What Is Identity Access Management (IAM)?

With an IAM system, businesses can apply the same security policies across the enterprise. Using tools such as a NAC solution allows them to restrict which users can access resources and when. That helps greatly reduce the chance that unauthorized parties will see--or accidentally or intentionally misuse--sensitive data.

IAM methods like single sign-on (SSO) and MFA also reduce the risk that user credentials will be compromised or abused, as users don't need to create and keep track of multiple passwords. And because users need evidence-based authorization--like security questions, one-time passwords, or inherent factors like thumbprints--to access protected resources, there is less chance a malicious actor will gain access to critical resources.

IAM systems can help organizations meet the requirements of many compliance mandates related to data security and privacy. For example, IAM can aid in Health Insurance Portability and Accountability Act (HIPAA) compliance, which requires organizations that handle protected health information to implement secure electronic access to health data.

Businesses can use IAM methods like SSO, MFA, role-based access control (RBAC), and "least privileges" (giving users and entities such as software applications the minimal amount of access required to perform a task) to meet the HIPAA mandate.

IAM is also useful to financial services institutions, which need to comply with the Sarbanes-Oxley Act (SOX). Section 404 mandates that businesses implement, test, and document adequate internal controls for preparing financial reports and protecting the integrity of the financial data in those reports. Enforcement of segregation of duties (SoD) policies is one of the many ways that IAM tools and systems can help businesses adhere to SOX requirements.

With security measures like SSO, MFA, or RBAC, organizations can enhance security while also reducing barriers that prevent workers from being productive. Employees get fast access to the resources they need to do their jobs from wherever they need to work. With IAM, employees can feel more confident they are working in a secure environment.

An IAM system that enables automated user provisioning also makes it easy for employees to request and gain authorized access to different resources when needed--without burdening IT or making IT a bottleneck to employee productivity.

IAM solutions can automate and standardize many tasks related to identity, authentication, and authorization management. That means IT administrators can devote their time to more value-adding tasks for the business. Additionally, many IAM services are now cloud-based, so the need to purchase, implement, and maintain on-premises infrastructure for IAM can be greatly reduced or eliminated.

With MFA, users are asked to provide a combination of authentication factors to verify their identities. In addition to usernames and passwords, enterprises commonly use the time-based one-time password (TOTP) method, which requires users to provide a temporary passcode that has been sent via SMS, phone call, or email. Other MFA systems require users to provide biometric authentication of their identity--also referred to as inherent factors--such as a fingerprint or facial ID scan.

SSO is an identification system commonly used in enterprises to verify users' identities. It allows an authorized user to securely log in to multiple SaaS applications and websites using only one set of credentials (username and password). SSO can be viewed as an automated version of MFA. SSO systems authenticate users with MFA and then, using software tokens, share that authentication with multiple applications. SSO can also be used to prevent access to designated assets or locations, such as outside websites and platforms.

The upside of using the SSO approach for IAM--aside from a more seamless login process for end users--is that it gives IT administrators the ability to set permissions, regulate user access, and provision and deprovision users with ease.

Federation allows for SSO without passwords. Using a standard identity protocol, like Security Assertion Markup Language (SAML) or WS-Federation, a federation server presents a token (identity data) to a system or application with which it has an established trust relationship. Because of that trust, users can then move freely between connected domains without having to reauthenticate.

Many large enterprises use RBAC, which is a method for restricting access to networks, sensitive data, and critical applications based on a person's role and responsibilities within an organization. RBAC is also known as access governance. Defined roles in RBAC may include end users, administrators, or third-party contractors. A role can be based on a user's authority, location, responsibility, or job competency. Sometimes roles are grouped together--for example, Marketing or Sales--so users with similar responsibilities in an organization who frequently collaborate can access the same assets.

By applying a zero trust security framework as part of RBAC, where very strict access controls are maintained with all users who request access to work assets, businesses can further prevent unauthorized access--and even contain breaches and reduce the risk of an attacker's lateral movement through the network.