Principles and Identity

Identity and Access Management (IAM)

Processes and tools to manage digital identities and access to resources.

Where you will see it: Used when designing and operating access control, authentication, authorization, and identity lifecycle.

What it is

Identity and Access Management is the set of processes and technologies used to create and manage identities, authenticate them, and control what they are allowed to access. In enterprise environments it covers users, devices, and service identities.

Key points
  • Automate joiner‑mover‑leaver workflows.
  • Federate identities with standards like SAML/OIDC.
  • Audit access and enforce policy.

How it works in broad strokes

  1. Define authoritative identity sources and lifecycle processes for joiner, mover, and leaver events.
  2. Use strong authentication and session controls, then issue short-lived credentials or tokens for access.
  3. Enforce authorization through roles or attributes, and log access and policy changes centrally.

Concrete example

A company uses a central identity provider for workforce access. Employees authenticate with MFA, receive short-lived tokens, and access cloud apps through federation. When someone changes role, group membership updates automatically and permissions follow the new role.

Why it matters

Most modern security decisions depend on identity. Strong IAM reduces unauthorized access, supports least privilege, and makes investigations and audits far easier because actions are tied to a clear identity and policy.

Security angle

  • Treat identity data as sensitive and protect directories, IdPs, and credential stores as high value assets.
  • Use federation and single sign-on to reduce password sprawl and to centralize policy enforcement.
  • Design recovery and lifecycle flows carefully because attackers often target enrollment and account recovery.

Common pitfalls

  • Letting identity sources drift, creating duplicate accounts and orphaned access.
  • Relying on shared accounts or unmanaged service credentials that bypass governance.
  • Underestimating account recovery and enrollment as prime fraud and takeover paths.

DEEP DIVE

Identity as the control plane

In many environments the network is no longer the primary boundary. SaaS, remote work, and APIs mean that identity is the common thread across access decisions. IAM becomes the control plane that determines who, what, and under which conditions access is allowed.

NIST describes IAM as the administration of individual identities and the management of roles and access privileges in enterprise IT. That framing is important because IAM is not just login. It is identity creation, change management, and access governance across the lifecycle.

Lifecycle design that prevents privilege buildup

The difference between good and bad IAM is usually lifecycle discipline. Joiner processes create accounts with the right baseline. Mover processes adjust permissions when roles change. Leaver processes revoke access promptly and cleanly across systems.

In practice, lifecycle is a combination of HR or authoritative data sources, provisioning automation, and periodic reconciliation. Without reconciliation, systems drift and access accumulates, which undermines least privilege no matter how strong authentication is.

Authentication, sessions, and modern threats

Authentication is not just about proving identity once. Modern threats include phishing, token theft, and session hijacking. Strong IAM treats sessions as assets: tokens should be short-lived, bound to devices when possible, and re-evaluated when risk changes.

NIST digital identity guidance emphasizes risk-based assurance for identity proofing, authentication, and federation. That is the mindset to adopt: pick an assurance level that matches the risk of the resource, not a one-size-fits-all policy.

Authorization that stays understandable

Authorization is where complexity can explode. Role-based models work well for common job functions, while attribute-based models handle context like device trust, location, or data sensitivity. The key is to keep the policy language consistent and to avoid ad hoc exceptions.

A useful rule is that every permission should be traceable to a business need and a named owner. If you cannot explain why a role exists or who approves it, it will eventually become a security liability.
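The reconciliation described under lifecycle design (comparing an authoritative source against what is actually provisioned, so joiner, mover, and leaver drift becomes visible) and the traceability rule above (every permission maps to a role with a named owner) can be expressed as one small check. This is an added example, not code from the original article; the HR feed, role model, provisioned entitlements, account names, and owner names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (illustration only): authoritative HR feed, role model
# with a named owner per role, and what a target system actually has provisioned.
HR_FEED = {
    "alice": {"status": "active", "role": "finance-analyst"},
    "bob": {"status": "active", "role": "support-engineer"},  # mover: was in finance
    "carol": {"status": "terminated", "role": "finance-analyst"},  # leaver
    "dave": {"status": "active", "role": "support-engineer"},  # joiner, not yet provisioned
}
ROLE_MODEL = {
    "finance-analyst": {"owner": "head-of-finance", "entitlements": {"erp:read", "expenses:approve"}},
    "support-engineer": {"owner": "support-lead", "entitlements": {"ticketing:write", "kb:read"}},
}
PROVISIONED = {
    "alice": {"erp:read", "expenses:approve"},
    "bob": {"ticketing:write", "kb:read", "expenses:approve"},  # privilege buildup after the move
    "carol": {"erp:read"},  # leaver access never revoked
    "svc-legacy": {"erp:admin"},  # no HR record at all
}

@dataclass(frozen=True)
class Finding:
    account: str
    kind: str  # orphaned | leaver | excess | missing
    entitlement: str
    owner: str  # named owner who can justify the entitlement, "" if nobody can

def owner_of(entitlement, roles):
    """Trace an entitlement to the owner of a role that grants it ("" if untraceable)."""
    for role in roles.values():
        if entitlement in role["entitlements"]:
            return role["owner"]
    return ""

def reconcile(hr, roles, provisioned):
    """Compare provisioned access against the authoritative source and the role model."""
    findings = set()
    for account in set(hr) | set(provisioned):
        granted = provisioned.get(account, set())
        record = hr.get(account)
        if record is None:  # orphaned: nothing authoritative backs the account
            findings |= {Finding(account, "orphaned", e, owner_of(e, roles)) for e in granted}
        elif record["status"] != "active":  # leaver: every remaining grant must be revoked
            findings |= {Finding(account, "leaver", e, owner_of(e, roles)) for e in granted}
        else:  # joiner or mover: diff against what the current role justifies
            role = roles[record["role"]]
            findings |= {Finding(account, "excess", e, owner_of(e, roles)) for e in granted - role["entitlements"]}
            findings |= {Finding(account, "missing", e, role["owner"]) for e in role["entitlements"] - granted}
    return findings
```

Run periodically against each target system; an entitlement whose owner comes back empty is exactly the permission the rule above says you cannot explain.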

How to start building IAM the right way

Start by inventorying identity systems: directories, identity providers, privileged accounts, and service accounts. Pick one critical application and route all access through the central IdP with MFA, then enforce a clear role model with least privilege.

Next, standardize lifecycle events and automate deprovisioning. Once offboarding is reliable, expand to provisioning, access reviews, and service identity governance. That sequence reduces risk early and builds confidence in the program.