What is IAM (Identity & Access Management)?

Cybercriminals look for the most straightforward entry points when breaching networks. That’s why compromised user credentials are so commonly the initial access point.

But there’s a way to mitigate this risk: identity & access management. Or, to its friends, IAM.

What is identity & access management?

IAM is a security framework that combines policy, processes and tools to ensure the right people can access the right resources at the right time and for the right reasons.

In fact, it goes further than this: an IAM solution encompasses not only people but also devices. Furthermore, the “people” involved are not limited to employees but also include contractors and business partners.

Similar to the principle of zero trust, IAM brings the mantra of “never trust, always verify” to your organisation, and does so without erecting barriers to workflow and productivity.

Who needs IAM?

Every organisation that cares about the security of its data needs an IAM solution of some kind.

Whether you employ a handful of people or thousands, cybercriminals will look to compromise credentials and use this access to install malware. That includes ransomware, too.

They will then move around your networks looking for valuable data to steal or encrypt.

The risks of not having an IAM solution increase when employees work from home, or external contractors, vendors and business partners require network access.

Why does IAM matter now?

Whether your workforce is on-premises, remote, or a combination of both, they will still require the same access to resources. That could be networks, data or apps.

This changes the security picture from when the office was a fortress, protected by perimeter defences such as firewalls, to one where there is no perimeter. The cloud, internet of things (IoT) devices, and hybrid working models have fed into this perimeter-less reality.

Cybercriminals most often initially look to compromised user credentials (identity) to breach (access) your networks. Managing both aspects, identity and access, is crucial if you are to defend against ever-evolving, ever more complex and ever more costly attacks.

By largely automating the authentication and authorisation process, IAM represents a significant mitigation measure against data breaches.

How does identity & access management work?

IAM, as the name implies, brings together identity and access. Another way to think of it is authentication and authorisation. And it’s all done within a single and primarily automated management solution.

Although the precise make-up of an IAM solution will vary between vendor products and organisational needs, these two factors remain the foundation stones.

Authentication is handled by IAM checking every attempted login, from either a human or device source, against a database of those allowed access. This database is dynamic, changing as people join or leave the organisation, but IAM makes it easy for IT admins to manage.

IAM will aim to authenticate identity without impacting workflow, which is where single-sign-on (SSO) functionality comes in. This will enable secure authentication just once per identity, and allow access to all permissible resources without needing to re-authenticate.

Authorisation takes care of which resources and data an authenticated user can access. This is achieved through granular, policy-defined permissions, which change over time.

It brings context into the access equation, only allowing access to what is needed to perform the defined role and no more.
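
The flow described above, sketched as an added example (not taken from this article or any vendor product): one login against a dynamic directory of people and devices, a single SSO session, and a default-deny role check on every resource request. All names, roles and resources are hypothetical, constructed sample data.

```python
import hashlib, hmac, os, secrets

# Constructed policy: each role is granted only what it needs (least privilege).
POLICY = {
    "finance": {"payroll-app", "email"},
    "contractor": {"email"},
    "printer": {"print-queue"},  # devices are identities too
}

class IAM:
    def __init__(self):
        self.directory = {}  # identity -> (salt, secret hash, role)
        self.sessions = {}   # SSO token -> identity

    def _hash(self, secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def join(self, identity, secret, role):
        salt = os.urandom(16)
        self.directory[identity] = (salt, self._hash(secret, salt), role)

    def leave(self, identity):
        # Deprovision: remove the identity and end its live SSO sessions.
        self.directory.pop(identity, None)
        self.sessions = {t: i for t, i in self.sessions.items() if i != identity}

    def login(self, identity, secret):
        """Authenticate once; return an SSO token, or None on failure."""
        record = self.directory.get(identity)
        if record is None:
            return None
        salt, stored, _ = record
        if not hmac.compare_digest(stored, self._hash(secret, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = identity
        return token

    def authorise(self, token, resource):
        """Default deny: allow only resources granted to the identity's role."""
        identity = self.sessions.get(token)
        if identity is None or identity not in self.directory:
            return False
        role = self.directory[identity][2]
        return resource in POLICY.get(role, set())
```

The SSO token removes repeated logins, not repeated authorisation: every request is still checked against the current directory and policy, so a leaver's token stops working as soon as they are deprovisioned.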

Next, find out why IAM should be the top layer of your cybersecurity stack.

Summary: What is IAM?

  • IAM is important because cybercriminals most often initiate an attack with the use of compromised credentials. 
  • IAM helps mitigate this risk by securing both identity and access of users and devices. 
  • It does this using secure authentication and contextual authorisation methods that are mostly automated. 
  • While different IAM solutions will vary in scope and design, they will all aim to have minimum impact upon users. 
Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.