IAM (Identity and Access Management)
Here's what IAM actually does:
Identify and manage identities
- Create, update, and terminate user accounts for employees, consultants, partners, and sometimes system accounts.
- Manage the identity lifecycle: Onboarding → Changes → Exit (Joiner-Mover-Leaver processes).
- Synchronize identities across systems through directory services such as Active Directory or Azure AD.
Control access and permissions
- Define roles (Role-Based Access Control) or more granular policies (ABAC – Attribute-Based Access Control).
- Ensure that users only get the access they need (principle of least privilege).
- Manage group membership, security roles, and application permissions.
Authentication (proving identity)
- Set up and maintain authentication methods:
  - Password policies
  - MFA (Multi-Factor Authentication)
  - Certificates and smart cards
  - SSO (Single Sign-On)
- Integrate authentication with both on-premises systems and cloud services.
Authorization (granting access)
- Ensure that systems verify that the user has the correct permissions before access is granted.
- Implement policies that control access based on things like location, device, or time.
- Manage temporary (just-in-time) access.
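The "Control access and permissions" and "Authorization" points above, shown as working code. This is an added example, not code from the page: it combines role-based permissions (RBAC), attribute-based conditions on device, location and time (ABAC), and a just-in-time grant that expires on its own. The role names, permission strings, allowed countries and the 08:00-18:00 window are constructed assumptions.

```python
"""Added example (not from the original page): a small authorization check that
combines role-based permissions (RBAC), attribute-based conditions (ABAC) and
just-in-time (JIT) elevation with expiry.  Role names, permission strings,
countries and time windows below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# RBAC: each role carries only the permissions that job needs (least privilege).
ROLE_PERMISSIONS = {
    "helpdesk": {"user:read", "user:reset-password"},
    "hr": {"user:read", "user:update"},
    "db-admin": {"db:read", "db:write"},
}


@dataclass
class Principal:
    name: str
    roles: set
    # permission -> UTC expiry of a temporary (JIT) grant
    jit_grants: dict = field(default_factory=dict)


@dataclass
class Context:
    """Request attributes that the ABAC conditions evaluate."""
    now: datetime
    device_managed: bool = True
    location: str = "DK"


def make_context(hour, minute=0, device_managed=True, location="DK"):
    """Helper that builds a request context on a fixed (constructed) date."""
    return Context(datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc),
                   device_managed, location)


# ABAC: conditions on the request context, attached to sensitive permissions.
def business_hours(ctx):
    return 8 <= ctx.now.hour < 18


def managed_device(ctx):
    return ctx.device_managed


def allowed_location(ctx):
    return ctx.location in {"DK", "SE", "NO"}


CONDITIONS = {
    "db:write": [managed_device, business_hours, allowed_location],
    "user:update": [managed_device],
}


def grant_jit(principal, permission, ctx, minutes=60):
    """Temporary elevation: the grant carries its own expiry instead of a role change."""
    principal.jit_grants[permission] = ctx.now + timedelta(minutes=minutes)


def effective_permissions(principal, ctx):
    perms = set()
    for role in principal.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    # Expired JIT grants are dropped here, so elevation does not linger.
    for perm, expiry in list(principal.jit_grants.items()):
        if ctx.now < expiry:
            perms.add(perm)
        else:
            del principal.jit_grants[perm]
    return perms


def authorize(principal, permission, ctx):
    """Deny by default: the permission must be held AND every ABAC condition must pass."""
    if permission not in effective_permissions(principal, ctx):
        return False
    return all(check(ctx) for check in CONDITIONS.get(permission, []))


if __name__ == "__main__":
    alice = Principal("alice", {"helpdesk"})
    ctx = make_context(10)
    print("alice db:write before JIT:", authorize(alice, "db:write", ctx))
    grant_jit(alice, "db:write", ctx, minutes=30)
    print("alice db:write with JIT:", authorize(alice, "db:write", ctx))
    print("alice db:write after expiry:", authorize(alice, "db:write", make_context(10, 31)))
```

The design point is that a JIT grant is data with an expiry, not a role change someone has to remember to undo, and that holding a permission is never sufficient on its own: the ABAC conditions are evaluated on every request.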
Monitor and review
- Run access reviews to verify that users still need their rights.
- Track and log access attempts for audit and security analysis.
- Automate account suspensions at the end of employment, for example.
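The access-review and automated-suspension points above, as an added example that is not part of the original page: a joiner-mover-leaver reconciliation that compares an HR feed (the authoritative source) with a directory export and produces the findings a reviewer or an automation job would act on. The employee records, the department-to-group entitlement model, the `svc-` naming convention for service accounts and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Added example (not from the original page): a joiner-mover-leaver reconciliation
that compares an HR feed with a directory export and produces review findings.
The records, department entitlements, service-account prefix and the 90-day
dormancy threshold are constructed assumptions."""
from datetime import date, timedelta

# Constructed HR feed: the authoritative source for who is employed, and where.
HR_FEED = [
    {"id": "e100", "status": "active", "department": "finance", "end_date": None},
    {"id": "e101", "status": "terminated", "department": "it", "end_date": date(2024, 3, 31)},
    {"id": "e102", "status": "active", "department": "it", "end_date": None},  # moved from finance
]

# Constructed directory export: what the identity system currently grants.
DIRECTORY = [
    {"id": "e100", "enabled": True, "groups": {"finance-readers"}, "last_login": date(2024, 4, 10)},
    {"id": "e101", "enabled": True, "groups": {"it-admins"}, "last_login": date(2024, 3, 30)},
    {"id": "e102", "enabled": True, "groups": {"finance-readers", "it-admins"}, "last_login": date(2024, 1, 1)},
    {"id": "svc-backup", "enabled": True, "groups": {"backup-operators"}, "last_login": date(2023, 11, 1)},
    {"id": "e999", "enabled": True, "groups": {"it-admins"}, "last_login": date(2024, 4, 1)},
]

# Which groups a department legitimately needs (the entitlement model).
DEPARTMENT_ENTITLEMENTS = {"finance": {"finance-readers"}, "it": {"it-admins"}}

# Constructed date on which the review runs.
REVIEW_DATE = date(2024, 4, 15)


def is_service_account(account_id):
    """Assumed convention: service accounts carry an 'svc-' prefix."""
    return account_id.startswith("svc-")


def reconcile(hr_feed, directory, today, dormant_days=90):
    """Return the findings an access review would act on.

    suspend : leavers whose end date has passed but whose account is still enabled
    orphaned: enabled non-service accounts with no HR record at all
    excess  : accounts holding groups outside their current department's entitlements
    dormant : enabled accounts with no login within dormant_days
    """
    hr_by_id = {rec["id"]: rec for rec in hr_feed}
    cutoff = today - timedelta(days=dormant_days)
    findings = {"suspend": [], "orphaned": [], "excess": {}, "dormant": []}

    for acct in directory:
        if not acct["enabled"]:
            continue  # already suspended; nothing to do
        if acct["last_login"] < cutoff:
            findings["dormant"].append(acct["id"])
        if is_service_account(acct["id"]):
            continue  # service accounts have no HR record; reviewed separately (assumption)
        rec = hr_by_id.get(acct["id"])
        if rec is None:
            findings["orphaned"].append(acct["id"])
            continue
        if rec["status"] == "terminated" and rec["end_date"] is not None and rec["end_date"] < today:
            findings["suspend"].append(acct["id"])
            continue
        # Mover check: anything beyond the current department's entitlements is excess.
        allowed = DEPARTMENT_ENTITLEMENTS.get(rec["department"], set())
        extra = acct["groups"] - allowed
        if extra:
            findings["excess"][acct["id"]] = extra

    for key in ("suspend", "orphaned", "dormant"):
        findings[key].sort()
    return findings


if __name__ == "__main__":
    for kind, value in reconcile(HR_FEED, DIRECTORY, REVIEW_DATE).items():
        print(f"{kind:>8}: {value}")
```

Running it on the constructed data flags e101 for suspension (leaver past end date), e999 as orphaned (no HR record), e102 for excess groups (a mover who kept finance access) and both e102 and svc-backup as dormant. The same reconciliation is what an automated leaver job runs on a schedule; the review output is what gets documented for audit.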
Ensure compliance
- Ensure that access management complies with regulations such as GDPR, NIS2, ISO 27001, or SOX.
- Document processes and report to internal/external audit.
Examples of tools and platforms within IAM:
- Microsoft Entra ID (formerly Azure AD)
- Okta
- Ping Identity
- SailPoint
- CyberArk (for privileged access)
- ForgeRock