Identity Management (IAM)
What is Identity and Access Management (IAM)?
IAM (Identity and Access Management) is a framework of policies, processes and technologies that ensures the right people have the appropriate access to the right resources, at the right time. It is fundamental to security, compliance and operational efficiency.
Core Components of IAM
1. Authentication
The process of verifying the identity of a user, system or entity.
- Authentication Factors:
- Something you know (password, PIN)
- Something you have (token, smartphone)
- Something you are (biometrics)
- Modern Methods:
- Passwordless authentication (FIDO2, WebAuthn)
- Risk-based authentication
- Continuous authentication
2. Authorization
Determining which resources and operations an authenticated user can access.
- RBAC (Role-Based Access Control): Permissions based on roles
- ABAC (Attribute-Based Access Control): Decisions based on attributes
- PBAC (Policy-Based Access Control): Dynamic policies
- ReBAC (Relationship-Based Access Control): Based on relationships
3. Provisioning and Deprovisioning
- Automated account creation
- Role-based permission assignment
- User onboarding and offboarding
- Synchronization across systems (HR → IAM → Apps)
Multi-Factor Authentication (MFA)
MFA adds extra layers of security by requiring multiple forms of verification before granting access.
Types of MFA
- SMS/Voice: Code sent via text or call (less secure)
- Authenticator Apps: TOTP (Google Authenticator, Authy)
- Push Notifications: Approval via smartphone
- Hardware Tokens: YubiKey, RSA SecurID
- Biometrics: Fingerprint, facial recognition
- FIDO2/WebAuthn: Modern passwordless standard
MFA Implementation
- Mandatory MFA for privileged accounts
- Conditional, risk-based MFA
- Backup options for recovery
- User education on its importance
Single Sign-On (SSO)
SSO allows users to access multiple applications with a single set of credentials, improving experience and security.
SSO Protocols
- SAML 2.0: Enterprise standard, XML-based
- OAuth 2.0: Authorization, used with OpenID Connect
- OpenID Connect (OIDC): Identity layer on top of OAuth 2.0
- Kerberos: Network authentication protocol
Benefits of SSO
- Reduced password fatigue
- Less password-reset helpdesk
- Better user experience
- Centralized authentication and auditing
Privileged Access Management (PAM)
PAM protects and monitors accounts with elevated privileges, which are critical to security.
PAM Capabilities
- Password Vaulting: Secure storage of privileged credentials
- Session Management: Recording and monitoring of privileged sessions
- Just-in-Time Access: Temporary privilege elevation
- Password Rotation: Automatic password changes
- Secrets Management: Management of API keys, tokens, certificates
Zero Trust Architecture
Zero Trust eliminates implicit trust, continuously verifying every access regardless of its origin.
Zero Trust Principles
- Verify explicitly (always authenticate and authorize)
- Use least-privilege access
- Assume breach (limit the blast radius)
- Micro-segmentation
- Continuous monitoring and logging
Zero Trust Implementation
- Identity-centric security perimeter
- Continuous and adaptive authentication
- Device trust and posture assessment
- Network segmentation and microsegmentation
- Encrypted traffic inspection
Identity Governance (IGA)
IGA ensures that the right people have the right access to the right resources, with full auditing.
IGA Capabilities
- Access Certification: Periodic access reviews
- Access Request Workflow: Requests with approvals
- Segregation of Duties (SoD): Conflict prevention
- Analytics and Reporting: Access visibility
- Policy Enforcement: Automation of access policies
Directories and Identity Providers
Corporate Directories
- Active Directory (AD): Microsoft, on-premises
- Azure AD (Entra ID): Microsoft, cloud
- Okta: Identity provider as a service
- Auth0: Identity platform for developers
- Ping Identity: Enterprise IAM
Open Source
- Keycloak: Open source IAM, Red Hat
- FreeIPA: Identity management for Linux/Unix
- OpenLDAP: Lightweight directory
Best Practices
Password Management
- Adequate complexity policies (12+ characters)
- Periodic rotation only for privileged accounts
- Prohibit password reuse
- Detect compromised passwords (Have I Been Pwned)
- Encourage the use of password managers
Principle of Least Privilege
- Grant only essential permissions
- Review access regularly
- Remove unused access
- Use groups/roles instead of individual permissions
Auditing and Compliance
- Logging of all identity activities
- Quarterly access reviews
- Privileged access reports
- Alerts for anomalous activity
Common Challenges
- Shadow IT: Applications not managed by IAM
- Orphaned Accounts: Active accounts of former employees
- Over-Privileged Users: Users with more access than needed
- Credential Stuffing: Use of leaked credentials
- Phishing: Credential theft via social engineering
Future Trends
- Passwordless Authentication: Elimination of passwords
- Decentralized Identity: Self-sovereign identity (SSI)
- AI-Powered IAM: Anomaly detection with ML
- Blockchain Identity: Distributed identities
- Biometrics Evolution: Behavioral biometrics
Effective identity and access management is critical to modern security. A robust strategy combines strong authentication (MFA), granular authorization (RBAC/ABAC), continuous governance (IGA) and Zero Trust architecture. With the shift to remote work and cloud, IAM has become the new security perimeter, requiring careful implementation and ongoing maintenance.
