Identity and Access Management (IAM)

IAM (Identity and Access Management) is a framework consisting of

• policies
• processes
• technologies

to ensure right individuals, devices and software have approriate access to resources within an organization both when working on-premise or remotely.

Key Functions of IAM:

• Identity Management: Creating Identity

  Creating and managing digital identities of users, devices, or applications.

• Authentication: Verifying identity

  Verifying that an entity is who or what it claims to be. Through protocols/standards like: MFA, OAuth 2.0, OpenID Connect, SAML, LDAP, Kerberos.

• Authorization: Granting Permission

  Granting access permissions based on roles, job functions, or policies.

• Access Control: Enforcement of Authroization

  Enforcing rules that limit resource access to authorized entities only.

• Identity Governance: Auditing and Compliance

  Tracking and auditing access permissions for compliance and security.

• Provisioning and Deprovisioning: Updating Identity and Authorization

  Adding, updating, or removing users and their permissions as roles change or when users leave the organization.

Some software for IAM are:

• Microsoft Entra
• Oracle IAM
• IBM's ISAM
• Okta
• SecureAuth

IAM is more broad than tradition on premise authentication and authorization service like Active Directory. Broad in terms of it being not just a tool but a process too, and also broad because of its support for cloud, SaaS based workflows. Features of IAM, in addition to AD are:

• Cloud Identity Management - Manages identity for SaaS platforms and mobile devices
• Conditional Access / Risk based policies - Based on location, device
• Privileged Identity Management (PIM) - time-limited, approval based privilages
• Internet Access - Access to internal resources without traditional VPNs
• Auditing and Governance - Compliance with GDPR, HIPAA