What is identity and access management (IAM)?

Published: 22 January 2024
Contributors: Matthew Kosinski, Amber Forrest

What is IAM?  

Identity and access management (IAM) is the cybersecurity discipline that deals with how users access digital resources and what they can do with those resources. IAM systems keep hackers out while ensuring that each individual user has the exact permissions they need to do their jobs and not more than that.

The average corporate network houses both human users (employees, customers, contractors) and nonhuman users (bots, IoT and endpoint devices, automated workloads). With the rise of remote work and cloud computing, these users are increasingly distributed, and so are the resources that they need to access. 

Organizations may struggle to keep track of what all these users are doing with apps and assets scattered across on-premises, remote and cloud-based locations. This lack of control poses serious risks. Hackers can break into a network undetected. Malicious insiders can abuse their access rights. Even benign users can accidentally violate data protection regulations. 

IAM initiatives can help streamline access control, protecting assets without disrupting legitimate uses of those assets. Identity and access management systems assign every user a distinct digital identity with permissions that are tailored to the user's role, compliance needs and other factors. This way, IAM ensures that only the right users can access the right resources for the right reasons while unauthorized access and activities are blocked. 


The core components of identity and access management  

The purpose of IAM is to stop hackers while allowing authorized users to easily do everything they need to do, but not more than they're allowed to do. IAM implementations use a variety of tools and strategies to achieve this goal, but they all tend to follow the same basic structure. 

A typical IAM system has a database or a directory of users. That database contains details about who each user is and what they can do in a computer system. As users move through a system, the IAM uses the information in the database to verify their identities, monitor their activities and ensure that they only do what the database says they can do.  

For a more in-depth understanding of how IAM works, it helps to look at the four core components of IAM initiatives: identity lifecycle management, access control, authentication and authorization, and identity governance. 

Identity lifecycle management

Identity lifecycle management is the process of creating and maintaining digital user identities for every human and nonhuman user in a system.

To monitor user activity and apply tailored permissions, organizations need to differentiate between individual users. IAM does this by assigning each user a digital identity. Digital identities are collections of distinguishing attributes that tell the system who or what each user is. Identities often include traits like a user's name, login credentials, ID number, job title and access rights. 

Digital identities are typically stored in a central database or directory, which acts as a source of truth. The IAM system uses the information in this database to validate users and determine what it will and won't allow them to do.  

In some IAM initiatives, IT or cybersecurity teams manually handle user onboarding, updating identities over time and offboarding or deprovisioning users who leave the system. Some IAM tools allow a self-service approach. Users supply their information and the system automatically creates their identity and sets the appropriate levels of access.  
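The joiner, mover and leaver steps described above, written out as a small in-memory directory. This is an added example, not IBM's code or any product's behaviour; the roles, entitlements and user records are constructed for the illustration. The point it makes is that a role change replaces the old entitlements instead of accumulating them, and that offboarding clears access rather than merely hiding the account.

```python
"""Identity lifecycle (joiner / mover / leaver) against a central directory.

Added example with constructed data. The Directory class stands in for the
central user database the article describes; entitlements are derived from
the role so that a mover never keeps the rights of a previous role.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> entitlements. Constructed sample data, not any product's defaults.
ROLE_ENTITLEMENTS = {
    "sales_rep": {"crm:read", "crm:write"},
    "security_analyst": {"siem:read", "firewall:config:read"},
    "contractor": {"wiki:read"},
}


@dataclass
class Identity:
    user_id: str
    display_name: str
    role: str
    entitlements: set = field(default_factory=set)
    active: bool = True
    history: list = field(default_factory=list)  # audit trail of lifecycle events


class Directory:
    def __init__(self):
        self._users = {}

    def _log(self, ident, event):
        ident.history.append((datetime.now(timezone.utc).isoformat(), event))

    def onboard(self, user_id, display_name, role):
        """Joiner: create the identity and derive its access from the role."""
        if user_id in self._users:
            raise ValueError(f"identity {user_id!r} already exists")
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {role!r}")
        ident = Identity(user_id, display_name, role, set(ROLE_ENTITLEMENTS[role]))
        self._log(ident, f"onboarded as {role}")
        self._users[user_id] = ident
        return ident

    def change_role(self, user_id, new_role):
        """Mover: recompute entitlements; do not union old and new."""
        ident = self.get(user_id)
        if new_role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {new_role!r}")
        old_role = ident.role
        ident.role = new_role
        ident.entitlements = set(ROLE_ENTITLEMENTS[new_role])
        self._log(ident, f"role changed {old_role} -> {new_role}")
        return ident

    def offboard(self, user_id):
        """Leaver: disable the identity and remove every entitlement."""
        ident = self.get(user_id)
        ident.active = False
        ident.entitlements.clear()
        self._log(ident, "offboarded")
        return ident

    def get(self, user_id):
        try:
            return self._users[user_id]
        except KeyError:
            raise KeyError(f"no identity {user_id!r}") from None

    def can(self, user_id, entitlement):
        """Authorization check used by the rest of the IAM system."""
        ident = self._users.get(user_id)
        return bool(ident and ident.active and entitlement in ident.entitlements)


if __name__ == "__main__":
    d = Directory()
    d.onboard("u1", "Ada", "sales_rep")
    d.change_role("u1", "security_analyst")
    d.offboard("u1")
    for ts, event in d.get("u1").history:
        print(ts, event)
```

The `history` list is the minimal audit trail that later governance steps depend on; a real directory would write these events to an external, tamper-evident log rather than keeping them on the record itself.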

Access control

Distinct digital identities not only help organizations track users but also enable companies to set and enforce more granular access policies. IAM allows companies to grant different system permissions to different identities rather than give every authorized user the same privileges.  

Today, many IAM systems use role-based access control (RBAC). In RBAC, each user's privileges are based on their job function and level of responsibility. RBAC helps streamline the process of setting user permissions and mitigates the risks of giving users higher privileges than they need.  

Say that a company is setting permissions for a network firewall. A sales rep likely wouldn't have access at all, as their job doesn't require it. A junior-level security analyst might be able to view firewall configurations but not change them. The chief information security officer (CISO) would have full administrative access. An API that integrates the company's SIEM with the firewall might be able to read the firewall's activity logs but see nothing else.  

For added security, IAM systems may also apply the principle of least privilege to user access permissions. Often associated with zero trust cybersecurity strategies, the principle of least privilege states that users should only have the lowest permissions necessary to complete a task, and privileges should be revoked as soon as the task is done.

In keeping with the principle of least privilege, many IAM systems have distinct methods and technologies for privileged access management (PAM). PAM is the cybersecurity discipline that oversees account security and access control for highly privileged user accounts, like system admins.  

Privileged accounts are treated more carefully than other IAM roles because theft of these credentials would allow hackers to do whatever they want. PAM tools isolate privileged identities from the rest, using credential vaults and just-in-time access protocols for extra security.
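The firewall scenario above, together with the least-privilege and just-in-time access ideas, as one added example (not IBM's code or any PAM product's logic). The four identities from the scenario hold only their role's permissions; a junior analyst who needs to change a configuration gets a time-boxed grant approved by someone else, and the grant lapses on its own. The `clock` parameter and all names are assumptions made for the illustration.

```python
"""Role-based access control with just-in-time (JIT) privilege grants.

Added example with constructed roles. Permanent permissions come from the
role; anything beyond that is a JIT grant that expires automatically and
must be approved by a different identity than the one receiving it.
"""
import time

# Role -> permissions on the firewall, following the article's scenario.
ROLE_PERMISSIONS = {
    "sales_rep": set(),                                 # no firewall access at all
    "junior_analyst": {"firewall:config:read"},         # view, not change
    "ciso": {"firewall:config:read", "firewall:config:write",
             "firewall:logs:read", "firewall:admin"},   # full administrative access
    "siem_integration": {"firewall:logs:read"},         # nonhuman: logs only
}


class AccessControl:
    def __init__(self, clock=None):
        self._roles = {}        # user -> role
        self._jit_grants = {}   # (user, permission) -> expiry (epoch seconds)
        self._clock = clock or time.time   # injectable for testing

    def assign_role(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._roles[user] = role

    def grant_jit(self, user, permission, minutes, approver):
        """Grant a privilege for a bounded window (PAM-style elevation)."""
        if user not in self._roles:
            raise ValueError(f"unknown user {user!r}")
        if approver == user:
            raise ValueError("self-approval of privileged access is not allowed")
        expiry = self._clock() + minutes * 60
        self._jit_grants[(user, permission)] = expiry
        return expiry

    def revoke_jit(self, user, permission):
        """Revoke early, e.g. when the task finishes before the window ends."""
        self._jit_grants.pop((user, permission), None)

    def is_allowed(self, user, permission):
        role = self._roles.get(user)
        if role is None:
            return False                      # unknown identity: deny by default
        if permission in ROLE_PERMISSIONS[role]:
            return True                       # standing permission from the role
        expiry = self._jit_grants.get((user, permission))
        if expiry is None:
            return False
        if self._clock() >= expiry:
            del self._jit_grants[(user, permission)]   # drop the stale grant
            return False
        return True


if __name__ == "__main__":
    ac = AccessControl()
    for user, role in [("sam", "sales_rep"), ("jo", "junior_analyst"),
                       ("ciso", "ciso"), ("siem", "siem_integration")]:
        ac.assign_role(user, role)
    ac.grant_jit("jo", "firewall:config:write", minutes=30, approver="ciso")
    for user in ("sam", "jo", "ciso", "siem"):
        print(user, [p for p in sorted(set().union(*ROLE_PERMISSIONS.values()))
                     if ac.is_allowed(user, p)])
```

Two design choices carry the security weight: unknown identities and expired grants both fall through to a deny, and the grant cannot be approved by its own recipient.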

Information about each user's access rights is usually stored in the IAM system's central database as part of each user's digital identity. The IAM system uses this information to enforce each user's distinct privilege levels. 

Authentication and authorization

Authentication and authorization are how IAM systems apply tailored access control policies in practice. 

Authentication is the process of determining that a user, human or nonhuman, is who they claim to be. When a user logs in to a system or requests access to a resource, they submit credentials to vouch for their identity. For example, a human user might enter a password, while a nonhuman user might share a digital certificate. The IAM system checks these credentials against the central database. If they match, access is granted. 

While a username and password combination is the most basic form of authentication, it's also one of the weakest. For that reason, most IAM implementations today use more advanced authentication methods.  

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) requires users to provide two or more authentication factors to prove their identities. Common factors include a security code that is sent to the user's phone, a physical security key or biometrics like fingerprint scans. 
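The two factors the article has mentioned so far, a password checked against the central database and a code from an authenticator, combined in one added example using only the Python standard library. The TOTP computation follows RFC 6238 (HMAC-SHA1, 30-second steps, six digits), the password is stored as a salted PBKDF2 hash, and the enrolment record is constructed inline. None of this is IBM's code or any product's implementation.

```python
"""Two-factor verification: salted password hash plus a TOTP code.

Added example. The user record is a constructed dict standing in for an
entry in the IAM database; hash_password() is what enrolment would store.
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; never store the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1)."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, for_time, step=30, window=1):
    """Accept the current step and `window` steps either side for clock drift."""
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(secret, for_time + drift * step, step=step)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = True
    return matched


def authenticate(user_record, password, code, now=None):
    """Both factors must pass; both are always evaluated."""
    now = time.time() if now is None else now
    pw_ok = verify_password(password, user_record["salt"], user_record["pw_hash"])
    otp_ok = verify_totp(user_record["totp_secret"], code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed enrolment: the TOTP secret is the RFC 6238 test-vector key.
    salt, pw_hash = hash_password("correct horse battery staple")
    record = {"salt": salt, "pw_hash": pw_hash, "totp_secret": b"12345678901234567890"}
    print("code at T=59:", totp(record["totp_secret"], 59))      # 287082
    print("login ok:", authenticate(record, "correct horse battery staple",
                                    totp(record["totp_secret"], time.time())))
```

Evaluating both factors unconditionally, rather than short-circuiting on the password, keeps the response time from revealing which factor failed. A production system would also count failures per identity and throttle them, which the adaptive authentication section below treats as a risk signal.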

Single sign-on (SSO)

Single sign-on (SSO) allows users to access multiple apps and services with one set of login credentials. The SSO portal authenticates the user and generates a certificate or token that acts as a security key for other resources. SSO systems use open protocols like Security Assertion Markup Language (SAML) to share these tokens between different service providers. 
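The exchange described above, portal issues a token and each service verifies it, as an added example that is not part of the original page and is deliberately not SAML or OIDC. It uses a compact HMAC-signed token so that the checks a service provider must make (signature, issuer, audience, expiry) are visible in a few lines; the issuer URL, key and service names are constructed for the illustration.

```python
"""Minimal single sign-on token exchange between a portal and services.

Added example. The identity provider signs claims after authenticating the
user once; each service provider verifies the signature, issuer, audience and
expiry and otherwise rejects the token. Real deployments use SAML assertions
or OIDC ID tokens with asymmetric signatures; the checks are the same.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://sso.example.test"   # hypothetical SSO portal identifier


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The SSO portal: authenticates once, then issues signed tokens."""

    def __init__(self, signing_key):
        self._key = signing_key

    def issue(self, subject, audiences, ttl_seconds=300, now=None):
        now = int(time.time() if now is None else now)
        claims = {"iss": ISSUER, "sub": subject, "aud": sorted(audiences),
                  "iat": now, "exp": now + ttl_seconds}
        body = _b64(json.dumps(claims, separators=(",", ":")).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class ServiceProvider:
    """An application that trusts the portal's tokens instead of re-prompting."""

    def __init__(self, name, verification_key):
        self.name = name
        self._key = verification_key

    def verify(self, token, now=None):
        """Return the authenticated subject, or None if the token is not valid here."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 2:
            return None
        body, sig = parts
        expected = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None                      # forged or tampered
        try:
            claims = json.loads(_unb64(body))
        except (ValueError, UnicodeDecodeError):
            return None
        if claims.get("iss") != ISSUER:
            return None                      # token from an unknown portal
        if self.name not in claims.get("aud", []):
            return None                      # issued for a different service
        if now >= claims.get("exp", 0):
            return None                      # expired
        return claims.get("sub")


if __name__ == "__main__":
    key = b"constructed-demo-key"
    token = IdentityProvider(key).issue("ada", ["crm", "wiki"])
    print("crm sees:", ServiceProvider("crm", key).verify(token))   # ada
    print("hr sees:", ServiceProvider("hr", key).verify(token))     # None
```

The shared HMAC key is the weak point of this stand-in: any service holding it could mint tokens for the others. SAML and OIDC avoid that by signing with the identity provider's private key and giving service providers only the public key, which is why the article's "share keys" is in practice a one-way trust.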

Adaptive authentication

Adaptive authentication, also called risk-based authentication, uses AI and machine learning to analyze user behavior and change authentication requirements in real time as risk level changes. By requiring stricter authentication for riskier activity, risk-based authentication schemes make it harder for hackers or insider threats to reach critical assets. 

A user logging in from their usual device and location may only need to enter their password, as this routine situation poses little risk. That same user logging in from an untrusted device or trying to view especially sensitive information may need to supply more factors, as the user is now engaging in riskier behavior. 
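The decision just described, routine login gets a password and riskier logins get more, as an added example that is not IBM's code. The article says this is usually driven by AI and machine learning; this stand-in scores risk with transparent rules so the reasoning is auditable, and the signals, weights and thresholds are assumptions made for the illustration.

```python
"""Rule-based step-up authentication (stand-in for a risk-scoring model).

Added example. A LoginContext carries the signals the article mentions
(device, location, sensitivity of the resource) plus recent failures; the
score decides which factors the user must present before access is granted.
"""
from dataclasses import dataclass


@dataclass
class LoginContext:
    user: str
    device_trusted: bool          # known, managed device?
    usual_location: bool          # matches the user's normal location?
    resource_sensitivity: str     # "low", "medium" or "high"
    failed_attempts_last_hour: int = 0


# Constructed weights; a deployed system would learn or tune these.
SENSITIVITY_WEIGHT = {"low": 0, "medium": 20, "high": 40}


def risk_score(ctx):
    score = 0
    if not ctx.device_trusted:
        score += 40
    if not ctx.usual_location:
        score += 25
    score += SENSITIVITY_WEIGHT.get(ctx.resource_sensitivity, 40)  # unknown = high
    score += min(ctx.failed_attempts_last_hour, 5) * 5
    return score


def required_factors(ctx):
    """Map the score to the factors the user must present."""
    score = risk_score(ctx)
    if score < 25:
        return ["password"]
    if score < 60:
        return ["password", "totp"]
    if score < 90:
        return ["password", "totp", "security_key"]
    return ["deny"]   # too risky to step up; route to manual review


def decide(ctx, presented_factors):
    """'allow', 'deny', or 'step_up:<missing factors>'."""
    needed = required_factors(ctx)
    if needed == ["deny"]:
        return "deny"
    missing = [f for f in needed if f not in presented_factors]
    return "allow" if not missing else "step_up:" + ",".join(missing)


if __name__ == "__main__":
    routine = LoginContext("ada", True, True, "low")
    new_device = LoginContext("ada", False, True, "low")
    sensitive = LoginContext("ada", True, True, "high")
    for ctx in (routine, new_device, sensitive):
        print(ctx, "->", decide(ctx, {"password"}))
```

The outcome for the article's two cases: the usual device and location on a low-sensitivity resource scores 0 and needs only the password, while the same user on an untrusted device scores 40 and is asked for a second factor.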

Once a user is authenticated, the IAM system checks the privileges that are connected to their digital identity in the database. The IAM system authorizes the user to only access the resources and perform the tasks that their permissions allow. 

Identity governance

Identity governance is the process of tracking what users do with access rights. IAM systems monitor users to ensure that they don't abuse their privileges and to catch hackers who may have snuck into the network. 

Identity governance is important for regulatory compliance. Companies typically craft their access policies to align with security mandates like the General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard (PCI-DSS). By tracking user activity, IAM systems help companies ensure that their policies work as intended. IAM systems can also produce audit trails to help companies prove compliance or pinpoint violations as needed.  
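An access review of the kind this section describes, as an added example that is not IBM's code or any governance product's report. It reads a constructed authorization log, compares what each user actually used against what they hold, and produces the two findings a reviewer most often acts on: entitlements unused in the window (least-privilege revocation candidates) and repeated denials (a misassigned role or someone probing for access). The log format and threshold are assumptions.

```python
"""Access review built from an authorization log.

Added example with constructed data. ENTITLEMENTS is what the directory says
each user may do; SAMPLE_LOG is what the authorization layer recorded.
"""
from collections import defaultdict

# Constructed sample data.
ENTITLEMENTS = {
    "ada": {"crm:read", "crm:write", "firewall:config:read"},
    "bob": {"siem:read"},
}

SAMPLE_LOG = """\
2024-01-15T09:01:02Z user=ada perm=crm:read decision=allow
2024-01-15T09:05:40Z user=ada perm=crm:write decision=allow
2024-01-16T11:20:00Z user=bob perm=siem:read decision=allow
2024-01-16T11:21:13Z user=bob perm=firewall:config:write decision=deny
2024-01-16T11:21:30Z user=bob perm=firewall:config:write decision=deny
2024-01-16T11:22:05Z user=bob perm=firewall:config:write decision=deny
2024-01-17T08:00:00Z user=ada perm=crm:read decision=allow
"""


def parse_log(text):
    """One event per line: ISO timestamp followed by key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": ts, **kv})
    return events


def access_review(entitlements, events, deny_threshold=3):
    used = defaultdict(set)
    denials = defaultdict(int)
    for e in events:
        if e["decision"] == "allow":
            used[e["user"]].add(e["perm"])
        elif e["decision"] == "deny":
            denials[(e["user"], e["perm"])] += 1

    # Held but never exercised in the window: candidates for revocation.
    unused = {u: sorted(perms - used[u]) for u, perms in entitlements.items()}
    unused = {u: p for u, p in unused.items() if p}

    # Denied repeatedly: either a role that no longer fits the job, or probing.
    repeated = sorted(k for k, n in denials.items() if n >= deny_threshold)
    return {"unused_entitlements": unused, "repeated_denials": repeated}


if __name__ == "__main__":
    report = access_review(ENTITLEMENTS, parse_log(SAMPLE_LOG))
    for user, perms in report["unused_entitlements"].items():
        print(f"review: {user} never used {perms}")
    for user, perm in report["repeated_denials"]:
        print(f"investigate: {user} repeatedly denied {perm}")
```

The same parsed events double as the audit trail the article mentions: because every decision is logged with who, what and when, the report can be regenerated for an auditor for any window.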

IAM solutions and services  

Many key IAM workflows, like authenticating users and tracking their activity, are hard or outright impossible to do manually. Instead, organizations rely on technology tools to automate IAM processes.  

In the past, organizations would use point solutions to manage different parts of IAM—for example, one solution to handle user authentication, another to enforce access policies and a third to audit user activity.  

Today, IAM solutions are often comprehensive platforms that either do everything or integrate multiple tools into a unified whole. While there is plenty of variation in IAM platforms, they all tend to share common core features like:  

  • Centralized directories or integrations with external directory services like Microsoft Active Directory and Google Workspace.

  • Automated workflows for creating, updating and removing digital identities.

  • The ability to create a network-wide, product-agnostic identity fabric that allows the organization to manage identity and access for all apps and assets—including legacy apps—through a single, authoritative directory.

  • Built-in authentication options like MFA, SSO and adaptive authentication.

  • Access control functions that allow companies to define granular access policies and apply them to users at all levels, including privileged accounts.

  • Tracking capabilities to monitor users, flag suspicious activity and ensure compliance.

  • Customer identity and access management (CIAM) capabilities that extend identity lifecycle management, authentication and authorization measures to digital portals for customers, partners and other users who are outside the organization.

Some IAM solutions are built for specific ecosystems. For example, Amazon Web Services (AWS) IAM and Google Cloud IAM platforms control access to resources hosted in those respective clouds.

Other IAM solutions—like the ones produced by Microsoft, IBM®, Oracle and others—are meant to work for all resources in a corporate network, regardless of where they're hosted. These IAM solutions can act as identity providers for all kinds of services, using open standards like SAML and OpenID Connect (OIDC) to exchange user authentication information between applications.  

Cloud identity and access management  

Increasingly, identity and access management solutions have been moving off-premises and adopting a software-as-a-service (SaaS) model. Called "identity-as-a-service" (IDaaS) or "authentication-as-a-service" (AaaS), these cloud-based IAM solutions offer a few capabilities that on-premises tools may lack. 

IDaaS tools can be useful in complex corporate networks where distributed users log in from various devices (Windows, Mac, Linux and mobile) to access resources located on site and in private and public clouds. While on-premises IAM tools may not readily accommodate so many different users and resources across locations, IDaaS often can. 

IDaaS can also help organizations extend IAM services to contractors, customers and other nonemployee roles. This can help simplify IAM implementations, as the company doesn't need to use different systems for different users. 

IDaaS tools also allow companies to outsource some of the more time- and resource-intensive aspects of IAM, like creating new user accounts, authenticating access requests and identity governance. 

Why is identity and access management important?

IAM initiatives can help fulfill several use cases spanning cybersecurity, business operations and more.

Digital transformation

With the rise of multi-cloud environments, AI and automation and remote work, digital transformation means that companies need to facilitate secure access for more types of users to more types of resources in more locations. 

IAM systems can centralize access management for all these users and resources, including nonemployee and nonhuman users. A growing number of IAM platforms now incorporate or integrate with CIAM tools, enabling organizations to manage access for internal and external users from the same system.   

Workplace identity and access management

Businesses today maintain remote and hybrid workforces, and the average corporate network features a mix of legacy on-prem systems and newer cloud-based apps and services. IAM solutions can streamline access control in these complex environments. 

Features like SSO and adaptive access allow users to authenticate with minimal friction while protecting vital assets. Organizations can manage digital identities and access control policies for all systems from a single, central IAM solution. Rather than deploying different identity tools for different assets, comprehensive IAM systems create a single source of truth, management and enforcement for the entire IT environment.

IT management and network administration

IAM systems, particularly those that support SSO, allow users to access multiple services with a single identity instead of creating different accounts for each service. This significantly reduces the number of user accounts that IT teams must manage. The growth of bring your own identity (BYOI) solutions, which allow users to manage their own identities and port them between systems, may also help simplify IT management. 

IAM systems can streamline the process of assigning user permissions by using RBAC methods that automatically set user privileges based on role and responsibilities. IAM tools can give IT and security teams a single platform for defining and enforcing access policies for all users.

Regulatory compliance

Standards like GDPR, PCI-DSS and SOX require strict policies around who can access data and for what purposes. IAM systems allow companies to set and enforce formal access control policies that meet those standards. Companies can also track user activity to prove compliance during an audit.

Network and data security

According to IBM's Cost of a Data Breach report, credential theft is a leading cause of data breaches. Hackers often target overprovisioned accounts with higher permissions than they need. These accounts are usually less protected than admin accounts, but they allow hackers to access vast swaths of the system. 

IAM can help thwart credential-based attacks by adding extra authentication layers so that hackers need more than just a password to reach sensitive data. Even if a hacker gets in, IAM systems help prevent lateral movement. Users only have the permissions that they need and no more. Legitimate users can access all the resources that they need on demand while malicious actors and insider threats are limited in what they can do.   
