Identity Management (IAM)

What is Identity and Access Management (IAM)?

IAM (Identity and Access Management) is a framework of policies, processes and technologies that ensures the right people have the appropriate access to the right resources, at the right time. It is fundamental to security, compliance and operational efficiency.

Core Components of IAM

1. Authentication

The process of verifying the identity of a user, system or entity.

  • Authentication Factors:
    • Something you know (password, PIN)
    • Something you have (token, smartphone)
    • Something you are (biometrics)
  • Modern Methods:
    • Passwordless authentication (FIDO2, WebAuthn)
    • Risk-based authentication
    • Continuous authentication

2. Authorization

Determining which resources and operations an authenticated user can access.

  • RBAC (Role-Based Access Control): Permissions based on roles
  • ABAC (Attribute-Based Access Control): Decisions based on attributes
  • PBAC (Policy-Based Access Control): Dynamic policies
  • ReBAC (Relationship-Based Access Control): Based on relationships

3. Provisioning and Deprovisioning

  • Automated account creation
  • Role-based permission assignment
  • User onboarding and offboarding
  • Synchronization across systems (HR → IAM → Apps)

Multi-Factor Authentication (MFA)

MFA adds extra layers of security by requiring multiple forms of verification before granting access.

Types of MFA

  • SMS/Voice: Code sent via text or call (less secure)
  • Authenticator Apps: TOTP (Google Authenticator, Authy)
  • Push Notifications: Approval via smartphone
  • Hardware Tokens: YubiKey, RSA SecurID
  • Biometrics: Fingerprint, facial recognition
  • FIDO2/WebAuthn: Modern passwordless standard

MFA Implementation

  • Mandatory MFA for privileged accounts
  • Conditional, risk-based MFA
  • Backup options for recovery
  • User education on its importance

Single Sign-On (SSO)

SSO allows users to access multiple applications with a single set of credentials, improving experience and security.

SSO Protocols

  • SAML 2.0: Enterprise standard, XML-based
  • OAuth 2.0: Authorization, used with OpenID Connect
  • OpenID Connect (OIDC): Identity layer on top of OAuth 2.0
  • Kerberos: Network authentication protocol

Benefits of SSO

  • Reduced password fatigue
  • Less password-reset helpdesk
  • Better user experience
  • Centralized authentication and auditing

Privileged Access Management (PAM)

PAM protects and monitors accounts with elevated privileges, which are critical to security.

PAM Capabilities

  • Password Vaulting: Secure storage of privileged credentials
  • Session Management: Recording and monitoring of privileged sessions
  • Just-in-Time Access: Temporary privilege elevation
  • Password Rotation: Automatic password changes
  • Secrets Management: Management of API keys, tokens, certificates

Zero Trust Architecture

Zero Trust eliminates implicit trust, continuously verifying every access regardless of its origin.

Zero Trust Principles

  • Verify explicitly (always authenticate and authorize)
  • Use least-privilege access
  • Assume breach (limit the blast radius)
  • Micro-segmentation
  • Continuous monitoring and logging

Zero Trust Implementation

  • Identity-centric security perimeter
  • Continuous and adaptive authentication
  • Device trust and posture assessment
  • Network segmentation and microsegmentation
  • Encrypted traffic inspection

Identity Governance (IGA)

IGA ensures that the right people have the right access to the right resources, with full auditing.

IGA Capabilities

  • Access Certification: Periodic access reviews
  • Access Request Workflow: Requests with approvals
  • Segregation of Duties (SoD): Conflict prevention
  • Analytics and Reporting: Access visibility
  • Policy Enforcement: Automation of access policies

Directories and Identity Providers

Corporate Directories

  • Active Directory (AD): Microsoft, on-premises
  • Azure AD (Entra ID): Microsoft, cloud
  • Okta: Identity provider as a service
  • Auth0: Identity platform for developers
  • Ping Identity: Enterprise IAM

Open Source

  • Keycloak: Open source IAM, Red Hat
  • FreeIPA: Identity management for Linux/Unix
  • OpenLDAP: Lightweight directory

Best Practices

Password Management

  • Adequate complexity policies (12+ characters)
  • Periodic rotation only for privileged accounts
  • Prohibit password reuse
  • Detect compromised passwords (Have I Been Pwned)
  • Encourage the use of password managers

Principle of Least Privilege

  • Grant only essential permissions
  • Review access regularly
  • Remove unused access
  • Use groups/roles instead of individual permissions

Auditing and Compliance

  • Logging of all identity activities
  • Quarterly access reviews
  • Privileged access reports
  • Alerts for anomalous activity

Common Challenges

  • Shadow IT: Applications not managed by IAM
  • Orphaned Accounts: Active accounts of former employees
  • Over-Privileged Users: Users with more access than needed
  • Credential Stuffing: Use of leaked credentials
  • Phishing: Credential theft via social engineering

Future Trends

  • Passwordless Authentication: Elimination of passwords
  • Decentralized Identity: Self-sovereign identity (SSI)
  • AI-Powered IAM: Anomaly detection with ML
  • Blockchain Identity: Distributed identities
  • Biometrics Evolution: Behavioral biometrics

Effective identity and access management is critical to modern security. A robust strategy combines strong authentication (MFA), granular authorization (RBAC/ABAC), continuous governance (IGA) and Zero Trust architecture. With the shift to remote work and cloud, IAM has become the new security perimeter, requiring careful implementation and ongoing maintenance.