What is Identity and Access Management (IAM)?
Learn about identity and access management (IAM), how IAM works, and why organizations should have IAM in Data Protection 101, our series on the fundamentals of information security.
Identity and access management (IAM) is a collective term that covers products, processes, and policies used to manage user identities and regulate user access within an organization.
“Access” and “user” are two vital IAM concepts. “Access” refers to the actions a user is permitted to perform (like viewing, creating, or changing a file). “Users” could be employees, partners, suppliers, contractors, or customers. Employees can be further segmented based on their roles.
How Identity and Access Management Works
IAM systems are designed to perform three key tasks: identify, authenticate, and authorize. This means that only the right persons should be able to access computers, hardware, software apps, or any other IT resources, or to perform specific tasks.
Some core IAM components making up an IAM framework include:
- A database containing users’ identities and access privileges
- IAM tools for creating, monitoring, modifying, and deleting access privileges
- A system for auditing login and access history
As new users join and existing users change roles, the list of access privileges must be kept up to date at all times. IAM functions usually fall under IT departments or sections that handle cybersecurity and data management.
Examples of Identity and Access Management
Here are simple examples of IAM at work.
- When a user enters his login credentials, his identity would be checked against a database to verify if the entered credentials match the ones stored in the database. For example, when a contributor logs into a content management system, he’s allowed to post his work. However, he’s not allowed to make changes to other users’ works.
- A production operator can view an online work procedure but may not be allowed to modify it. On the other hand, a supervisor may have the power not only to view but also to modify the file or create a new one. If there’s no IAM in place, anyone can modify the document, and this could lead to disastrous effects.
- Through IAM, only specific users in the organization are allowed to access and handle sensitive information. If there’s no IAM, anyone (like outsiders) could access confidential company files, leading to a possible data breach. In this aspect, IAM helps companies meet stringent and complex regulations that govern data management.
Many IAM systems use role-based access control (RBAC). Under this approach, there are predefined job roles with specific sets of access privileges. Take HR employees as an RBAC example. If one HR officer is in charge of training, it makes little sense if that officer is given access to payroll and salary files.
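The role-based checks described above (the contributor, the operator and supervisor, the HR training officer), written as an added example that is not code from this article or from any IAM product. The role names, permission table, and user names are constructed for illustration. Access is denied unless a role grants it, and every decision is written to an audit log.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role -> {(resource kind, action)} table; all names are illustrative.
ROLE_PERMISSIONS = {
    "contributor": {("post", "create"), ("post", "modify:own")},
    "operator": {("procedure", "view")},
    "supervisor": {("procedure", "view"), ("procedure", "modify"),
                   ("procedure", "create")},
    "hr_training": {("training_record", "view"), ("training_record", "modify")},
    "hr_payroll": {("payroll", "view"), ("payroll", "modify")},
}

@dataclass
class User:
    name: str
    roles: set

@dataclass
class Resource:
    kind: str
    owner: Optional[str] = None

AUDIT_LOG = []  # (user, action, resource kind, decision) for every check

def is_allowed(user, action, resource):
    """Deny by default; allow only if one of the user's roles grants the action."""
    granted = set()
    for role in user.roles:
        # Unknown roles grant nothing. Roles are resolved on every check,
        # so a role change takes effect on the next request.
        granted |= ROLE_PERMISSIONS.get(role, set())
    allowed = (resource.kind, action) in granted
    # Ownership-scoped grant: "modify:own" permits modify only on the user's own item.
    if not allowed and (resource.kind, action + ":own") in granted:
        allowed = resource.owner is not None and resource.owner == user.name
    AUDIT_LOG.append((user.name, action, resource.kind,
                      "ALLOW" if allowed else "DENY"))
    return allowed

if __name__ == "__main__":
    alice = User("alice", {"contributor"})
    print(is_allowed(alice, "modify", Resource("post", owner="alice")))
    print(is_allowed(alice, "modify", Resource("post", owner="bob")))
    print(AUDIT_LOG)
```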
Some IAM systems implement Single Sign-On (SSO). With SSO, users only need to verify themselves one time. They would then be given access to all systems without the need to log separately into each system.
Whenever extra steps are required for authentication, the process is either two-factor authentication (2FA) or multi-factor authentication (MFA). This authentication process combines something the user knows (like a password) with something the user has (like a security token or OTP) or something that’s part of the user’s body (like biometrics).
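How a login can combine a password (something the user knows) with a time-based OTP (something the user has), as an added example that is not code from this article. It uses PBKDF2 for the password and the RFC 6238 TOTP algorithm for the OTP; the stored record, salt, password, and shared secret are constructed sample values.

```python
import hashlib
import hmac
import struct
import time

def hash_password(password, salt, iterations=600_000):
    """Derive a password verifier with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def authenticate(record, password, otp, now=None, window=1):
    """Succeed only when BOTH factors verify; compare in constant time."""
    now = time.time() if now is None else now
    knows = hmac.compare_digest(
        hash_password(password, record["salt"]), record["pw_hash"])
    # Accept the current 30-second step plus `window` steps either side (clock drift).
    candidates = [totp(record["totp_secret"], now + i * 30)
                  for i in range(-window, window + 1)]
    has = any([hmac.compare_digest(c.encode(), otp.encode()) for c in candidates])
    return knows and has

# Constructed sample record, as the identity database would store it.
SAMPLE_RECORD = {
    "salt": b"constructed-salt",
    "pw_hash": hash_password("correct horse", b"constructed-salt"),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
}

if __name__ == "__main__":
    code = totp(SAMPLE_RECORD["totp_secret"], time.time())
    print(authenticate(SAMPLE_RECORD, "correct horse", code))
```

A production verifier would also reject an OTP that has already been used and rate-limit failed attempts.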
Benefits of Identity and Access Management
Here’s a look at a few of the primary benefits and why identity and access management is important.
- IAM enhances security. This is perhaps the most important benefit organizations can get from IAM. By controlling user access, companies can eliminate instances of data breaches, identity theft, and illegal access to confidential information. IAM can prevent the spread of compromised login credentials, avoid unauthorized entry to the organization’s network, and provide protection against ransomware, hacking, phishing, and other kinds of cyber attacks.
- IAM streamlines IT workload. Whenever a security policy gets updated, all access privileges across the organization can be changed in one sweep. IAM can also reduce the number of tickets sent to the IT helpdesk regarding password resets. Some systems even have automation set for tedious IT tasks.
- IAM helps in compliance. With IAM, companies can quickly meet the requirements of industry regulations (like HIPAA and GDPR) or implement IAM best practices.
- IAM allows collaboration and enhances productivity. Companies can provide outsiders (like customers, suppliers, and visitors) access to their networks without jeopardizing security.
- IAM improves user experience. There's no need to enter multiple passwords to access multiple systems under SSO. If biometrics or smart cards are used, users may no longer need to remember complex passwords.
Best Practices for Identity and Access Management
Following relevant ISO standards would be a good starting place to ensure organizations meet the best IAM practices. Some of these standards are:
- ISO/IEC 24760-1:2019 IT Security and Privacy - A framework for identity management - Part 1: Terminology and concepts
- ISO/IEC 24760-2:2015 Information technology - Security techniques - A framework for identity management - Part 2: Reference architecture and requirements
- ISO/IEC 24760-3:2016 Information technology - Security techniques - A framework for identity management - Part 3: Practice
- ISO/IEC 29115:2013 Information technology - Security techniques - Entity authentication assurance framework
- ISO/IEC 29146:2016 Information technology - Security techniques - A framework for access management
- ISO/IEC 29100:2011 Information technology - Security techniques - Privacy framework
- ISO/IEC 29101:2018 Information technology - Security techniques - Privacy architecture framework
- ISO/IEC TS 29003:2018 Information technology - Security techniques - Identity proofing
- ISO/IEC 29134:2017 Information technology - Security techniques - Guidelines for privacy impact assessment
Note that no matter how robust identity management solutions are, they can still be undermined by simple mistakes, such as risky employee habits. That’s why basic cybersecurity practices – like using authorized devices for sensitive files, not sharing passwords, and using secured networks – remain as relevant as ever.