What is Identity & Access Management (IAM)?

IAM is a fitting acronym for "Identity & Access Management", because it’s all about verifying who you are before being granted access to critical IT systems. It’s a digital “Yes, I am allowed to be here.”

Gartner® defines IAM as "the systems that ensure only the right people and devices can access the right IT resources, at the right times, for the right reasons." IAM is especially important to government entities, and to financial and healthcare organizations that must adhere to strict privacy rules stemming from Gramm-Leach-Bliley, HIPAA, or Sarbanes-Oxley legislation. In the event of a breach, leak, or cyberattack, IAM provides traceability to the source, aiding in compliance.

In this article, we’ll define IAM and review how it works, as well as some challenges and key terms to know when considering IAM options.

How Identity & Access Management (IAM) works?

Chances are you already perform some degree of IAM in your personal life. You use passwords on your phone and PC and have probably set some limits on who can view the details of your social media profiles. Maybe you’ve even unfriended a few people.

In the world of enterprise IT, IAM is the practice of specifying which employees and devices have access to mission-critical IT systems and resources and managing the various levels of control and permissions for hundreds if not thousands of users.

Just as importantly, IAM tracks how users are using that access, and manages the off-boarding of users and devices when they leave the organization.

What is an IAM System?

IAM systems define and manage roles not just of people, but also applications and devices accessing the network infrastructure from anywhere in the organization, whether on-premises or the cloud. The goal is to establish a singular, universal digital identity per user or asset so that all activity can be monitored. Once established, that identity must be maintained and updated as rights and systems evolve over time.

Examples of people include employees, customers, suppliers, and business partners like accountants and consultants. Each may have varying levels of access to different company systems.

Examples of devices include PCs, laptops, smartphones, routers, servers, and sensors. With the growing complexity of the Internet of Things (IoT) in which devices and software apps communicate autonomously with one another, levels of permission must be managed between them as well, or they may become unguarded gateways into the IT infrastructure.

An IAM system contains these components:

• A centralized database of the information used to define each user or device.

• An administrative portal with the necessary tools to control access rights by individual title, job function, or device type, and to add users, modify roles, and delete assets as needed.

• A front-end gatekeeper system that checks, verifies, and enforces permissions of each asset against the IAM database. These can include single sign on (SSO), passwords, two-factor or multi-factor authentication systems, pre-shared digital keys and certificates, software tokens, and today, even biometrics like fingerprints, retinal scans, and facial recognition.

• An audit and reporting solution that tracks activity by individual user or asset.

There’s more to IAM than enabling strong passwords. Upon attempting a login, the IAM system will authenticate the user or device against pre-determined levels of permission. It will then deny or grant access to the resource and track its use for every single request. 

Related content

Article: What is shadow IT? The risks, costs and benefits.

The Challenges of IAM

The challenge of effective IAM is maintaining consistent rules and policies at scale. Managing large populations of identities (people and objects) and their ever-changing rights across multiple business units is not possible with a spreadsheet. Cleaning up outdated identities and revoking extra privileges requires constant vigilance. A tool that unifies and automates these tasks is required.

Every time someone is hired, promoted, or assigned to a new project or location…every time the organization retires an asset, or an employee leaves the company…every time a new device or application is installed on the network…every time a password is changed…all credentials must be updated across all systems.

COVID has only highlighted the need for effective IAM, as an increasing number of employees now require access to corporate IT systems when working from home, making remote identity tracking more critical than ever.

Maintaining IAM also means ensuring compatibility with all aspects of your IT environment, from edge to cloud to on-premises, so properly vetted users can access information wherever, whenever they need it. Many IAM solutions employ open standards so they can be modified by customers to meet unique needs.

There’s a lot to know about IAM, and a lot to keep pace with – especially in large organizations where high volumes of people and assets are always on the move. There are many commercially available IAM solutions available, but not all are created equal. Some now employ artificial intelligence, while others are password-less.

Our IT professionals have the experience and solutions to help you manage the complexities of identity and access management with granular control. Speak with one of our data security experts to learn more about what you can do to minimize risk with IAM solutions.