What is Identity Access Management and What Does It Take to Implement?

May 2, 2022
Business Technology, IT and Security
3 min read

Successful businesses naturally grow. A small business with a couple of employees and one shared email alias can suddenly grow to have dozens of employees, dozens of SaaS-based applications and management platforms, and scores of connected devices, all connected to a cloud infrastructure.

How can you manage that? And how do you control who has access to what?

The answer is an old term that is getting a lot of attention in the tech industry right now: Identity Access Management (IAM).

What is IAM? Well, simply put, it’s a security process of codifying identities and groups inside of a network and associating each identity with corresponding access permissions and functions within the network. It’s controlling who gets access to what based on the identity of the user.

IAM addresses scaling and administrative concerns with a conceptual breakout known as the three As of IAM:

  1. Authentication (verifying identity/WHO you are, this includes your user, credentials, MFA and other considerations to verify you such tokens, Certificates and keys), often abbreviated as authn
  2. Authorization (verifying what access that identity has to applications, resources, services, networking, and other items, even things like physical access), often abbreviated as authz
  3. Accounting (logging and tracking)

However, what was once a focus on managing user information technology accounts in the enterprise space is now a lot more complicated. With the rise of several types of accounts and identities such as cloud, mobile and other devices, e-commerce, and social networks, there’s more to consider now than ever.

There is not a single type of identity, identity token, or IAM.

Some security experts encourage strategically detailing a “fourth A” by the conceptual splitting of authorization from Access Control (AC). This establishes a distinction from Authorization, which is a component of data security that dictates which users are allowed to access company information, resources, applications, and even physical building spaces, where Access Control would be the implementation of the restrictions. You can consider one defining what is permitted while the other enforces what is premised.

But instead of slipping further into the weeds on all of that, consider some existing forms of IAM that you may already use.

Do you access Spotify by logging into Facebook? Or do you rely on a Google or Microsoft login to access your favorite notation app?

These are both common forms of identity access management. There are a number of benefits in using these. For example, if you’re first signing up for a service and using Facebook to log in, a lot of your personal information automatically populates from Facebook.

You also have fewer usernames and passwords to remember. And you may be thinking, “Isn’t fewer passwords a bad thing?” Well, actually, having fewer, longer passwords is currently the recommended posture by the National Institute of Standards and Technology.

Working toward a cohesive identity solution that incorporates vital security tools, such as multi-factor authentication (MFA) and single sign-on (SSO), is an essential part of any security stack. If you don’t have the capacity to undertake this implementation, contact Tigunia today.