What is identity and access management? Guide to IAM
Identity and access management, or IAM, is a framework of business processes, policies and technologies that facilitates the management of digital identities. With an IAM framework in place, IT security teams can control user access to critical information within their organizations.
Using methods such as single sign-on (SSO), two-factor authentication and privileged access management, IAM technologies securely store identity and profile data and manage data governance functions to ensure that only necessary and relevant data is shared.
IAM performs the following fundamental security actions:
- Identifies individuals in a system through identity management and authentication.
- Identifies roles in a system and how roles are assigned to individuals.
- Adds, removes and updates individuals and their roles in a system.
- Assigns levels of access to individuals or groups of individuals.
- Protects sensitive data within the system and secures the system itself.
An enterprise's ability to know who is accessing which data and which systems and from where is not only helpful but critical to data protection. Employees are in far-flung locales, sometimes in branch offices and sometimes working remotely from their homes. Traditional defenses built around a known perimeter are no longer adequate, which is one reason why cybersecurity experts now refer to identity as the new perimeter.
This comprehensive guide examines the many aspects of identity and access management, including its challenges, technologies and trends. Hyperlinks direct readers to related articles that provide additional insights and guidance about how to understand, implement and manage IAM.
Why is IAM important?
Business leaders and IT departments are under pressure to grant access to corporate resources while at the same time protecting those resources. It's a balancing act, and it's not a simple one. Security teams must assign and track user privileges so that users can work with the data and applications they need to be productive -- without being so lax that bad actors find their way into systems.
The increased adoption of cloud services and the growth in hybrid and remote workforces mean more users are accessing more applications from more locations. These conditions make proper identity management indispensable.
Cybersecurity relies on IAM and its ever-increasing list of features, including biometrics, behavior analytics and AI. With its tight control of resource access in highly distributed and dynamic environments, IAM aligns with security's transition from traditional firewalls and inherent-trust practices to stricter, identity-centric control architectures.
The foremost of these stricter controls is the zero-trust model. An organization that implements zero trust authenticates and authorizes each request, taking the user, the device and the context into account, rather than checking once at the perimeter and trusting everything that follows. This inverts the idea that users who've been cleared can be fully trusted. A zero-trust architecture limits lateral movement between applications and systems, which, in turn, limits the damage an intruder who has compromised a single account or host can do.
With IAM in place, an organization gains organized, centralized control over who can access what. Automation features eliminate manual steps, which boosts efficiency and lowers the chance of human error.
Businesses that are inattentive to IAM run the risk of intrusion, data loss, ransom attacks and worse. Bad actors often use stolen credentials to impersonate valid users. Because this access appears legitimate, cybercriminals can misuse credentials to linger inside a network for extended periods. If the stolen credential can be used to gain administrator privileges, the data loss and potential damage can be considerable. Bad actors use a range of tactics, including phishing and vishing, to acquire credentials.
Research by Verizon found that, over the past decade, stolen credentials have played a role in nearly one-third of breaches. Credential theft is so effective that it is used by both run-of-the-mill cybercriminals and highly organized nation-state threat actors.
Basic components of IAM
IAM products offer access control, which lets system administrators regulate access to systems or networks based on the roles of individual users within the enterprise.
In this context, access is the ability of an individual user to perform a specific task, such as view, create or modify a file. Roles are defined according to job, authority and responsibility. Key types of access control include the following:
- Role-based access control.
- Discretionary access control.
- Attribute-based access control.
- Mandatory access control.
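The difference between the first and third of these models is easiest to see in code. The following is an added example written for this guide, not code from the article or from any IAM product: a small policy decision point in Go that answers the same request under role-based rules and then under attribute-based rules. The roles (analyst, editor, admin), the attribute names and the rules themselves are assumptions chosen for illustration.

```go
package main

import "fmt"

// Request carries the attributes a policy decision point evaluates.
type Request struct {
	Subject  map[string]string // who is asking: role, department, ...
	Resource map[string]string // what is asked for: owner_department, classification, ...
	Action   string            // read, write, delete
	Env      map[string]string // context: network, ...
}

// rbacPolicy maps each (assumed) role to the actions it may perform.
var rbacPolicy = map[string]map[string]bool{
	"analyst": {"read": true},
	"editor":  {"read": true, "write": true},
	"admin":   {"read": true, "write": true, "delete": true},
}

// AuthorizeRBAC decides from the subject's role alone; it is blind to
// where the request comes from or how sensitive the resource is.
func AuthorizeRBAC(r Request) bool {
	return rbacPolicy[r.Subject["role"]][r.Action]
}

// A Rule returns "permit", "deny" or "" (not applicable) for a request.
type Rule func(r Request) string

// abacRules are combined deny-overrides: any deny wins, otherwise at
// least one permit is required, and the default is deny.
var abacRules = []Rule{
	// Confidential data may only be touched from the corporate network.
	func(r Request) string {
		if r.Resource["classification"] == "confidential" && r.Env["network"] != "corporate" {
			return "deny"
		}
		return ""
	},
	// Anyone in the owning department may read; role still gates write/delete.
	func(r Request) string {
		if r.Action == "read" && r.Subject["department"] == r.Resource["owner_department"] {
			return "permit"
		}
		return ""
	},
	// Whatever the role table allows is also a permit here.
	func(r Request) string {
		if AuthorizeRBAC(r) {
			return "permit"
		}
		return ""
	},
}

// AuthorizeABAC evaluates every rule with deny-overrides combining.
func AuthorizeABAC(r Request) bool {
	permitted := false
	for _, rule := range abacRules {
		switch rule(r) {
		case "deny":
			return false
		case "permit":
			permitted = true
		}
	}
	return permitted
}

func main() {
	req := Request{
		Subject:  map[string]string{"role": "analyst", "department": "finance"},
		Resource: map[string]string{"owner_department": "finance", "classification": "confidential"},
		Action:   "read",
		Env:      map[string]string{"network": "home"},
	}
	fmt.Printf("RBAC permits: %v, ABAC permits: %v\n", AuthorizeRBAC(req), AuthorizeABAC(req))
}
```

Run as written, the request from a finance analyst reading a confidential finance document from a home network is permitted by RBAC, which knows only the role, and denied by ABAC, whose network rule overrides. Deny-overrides with a default deny is the usual choice for ABAC engines; a permit-overrides engine would answer differently for the same rules, so the combining algorithm is itself part of the policy.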
To gain access to those authorized resources, users must prove they are who they say they are. This is a complicated but necessary component of IAM, typically involving passwords, challenge-response authentication and related methods.
IAM systems should capture and record user login information, manage the enterprise database of user identities and orchestrate the assignment and removal of access privileges. Tools used for IAM should provide a centralized directory service with oversight and visibility into all aspects of the company user base.
To ensure the effectiveness of their IAM efforts, security teams should look to various identity standards and protocols. These tried-and-true standards can help improve an organization's security posture, compliance efforts and even user experience. The authentication, authorization and accounting framework, for example, is a way for security teams to organize their IAM work. It provides structure for access control, policy enforcement and usage tracking.
Another way for a business to manage IAM is the use of identity governance and administration, which is a collection of processes that help ensure proper installation, oversight, enforcement and auditing of IAM policies.
It's worth remembering that a digital identity isn't just for a person. IAM can and should manage the digital identities of devices and applications -- what's often called machine identity management or nonhuman identity management. These can be APIs, servers and devices that access information and need to be managed. Security experts say organizations have begun to realize just how many of these identities are present in their environments. Working to secure them is one of the emerging trends in IAM.
Benefits of IAM
IAM technologies can be used to initiate, capture, record and manage user identities and their related access permissions in an automated manner. In an era when workforces are more geographically scattered than ever before, well-operated IAM takes on greater importance.
An organization with an effective IAM program should expect to see the following benefits, among other advantages:
- Access privileges being granted according to policy, with all individuals and services properly authenticated, authorized and audited.
- Control of user access, which reduces the risk of internal and external data breaches.
- Enforcement of policies around user authentication, validation and privileging.
- Better compliance with government regulations.
IAM implementation is necessary for secure operations, but companies can also gain competitive advantages. For example, IAM technologies enable a business to give users outside the organization -- such as customers, partners, contractors and suppliers -- access to applications and data without compromising security.
IAM technologies and tools
IAM technologies are designed to simplify the user provisioning and account setup process. These systems should reduce the time it takes to complete these processes with a controlled workflow that decreases errors and the potential for abuse while enabling automated account fulfillment. An IAM system should also allow administrators to instantly view and change evolving access roles and rights.
These systems should balance the speed and automation of their processes with the control that administrators need to monitor and modify access rights. Consequently, to manage access requests, the central directory needs an access rights system that automatically matches employee job titles, business unit identifiers and locations to their relevant privilege levels.
Multiple review levels can be included as workflows to enable the proper checking of individual requests. This simplifies setting up appropriate review processes for higher-level access. It also eases reviews of existing rights to prevent privilege creep, which is the gradual accumulation of access rights beyond what users need to do their jobs.
A good IAM tool will automate least-privilege provisioning, enable SSO across multiple apps and providers, provide broad access visibility into an organization's systems and deliver a reasonably smooth user experience, among other functions.
IAM systems should be used to provide flexibility to establish groups with specific privileges for specific roles so that access rights based on employee job functions can be uniformly assigned. The system should also provide request and approval processes for modifying privileges, as employees with the same title and job location might need customized or slightly different access.
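To make the provisioning and review steps above concrete, here is an added example in Go (not the article's code and not any vendor's): a joiner/mover/leaver reconciliation driven by HR attributes, plus the privilege-creep check an access review would run. The job titles, business units, locations and entitlement names are assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Employee is the HR record that drives provisioning.
type Employee struct {
	ID, Title, Unit, Location string
	Active                    bool
}

// Account is the directory-side state for that person.
type Account struct {
	Enabled      bool
	Entitlements map[string]bool
}

// entitlementsFor is the access-rights rule set: job title, business unit
// and location map to a baseline of entitlements. The titles and
// entitlement names are assumptions for this example.
func entitlementsFor(e Employee) map[string]bool {
	ents := map[string]bool{"email": true, "intranet": true}
	switch e.Title {
	case "engineer":
		ents["source-control"] = true
		if e.Unit == "platform" {
			ents["ci-deploy"] = true
		}
	case "accountant":
		ents["ledger-read"] = true
		if e.Location == "hq" {
			ents["ledger-post"] = true
		}
	}
	return ents
}

// Reconcile is the joiner/mover/leaver step: a leaver is disabled and
// stripped of everything; anyone else is reset to the baseline for their
// current attributes plus explicitly approved exceptions.
func Reconcile(e Employee, acct *Account, exceptions map[string]bool) {
	if !e.Active {
		acct.Enabled = false
		acct.Entitlements = map[string]bool{}
		return
	}
	acct.Enabled = true
	want := entitlementsFor(e)
	for ent := range exceptions {
		want[ent] = true
	}
	acct.Entitlements = want
}

// PrivilegeCreep is the access-review check: entitlements the account holds
// that neither the current baseline nor an approved exception justifies.
func PrivilegeCreep(e Employee, acct Account, exceptions map[string]bool) []string {
	baseline := entitlementsFor(e)
	creep := []string{}
	for ent := range acct.Entitlements {
		if !baseline[ent] && !exceptions[ent] {
			creep = append(creep, ent)
		}
	}
	sort.Strings(creep)
	return creep
}

func main() {
	alice := Employee{ID: "u1001", Title: "engineer", Unit: "platform", Location: "remote", Active: true}
	acct := &Account{Enabled: true, Entitlements: map[string]bool{
		"email": true, "source-control": true, "ci-deploy": true, "ledger-post": true, // ledger-post was never approved
	}}
	fmt.Println("creep today:", PrivilegeCreep(alice, *acct, nil))
	alice.Title, alice.Unit, alice.Location = "accountant", "finance", "hq" // mover
	fmt.Println("creep after transfer:", PrivilegeCreep(alice, *acct, nil))
	Reconcile(alice, acct, nil)
	fmt.Println("after reconcile:", PrivilegeCreep(alice, *acct, nil), acct.Entitlements)
	alice.Active = false // leaver
	Reconcile(alice, acct, nil)
	fmt.Println("enabled:", acct.Enabled, "entitlements left:", len(acct.Entitlements))
}
```

Running it shows an engineer holding a ledger-post entitlement nobody approved (creep on day one); after a transfer to accounting the engineering entitlements become creep while ledger-post becomes legitimate; Reconcile resets the account to the new baseline, and marking the employee inactive disables the account and strips everything. The exceptions map is where explicitly approved extras live, so anything not in the baseline or the exception list is, by definition, creep.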
With IAM, enterprises can implement a range of digital authentication methods to prove digital identity and authorize access to corporate resources.
Unique passwords. The most common type of digital authentication continues to be the unique password. While not especially secure or convenient, passwords are typically how users access their accounts for shopping, banking, entertainment, email and work.
To make passwords more secure, some organizations require longer or more complex passwords that include a combination of letters, symbols and numbers, although length does far more for strength than forced symbol mixing, and complexity rules mostly push users toward predictable substitutions. Users understandably find it onerous to remember which long and complex password will get them logged in to this app or that site. SSO entry points and password managers can help alleviate that burden.
Multifactor authentication. MFA is an increasingly common type of authentication. An IAM system that requires a user to enter a code texted to their phone, for example, increases the likelihood that the access attempt is legitimate. Unless they've already gained access to -- or possession of -- the user's phone, bad actors with a stolen password won't be able to clear that second authentication hurdle. Not all second factors are equal, however: SMS codes can be diverted by SIM swapping and, like authenticator-app codes, can be relayed in real time by a phishing page that forwards whatever the victim types. That is why NIST discourages SMS for this purpose and why phishing-resistant factors such as FIDO2 security keys and passkeys are preferred for accounts that matter.
The MFA movement is gaining momentum. Employers now routinely ask remote workers to use a second or third factor to prove their identity. Financial institutions and other security-minded organizations use MFA processes before granting a customer access to an account. In 2024, Google Cloud, AWS and Microsoft Azure all decided that they will require MFA for their customers to access cloud services.
Adaptive authentication. When dealing with highly sensitive information and systems, organizations can use behavioral or adaptive authentication methods to assist in identity management. IAM tools, for example, are now more capable of noticing when someone who typically logs in from a certain place at a certain time is attempting to access systems from another location and at a time they are not normally working. These behaviors could signal that the user's credentials have been compromised.
By applying AI, or simpler statistical baselines, organizations can more readily recognize when user or machine behavior falls outside the norm. Anomalies should raise the bar rather than pass silently: a low-risk deviation can trigger step-up authentication, while a high-risk one can block the session and alert the security team. Reserving outright lockouts for the high-risk cases matters, because an attacker who can trigger lockouts at will has a cheap denial-of-service tool against legitimate users.
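As an added example, constructed for this guide rather than taken from the article or from any product's real log schema, the following Go program builds a per-user baseline from sample sign-in lines and scores a new attempt against it. The log format, the weights and the thresholds are assumptions; a real engine uses far richer signals, but the shape of the decision is the same.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Login is one parsed sign-in event.
type Login struct {
	When    time.Time
	User    string
	Country string
	Device  string
	Success bool
}

// parseLogin reads a "key=value" log line (a constructed format for this
// example, not any product's real schema).
func parseLogin(line string) (Login, error) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if i := strings.IndexByte(f, '='); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	t, err := time.Parse(time.RFC3339, kv["time"])
	if err != nil {
		return Login{}, fmt.Errorf("bad line %q: %w", line, err)
	}
	return Login{When: t, User: kv["user"], Country: kv["country"], Device: kv["device"], Success: kv["result"] == "success"}, nil
}

// Baseline is what "normal" looks like for one user, built only from
// successful logins so an attacker's failed attempts cannot teach it.
type Baseline struct {
	Countries map[string]bool
	Devices   map[string]bool
	Hours     map[int]bool // UTC hours at which the user has signed in
}

func BuildBaseline(history []Login, user string) Baseline {
	b := Baseline{map[string]bool{}, map[string]bool{}, map[int]bool{}}
	for _, l := range history {
		if l.User != user || !l.Success {
			continue
		}
		b.Countries[l.Country] = true
		b.Devices[l.Device] = true
		b.Hours[l.When.UTC().Hour()] = true
	}
	return b
}

// Score adds risk for each way the attempt departs from the baseline.
func Score(b Baseline, attempt Login) (int, []string) {
	score, reasons := 0, []string{}
	if !b.Countries[attempt.Country] {
		score, reasons = score+40, append(reasons, "new country")
	}
	if !b.Devices[attempt.Device] {
		score, reasons = score+30, append(reasons, "unknown device")
	}
	if !b.Hours[attempt.When.UTC().Hour()] {
		score, reasons = score+20, append(reasons, "unusual hour")
	}
	return score, reasons
}

// Decide maps risk to an action; the middle band steps up rather than
// locking out, so legitimate travel does not turn into a support ticket.
func Decide(score int) string {
	switch {
	case score >= 70:
		return "deny"
	case score >= 30:
		return "step-up"
	default:
		return "allow"
	}
}

// Evaluate runs the whole pipeline on raw lines.
func Evaluate(historyLines []string, attemptLine string) (decision string, score int, reasons []string, err error) {
	var history []Login
	for _, ln := range historyLines {
		l, err := parseLogin(ln)
		if err != nil {
			return "", 0, nil, err
		}
		history = append(history, l)
	}
	attempt, err := parseLogin(attemptLine)
	if err != nil {
		return "", 0, nil, err
	}
	score, reasons = Score(BuildBaseline(history, attempt.User), attempt)
	return Decide(score), score, reasons, nil
}

// SampleHistory is constructed for this example.
var SampleHistory = []string{
	"time=2024-09-09T09:15:00Z user=alice country=US device=laptop-7 result=success",
	"time=2024-09-10T10:30:00Z user=alice country=US device=laptop-7 result=success",
	"time=2024-09-11T14:00:00Z user=alice country=US device=laptop-7 result=success",
	"time=2024-09-11T03:10:00Z user=alice country=BR device=unknown-9 result=failure", // not a success: ignored
}

func main() {
	for _, attempt := range []string{
		"time=2024-09-12T10:05:00Z user=alice country=US device=laptop-7",
		"time=2024-09-12T10:05:00Z user=alice country=US device=phone-2",
		"time=2024-09-12T03:05:00Z user=alice country=BR device=unknown-9",
	} {
		d, s, r, err := Evaluate(SampleHistory, attempt)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-8s score=%2d %v\n", d, s, r)
	}
}
```

Note that the baseline is built from successful logins only, so the failed attempt from Brazil in the sample history does not teach the system that Brazil is normal. A brand-new user has an empty baseline and always lands in the step-up band, which is the right default for a first login from an unknown device.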
Biometrics. Some IAM systems use biometrics as their method of authentication. Biometric characteristics, such as fingerprints, irises, faces, palms, gaits, voices and, in some cases, DNA, are seen as an easy and precise way to know exactly who is accessing what.
While the convenience of facial recognition or fingerprint scanning is hard to deny, the use of biometrics involves risks -- ones that are unlike other challenges in IT or security. Stolen fingerprint data, for example, can't be replaced the way a hacked password can be. Make sure to fully understand the pros and cons of biometric authentication.
When an organization collects a person's specific facial characteristics, it assumes the serious responsibility of safeguarding that data. Organizations with plans to adopt biometrics need to work through a long list of privacy and legal questions before committing to this form of authentication.
Implementing IAM in the enterprise
A key area of concern in IAM is how accounts are provisioned and deprovisioned.
IT teams will sometimes grant privileges to a user beyond what's needed for that person to do a particular job. For an intruder, these overprivileged accounts are especially valuable targets because they allow access to many parts of an organization. A related risk is poor deprovisioning practices, that is, failing to remove access when a specific employee changes roles or leaves the company. Strict provisioning also limits what an insider can reach, and therefore how much damage an insider can do.
An organization needs to identify a team of people who will play a lead role in the enforcement of identity and access policies. IAM affects every department and every type of user -- employee, contractor, partner, supplier, customer and so on -- so it's essential the IAM team comprises a mix of corporate functions. An approach that pulls together various people and is organized around the same goals should improve the chances of success in identity security.
What's needed for an effective IAM infrastructure? Key points to evaluate include how to handle authentication and federated identity management. These activities could involve a decision to use the OpenID Connect protocol or the SAML standard. Both let an identity provider vouch for a user to a separate application, but they are not the same: OpenID Connect is a JSON-based identity layer on top of OAuth 2.0 that issues signed ID tokens (JWTs) and suits web and mobile apps and APIs, while SAML is an older XML-based standard that remains common for enterprise SSO into SaaS applications.
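Whichever protocol is chosen, the relying party's job is the same: prove that an assertion came from the trusted identity provider, was meant for this application, is still fresh and has not been replayed. The following is an added example in Go, not the article's code and not a complete OpenID Connect client: it issues and validates a minimal ID token (a JWT signed with EdDSA, one of the JOSE signature algorithms) using only the standard library. The issuer URL, client ID and claim values are assumptions; a real deployment fetches the provider's keys from its JWKS endpoint and handles aud as either a string or an array.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID token claims this example checks.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"` // may be an array in real tokens
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Nonce string `json:"nonce"`
}

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// IssueIDToken models the identity provider: sign header.payload with EdDSA.
func IssueIDToken(priv ed25519.PrivateKey, c Claims) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// ValidateIDToken models the relying party: algorithm pinned, signature
// checked, and only then are the claims read and compared.
func ValidateIDToken(token string, idpKey ed25519.PublicKey, issuer, clientID, expectedNonce string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return Claims{}, err
	}
	if header.Alg != "EdDSA" { // never let the token choose (alg=none, key confusion)
		return Claims{}, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	if !ed25519.Verify(idpKey, []byte(parts[0]+"."+parts[1]), sig) {
		return Claims{}, errors.New("signature does not verify")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	switch {
	case c.Iss != issuer:
		return Claims{}, fmt.Errorf("issuer %q is not the configured IdP", c.Iss)
	case c.Aud != clientID:
		return Claims{}, fmt.Errorf("token was minted for %q, not this client", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return Claims{}, errors.New("token expired")
	case c.Nonce != expectedNonce:
		return Claims{}, errors.New("nonce mismatch: possible replay")
	}
	return c, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := IssueIDToken(priv, Claims{Iss: "https://idp.example", Sub: "u1001", Aud: "my-app",
		Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix(), Nonce: "n-123"})
	c, err := ValidateIDToken(tok, pub, "https://idp.example", "my-app", "n-123", now)
	fmt.Println("subject:", c.Sub, "error:", err)
}
```

The order of checks is deliberate: the algorithm is pinned before the signature is verified, so a token claiming alg none or some other algorithm is rejected before anything in it is trusted, and no claim is read until the signature holds. The nonce is the value the relying party generated when it redirected the user to the provider; a token that does not echo it was either replayed or obtained through a different login.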
Implementations should be carried out with IAM best practices in mind, which include the following:
- Adoption of the zero-trust architecture.
- Use of MFA.
- Strong password policies.
- Promotion of security awareness training.
Businesses also should make sure to centralize security and critical systems around identity. Perhaps most importantly, organizations should create a process they can use to evaluate the efficacy of current IAM controls.
While IAM relies on a lot of technology, it is not about only the frameworks and tools. An IT security team needs people who possess IAM skills and expertise. Those seeking jobs in the field should be ready to demonstrate their knowledge when it comes time for the IAM job interview.
IAM risks
While essential to security efforts, IAM is not without risks. Organizations can -- and do -- get things wrong when trying to manage identities and control access.
Access management becomes a concern when the provisioning and deprovisioning of user accounts aren't handled correctly. Security teams need to be aware of dormant accounts and of orphaned accounts whose owners have left, both of which are vulnerable precisely because nobody is watching them. When there is a sprawl in admin accounts, someone should notice and raise questions about why. Organizations need to ensure lifecycle control over all aspects of IAM to prevent malicious actors from gaining access to user identities and passwords.
Specific IAM risks to watch for include the following:
- Irregular access reviews.
- Weak passwords and missing MFA.
- Overprivileged accounts.
- Poorly integrated IAM across systems and clouds.
Audit capabilities act as a check to ensure users' access changes accordingly when they switch roles or leave the organization.
To better assess their organization's security risks, IT professionals can pursue security certifications. Some certifications are specific to identity management.
IAM vendors and products
IAM vendors range from large companies -- such as IBM, Microsoft, Oracle and RSA -- to pure-play providers -- such as Okta, Ping Identity, SailPoint and OneLogin.
The dynamic nature of the IAM tools market means that organizations have plenty of options. It also means security teams will need to do some legwork to identify the right mix of products that will address the needs of the business, such as centralized management, SSO, governance, compliance and risk analytics tools.
Some vendors are moving toward combining various products and tooling into IAM platforms. Having a suite of capabilities in a single platform could lessen the integration problems found with the currently fragmented market of IAM products.
IAM and compliance
Central to IAM is an adherence to the principle of least privilege, where users are granted only the access rights necessary to fulfill their particular work duties. This predetermined and real-time access control is necessary for security as well as compliance.
With IAM controls in place, a business should be able to prove to outside entities that it takes its security responsibilities seriously and that data is protected. Organizations with effective IAM can demonstrate compliance and adhere to applicable regulations, such as GDPR, HIPAA and the Sarbanes-Oxley Act.
The IAM roadmap
Innovation is plentiful around IAM, and enterprises are the beneficiaries of new strategies that are backed up by products and features. As has always been the case, however, security professionals must confront threats that are known -- and persistent because of their proven effectiveness -- and ones that are emerging and less defined.
One of the newer IAM-related defenses against cyberattacks is identity threat detection and response (ITDR). A combination of tools and best practices, ITDR is intended to stop bad actors from taking advantage of vulnerable identities, such as one associated with a legacy application that isn't compatible with a modern access management tool. ITDR can flag these weaknesses, giving an IT team the chance to address the vulnerabilities before they are exploited.
Advancements in AI have heightened concerns about identity security. Experts worry that AI could make phishing tactics more sophisticated and more believable. Effective phishing typically requires some morsel of information that lends at least a ring of truth to the message -- something that sounds reasonable enough to trick a recipient into action. AI can quickly and efficiently gather the bits of information that provide that veneer of legitimacy.
When cybercriminals can induce their victims to click a link or reveal a password, even strong organizational defenses and IAM protections can be thwarted.
Even without AI's help, passwords have long been vulnerable. Offline cracking of leaked password hashes and credential stuffing with passwords reused across sites make many of them recoverable. And the prospect of needing to create and remember yet another password is a common aggravation. It's fair to say passwords are about as popular with hackers as they are unpopular with users.
Despite being both risky and unloved, passwords endure. The shift to passwordless authentication is tantalizing, but that passwordless future has yet to arrive.
In a September 2024 earnings call, Oracle's chairman and cofounder Larry Ellison lamented tech's continued reliance on passwords. Ellison argued that facial recognition tools should be the way forward. "Look at me and recognize me," Ellison said. "Don't ask me to type in some stupid 17-letter password."
Ellison's remarks came at roughly the same time that NIST, which sets the most widely accepted cybersecurity standards, proposed significant adjustments to its password guidelines. Recognizing that passwords are still widely used and likely will be for the foreseeable future, NIST is advocating for better passwords. The 2024 draft of SP 800-63B calls for organizations to eliminate the common mandate for users to reset a password every 90 days; a password change, NIST suggested, should be made only when there's evidence or reasonable concern that a breach has compromised someone's credentials. The draft also says verifiers should require passwords of at least 15 characters (eight at an absolute minimum), should accept passwords of at least 64 characters, and should drop composition rules that demand particular mixes of character types in favor of checking new passwords against lists of known-compromised values.
Longer, stronger passwords might improve identity management, but they won't satisfy those who would like to see every password permanently expire. Promoters of passkeys, for example, argue that users should be able to access applications and websites with the same safe and simple methods they use to unlock a device. When a passkey is created, the device generates a public/private key pair for that particular site: the private key stays on the device (or in a password manager that syncs it between the user's devices), and only the public key is sent to the service. At sign-in the service sends a one-time challenge, the device signs it once the user has unlocked it with a PIN or biometric, and the service checks the signature against the stored public key. Because the key is bound to the site's web origin, a look-alike phishing site gets nothing it can reuse, and because the service holds only a public key, a breach of its database exposes no reusable secret. This cryptographic key pair lets users authenticate themselves without needing to remember a password.
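The following is an added example in Go, not code from the article, the FIDO Alliance or any browser: a simplified model of the WebAuthn ceremony that passkeys use, with both the device and the service present. It uses Ed25519 (which WebAuthn permits, though ECDSA P-256 is more common), a stripped-down authenticatorData of rpId hash plus one flags byte, and assumed names such as example.com; a real implementation also handles the signature counter, attestation and CBOR encoding.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator models the user's device: one key pair per relying party
// ID (the site), created at registration. The private key never leaves it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	if a.keys == nil {
		a.keys = map[string]ed25519.PrivateKey{}
	}
	a.keys[rpID] = priv
	return pub // only the public key is sent to the service
}

// ClientData is what the browser itself attests about the request.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// Sign models browser plus authenticator: the browser records the origin it
// is really on, the user unlocks the device, and the authenticator signs
// authData || SHA-256(clientDataJSON) with the key held for that rpID.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte, userVerified bool) (Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, errors.New("no credential registered for " + rpID)
	}
	if !userVerified {
		return Assertion{}, errors.New("PIN or biometric check failed")
	}
	cd, _ := json.Marshal(ClientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05) // flags byte: user present | user verified
	cdHash := sha256.Sum256(cd)
	msg := append(append([]byte{}, authData...), cdHash[:]...)
	return Assertion{cd, authData, ed25519.Sign(priv, msg)}, nil
}

// RelyingParty models the service: stored public keys, single-use challenges.
type RelyingParty struct {
	ID, Origin string
	creds      map[string]ed25519.PublicKey
	pending    map[string][]byte
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, creds: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.creds[user] = pub }

func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand: never returns a short read
	rp.pending[user] = c
	return c
}

func (rp *RelyingParty) Verify(user string, as Assertion) error {
	pub, challenge := rp.creds[user], rp.pending[user]
	if pub == nil || challenge == nil {
		return errors.New("unknown user or no outstanding challenge")
	}
	delete(rp.pending, user) // single use: a captured assertion cannot be replayed
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	switch {
	case cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge):
		return errors.New("wrong ceremony type or challenge")
	case cd.Origin != rp.Origin:
		return errors.New("origin mismatch: the assertion was produced on another site")
	case len(as.AuthData) < 33 || !bytes.Equal(as.AuthData[:32], rpHash[:]) || as.AuthData[32]&0x04 == 0:
		return errors.New("rpId hash mismatch or user not verified")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := append(append([]byte{}, as.AuthData...), cdHash[:]...)
	if !ed25519.Verify(pub, msg, as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("example.com", "https://example.com")
	dev := &Authenticator{}
	rp.Enroll("alice", dev.Register("example.com"))
	as, _ := dev.Sign("example.com", "https://example.com", rp.Challenge("alice"), true)
	fmt.Println("genuine login:", rp.Verify("alice", as))
	_, err := dev.Sign("examp1e.com", "https://examp1e.com", rp.Challenge("alice"), true)
	fmt.Println("look-alike site:", err)
}
```

Two properties of the real protocol survive the simplification. The browser, not the page, fills in the origin in clientData and derives the rpID from it, so a look-alike site at examp1e.com has no credential to ask for; and even if an attacker relays the genuine site's challenge through a proxy, the origin the browser recorded does not match, and the service rejects the signature. Each challenge is single-use, so a captured assertion cannot be replayed.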
The FIDO Alliance, a nonprofit with backing from Google and others, is pushing standards that would enable wider use of passkeys. The goal would be to effectively replace passwords. Whether businesses and individuals will embrace passkeys and password managers is far from certain. And it's worth remembering that the password's demise has been sought -- and predicted -- for a long time, which gives you something to think about the next time you stop to remember how to sign in to your account.
Phil Sweeney is an industry editor and writer focused on information security topics.