IAM (Identity and Access Management)
Identity and Access Management (IAM) encompasses the technologies and processes for managing digital identities and controlling who is permitted to access which resources.
As a fundamental security component, IAM ensures that the right people can access the right resources at the right time, and that no one else can.
Core IAM Functions
- Identity Lifecycle Management: Provisioning, modifying, and deactivating user accounts throughout the employee lifecycle (Joiner-Mover-Leaver process)
- Authentication: Verification of identity via passwords, MFA (TOTP, FIDO2, push), biometrics, or certificates
- Authorization: Access decisions based on roles (RBAC), attributes (ABAC), or policies
- Single Sign-On (SSO): One login for all applications, which increases convenience and enables centralized session management
- Privileged Access Management (PAM): Special controls for administrative accounts, such as just-in-time access, session recording, and password vaults
- Identity Governance: Regular access recertification, segregation of duties (SoD), and compliance reporting
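The functions above interact in a single access decision. The following is an added example (not code from any IAM product or from the original page) showing a deny-by-default policy check that combines RBAC role grants, an ABAC condition on the session (MFA), a PAM-style just-in-time elevation with expiry, an SoD conflict check, and the Leaver step of the lifecycle; the role names, permissions, and conflict pairs are constructed for illustration.

```python
from __future__ import annotations
import time
from dataclasses import dataclass, field

# Constructed RBAC mapping: role -> standing permissions.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write"},
    "release-approver": {"deploy:approve"},
    "db-admin": {"db:admin"},
}
# Segregation of duties: role pairs one identity must never hold at the same time.
SOD_CONFLICTS = [frozenset({"developer", "release-approver"})]
# ABAC-style condition: privileged permissions require an MFA-backed session.
MFA_REQUIRED = {"db:admin", "deploy:approve"}


@dataclass
class Identity:
    user: str
    roles: set[str]
    mfa: bool = False
    active: bool = True                   # False once the Leaver step has run
    jit_grants: dict[str, float] = field(default_factory=dict)  # perm -> expiry (epoch s)


def sod_violations(identity: Identity) -> list[frozenset[str]]:
    """Return the conflicting role combinations this identity currently holds."""
    return [pair for pair in SOD_CONFLICTS if pair <= identity.roles]


def grant_jit(identity: Identity, permission: str, seconds: int, now: float) -> None:
    """PAM-style just-in-time elevation that expires on its own."""
    identity.jit_grants[permission] = now + seconds


def authorize(identity: Identity, permission: str, now: float | None = None) -> bool:
    """Deny-by-default decision combining lifecycle, governance, ABAC, RBAC and PAM."""
    now = time.time() if now is None else now
    if not identity.active:               # Leaver: deprovisioned accounts get nothing
        return False
    if sod_violations(identity):          # governance: blocked until recertified
        return False
    if permission in MFA_REQUIRED and not identity.mfa:
        return False                      # ABAC: session attribute requirement not met
    if any(permission in ROLE_PERMISSIONS.get(r, set()) for r in identity.roles):
        return True                       # RBAC: standing grant via a role
    expiry = identity.jit_grants.get(permission)
    if expiry is not None and now < expiry:
        return True                       # PAM: time-boxed elevation still valid
    return False
```

Note that the JIT grant alone is not enough: the MFA condition is evaluated before any grant, so an elevated session without strong authentication is still denied.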
IAM Standards and Protocols
| Protocol | Use |
|---|---|
| SAML 2.0 | Federation, Enterprise SSO |
| OAuth 2.0 | Authorization for APIs |
| OpenID Connect | Authentication via OAuth 2.0 |
| SCIM | Automated user provisioning |
| FIDO2/WebAuthn | Passwordless authentication |
Zero Trust and IAM
IAM is the foundation of every Zero Trust architecture: identity is the primary access control factor. Without strong IAM, Zero Trust cannot be implemented.
In the NIST SP 800-207 framework, Identity & Access Management is the first and most important of the five Zero Trust pillars.