests, IAM is a combination of identity management and access management. Identity management handles the policies, tools and procedures concerning identity data that describe identities, commonly persons. A critical aspect of identity management is identity lifecycle management, the process that spans from creating to deleting identity data. Other important features of identity management are identification and verification of identities as well as identity governance.
Access management defines and implements access controls for digital identities. Therefore, it depends on identity management. A modern approach for access management is a zero-trust architecture, where access controls are based on verified identities and not on any perimeter network. Tokens are a way to communicate identity and access information in a verifiable manner.
Why is Identity and Access Management Important?
Identity and access management can improve efficiency and productivity. It can offer streamlined and automated processes for managing identities. Such processes include onboarding (creating new identities), updating and offboarding (decommissioning identities), but also auditing. Automated processes reduce human error. As a consequence, IAM increases security because permission errors caused by manual tasks are eliminated.
By having a central system that governs digital identities, security policies can be enforced centrally which helps to achieve compliance with laws and regulations such as GDPR or PSD2. For example, an IAM system can enforce multi-factor authentication, improve security and user experience with single sign-on technologies, assign permissions and audit activities centrally.
IAM ensures that customers, users and employees - and in its advanced form also devices and applications - are identified, that their identity is verified and that access controls are enforced. It helps to reduce security breaches. Ideally, all (IT) systems integrate with the IAM system. Therefore, IAM is vital for protecting data and security in general.
What is the Difference Between IAM and Privileged Access Management?
Privileged access management (PAM) is a discipline within IAM that deals with a subgroup of users who have high privileges, such as administrators. Such access rights commonly have a great impact and thus need special attention when it comes to controlling and monitoring activities.
What is the Difference Between IAM and Entitlement Management?
Entitlement management is a specialized discipline within access management. It covers the processes, procedures and tools to administer and resolve permissions based on identity attributes. This approach is referred to as attribute-based access control.
An entitlement management system (EMS) uses a variety of identity attributes to form a decision on whether access to a given resource is allowed or not. With the help of an EMS you can achieve separation of duties, where security policies (resource access) are developed and maintained independently of the application and its code.
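The following is an added example, not code from the original article or from any particular entitlement management product. It shows the separation of duties described above in working form: a small attribute-based policy decision point evaluates policies against subject and resource attributes, and the policies live in their own list rather than in application code. The attribute names (department, clearance, classification, owner, status), the policy names and the deny-overrides combining rule are assumptions constructed for the demo.

```python
# Added example (not from the original article): a minimal attribute-based
# access control (ABAC) policy decision point. Policies are data maintained
# separately from the application, which only asks for a decision.
# Attribute names, policies and sample subjects/resources are constructed.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attributes = Dict[str, Any]
# A condition receives (subject attributes, resource attributes, action).
Condition = Callable[[Attributes, Attributes, str], bool]


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str  # "permit" or "deny"
    condition: Condition


class PolicyDecisionPoint:
    """Evaluates policies against subject and resource attributes.

    Combining algorithm (constructed for the demo): deny-overrides with
    default deny. Any matching deny wins; otherwise a matching permit
    grants access; if no policy applies, access is denied.
    """

    def __init__(self, policies: List[Policy]) -> None:
        self.policies = policies

    def decide(self, subject: Attributes, resource: Attributes, action: str) -> Tuple[str, List[str]]:
        matched = [p for p in self.policies if p.condition(subject, resource, action)]
        names = [p.name for p in matched]
        if any(p.effect == "deny" for p in matched):
            return "deny", names
        if any(p.effect == "permit" for p in matched):
            return "permit", names
        return "deny", names  # default deny: nothing explicitly permitted this request


# Constructed policies. In a real EMS the security team authors and versions
# these independently of the application's release cycle.
POLICIES = [
    Policy(
        "inactive-subjects-denied",
        "deny",
        lambda s, r, a: s.get("status") != "active",
    ),
    Policy(
        "owner-full-access",
        "permit",
        lambda s, r, a: s.get("id") == r.get("owner"),
    ),
    Policy(
        "same-department-read-with-clearance",
        "permit",
        lambda s, r, a: a == "read"
        and s.get("department") == r.get("department")
        and s.get("clearance", 0) >= r.get("classification", 0),
    ),
]

PDP = PolicyDecisionPoint(POLICIES)


def check(subject: Attributes, resource: Attributes, action: str) -> str:
    """What an application would call: returns only the effect, permit or deny."""
    return PDP.decide(subject, resource, action)[0]


if __name__ == "__main__":
    # Constructed sample data.
    report = {"id": "doc-17", "owner": "u-bob", "department": "finance", "classification": 2}
    alice = {"id": "u-alice", "status": "active", "department": "finance", "clearance": 2}
    carol = {"id": "u-carol", "status": "active", "department": "engineering", "clearance": 3}
    bob_suspended = {"id": "u-bob", "status": "suspended", "department": "finance", "clearance": 1}
    for who, act in ((alice, "read"), (carol, "read"), (bob_suspended, "delete")):
        print(who["id"], act, "->", PDP.decide(who, report, act))
```

Note that the suspended owner is denied even though the owner policy matches: with deny-overrides, disabling an account in the identity data immediately revokes access everywhere the PDP is consulted, without touching any application.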
Meeting security requirements is a complex topic and IAM is an important part of it. There is no single solution that fits all, but there are some common concepts. The following table lists concepts and terms that are good to know in the context of IAM and related systems.
| Term | Description |
|---|---|
| Identity Management System | The security framework that is central to the IAM strategy. It can integrate with, or federate to, multiple identity providers (IdPs) when managing identities. |
| Identity Provider (IdP) | The component of the IAM system that stores, manages and asserts identity data. It can also be external, such as a social identity provider. |
| Identity as a Service (IDaaS) | An identity provider running as a cloud service. |
| Client | The application (entity) intending to consume data from a server (resource). It commonly needs to integrate with the IAM system as part of the access control implementation. |
| Digital Identity | Data that describes a person (entity), often verifiable data issued by a trusted authority such as the identity provider. |
| Onboarding | The process of creating and setting up a new digital identity. The process of removing or deactivating a digital identity is called offboarding. |
| Provisioning | Assigning (new) access rights to a digital identity. The process of removing access rights is called deprovisioning. |
| Identity Lifecycle Management | The policies, processes and tools for managing digital identities, from onboarding and provisioning through updating (including deprovisioning) to offboarding. |
| Identity Governance and Administration (IGA) | A strategy that aims to automate, visualize, connect and manage IAM functions to meet audit and compliance rules. It provides the tools and processes to administer identities in a secure and productive manner, e.g. self-service portals. |
| Identification | The process of determining who an entity claims to be, e.g., by providing a username. |
| Authentication | The process of verifying that an entity is indeed the one it claims to be. Commonly, the process requires the entity to provide one or more credentials, e.g., a password. |
| Authentication Method | The implementation of a credential verification process, often combined with identification, e.g., username and password. |
| Credential | A secret or piece of information, e.g., a password or key, that is tied to an entity and thus suitable for verifying its identity. |
| Credential Management | The discipline within IAM that aims to protect and govern credentials. |
| Passwordless Authentication | An authentication method that does not use passwords as credentials, e.g., SMS codes or email verification links. |
| Multi-factor Authentication | An authentication method, or a chain of methods, that requires the user to present more than one credential, e.g., a password and an SMS code. |
| Single Sign-On (SSO) | An authentication process that allows users or clients to log in once to one domain, e.g., the identity provider, and then access services in other domains without re-authenticating, i.e. without further interaction. |
| Authorization | The process of enforcing access control rules, i.e. granting permissions. Authorization relies on authentication for identifying entities. |
| Role-based Access Control | Entities are assigned roles and each role has a set of permissions. Access decisions are based on whether or not an entity has a given role. |
| Attribute-based Access Control | Access decisions are based on the attributes of an entity. |
| Token | A piece of data asserted by a trusted authority such as the identity provider. Tokens may represent the digital identity of a user (ID token) or be used to implement access controls (access token). A popular token format is JSON Web Token (JWT). |
| Token-based Architecture | An IAM design that uses tokens to communicate identity and access data (instead of applications and resources accessing identity information directly). Access controls are then performed based on the data in tokens. |
| API Management System | The platform, tools and services that publish, monitor, analyze and enforce usage of an API (or APIs). It integrates with the IAM system for identity-related operations such as authentication and token issuance. |
| Zero-trust Approach | An approach where trust is not based on assumptions. The default is to trust no one (zero trust); trust is established through authentication (e.g., token-based authentication). |
| Least Privilege Access | The concept or principle of granting only the permissions required to perform a task (not more and not less). |
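As an added example, not code from the original article or from any particular IAM product, the block below ties several of the table's terms together: a token service (the trusted authority) issues a JWT access token carrying subject, audience, expiry and scope, and a resource server verifies the token on every request before enforcing scope-based access control, which is the token-based, zero-trust pattern described above. To stay within the standard library the demo signs with HS256 and a shared secret; a production identity provider normally signs with an asymmetric key (RS256 or ES256) and publishes only the public key. The issuer URL, audience, subject and scope names are constructed values.

```python
# Added example (not from the original article): issuing and verifying a
# JWT access token, then using its claims for an access control decision.
# HS256 with a shared secret keeps the demo dependency-free; an IdP would
# normally use an asymmetric signature. All identifiers are constructed.
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, List, Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: Dict[str, Any]) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


class TokenService:
    """Stands in for the IAM system's token service (the trusted authority)."""

    def __init__(self, issuer: str, secret: bytes) -> None:
        self.issuer = issuer
        self.secret = secret

    def issue_access_token(self, subject: str, audience: str, scopes: List[str],
                           ttl_seconds: int = 300, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + ttl_seconds, "scope": " ".join(scopes)}
        signing_input = f"{_encode_json(header)}.{_encode_json(claims)}"
        signature = hmac.new(self.secret, signing_input.encode("ascii"), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(signature)}"


class ResourceServer:
    """Verifies every presented token itself instead of trusting the network."""

    def __init__(self, expected_issuer: str, expected_audience: str, secret: bytes) -> None:
        self.expected_issuer = expected_issuer
        self.expected_audience = expected_audience
        self.secret = secret

    def verify(self, token: str, now: Optional[int] = None) -> Dict[str, Any]:
        """Returns the claims of a valid token; raises ValueError otherwise."""
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        header_b64, claims_b64, sig_b64 = parts
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the verifier decides how to verify, never the token.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise ValueError("unexpected algorithm")
        expected_sig = hmac.new(self.secret, f"{header_b64}.{claims_b64}".encode("ascii"),
                                hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
            raise ValueError("invalid signature")
        claims = json.loads(_b64url_decode(claims_b64))
        if not isinstance(claims, dict):
            raise ValueError("malformed claims")
        if claims.get("iss") != self.expected_issuer:
            raise ValueError("untrusted issuer")
        if claims.get("aud") != self.expected_audience:
            raise ValueError("token not intended for this resource")
        now = int(time.time()) if now is None else now
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            raise ValueError("token expired")
        return claims

    def authorize(self, token: str, required_scope: str, now: Optional[int] = None) -> bool:
        """Decision for one request: the token is valid AND grants the required scope."""
        try:
            claims = self.verify(token, now)
        except ValueError:
            return False
        return required_scope in claims.get("scope", "").split()


if __name__ == "__main__":
    secret = b"constructed-demo-secret-do-not-reuse"
    idp = TokenService("https://idp.example", secret)
    orders_api = ResourceServer("https://idp.example", "orders-api", secret)
    token = idp.issue_access_token("u-alice", "orders-api", ["orders:read"])
    print("read allowed:", orders_api.authorize(token, "orders:read"))
    print("write allowed:", orders_api.authorize(token, "orders:write"))
```

The order of checks matters: signature first, then issuer, audience and expiry, and only then the scope. Checking the audience is what stops a token issued for one API from being accepted by another, and the constant-time comparison of the signature avoids leaking timing information.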
What IAM Tools do I need?
An identity and access management system needs to be able to solve even challenging use cases. Thus, we recommend applying the principle of separation of concerns. Instead of a single component that implements many or all features, an IAM system should consist of separate components (or sub-systems), each implementing a single logical function. Components work together to support a use case. The IAM system should consist of logical components for authentication, federation, access management and user management. It should also include a token service so that tokens can be used to communicate identity data.
As part of its central role an IAM system integrates with many technologies. It is therefore important that it supports standardized protocols such as
- OAuth 2.0,
- OpenID Connect (OIDC),
- System for Cross-Domain Identity Management (SCIM) and
- Security Assertion Markup Language (SAML).
At the same time, it must support different authentication methods including passwordless and multiple factors. If you can get rid of passwords, you will not have to spend any time, effort or money on password management.
How do I implement an IAM strategy?
Understanding the business is the foundation of a good IAM strategy. If IAM aligns with the business, it will be able to improve productivity and efficiency as well as security. There are some best practices that you can follow when getting started. For example, use passwordless or multiple factors for authentication. Implement an adaptive authentication process that can change based on the context (e.g., when logging in from a different country). Automate processes such as onboarding, provisioning and offboarding as much as possible.
Adopt a zero-trust approach and follow the principle of least privilege. Give users enough privileges to do their job, but not more. Consider attribute-based access control with entitlement management, and tokens to communicate identity data, for a scalable and future-proof architecture.
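The adaptive authentication process recommended above (an authentication flow that changes with the login context, such as a login from a different country) can be sketched as a small risk policy. The block below is an added example, not code from the original article or from any IAM product: the IAM system compares the context of a login attempt with what it knows about the user and decides whether a single factor suffices, a second factor must be requested (step-up), or the attempt is refused. The signals (new country, unknown device, repeated recent failures), their weights and the thresholds are constructed for the demo; a real deployment tunes them against its own data.

```python
# Added example (not from the original article): a context-aware (adaptive)
# authentication policy. Signals, weights and thresholds are constructed.
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class UserProfile:
    """What the IAM system already knows about the user (constructed fields)."""
    user_id: str
    usual_countries: Set[str]
    known_devices: Set[str]
    mfa_enrolled: bool


@dataclass
class LoginContext:
    """Context observed for one login attempt (constructed fields)."""
    country: str
    device_id: str
    failed_attempts_last_hour: int = 0


# Constructed weights and thresholds; a real deployment tunes these.
RISK_WEIGHTS = {"new_country": 40, "unknown_device": 30, "repeated_failures": 40}
STEP_UP_THRESHOLD = 30   # at or above: require a second factor
DENY_THRESHOLD = 100     # at or above: refuse the attempt


def assess_login(profile: UserProfile, ctx: LoginContext) -> Tuple[str, int, List[str]]:
    """Returns (decision, risk score, reasons).

    decision is one of: "allow" (single factor is enough), "require_mfa"
    (step-up to a second factor), or "deny".
    """
    score = 0
    reasons: List[str] = []
    if ctx.country not in profile.usual_countries:
        score += RISK_WEIGHTS["new_country"]
        reasons.append("login from a country not seen before for this user")
    if ctx.device_id not in profile.known_devices:
        score += RISK_WEIGHTS["unknown_device"]
        reasons.append("unknown device")
    if ctx.failed_attempts_last_hour >= 5:
        score += RISK_WEIGHTS["repeated_failures"]
        reasons.append("repeated failed attempts in the last hour")

    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        if not profile.mfa_enrolled:
            # Step-up is required but impossible: fail closed rather than fall back to one factor.
            reasons.append("second factor required but none enrolled")
            return "deny", score, reasons
        return "require_mfa", score, reasons
    return "allow", score, reasons


if __name__ == "__main__":
    alice = UserProfile("u-alice", {"SE"}, {"dev-1"}, mfa_enrolled=True)
    for ctx in (LoginContext("SE", "dev-1"), LoginContext("DE", "dev-1"), LoginContext("DE", "dev-9", 6)):
        print(ctx, "->", assess_login(alice, ctx))
```

The step-up branch is where adaptive authentication earns its keep: a familiar context does not burden the user, while an unusual one triggers an additional factor instead of an outright refusal, and the recorded reasons give the audit trail the governance section above asks for.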