Identity and access management (IAM) is a cybersecurity discipline focused on managing user identities and access permissions on a computer network. While IAM policies, processes, and technologies can differ between companies, the goal of any IAM initiative is to ensure that the right users and devices can access the right resources for the right reasons at the right time.
IAM can help streamline access control in complex, multi-cloud environments. Today, corporate networks connect to on-premises, remote, and cloud-based (SaaS) apps and data sources. A wide range of users need access to these resources for various purposes, including human users (employees, customers, contractors) and non-human users (bots, IoT devices, automated workloads, APIs).
IAM systems allow companies to assign a single digital identity and set access privileges for each user. That way, only authorized users can handle company resources, and they can only use those resources in ways the company permits.
At its core, IAM aims to keep hackers out while making sure authorized users can easily do everything they need to do, but not more than they’re allowed to do.
Company networks are unique, and so are the policies, processes, and tools each company uses to build an identity and access management system. That said, most, if not all, IAM implementations cover four key functions:
Identity lifecycle management is the process of creating and maintaining a digital identity for every human or non-human entity on a network.
A digital identity tells the network who or what each entity is and what it’s allowed to do on the network. Typically, the identity includes standard user account information—name, ID number, login credentials, etc.—as well as information about the entity’s organizational role, responsibilities, and access permissions.
Identity lifecycle management includes processes for onboarding new entities, updating their accounts and permissions over time, and offboarding or deprovisioning users who no longer need access.
As mentioned above, each digital identity has a certain level of access to network resources, depending on the company's access policies. On a cloud platform, a customer may only have access to their personal account and data. An employee may have access to customer databases and internal tools like HR portals. A system administrator may be able to access and alter everything on the network: customer and employee accounts, internal and customer-facing services, and network infrastructure like switches and routers.
Many IAM systems use role-based access control (RBAC) to set and enforce access policies. In RBAC, each user's privileges are based on their job function or job title. Say a company were setting access permissions for a network firewall. A sales rep likely wouldn't have access at all, as their job doesn't require it. A junior-level security analyst might be able to view firewall configurations but not change them. The CISO would have full administrative access. An API that integrates the company's SIEM with the firewall might be able to read the firewall's activity logs but see nothing else.
Some IAM systems have distinct methods and policies for privileged access management (PAM). PAM is the process of managing permissions for highly privileged accounts, like admins who oversee databases, systems, or servers. These are different from other IAM roles because theft of these credentials would allow hackers to do whatever they want in a system. PAM tools isolate these digital identities from the rest, using credential vaults and just-in-time access protocols for extra security.
With the move toward zero trust network architectures, many companies apply the principle of least privilege when setting user access permissions. Instead of receiving blanket access to resources, users are only granted the lowest level of privilege necessary to complete their task, and privileges are revoked as soon as the task is over. Least privilege helps companies avoid the problems that can arise from overprovisioning, in which users have more permissions than they need for their roles.
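The firewall RBAC example and the least-privilege rule described above can be expressed as a deny-by-default permission check with time-boxed elevation. This is an added example, not code from the original page or any IAM product; the role names, the `firewall:config` / `firewall:logs` resource strings, and the helper functions are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Role -> allowed (resource, action) pairs for the firewall example in the text.
# Resource and action names are illustrative, not taken from any product.
ROLE_PERMISSIONS = {
    "sales_rep": set(),
    "junior_security_analyst": {("firewall:config", "read")},
    "ciso": {("firewall:config", "read"), ("firewall:config", "write"),
             ("firewall:logs", "read")},
    "siem_integration": {("firewall:logs", "read")},
}

@dataclass
class Identity:
    name: str
    role: str
    # Just-in-time grants: (resource, action) -> expiry time in epoch seconds.
    temp_grants: dict = field(default_factory=dict)

def grant_temporary(identity, resource, action, now, ttl_seconds):
    """Elevate one permission for a bounded time instead of changing the role."""
    identity.temp_grants[(resource, action)] = now + ttl_seconds

def is_allowed(identity, resource, action, now):
    """Deny by default: allow only via the role or an unexpired temporary grant."""
    wanted = (resource, action)
    if wanted in ROLE_PERMISSIONS.get(identity.role, set()):
        return True
    expiry = identity.temp_grants.get(wanted)
    if expiry is not None and now < expiry:
        return True
    identity.temp_grants.pop(wanted, None)  # revoke an expired grant
    return False

if __name__ == "__main__":
    analyst = Identity("dana", "junior_security_analyst")  # constructed identity
    print(is_allowed(analyst, "firewall:config", "write", now=1000))
    grant_temporary(analyst, "firewall:config", "write", now=1000, ttl_seconds=900)
    print(is_allowed(analyst, "firewall:config", "write", now=1500))
    print(is_allowed(analyst, "firewall:config", "write", now=1901))
```

The time is passed in as `now` so that expiry behaviour can be checked deterministically; an unknown role resolves to an empty permission set and is therefore denied.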
IAM systems don't just create identities and assign permissions—they also help enforce those permissions through authentication and authorization.
Authentication is how users prove they are who they claim to be. When a user requests access to a resource, the IAM system checks their user credentials against the credentials stored in the directory. If they match, access is granted.
While a username/password combination provides a basic level of authentication, most identity and access management frameworks today use extra layers of authentication for added protection against cyberthreats.
Multi-factor authentication (MFA) requires users to provide two or more authentication factors to prove their identities. Common factors include a security code sent to the user's phone, a physical security key, or biometrics like fingerprint scans.
Single sign-on (SSO) allows users to access multiple apps and services with one set of login credentials. The SSO portal authenticates the user and generates a certificate or token that acts as a security key for other resources. Many SSO systems use open protocols like Security Assertion Markup Language (SAML) to share keys freely between service providers.
Adaptive authentication, or "risk-based authentication," changes authentication requirements in real time when risk changes. A user logging in from their usual device may only need to enter a username and password. That same user logging in from an untrusted device or trying to view sensitive information may need to supply additional authentication factors.
Once a user is authenticated, the IAM system checks the directory for their access privileges. The IAM system then authorizes the user to only access the resources and perform the tasks their permissions allow.
Identity governance is the process of tracking what users do with their resource access. IAM systems monitor users to ensure they don't abuse their privileges—and to catch hackers who may have snuck into the network.
Identity governance is also important for regulatory compliance. Companies can use activity data to make sure their access policies comply with data security regulations like the General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard (PCI-DSS).
Companies rely on IAM solutions to streamline and automate IAM tasks and workflows that can be hard—or impossible—to handle manually. While companies once used point solutions to manage different IAM functions, today's IAM tools are comprehensive platforms. Common features of these identity and access management solutions include:
Some IAM solutions now incorporate artificial intelligence and machine learning to enable a more dynamic approach to authentication and authorization. AI can look for indicators of suspicious activity—like many failed login attempts in a short period or a remote user who isn't using the company's VPN—and automatically take action, like asking for more authentication factors or terminating access.
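The adaptive authentication behaviour and the suspicious-activity signals described above (untrusted device, sensitive resource, remote user off the VPN, many failed logins in a short period) can be combined into one decision function. This is an added example, not code from the original page; it uses fixed rules rather than machine learning, and the thresholds, field names, and sample events are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # assumed: how far back failed logins count
FAILURE_LIMIT = 5      # assumed: failures in the window that block the account

class RiskEngine:
    def __init__(self, trusted_devices):
        self.trusted = trusted_devices        # user -> set of known device IDs
        self.failures = defaultdict(deque)    # user -> recent failure timestamps

    def _recent_failures(self, user, now):
        q = self.failures[user]
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        return len(q)

    def handle(self, e):
        """Return 'reject', 'deny', 'step_up' or 'allow' for one login event."""
        if not e["password_ok"]:
            self.failures[e["user"]].append(e["ts"])
            return "reject"
        if self._recent_failures(e["user"], e["ts"]) >= FAILURE_LIMIT:
            return "deny"          # burst of failures: block even a correct password
        risky = (e["device"] not in self.trusted.get(e["user"], set())
                 or e["sensitive"]
                 or (e["remote"] and not e["vpn"]))
        return "step_up" if risky else "allow"   # step_up = ask for another factor

def ev(ts, user, device, password_ok=True, remote=False, vpn=False, sensitive=False):
    return dict(ts=ts, user=user, device=device, password_ok=password_ok,
                remote=remote, vpn=vpn, sensitive=sensitive)

# Constructed sample events (not real log data).
TRUSTED = {"alice": {"laptop-1"}, "bob": {"desktop-7"}}
EVENTS = [
    ev(0, "alice", "laptop-1"),
    ev(60, "alice", "laptop-1", sensitive=True),
    ev(120, "alice", "phone-9"),
    ev(180, "alice", "laptop-1", remote=True),
    *[ev(200 + i, "bob", "desktop-7", password_ok=False) for i in range(5)],
    ev(210, "bob", "desktop-7"),
    ev(600, "bob", "desktop-7"),
]

def run(events=EVENTS, trusted=TRUSTED):
    engine = RiskEngine(trusted)
    return [engine.handle(e) for e in events]

if __name__ == "__main__":
    print(run())
```

The last two events show the sliding window at work: the same correct password from the same trusted device is denied right after the failure burst and allowed once those failures have aged out.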
Identity-as-a-service (IDaaS) solutions, in which a third party delivers cloud-based identity and access management services and tools, are also gaining popularity. Companies can outsource important but time-consuming tasks like creating new user accounts, authenticating access requests, and identity governance.
Identity and access management has become fundamental to many companies' cybersecurity strategies. IAM tools and frameworks can help with:
Regulatory compliance: Standards like GDPR and PCI-DSS require strict policies around who can access data and for what purposes. IAM systems allow companies to set and enforce formal access control policies that meet those standards. Companies can also track user activity to prove compliance during an audit.
Data security: According to IBM's Cost of a Data Breach report, credential theft is the leading cause of data breaches. IAM systems can add extra authentication layers, so hackers need more than just a password to reach sensitive data. RBAC policies can limit the lateral movement of malicious actors, including insider threats.
Digital transformation: With the rise of multi-cloud environments, IoT devices, remote work, and BYOD, companies need to facilitate secure access for more types of users to more types of resources. IAM systems can centralize access management for all users and resources in a network, maintaining network security without disrupting the user experience.