identity and access management (IAM)

Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. With an IAM framework in place, information technology (IT) managers can control user access to critical information within their organizations. Identity and access management products offer role-based access control, which lets system administrators regulate access to systems or networks based on the roles of individual users within the enterprise.


In this context, access is the ability of an individual user to perform a specific task, such as view, create or modify a file. Roles are defined according to job competency, authority and responsibility within the enterprise.

Systems used for identity and access management include single sign-on systems, multi-factor authentication and privileged access management (PAM). These technologies also provide the ability to securely store identity and profile data as well as data governance functions to ensure that only data that is necessary and relevant is shared. IAM systems can be deployed on premises, provided by a third-party vendor through a cloud-based subscription model or deployed in a hybrid cloud.

Basic components of IAM

On a fundamental level, IAM encompasses the following components:

  • How individuals are identified in a system.
  • How roles are identified in a system and how they are assigned to individuals.
  • Adding, removing and updating individuals and their roles in a system.
  • Assigning levels of access to individuals or groups of individuals.
  • Protecting the sensitive data within the system and securing the system itself.

What IAM systems should include

Identity access management systems should consist of all the necessary controls and tools to capture and record user login information, manage the enterprise database of user identities and orchestrate the assignment and removal of access privileges. That means that systems used for IAM should provide a centralized directory service with oversight as well as visibility into all aspects of the company user base.

Technologies for identity and access management should simplify the user provisioning and account setup process. These systems should reduce the time it takes to complete these processes with a controlled workflow that decreases errors as well as the potential for abuse while allowing automated account fulfillment. An identity and access management system should also allow administrators to instantly view and change access rights.

These systems also need to balance the speed and automation of their processes with the control that administrators need to monitor and modify access rights. Consequently, to manage access requests, the central directory needs an access rights system that automatically matches employee job titles, business unit identifiers and locations to their relevant privilege levels.

Multiple review levels can be included as workflows to enable the proper checking of individual requests. This simplifies setting up appropriate review processes for higher-level access as well as easing reviews of existing rights to prevent privilege creep, the gradual accumulation of access rights beyond what users need to do their jobs.

IAM systems should be used to provide flexibility to establish groups with specific privileges for specific roles so that access rights based on employee job functions can be uniformly assigned. The system should also provide request and approval processes for modifying privileges because employees with the same title and job location may need customized, or slightly different, access.
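The attribute-to-role mapping, role-based privilege assignment and privilege-creep review described above, as an added example that is not part of the original article; the roles, privileges and user records are constructed for illustration:

```python
"""Added example (not from the original article): a minimal RBAC model in which
job title, business unit and location are mapped to roles, roles to privileges,
and a review pass flags privilege creep (rights held beyond what the user's
roles entitle). All role names and data are constructed for illustration."""
from dataclasses import dataclass, field

# Role -> set of (resource, action) privileges. Constructed sample policy.
ROLE_PRIVILEGES = {
    "employee": {("wiki", "view")},
    "finance-analyst": {("ledger", "view"), ("ledger", "create")},
    "finance-approver": {("ledger", "view"), ("ledger", "modify"), ("payments", "approve")},
    "hr-generalist": {("hr-records", "view"), ("hr-records", "modify")},
}

@dataclass
class User:
    name: str
    title: str
    business_unit: str
    location: str
    direct_grants: set = field(default_factory=set)  # rights granted outside the role policy

def roles_for(user: User) -> set:
    """Derive roles from HR attributes, as the central directory would."""
    roles = {"employee"}  # everyone gets the baseline role
    if user.business_unit == "finance":
        roles.add("finance-approver" if user.title == "controller" else "finance-analyst")
    if user.business_unit == "hr" and user.location != "contractor-site":
        roles.add("hr-generalist")
    return roles

def entitled(user: User) -> set:
    """All privileges the user's derived roles entitle."""
    return set().union(*(ROLE_PRIVILEGES[r] for r in roles_for(user)))

def is_allowed(user: User, resource: str, action: str) -> bool:
    """Access check: role entitlements plus any direct grants."""
    return (resource, action) in entitled(user) | user.direct_grants

def privilege_creep(user: User) -> set:
    """Rights held that no current role entitles: candidates for an access review."""
    return user.direct_grants - entitled(user)

# Constructed sample: an analyst who moved from HR to finance but kept an old direct grant.
alice = User("alice", "analyst", "finance", "hq", direct_grants={("hr-records", "modify")})
```

Running the review over `alice` reports the stale `hr-records` grant as privilege creep even though the access check still permits it, which is exactly what a periodic rights review is meant to surface.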

Benefits of identity and access management

IAM technologies can be used to initiate, capture, record and manage user identities and their related access permissions in an automated manner. This brings an organization the following benefits:

  • Access privileges are granted according to one interpretation of policy and all individuals and services are properly authenticated, authorized and audited.
  • Companies that properly manage identities have greater control of user access, reducing the risk of internal and external data breaches.
  • Automating IAM systems allows businesses to operate more efficiently by decreasing the effort, time and money that would be required to manage access to their networks manually.
  • In terms of security, the use of an IAM framework can make it easier to enforce policies around user authentication, validation and privileges and address issues regarding privilege creep.
  • IAM systems help companies better comply with government regulations by allowing them to show that corporate information is not being misused. Companies can also demonstrate that any data needed for auditing can be made available on-demand.

Additionally, by implementing identity access management tools and following related best practices, a company can gain a competitive edge. For example, IAM technologies allow the business to give users outside the organization, like customers, partners, contractors and suppliers, access to its network across mobile applications, on-premises apps and software-as-a-service apps without compromising security. This enables better collaboration, enhanced productivity, increased efficiency and reduced operating costs.

IAM in the enterprise

It can be challenging to get funding for IAM projects because they do not directly increase an organization’s profitability or functionality. However, a lack of effective identity and access management poses significant risks not only to compliance, but also overall security. These mismanagement issues increase the risk of greater damages from both external and internal threats.

Keeping the required flow of business data going while simultaneously managing its access has always required administrative attention. The business IT environment is ever evolving and the difficulties have only become greater with recent disruptive trends like bring your own device (BYOD), cloud computing, mobile apps and an increasingly mobile workforce. There are more devices and services to be managed than ever before, with diverse requirements for associated access privileges.

Risks associated with IAM

Implementing proper identity and access management tools or platforms means storing all authorizations and credentials in one, unified place. When not secured correctly, this can be a huge risk because if an attacker gains access to the system, all digital identities can be compromised. Similarly, if a specific employee who is authorized to use the system does not follow security or password best practices, all of the information could be easily leaked.

Another concern with adopting IAM is the challenge of implementation. Legacy systems will typically already have identity management functionality in place; therefore, converting resources to a new system could be challenging, expensive and time-consuming. However, solutions for minimizing the need for technical support, such as cloud services, are becoming more viable.

IAM vendors and tools

Rather than developing internal tools, most companies decide to purchase or subscribe to third-party IAM tools. These products can take on multiple forms, such as an identity as a service (IDaaS) cloud model, a hybrid cloud model, a traditional on-premises model or a microservices model. IAM microservices may cover only one aspect of IAM, like privileged account management, account compliance management or user authorization management.

Vendors with products in the IAM space include:

This was last updated in May 2019


How does your organization prove it is compliant with access regulations?
At the current point in time, our product uses a number of different access management approaches ranging from simple generic authentication, LDAP and iPaaS, in order of complexity and level of security desired. All have varying levels of automation capabilities, and I'd say the iPaaS solution comes the closest to the IAM approach described. Generally, though, we offer the features, and let our customers choose what they want to implement and at what level.
We invest resources and personnel into developing IT regulations that govern privacy and separation of duties and storing these data in a central platform to enable easier use as well as oversight of any risks associated with the same. This makes it easier for us to comply with complex access mandates. As part of monitoring these activities, we are able to come up with in-house applications that enforce the policies for all users.
Great article! Your readers may also find real user reviews for all the major IAM solutions on IT Central Station to be helpful:

One solution I did not see included in the list of IAM systems is Oracle Identity Manager. This user writes that the OIM features he finds valuable include, "Rich authorization engine for delegated admin, robust workflow capability with BPML engine, and extensive connector support." You can read the rest of his review, as well as explore what others have to say about Oracle Identity Manager, here:
Is there a way, if you go under "track requests" and hit the "show" tab, to see other people's requests? It has the option for requests made by me and requests made for me, just not requests made by others.
I have a lot of experience with WSO2 Identity Server, which provides all the key features in the IAM domain.
Hi Margaret, thanks for sharing your views. I will add a few things from my end. I believe identity and access management is an essential condition for any modern organization.

Understanding who has access to your sensitive data and how and when they access it is critical to prevent internal threats and improve your organization's security against cyberattacks.

Choosing the right IAM solution can be problematic. Last night I read an article on the best IAM solution which was pretty good. I hope you will find it as useful as I did.
Adding to this, I believe IAM is one thing for customers to access digital attributes, but it's another to let them identify and interact with brands. Whether through traditional registration (user name and password) or social sign-in, visitors range from anonymous to known. I believe CIAM is the future when it comes to protecting your digital identity online.