Identity and Access Management (IAM)


60% of cloud breaches involve compromised identity credentials. Attackers are not breaking in anymore; they are logging in. Identity and Access Management (IAM) determines who gets access to what, when, and for how long. Get IAM wrong and you hand attackers the keys to your kingdom. Get it right and you stop many breaches before they start.

What Is Identity and Access Management?

Identity and Access Management (IAM) is a framework of policies, technologies, and processes for managing digital identities and controlling access to resources. IAM ensures the right individuals access the right resources at the right times for the right reasons. The framework covers both human users (employees, contractors, customers) and non-human entities (applications, APIs, service accounts). IAM systems authenticate who users claim to be and authorize what they can do after proving their identity.

The Two Core Components

Identity Management

Identity management handles the lifecycle of digital identities. This includes creating user accounts, updating attributes as roles change, and deactivating access when employees leave. Identity management answers the question: who are you? Common components include user directories, identity providers (IdP), and synchronization with HR systems.

Access Management

Access management controls what authenticated users can do. This includes enforcing policies, managing sessions, and applying rules like role-based access control (RBAC). Access management answers the question: what can you do? Components include single sign-on (SSO), multi-factor authentication (MFA), and policy enforcement points.

Gartner's Definition of IAM

Gartner defines IAM as the discipline that enables the right individuals to access the right resources at the right times for the right reasons. IAM solutions include Identity Governance and Administration (IGA), Privileged Access Management (PAM), and Access Management (AM).

5 Essential IAM Capabilities

Capability 1: Authentication

Authentication verifies user identity through something the user knows (password), something the user has (token), or something the user is (biometric). Modern IAM requires multi-factor authentication (MFA) combining at least two factors from different categories; a password plus a second password is not MFA. Factors are not equal in strength: SMS and app-generated one-time codes can be phished or relayed in real time, whereas FIDO2/WebAuthn authenticators bind the credential to the site's origin and resist phishing.

Capability 2: Authorization

Authorization determines access rights after authentication. Role-based access control (RBAC) assigns permissions based on job function. Attribute-based access control (ABAC) considers user attributes, resource attributes, and environmental conditions, so one policy can express rules RBAC cannot, such as "finance staff may post ledger entries only from a managed device during business hours". Either way the default should be deny: access exists only where a rule explicitly grants it.
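To make the RBAC/ABAC distinction concrete, here is an added example (not code from the original page) of a policy decision point: RBAC answers whether any of the subject's roles carries the permission at all, and ABAC then applies conditions on the subject, resource and environment. The roles, permissions and conditions are hypothetical and constructed for illustration.

```python
# Added example, not code from the original page: a policy decision point that
# evaluates RBAC first (does any role carry the permission?) and then ABAC
# conditions on the subject, the resource and the environment. The roles,
# permissions and conditions are hypothetical and constructed for illustration.
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Tuple

# Hypothetical role -> permission table (RBAC).
ROLE_PERMISSIONS = {
    "sales":   {"crm:read", "crm:write", "mail:read"},
    "finance": {"ledger:read", "ledger:write", "mail:read"},
    "auditor": {"ledger:read", "crm:read"},
}


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    department: str
    device_compliant: bool   # attribute fed by device management


@dataclass(frozen=True)
class Resource:
    action: str              # e.g. "ledger:write"
    owner_department: str
    sensitivity: str         # "low" or "high"


@dataclass(frozen=True)
class Environment:
    now: datetime
    source_ip_trusted: bool


def env_at(iso_timestamp: str, source_ip_trusted: bool) -> Environment:
    """Build an Environment from an ISO-8601 timestamp (UTC hours are used below)."""
    return Environment(datetime.fromisoformat(iso_timestamp), source_ip_trusted)


def rbac_allows(subject: Subject, action: str) -> bool:
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def abac_conditions(subject: Subject, resource: Resource, env: Environment) -> List[str]:
    """Return the list of violated conditions; empty means every condition holds."""
    is_write = resource.action.endswith(":write")
    violations = []
    if resource.sensitivity == "high" and not subject.device_compliant:
        violations.append("high-sensitivity resource requires a compliant device")
    if resource.sensitivity == "high" and not env.source_ip_trusted:
        violations.append("high-sensitivity access only from trusted networks")
    if is_write and subject.department != resource.owner_department:
        violations.append("writes limited to the owning department")
    if is_write and not 8 <= env.now.hour < 18:
        violations.append("writes limited to business hours (UTC)")
    return violations


def decide(subject: Subject, resource: Resource, env: Environment) -> Tuple[str, List[str]]:
    """Deny by default: RBAC must grant the action and no ABAC condition may fail.
    The returned reasons are what you would write to the audit log."""
    if not rbac_allows(subject, resource.action):
        return "deny", [f"no role of {subject.user} grants {resource.action}"]
    violations = abac_conditions(subject, resource, env)
    return ("allow", []) if not violations else ("deny", violations)


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"sales"}), "sales", True)
    print(decide(alice, Resource("crm:write", "sales", "low"), env_at("2024-05-06T22:00:00+00:00", True)))
```

The same sales user who is allowed to write CRM records during the day is denied at 22:00, with the violated condition recorded as the reason; a user whose roles never included the permission is denied before any attribute is examined.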

Capability 3: User Lifecycle Management

IAM automates account creation, modification, and deletion. When an employee joins, IAM provisions appropriate access. When they change roles, IAM updates permissions, removing the entitlements the old role needed as well as adding new ones; otherwise access accumulates with every move. When they leave, IAM revokes all access immediately. Revocation has to reach live sessions and already-issued tokens too: disabling the account in the directory does not by itself invalidate a bearer token that was issued before the change.
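The joiner/mover/leaver logic above is, at its core, a reconciliation between the HR system of record and the directory. The following is an added example, not code from the original page, that computes the provisioning actions from constructed sample data; the role-to-entitlement mapping and the records are hypothetical. It also flags the two failure modes the lifecycle process exists to prevent: movers who keep old-role access and orphaned accounts with no HR record at all.

```python
# Added example, not code from the original page: joiner/mover/leaver
# reconciliation of a directory against the HR system of record. The role to
# entitlement mapping and the sample records are hypothetical and constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical "birthright" entitlements per role.
ROLE_ENTITLEMENTS = {
    "sales":    {"crm", "mail"},
    "finance":  {"ledger", "mail"},
    "engineer": {"git", "ci", "mail"},
}


@dataclass
class HrRecord:
    employee_id: str
    role: str
    status: str            # "active" or "terminated"


@dataclass
class Account:
    employee_id: str
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)


Action = Tuple[str, str, dict]   # (kind, employee_id, details)


def reconcile(hr: Dict[str, HrRecord], directory: Dict[str, Account]) -> List[Action]:
    """Compute the provisioning actions that bring the directory in line with HR."""
    actions: List[Action] = []
    for emp_id, rec in hr.items():
        acct = directory.get(emp_id)
        if rec.status == "terminated":
            # Leaver: disable and strip everything, even if the account looks idle.
            if acct is not None and (acct.enabled or acct.entitlements):
                actions.append(("leaver", emp_id, {"disable": True, "revoke": sorted(acct.entitlements)}))
            continue
        wanted = ROLE_ENTITLEMENTS.get(rec.role)
        if wanted is None:
            # Unknown role: do not guess; surface it for a human instead of provisioning.
            actions.append(("unknown-role", emp_id, {"role": rec.role}))
            continue
        if acct is None:
            actions.append(("joiner", emp_id, {"enable": True, "grant": sorted(wanted)}))
            continue
        grant = sorted(wanted - acct.entitlements)
        revoke = sorted(acct.entitlements - wanted)  # mover: old-role access does not carry over
        if grant or revoke or not acct.enabled:
            actions.append(("mover", emp_id, {"enable": True, "grant": grant, "revoke": revoke}))
    # Orphans: accounts with no HR record at all (departed staff purged from HR,
    # contractors never entered, shared accounts). Treat them like leavers.
    for emp_id, acct in directory.items():
        if emp_id not in hr and (acct.enabled or acct.entitlements):
            actions.append(("orphan", emp_id, {"disable": True, "revoke": sorted(acct.entitlements)}))
    return actions


# Constructed sample data.
SAMPLE_HR = {
    "e1": HrRecord("e1", "sales", "active"),
    "e2": HrRecord("e2", "finance", "active"),      # moved from engineering to finance
    "e3": HrRecord("e3", "finance", "terminated"),  # left last week
    "e4": HrRecord("e4", "engineer", "active"),     # starts today, no account yet
}
SAMPLE_DIRECTORY = {
    "e1": Account("e1", True, {"crm", "mail"}),
    "e2": Account("e2", True, {"git", "ci", "mail"}),
    "e3": Account("e3", True, {"ledger", "mail"}),
    "e5": Account("e5", True, {"git"}),             # contractor with no HR record
}


def run_sample() -> List[Action]:
    return reconcile(SAMPLE_HR, SAMPLE_DIRECTORY)


if __name__ == "__main__":
    for kind, emp_id, details in run_sample():
        print(kind, emp_id, details)
```

Running it on the sample yields one mover (e2 gains ledger and loses git and ci), one leaver (e3), one joiner (e4) and one orphan (e5). In a real deployment the action list feeds the provisioning connectors, and the "orphan" and "unknown-role" kinds are the ones worth alerting on rather than auto-fixing.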

Capability 4: Single Sign-On (SSO)

SSO allows users to authenticate once and access multiple applications. This reduces password fatigue, eliminates dozens of separate logins, and centralizes security controls and audit trails in one place. The same centralization concentrates risk: the identity provider becomes the one system whose compromise unlocks every connected application, so it warrants the strongest authentication, tightly restricted administrative access, and close monitoring.

Capability 5: Privileged Access Management (PAM)

PAM secures the administrative accounts that carry the highest permissions. Those accounts should not be held as standing membership: access is granted just-in-time for a bounded period, sessions are recorded, and the underlying credentials are vaulted and rotated. The point is that a stolen admin credential on its own does not let an attacker take over your entire infrastructure.
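What "just-in-time" means in practice is a grant store rather than a group membership. The following is an added example, not code from the original page or any PAM product, of such a store: a grant needs a distinct approver and a change ticket, is capped in duration, expires on its own, can be revoked early (for example by the leaver process), and every decision lands in an audit trail. The policy ceiling and record formats are hypothetical.

```python
# Added example, not code from the original page: a minimal just-in-time (JIT)
# elevation store of the kind a PAM tool keeps. Nobody holds standing admin
# membership; a grant needs a distinct approver and a change ticket, is capped
# in duration, expires on its own and every decision is written to an audit trail.
# The policy limits and record formats are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Grant:
    user: str
    role: str
    approver: str
    ticket: str
    granted_at: int     # Unix seconds
    expires_at: int


class JitAccessStore:
    MAX_TTL_SECONDS = 4 * 3600   # hypothetical policy ceiling for one elevation

    def __init__(self) -> None:
        self.active: Dict[Tuple[str, str], Grant] = {}
        self.audit: List[str] = []

    def request(self, user: str, role: str, approver: str, ticket: str, ttl: int, now: int) -> bool:
        """Grant time-boxed membership of `role` to `user`; return False if policy rejects it."""
        if approver == user:
            self.audit.append(f"DENY user={user} role={role} reason=self-approval")
            return False
        if not ticket:
            self.audit.append(f"DENY user={user} role={role} reason=no-ticket")
            return False
        if ttl <= 0 or ttl > self.MAX_TTL_SECONDS:
            self.audit.append(f"DENY user={user} role={role} reason=ttl-out-of-policy ttl={ttl}")
            return False
        grant = Grant(user, role, approver, ticket, now, now + ttl)
        self.active[(user, role)] = grant
        self.audit.append(
            f"GRANT user={user} role={role} approver={approver} ticket={ticket} expires={grant.expires_at}"
        )
        return True

    def is_elevated(self, user: str, role: str, now: int) -> bool:
        """The check the target system calls before honouring a privileged action."""
        grant = self.active.get((user, role))
        if grant is None:
            return False
        if now >= grant.expires_at:
            # Lazy expiry: the first check after the deadline removes the grant and logs it.
            del self.active[(user, role)]
            self.audit.append(f"EXPIRE user={user} role={role} at={now}")
            return False
        return True

    def revoke(self, user: str, role: str, by: str, now: int) -> bool:
        """Early revocation, e.g. when the leaver process fires mid-grant."""
        if self.active.pop((user, role), None) is None:
            return False
        self.audit.append(f"REVOKE user={user} role={role} by={by} at={now}")
        return True


if __name__ == "__main__":
    store = JitAccessStore()
    store.request("alice", "prod-admin", "bob", "CHG-1042", ttl=3600, now=1_000)
    print(store.is_elevated("alice", "prod-admin", now=1_500))   # True while the grant is live
    print(store.is_elevated("alice", "prod-admin", now=4_600))   # False once it has expired
    print("\n".join(store.audit))
```

The store answers the question the target system actually asks ("is this user elevated right now?") rather than "is this user in the admin group", which is what turns a stolen admin credential into a time-limited problem instead of a permanent one.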

4 IAM Deployment Models

On-Premises IAM

Traditional IAM running on your own servers. You control everything, including hardware, software, and security. This model offers maximum control but requires significant operational overhead.

Cloud IAM / IDaaS

Identity-as-a-Service (IDaaS) delivers IAM from the cloud. Workforce providers such as Okta and Microsoft Entra ID (formerly Azure AD) run the identity infrastructure for you. Cloud platforms also ship their own IAM layer, AWS IAM for example, which governs access to that platform's resources and is usually federated to the workforce identity provider rather than used as the identity source itself. This model scales easily and reduces operational overhead, but you inherit the provider's availability and security posture.

Hybrid IAM

Organizations with both on-premises and cloud applications need hybrid IAM. The system synchronizes identities across environments while maintaining separate control planes.

Customer IAM (CIAM)

CIAM manages external user identities for customer-facing applications. Unlike workforce IAM, CIAM prioritizes user experience and consent management.

Real-World IAM Examples

A new employee joins your company. IAM provisions their account based on role. The sales role gets access to CRM and email but not to financial systems. When the employee logs in through SSO, MFA requests a second factor. Behind the scenes, IAM checks device health, location, and behavior patterns. When the employee leaves, IAM deactivates all access automatically within minutes. No manual tickets. No orphaned accounts. No forgotten permissions.

The Cost of Poor IAM

Organizations without proper IAM face data breaches, compliance fines, and operational chaos. Ex-employees keep access to sensitive systems. Contractors accumulate permissions they no longer need. Shadow IT creates unmanaged identities. Attackers compromise weak passwords and move laterally through the network. Modern IAM is not optional. It is foundational to every security strategy.
