What Is IAM? Understanding Identity & Access Management


Identity and access management (IAM) is an umbrella term for the technical solutions, processes, and policies that organizations use to manage user identities and regulate user access to the enterprise network. The overarching goal of IAM is to protect enterprise assets by ensuring that only the right users can access them, within the right contexts.

While the word “user” may conjure up images of people sitting at computers or staring at their mobile phones, not all “users” are human. Computer hardware and Internet of Things (IoT) devices must be authenticated before accessing a network. Many applications must authenticate to other applications or services to function, such as applications that make API calls.

Whether the user is a human or a machine, an IAM system assigns it a unique digital identity. This identity encompasses not only who or what the user is, but also what access levels they are granted within systems and applications. Because users’ roles typically change throughout their time with an organization, digital identities are not static. They must be monitored, maintained, and secured for as long as the user has network access.

About the author

Craig Lurey is CTO at Keeper Security

IAM components

At its simplest, an IAM system should include:

Password management

Since over 80% of successful data breaches are due to weak or compromised passwords, password management is at the core of any IAM system. By requiring the use of a password manager, organizations can establish and enforce robust password security throughout the organization, such as the use of strong, unique passwords for all accounts, and ensure that passwords are being stored securely.

Role-based access control (RBAC)

Password management and RBAC can be thought of as the head and the neck of an IAM system; without one, the other can’t function. While password management ensures the security of user passwords, role-based access control manages user access. Using RBAC, IT administrators can restrict user access privileges according to job role and enforce least-privilege access, which means that users should be given the minimum level of access that is absolutely necessary to perform their job roles, and no more.

For example, there’s no reason for everyone to have access to an organization’s development platform; access should be restricted to developers and IT admins. Throughout the organization, users may be granted read-only access to some documents while being permitted full edit and delete privileges to others.
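One way to implement the RBAC and least-privilege checks described above, as an added example that is not part of the original article (the role names, resources and permissions are constructed assumptions):

```python
# Added example (not from the original article): a minimal role-based access
# control (RBAC) check with a least-privilege audit. Role names, resources
# and permissions below are assumptions constructed for illustration.
from dataclasses import dataclass, field

# Each role maps a resource to the set of actions it permits. Only developers
# and IT admins get the development platform, as the article suggests.
ROLE_PERMISSIONS = {
    "developer": {"dev-platform": {"read", "write", "deploy"},
                  "handbook": {"read"}},
    "it-admin":  {"dev-platform": {"read", "write", "deploy", "configure"},
                  "handbook": {"read", "edit", "delete"}},
    "sales":     {"handbook": {"read"},
                  "crm": {"read", "edit"}},
}

@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)

def effective_permissions(user: User) -> dict[str, set[str]]:
    """Union of the permissions granted by every role the user holds."""
    perms: dict[str, set[str]] = {}
    for role in user.roles:
        for resource, actions in ROLE_PERMISSIONS.get(role, {}).items():
            perms.setdefault(resource, set()).update(actions)
    return perms

def is_allowed(user: User, action: str, resource: str) -> bool:
    """Default deny: a user may do only what some role explicitly grants."""
    return action in effective_permissions(user).get(resource, set())

def least_privilege_violations(user: User,
                               required: dict[str, set[str]]) -> dict[str, set[str]]:
    """Report permissions the user holds beyond what the job requires.
    `required` is the minimal resource -> actions map for the user's duties."""
    excess = {}
    for resource, actions in effective_permissions(user).items():
        extra = actions - required.get(resource, set())
        if extra:
            excess[resource] = extra
    return excess

if __name__ == "__main__":
    alice = User("alice", {"developer"})
    bob = User("bob", {"sales"})
    print(is_allowed(alice, "deploy", "dev-platform"))  # True
    print(is_allowed(bob, "read", "dev-platform"))      # False
    # Bob only needs to read the handbook and CRM; the CRM edit right is excess.
    print(least_privilege_violations(bob, {"handbook": {"read"}, "crm": {"read"}}))  # {'crm': {'edit'}}
```

Running the audit periodically against each user's actual duties is how role drift (privileges accumulated through role changes) is caught, which is the point the article makes about identities not being static.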

Multi-factor authentication (MFA)

When a system or app is secured through MFA, the user needs more than one “authentication” factor to log in. Typically, this is something the user knows, such as a password or PIN, plus something the user has, like a key fob or a code sent to their mobile device, or something that’s part of the user’s body, such as a fingerprint. This provides an extra level of security in the event that a user’s password is compromised; cybercriminals will be unable to log in without the second authentication factor.

Single Sign-On (SSO) - Optional

While single sign-on (SSO) is not a necessity for IAM, many IAM systems include it. SSO allows users to log in to multiple websites or cloud applications using one set of login credentials. SSO is session-based; once a user logs in through the SSO provider, they don’t have to log in again during that session.

However, not all apps support SSO, or at least not the particular SSO protocol an organization is using. This means that employees must still keep track of passwords for those sites and apps that don’t support SSO or the organization’s particular SSO deployment. For this reason, SSO isn’t the best solution for every organization.

Benefits of IAM

The most obvious benefit to a robust IAM solution is enhanced security, particularly in a post-pandemic world where remote work is the norm, not the exception. IAM systems enable IT administrators to control user access regardless of where employees are working from or what devices they are using.

Similarly, IAM also enables organizations to grant systems access to users outside the organization, such as partners, contractors, and vendors, without jeopardizing security. A robust IAM system also:

  • Enhances compliance by forcing organizations to clearly define their user access policies and procedures, which are required by a number of compliance mandates, including HIPAA, Sarbanes-Oxley, and NIST guidelines. Many IAM solutions provide audit and reporting tools specifically designed for compliance audits.
  • Provides proof of compliance and due diligence if an organization is breached.
  • Reduces help desk workloads by eliminating requests for password resets and enabling IT administrators to automate many routine tasks.
  • Drives innovation by enabling organizations to securely extend network access to a variety of on-premises and SaaS apps.
  • Enhances productivity by making it easier for employees to access the systems they need to do their jobs, as well as eliminating the need for them to manually keep track of passwords.

While some small businesses may think that IAM solutions are out of their reach due to budget constraints, IAM doesn’t have to be an expensive endeavour. Many small organizations can achieve comprehensive protection using a password manager, RBAC, MFA, and possibly an SSO solution.
