Identity and Access Management(IAM)

A framework of policies and technologies that ensures the right individuals have appropriate access to technology resources, encompassing authentication, authorization, and identity lifecycle management.

What Is IAM?

Identity and Access Management (IAM) is the security discipline responsible for managing digital identities and controlling what resources each identity can access. IAM answers three fundamental questions:

  1. Who are you? (Authentication)
  2. What can you do? (Authorization)
  3. What did you do? (Audit)

Core IAM Capabilities

  • Single Sign-On (SSO): One login for all applications, reducing password fatigue
  • Multi-Factor Authentication (MFA): Verify identity with multiple factors (knowledge, possession, biometrics)
  • Directory Services: Centralized identity store (Active Directory, LDAP, cloud directory)
  • Provisioning/Deprovisioning: Automate account creation and removal across systems
  • Role-Based Access Control (RBAC): Assign permissions based on job function
  • Adaptive Authentication: Adjust authentication requirements based on risk signals
  • Federation: Trust relationships between identity providers for cross-organization access

IAM vs. PAM vs. IGA

| Discipline | Focus | Example | |---|---|---| | IAM | All user authentication and access | SSO into Salesforce | | PAM | Privileged/admin access | Admin SSH to production server | | IGA | Access governance and certification | Quarterly access review campaigns |

These disciplines are complementary — most organizations need all three.

Cloud IAM Considerations

Modern IAM must handle:

  • Workforce identity — Employees and contractors accessing corporate apps
  • Customer identity (CIAM) — End users logging into customer-facing applications
  • Machine identity — Service accounts, API keys, workload identities
  • Multi-cloud identity — Consistent access across AWS, Azure, and GCP

Evaluating IAM Solutions

Key factors:

  1. Protocol support — SAML 2.0, OIDC, OAuth 2.0, SCIM
  2. MFA options — FIDO2/WebAuthn, push notification, TOTP, SMS
  3. Application catalog — Pre-built integrations with SaaS applications
  4. Developer experience — APIs, SDKs, and customization capabilities
  5. Scalability — Authentication throughput for your user base
  6. Passwordless support — Passkeys, biometric, certificate-based authentication

Leading IAM Vendors

Major IAM providers include Okta, Microsoft Entra ID, Ping Identity, Auth0, ForgeRock, OneLogin, JumpCloud, and Duo Security.

Related on CyberSecTool

Buying guides

Related tools