What is access management?

Authors

Jim Holdsworth

Staff Writer

IBM Think

Matthew Kosinski

Staff Editor

IBM Think

What is access management?

Access management is the cybersecurity discipline that manages user access rights to digital resources. Access management tools and processes help ensure that only authorized users can gain access to the resources they need while blocking unauthorized access for both internal users and malicious outsiders.

Access management and identity management together form the two pillars of a broader cybersecurity discipline—identity and access management (IAM). IAM deals with provisioning and protecting digital identities and user permissions in an IT system.

Identity management involves creating and maintaining identities for all users in a system, including human users (employees, customers or contractors) and nonhuman users (AI agents, IoT and endpoint devices or automated workloads).

Access management involves facilitating secure access for these users to an organization’s data, on-premises resources and cloud-based apps and assets. The core functions of access management include administering user access policies, authenticating user identities and authorizing valid users to perform certain actions in a system.

With the rise of cloud computing, software-as-a-service (SaaS) solutions, remote work and generative AI, access management has become a core component of network security. Organizations must enable more kinds of users to access more kinds of resources in more locations, all while preventing data breaches and keeping out unauthorized users. 


Components of access management 

According to the National Institute of Standards and Technology (NIST), core access management functions include:

  • Policy administration
  • Authentication
  • Authorization

Policy administration

Granular access policies govern user access permissions in most access management systems. Organizations can take several different approaches to set their access policies.

One common access control framework is role-based access control (RBAC), in which users’ privileges are based on their job functions. RBAC helps streamline the process of setting user permissions and mitigates the risk of giving users higher privileges than they need.

For example, say that system administrators are setting permissions for a network firewall.

Organizations can use other access control frameworks as alternatives to, or in conjunction with, RBAC. These frameworks include:

  • Mandatory access control (MAC) enforces centrally defined policies on all users, based on clearance levels or trust scores.

  • Discretionary access control (DAC) enables the owners of resources to set their own access control rules for those resources. 

  • Attribute-based access control (ABAC) analyzes the attributes of users, objects and actions to determine whether to grant access. These attributes include a user's name, a resource’s type and the time of day.

Most organizations’ access control frameworks follow the principle of least privilege. Often associated with zero trust security strategies, the principle of least privilege states that users should have only the lowest permissions necessary to complete a task. Privileges should be revoked when the task is done to help prevent future security risks.
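To make the four frameworks and the deny-by-default stance of least privilege concrete, here is a small policy engine written for this article as an added example; it is not IBM code and not any product's API. The role table, the clearance scale, the change window and the user and resource names are constructed for illustration. It combines the frameworks the way the text describes them: a MAC clearance check that the user cannot override, then an RBAC role grant or a DAC owner grant, then an ABAC refinement on the time of day, with any gap resulting in a denial.

```python
from dataclasses import dataclass

# Constructed RBAC role table: role -> set of (resource_type, action) pairs it grants.
ROLE_PERMISSIONS = {
    "firewall-admin": {("firewall", "read"), ("firewall", "write")},
    "firewall-auditor": {("firewall", "read")},
    "hr-analyst": {("hr-record", "read")},
}


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    clearance: int                 # MAC clearance on a constructed 0-3 scale


@dataclass(frozen=True)
class Resource:
    name: str
    rtype: str
    owner: str
    sensitivity: int               # MAC label; subject clearance must be >= this
    acl: frozenset = frozenset()   # DAC: users the owner has explicitly granted read


@dataclass(frozen=True)
class Request:
    subject: Subject
    resource: Resource
    action: str
    hour: int                      # ABAC attribute: local hour of the request, 0-23


def rbac_allows(req: Request) -> bool:
    """RBAC: allowed if any of the subject's roles grants (resource type, action)."""
    return any((req.resource.rtype, req.action) in ROLE_PERMISSIONS.get(role, set())
               for role in req.subject.roles)


def mac_allows(req: Request) -> bool:
    """MAC: a centrally enforced clearance check that neither users nor owners can relax."""
    return req.subject.clearance >= req.resource.sensitivity


def dac_allows(req: Request) -> bool:
    """DAC: the owner, or anyone on the owner's ACL, may read the resource."""
    if req.action != "read":
        return False
    return req.subject.user == req.resource.owner or req.subject.user in req.resource.acl


def abac_allows(req: Request) -> bool:
    """ABAC: firewall writes are allowed only inside a constructed change window (08:00-17:59)."""
    if req.resource.rtype == "firewall" and req.action == "write":
        return 8 <= req.hour < 18
    return True


def decide(req: Request) -> tuple:
    """Deny by default: MAC is a hard gate, then RBAC or DAC must grant the action, then ABAC refines it.
    Returns (allowed, reason) so the reason can go straight into an audit trail."""
    if not mac_allows(req):
        return False, "mac: insufficient clearance"
    if not (rbac_allows(req) or dac_allows(req)):
        return False, "no role or owner grant"
    if not abac_allows(req):
        return False, "abac: outside change window"
    return True, "allow"


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"firewall-admin"}), clearance=2)
    edge_fw = Resource("edge-fw-1", "firewall", owner="alice", sensitivity=2)
    print(decide(Request(alice, edge_fw, "write", hour=10)))   # (True, 'allow')
    print(decide(Request(alice, edge_fw, "write", hour=22)))   # (False, 'abac: outside change window')
```

The order of the checks is the point: a user who holds the right role but lacks clearance is still refused, and a user who passes every static check is still refused outside the change window, which is the "only the lowest permissions necessary to complete a task" rule expressed as code.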

Authentication

Authentication is the process of verifying that a user is who they claim to be.

When a user logs in to a system or requests access to a resource, they submit credentials—called “authentication factors”—to vouch for their identity. For example, a human user might enter a password or a biometric fingerprint scan, while a nonhuman user might share a digital certificate.

Access management tools check the submitted factors against the credentials that they have on file for the user. If they match, the user is granted access.

While a password is the most basic form of authentication, it is also one of the weakest. Most access management tools today use more advanced authentication methods. These methods include:

  • Two-factor authentication (2FA) and multifactor authentication (MFA), in which users must supply at least two pieces of evidence to prove their identities.

  • Passwordless authentication, which uses credentials other than a password, such as a biometric factor or a FIDO passkey.

  • Single sign-on (SSO), which allows users to access multiple apps and services with one set of login credentials. SSO systems often use open protocols such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) to share authentication data between services.

  • Adaptive authentication, which uses artificial intelligence (AI) and machine learning (ML) to analyze a user’s risk level based on factors such as behavior, device security posture and timing. Authentication requirements change in real time as risk levels change, with riskier logins requiring stronger authentication.

Authorization

Authorization is the process of granting verified users the appropriate levels of access to a resource.

Authentication and authorization are deeply linked, and authentication is typically a prerequisite for authorization. After the user’s identity has been proven, the access management system checks that user’s privileges based on predefined access policies recorded in a central database or policy engine. The system then authorizes the user to have those specific privileges during their session.

By restricting users’ permissions based on access policies, access management tools can help prevent both insider threats who maliciously abuse their privileges and well-meaning users who accidentally misuse their rights.

If a user’s identity validation fails, the access management system does not authorize them, blocking them from using the privileges associated with their account. This helps prevent outside attackers from hijacking and abusing legitimate users’ privileges.


Types of access management solutions

Access management solutions can be broadly classified in two categories: tools that control access for internal users, such as employees, and tools that control access for external users, such as customers. 

Internal access management tools

An organization’s internal users—staff, managers, administrators—often require access to multiple systems, including business apps, messaging apps, company databases, HR systems and more.

Almost all of an enterprise’s internal resources are considered to be sensitive, requiring protection from malicious hackers. But not every internal user needs as much access to every internal resource. Organizations need sophisticated access management tools that enable them to control user access permissions on a granular level.

Common internal access management tools include:

IAM platforms

IAM platforms are comprehensive solutions that integrate core identity and access management functions in a single system. Common features of IAM platforms include user directories, authentication tools, access policy administration and identity threat detection and response (ITDR) capabilities.

Privileged access management (PAM) tools

Privileged access management (PAM) is a subset of access management that governs and secures highly privileged user accounts (such as admin accounts) and privileged activities (such as working with sensitive data).

In many IT systems, highly privileged accounts are afforded special protections because they are high-value targets that malicious actors can use to cause serious damage.

PAM tools isolate privileged identities from the rest by using credential vaults and just-in-time (JIT) access protocols. JIT gives authorized users privileged access to a specific resource for a limited time upon request, rather than giving users perpetually elevated permissions.
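An added example (not IBM's code and not any PAM product's API) of the just-in-time pattern described above: a broker that issues a time-boxed grant on request, caps the grant's lifetime, refuses self-approval, lets the grant be revoked as soon as the task is done and records every decision. The resource names, the one-hour cap and the user names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str
    resource: str
    privilege: str
    approved_by: str
    expires_at: datetime
    revoked: bool = False


class JITBroker:
    """Minimal just-in-time elevation broker: every privilege is a time-boxed grant, nothing is standing."""
    MAX_TTL = timedelta(hours=1)   # assumed policy ceiling on any single elevation

    def __init__(self):
        self._grants = []
        self.audit = []            # (timestamp, event, user, resource, privilege, detail)

    def request(self, user, resource, privilege, approver, ttl, now):
        """Issue a grant only with a distinct approver; the requested TTL is capped at MAX_TTL."""
        if approver == user:
            self._log(now, "deny", user, resource, privilege, "self-approval not permitted")
            return None
        ttl = min(ttl, self.MAX_TTL)
        grant = Grant(user, resource, privilege, approver, now + ttl)
        self._grants.append(grant)
        self._log(now, "grant", user, resource, privilege, f"approved_by={approver} ttl={ttl}")
        return grant

    def is_authorized(self, user, resource, privilege, now):
        """Checked at use time, not at issue time: only an unrevoked, unexpired grant counts."""
        return any(
            (g.user, g.resource, g.privilege) == (user, resource, privilege)
            and not g.revoked and now < g.expires_at
            for g in self._grants
        )

    def revoke(self, grant, now, reason="task complete"):
        """Revoke early when the task finishes rather than letting the grant run to expiry."""
        grant.revoked = True
        self._log(now, "revoke", grant.user, grant.resource, grant.privilege, reason)

    def _log(self, now, event, user, resource, privilege, detail):
        self.audit.append((now.isoformat(), event, user, resource, privilege, detail))


def demo():
    """Constructed scenario; returns the decisions and audit events so they can be checked."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    broker = JITBroker()
    self_approved = broker.request("alice", "prod-db", "admin", "alice", timedelta(minutes=15), t0)
    grant = broker.request("alice", "prod-db", "admin", "bob", timedelta(hours=8), t0)
    during = broker.is_authorized("alice", "prod-db", "admin", t0 + timedelta(minutes=30))
    other_priv = broker.is_authorized("alice", "prod-db", "root", t0 + timedelta(minutes=30))
    after_expiry = broker.is_authorized("alice", "prod-db", "admin", t0 + timedelta(hours=1))
    broker.revoke(grant, t0 + timedelta(minutes=40))
    after_revoke = broker.is_authorized("alice", "prod-db", "admin", t0 + timedelta(minutes=45))
    return {
        "self_approved": self_approved,
        "capped_ttl": grant.expires_at - t0,
        "during": during,
        "other_priv": other_priv,
        "after_expiry": after_expiry,
        "after_revoke": after_revoke,
        "events": [e[1] for e in broker.audit],
    }


if __name__ == "__main__":
    print(demo())
```

The check in `is_authorized` runs at every use, which is what makes the grant "for a limited time": the expiry is enforced by the broker, not by asking the user to give the privilege back.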

Identity governance and administration (IGA) tools

Identity governance and administration (IGA) tools help ensure that an organization’s access policies and access controls meet security requirements and regulatory mandates.

IGA solutions offer tools for defining and implementing compliant access policies throughout each user’s lifecycle. Some IGA tools can also help automate key compliance workflows, such as user onboarding and provisioning, access reviews, new access requests and deprovisioning for offboarded users. These functions give organizations more oversight over user permissions and activity, which makes it easier to detect—and stop—privilege misuse and abuse.

Zero trust network access (ZTNA) solutions

ZTNA solutions are remote access tools that follow the zero trust principle of “never trust, always verify.”

Traditional remote access tools, such as virtual private networks (VPNs), connect remote users to the entire corporate network. In contrast, ZTNA connects users only to the specific apps and resources they have permission to access.

Moreover, in the ZTNA model, users are never implicitly trusted. Every access request for every resource must be verified and validated, regardless of the user’s identity or location. 

External access management tools

Organizations must often facilitate secure access to resources for external users. Customers might need access to their accounts on e-commerce platforms. Vendors might need access to invoicing systems. Business partners might need access to shared data. External access management tools specifically serve these external users.

Some organizations use the same tools for internal and external access management, but this strategy isn’t always feasible. The needs of internal and external users can differ. For example, external users often prioritize convenience over security, while internal users have higher privileges that require stronger protections.

Customer identity and access management (CIAM)

Customer identity and access management (CIAM) tools govern digital identities and access security for customers and other users who sit outside of an organization.

Like other access management tools, CIAM systems help authenticate users and facilitate secure access to digital services. The core difference is that CIAM tools emphasize the user experience through progressive profiling (allowing users to complete their profiles over time), social logins and other user-friendly features. 

Why access management is important

Access management tools help organizations facilitate secure access to sensitive resources for authorized users regardless of where they are located.

The result is a more secure, more efficient network. Users have the uninterrupted access that they need to do their jobs, while threat actors and unauthorized users are kept out. 

Improved security

As organizations embrace hybrid and multicloud environments, centralized on-premises IT networks become a thing of the past. Perimeter-focused security solutions and strategies cannot effectively protect networks that span devices, users, apps and databases spread around the globe.

And hackers are increasingly focused on the identity attack surface, stealing credentials to break into networks. According to the IBM® X-Force® Threat Intelligence Index, 30% of cyberattacks involve the theft and abuse of valid accounts.

Access management tools shift organizational defenses away from the perimeter to focus on individual users, resources and sensitive data by securing access itself. Authentication tools help protect user accounts from hijackers, while authorization tools help ensure that users use their privileges only for legitimate reasons.

Access management tools can also help automate certain security tasks, such as conducting regular access reviews and deprovisioning users when they leave an organization or change roles. These tools help combat “privilege creep,” where users slowly and subtly end up with more permissions than they need over time. 
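The access review described above is a control that is straightforward to automate once access decisions are logged. The following is an added example, not from the page or from IBM: it parses constructed audit-trail lines, records the last successful use of each permission per user, and reports every assigned permission that was never exercised or that has gone unused beyond a 90-day threshold, which is the raw material for a privilege-creep review. The log line format, the 90-day threshold, the permission names and the sample users are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed audit-trail lines in the format this example assumes:
# "<ISO-8601 timestamp> user=<id> perm=<resource>:<action> result=allow|deny"
SAMPLE_LOG = [
    "2024-01-10T09:00:00Z user=alice perm=firewall:write result=allow",
    "2024-05-20T14:05:00Z user=alice perm=hr-record:read result=allow",
    "2024-05-22T10:00:00Z user=alice perm=payroll:export result=deny",
    "2024-05-30T08:30:00Z user=bob perm=firewall:read result=allow",
    "this line is malformed and must be skipped",
]

# Constructed permission assignments as of the review (what the directory currently grants).
ASSIGNED = {
    "alice": {"firewall:write", "hr-record:read", "payroll:export"},
    "bob": {"firewall:read"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) perm=(?P<perm>\S+) result=(?P<result>allow|deny)$"
)


def parse_ts(value: str) -> datetime:
    """ISO-8601 with a trailing Z, normalised so datetime.fromisoformat accepts it on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(lines):
    """Yield (timestamp, user, perm, result); malformed lines are skipped rather than guessed at."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield parse_ts(m["ts"]), m["user"], m["perm"], m["result"]


def review(assigned, lines, review_date, stale_after=timedelta(days=90)):
    """Flag assigned permissions never exercised, or not exercised within stale_after of review_date.
    Only successful (allow) uses count: a denied attempt is not evidence the permission is needed."""
    review_at = parse_ts(review_date)
    last_used = {}
    for ts, user, perm, result in parse_log(lines):
        if result == "allow":
            key = (user, perm)
            last_used[key] = max(last_used.get(key, ts), ts)
    findings = []
    for user, perms in assigned.items():
        for perm in perms:
            used = last_used.get((user, perm))
            if used is None:
                findings.append((user, perm, "never used"))
            elif review_at - used > stale_after:
                findings.append((user, perm, f"unused for {(review_at - used).days} days"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(ASSIGNED, SAMPLE_LOG, "2024-06-01T12:00:00Z"):
        print(finding)
```

Run against the constructed data, the review reports Alice's firewall write right (last used in January) and her payroll export right (never successfully used); the denied payroll attempt is deliberately not counted as use. Findings like these are the candidates for deprovisioning, or for the owner to justify at the review.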

Better user experience

Access management tools can make it easier for users to access the resources they need without sacrificing safety. For example, a single sign-on (SSO) system allows users to authenticate once to access multiple resources. Biometric authentication measures allow users to log in with fingerprint scans and other unique credentials that are harder to crack but easier to enter than a password. 

Operational efficiency 

Access management tools can streamline the process of provisioning and deprovisioning users. For example, role-based access control frameworks can automatically assign the right privileges to users based on predefined policies. System administrators have less routine work to do, and new employees can get started right away rather than waiting for manual access approvals. 

Regulatory compliance  

Data privacy and security standards and regulations—such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR)—require that organizations maintain strict access controls for certain types of sensitive information.

The price of noncompliance can be high. For example, major infringements of the GDPR can result in fines of up to EUR 20,000,000 or 4% of the organization's worldwide revenue in the previous year.

Access management solutions can help organizations meet compliance requirements by enforcing centrally defined access privileges that help ensure that only the necessary users have access to data, and only for authorized reasons. 

Some access management tools can also keep records of user activity and access requests, creating audit trails that can help organizations prove compliance and pinpoint violations. 

Reduced costs

Access management tools can help organizations save money by improving efficiency, security and compliance.

For example, strong authentication tools can thwart many identity-based attacks, reducing downtime due to security threats. IT teams might field fewer help-desk calls when user permissions are automatically provisioned. And organizations are less likely to face fines or legal fees when their access policies are compliant. 
