What is identity and access management (IAM)?

Authors

Matthew Kosinski

Staff Editor

IBM Think

Amber Forrest

Staff Editor | Senior Inbound, Social & Digital Content Strategist

IBM Think

What is IAM?

Identity and access management (IAM) is the cybersecurity discipline that deals with provisioning and protecting digital identities and user access permissions in an IT system. IAM tools help ensure that the right people can access the right resources for the right reasons at the right time. 

With the rise of cloud computing, remote work and generative AI, IAM has become a core component of network security.

The average corporate network today hosts a growing number of human users (employees, customers, contractors) and nonhuman users (AI agents, IoT and endpoint devices, automated workloads). These users are distributed across various locations and need secure access to both on-premises and cloud-based apps and resources.

Hackers have taken notice of this expanding identity attack surface. According to the IBM® X-Force® Threat Intelligence Index, 30% of cyberattacks involve the theft and abuse of valid accounts.

Identity and access management can help facilitate secure access for authorized users while blocking unauthorized access for outside attackers, malicious insiders and even well-meaning users who are misusing their access rights. IAM tools enable organizations to create and securely dispose of digital identities, set and enforce access control policies, verify users and monitor user activity. 


The four pillars of IAM

The goal of IAM is to stop hackers while allowing authorized users to easily do everything they need to do, but not more than they're allowed to do.

Toward that end, IAM implementations have four pillars:

  • Administration
  • Authentication
  • Authorization
  • Auditing

Administration

Identity administration—also referred to as “identity management” or “identity lifecycle management”—is the process of creating, maintaining and securely disposing of user identities in a system.

To facilitate secure user access, organizations first need to know who and what is in their system. This typically involves assigning each human and nonhuman user a distinct digital identity.

A digital identity is a collection of distinguishing attributes tied to a specific entity. Digital identities capture traits such as a user's name, login credentials, job title and access rights.

Digital identities are typically stored in a central database or directory, which acts as a single source of truth. The IAM system uses the information in this database to validate users and determine what they are allowed to do.

In addition to onboarding new users, IAM tools can update identities and permissions as users’ roles evolve and deprovision users who leave the system.

IT and cybersecurity teams can manually handle user provisioning and deprovisioning, but many IAM systems also support a self-service approach. Users supply their information, and the system automatically creates their identity and sets the appropriate levels of access based on organizationally defined rules. 

Authentication

Authentication is the process that verifies that a user is who they claim to be.

When a user logs in to a system or requests access to a resource, they submit credentials—called “authentication factors”—to vouch for their identity. For example, a human user might enter a password or a biometric fingerprint scan, while a nonhuman user might share a digital certificate. The IAM system checks these credentials against the central database. If they match, access is granted.

While a password is the most basic form of authentication, it is also one of the weakest. Most IAM implementations today use more advanced authentication methods, such as two-factor authentication (2FA) or multifactor authentication (MFA), which require users to provide multiple authentication factors to prove their identities.

For example, when a website requires users to enter both a password and a code that is texted to their phone, that is a 2FA scheme in action.

Authorization

Authorization is the process of granting verified users the appropriate levels of access to a resource.

Authentication and authorization are deeply linked, and authentication is typically a prerequisite for authorization. After a user proves their identity, the IAM system checks the privileges that are connected to that identity in the central database and authorizes the user accordingly.

Taken together, authentication and authorization form the access management component of identity and access management.

To set user access permissions, different organizations take different approaches. One common access control framework is role-based access control (RBAC), in which users’ privileges are based on their job functions. RBAC helps streamline the process of setting user permissions and mitigates the risk of giving users higher privileges than they need.

For example, say that system administrators are setting permissions for a network firewall. A sales rep likely wouldn’t have access at all, as that user’s role doesn't require it. A junior-level security analyst might be able to view firewall configurations but not change them. The chief information security officer (CISO) would have full administrative access. An application programming interface (API) for an integrated security information and event management system (SIEM) might be able to read the firewall's activity logs.

Most access control frameworks are designed according to the principle of least privilege. Often associated with zero trust cybersecurity strategies, the principle of least privilege states that users should have only the lowest permissions necessary to complete a task. Their privileges should be revoked as soon as the task is done.
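The firewall scenario above, worked through as a deny-by-default RBAC check with a time-bounded elevation for the "revoke as soon as the task is done" rule. This is an added example, not code from the original article or from any IBM product; the role names, permission strings and 30-minute window are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role-to-permission table for the firewall scenario in the text.
# Permissions are granted explicitly; anything not listed is denied.
ROLE_PERMISSIONS = {
    "sales_rep": set(),                                  # no firewall access at all
    "junior_analyst": {"firewall:read_config"},          # view, but not change
    "ciso": {"firewall:read_config", "firewall:write_config",
             "firewall:read_logs", "firewall:admin"},    # full administrative access
    "siem_api": {"firewall:read_logs"},                  # nonhuman identity: logs only
}

@dataclass
class Identity:
    name: str
    roles: set
    # Just-in-time grants: permission -> expiry (UTC). A bounded window enforces
    # "revoke when the task is done" even if nobody remembers to revoke by hand.
    temporary: dict = field(default_factory=dict)

def effective_permissions(identity, now):
    """Standing role permissions plus any unexpired temporary grants."""
    perms = set()
    for role in identity.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    for perm, expires_at in identity.temporary.items():
        if now < expires_at:
            perms.add(perm)
    return perms

def is_authorized(identity, permission, now=None):
    """Deny-by-default check: True only if the permission is explicitly held."""
    now = now or datetime.now(timezone.utc)
    return permission in effective_permissions(identity, now)

def grant_just_in_time(identity, permission, minutes, now=None):
    """Elevate for a bounded window; the grant lapses on its own."""
    now = now or datetime.now(timezone.utc)
    identity.temporary[permission] = now + timedelta(minutes=minutes)

def revoke(identity, permission):
    """Explicit revocation as soon as the task is finished."""
    identity.temporary.pop(permission, None)

def analyst_change_window():
    """Junior analyst before, during and after a 30-minute change window."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    analyst = Identity("jdoe", {"junior_analyst"})
    before = is_authorized(analyst, "firewall:write_config", t0)
    grant_just_in_time(analyst, "firewall:write_config", 30, t0)
    during = is_authorized(analyst, "firewall:write_config", t0 + timedelta(minutes=10))
    after = is_authorized(analyst, "firewall:write_config", t0 + timedelta(minutes=31))
    return before, during, after

if __name__ == "__main__":
    print(analyst_change_window())  # (False, True, False)
```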

Auditing

Auditing means making sure that the IAM system and its components—administration, authentication and authorization—are working properly.

Auditing entails tracking and logging what users do with their access rights to ensure that nobody, including hackers, has access to anything that they shouldn’t, and that authorized users don’t abuse their privileges.

Auditing is a core identity governance function, and it is important for regulatory compliance. Security mandates such as the General Data Protection Regulation (GDPR), the Sarbanes-Oxley (SOX) Act and the Payment Card Industry Data Security Standard (PCI DSS) require organizations to restrict user access rights in certain ways. Auditing tools and processes help organizations ensure that their IAM systems meet requirements, and audit trails can help prove compliance or pinpoint violations as needed.

IAM solutions and services

Organizations rely on technology tools to streamline and automate key IAM workflows, such as authenticating users and tracking their activity. Some organizations use point solutions to cover different aspects of IAM, while others use comprehensive IAM platforms that do everything or integrate multiple tools in a unified whole.

Core components and functions of identity and access management solutions include:

Directory services

Directory services are where IAM systems store and manage data about users’ identities, credentials and access permissions. IAM solutions can have their own centralized directories or integrate with external directory services such as Microsoft Active Directory and Google Workspace.

Some IAM implementations use an approach called “identity federation,” in which disparate systems share identity information with one another. One system acts as the identity provider, using open standards such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) to securely authenticate users to other systems.

Social logins—when an app allows a person to use their Facebook, Google or other account to log in—are a common example of identity federation.

Authentication tools

In addition to MFA and 2FA, many IAM solutions support advanced authentication methods such as single sign-on (SSO), adaptive authentication and passwordless authentication.

Single sign-on (SSO) allows users to access multiple apps and services with one set of login credentials. The SSO portal authenticates the user and generates a certificate or token that acts as a security key for other resources. SSO systems use protocols such as SAML and OIDC to pass these tokens between the identity provider and the service providers that rely on it.

Adaptive authentication, also called risk-based authentication, changes authentication requirements in real time as risk levels change. Adaptive authentication schemes use artificial intelligence (AI) and machine learning (ML) to analyze the context of a login, including factors such as user behavior, device security posture and timing. The riskier a login is, the more authentication the system requires.

For example, a user logging in from their usual device and location might need to enter only their password. That same user logging in from an untrusted device or trying to view especially sensitive information might need to supply more factors, as the situation now presents more risk to the organization.
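The step-up logic just described, as an added example that is not part of the original article or any product: a risk score is built from login context signals and mapped to the factors demanded. The signals, weights and thresholds are illustrative assumptions.

```python
from dataclasses import dataclass

# Constructed login context. A real deployment would derive these signals from
# device registration, IP geolocation, session history and resource tagging.
@dataclass
class LoginContext:
    user: str
    device_trusted: bool       # device previously registered to this user
    location_usual: bool       # matches the user's normal login locations
    resource_sensitive: bool   # e.g. payroll data or an admin console
    off_hours: bool            # outside the user's normal activity window

# Risk weights are illustrative assumptions, not values from any product.
# (attribute, value that adds risk, points added)
RISK_SIGNALS = [
    ("device_trusted", False, 40),
    ("location_usual", False, 25),
    ("resource_sensitive", True, 30),
    ("off_hours", True, 10),
]

def risk_score(ctx):
    """Sum the weights of every risk signal present in this login."""
    return sum(w for attr, risky, w in RISK_SIGNALS if getattr(ctx, attr) == risky)

def step_up_decision(ctx):
    """Map the score to the factors demanded; very high risk is blocked outright."""
    score = risk_score(ctx)
    if score < 25:
        return "allow", ["password"]
    if score < 60:
        return "allow", ["password", "otp"]
    if score < 90:
        return "allow", ["password", "otp", "passkey"]  # add a phishing-resistant factor
    return "block", []  # too risky to authenticate automatically; route to review

if __name__ == "__main__":
    usual = LoginContext("jdoe", True, True, False, False)
    print(step_up_decision(usual))       # ('allow', ['password'])
    new_device = LoginContext("jdoe", False, True, False, False)
    print(step_up_decision(new_device))  # ('allow', ['password', 'otp'])
```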

Passwordless authentication schemes replace passwords—notoriously easy to steal—with more secure credentials. Passkeys, such as those based on the popular FIDO standard, are one of the most common passwordless forms of authentication. They use public key cryptography to verify a user’s identity.

Access controls

Access control tools allow organizations to define and enforce granular access policies on human and nonhuman users. In addition to RBAC, common access control frameworks include:

  • Mandatory access control (MAC), which enforces centrally defined policies on all users based on clearance levels or trust scores.

  • Discretionary access control (DAC), which enables the owners of resources to set their own access control rules for those resources. 

  • Attribute-based access control (ABAC), which analyzes the attributes of users, objects and actions—such as a user’s name, a resource’s type and the time of day—to determine whether access will be granted.
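An attribute-based decision in code, added here as an illustration (not code from the article or any product): rules evaluate subject, resource, action and environment attributes, deny overrides permit, and anything unmatched is denied. The departments, clearance levels, business-hours window and resource types are constructed assumptions.

```python
# Constructed ABAC policy: each rule is (effect, predicate). A predicate sees the
# subject, resource, action and environment attribute dicts. Deny rules override
# permit rules, and a request that matches no rule is denied by default.
POLICY = [
    # Restricted material needs clearance 3 or higher, whatever the role.
    ("deny", lambda s, r, a, e:
        r["classification"] == "restricted" and s["clearance"] < 3),
    # Security staff may read firewall logs during business hours (08:00-17:59).
    ("permit", lambda s, r, a, e:
        s["department"] == "security" and r["type"] == "firewall_log"
        and a == "read" and 8 <= e["hour"] < 18),
    # Resource owners may read and write their own documents.
    ("permit", lambda s, r, a, e:
        r["type"] == "document" and r["owner"] == s["name"]
        and a in ("read", "write")),
]

def decide(subject, resource, action, env, policy=POLICY):
    """Policy decision point: evaluate every rule, with deny overriding permit."""
    effects = {effect for effect, rule in policy
               if rule(subject, resource, action, env)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "deny"  # deny by default

if __name__ == "__main__":
    analyst = {"name": "jdoe", "department": "security", "clearance": 2}
    fw_log = {"type": "firewall_log", "classification": "internal", "owner": "netops"}
    print(decide(analyst, fw_log, "read", {"hour": 10}))  # permit
    print(decide(analyst, fw_log, "read", {"hour": 20}))  # deny: outside business hours
    restricted = {**fw_log, "classification": "restricted"}
    print(decide(analyst, restricted, "read", {"hour": 10}))  # deny: clearance too low
```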

Privileged access management (PAM) tools oversee account security and access control for highly privileged user accounts, like system admins. Privileged accounts are afforded special protections because they are high-value targets that malicious actors can use to cause serious damage. PAM tools isolate privileged identities from the rest, using credential vaults and just-in-time access protocols for extra security.

Credential management

Credential management tools allow users to securely store passwords, passkeys and other credentials in a central location. Credential management tools can mitigate the risk of employees forgetting their credentials. They can also encourage better security hygiene by making it easier for users to set different passwords for each service they use.

Secrets management tools protect credentials—including certificates, keys, passwords and tokens—for nonhuman users, such as apps, servers and workloads. Secrets management solutions often store secrets in a secure central vault. When authorized users need access to a sensitive system, they can obtain the corresponding secret from the vault. 

Identity governance

Identity governance tools help organizations audit user activity and ensure regulatory compliance.

Core functions of identity governance tools include auditing user permissions to remediate inappropriate access levels, logging user activity, enforcing security policies and flagging violations.

Identity threat detection and response (ITDR)

Identity threat detection and response (ITDR) tools automatically discover and remediate identity-based threats and security risks, such as privilege escalation and account misconfigurations. ITDR tools are relatively new and not yet standard in all IAM implementations, but they are an increasingly common component of enterprise identity security strategies.

Customer identity and access management (CIAM)

Customer identity and access management (CIAM) governs the digital identities of customers and other users who sit outside of an organization. Core CIAM functions include capturing customer profile data, authenticating users and facilitating secure access to digital services, such as e-commerce sites.

Cloud identity and access management

Cloud-based identity and access management solutions, also called “identity-as-a-service” (IDaaS) tools, take a software-as-a-service (SaaS) approach to IAM.

IDaaS tools can be useful in complex networks where distributed users log in from Windows, Mac, Linux and mobile devices to access resources located on site and in private and public clouds. These networks can be prone to fragmentation and visibility gaps, but cloud IAM solutions can scale to accommodate different users, apps and assets in a single identity system.

IDaaS tools also allow organizations to outsource some of the more time- and resource-intensive aspects of implementing IAM systems, such as setting up directories and logging user activity. 


Why is identity and access management important?

As organizations embrace multicloud environments, AI, automation and remote work, they need to facilitate secure access for more types of users to more types of resources in more locations. IAM solutions can improve both user experience and cybersecurity in decentralized networks, streamlining access management while protecting against common cyberthreats.

Digital transformation is the norm for today’s enterprise, which means the centralized, wholly on-premises IT network is largely a thing of the past. Perimeter-focused security solutions and strategies cannot effectively protect networks that span on- and off-premises devices, cloud-based services, web apps and teams of human and nonhuman users spread around the globe.

As a result, organizations are making identity security a core pillar of their cybersecurity strategies. Rather than focusing on the network edge, it can be more effective to secure individual users and their activity, regardless of where it happens.

At the same time, organizations must ensure that users have the on-demand access they need to do their jobs and are not held back by overly burdensome security measures.

IAM systems give IT and security teams a centralized way to define and enforce tailored, compliant access policies for individual users throughout the organization.

IAM tools can also securely authenticate users and help track how entities use their permissions—important capabilities in defending against identity-based cyberattacks, which are the method of choice for many cybercriminals today.  

According to IBM's Cost of a Data Breach Report, credential theft is a leading cause of data breaches, accounting for 10% of attacks. These credential-based attacks—in which hackers use legitimate users’ accounts to access sensitive data—cost USD 4.67 million and take 246 days to detect and contain on average.

IAM tools can make it harder for hackers to pull off these attacks. For example, MFA makes it so that cybercriminals need more than just a password to get in. Even if they do take over an account, lateral movement is limited because users have only the permissions that they need to do their jobs and no more. And ITDR tools can make it easier to spot and stop suspicious activity on authorized users’ accounts. 

According to the Cost of a Data Breach Report, IAM technology is a key factor in reducing breach costs, lowering the cost of an attack by USD 189,838 on average.

IAM and the rise of identity fabrics

An identity fabric is a comprehensive identity architecture that unites all the identity systems in a network in an integrated whole. Holistic IAM solutions that connect disparate apps and cover all core IAM functions are important tools in creating these fabrics.

Identity fabrics are growing more popular as organizations look to tackle the challenges that arise from using many different apps with different identity systems. According to one report, the average team uses 73 different SaaS apps. When these apps have their own identity systems, the fragmentation creates both logistical headaches and security gaps.

To combat these issues, organizations are investing in identity orchestration tools, which help disparate identity systems talk to each other.

Comprehensive IAM solutions that handle all the key aspects of IAM—identity administration, access management, governance, auditing, PAM and CIAM—help facilitate this orchestration. The goal is to create a network-wide identity fabric that allows the organization to manage identity information and access for all apps, users and assets in one platform.

In addition to simplifying IAM, the integrated approach can also boost security. According to the X-Force Threat Intelligence Index, consolidating identity solutions is one of the most effective ways to rein in identity sprawl and protect against identity-based attacks.

IAM and AI

Traditional, rule-based AI has been part of how IAM works for a long time, automating workflows such as authentication and audit trails. However, the arrival of generative AI presents both new challenges and new opportunities.

Between new apps powered by large language models (LLMs) and autonomous AI agents, generative AI is poised to drive a significant increase in the number of nonhuman identities in the enterprise network. These identities already outnumber humans 10:1 at a typical enterprise.1 That ratio might soon be much larger.  

These nonhuman identities are common targets for attackers because they often have relatively high access levels and poorly protected credentials.

However, IAM tools can mitigate the risks of cybercriminals taking over AI accounts. Common privileged access management techniques and tools, such as automatic credential rotation and secure credential vaults, can make it harder for hackers to steal credentials.

AI also has positive use cases for IAM. According to the IBM Institute for Business Value, many organizations already use AI to help manage user verification and authorization (62%) and to control risk, compliance and security (57%). Generative AI tools can elevate these uses.

For example, some IAM tools are rolling out LLM-powered chatbots that allow security teams to use natural language to analyze security datasets, create new policies and suggest tailored access levels for users.
