Identity and access management (IAM)

What is identity and access management (IAM)?

Identity and Access Management (IAM) is a framework of policies, processes, and technologies that ensures the right individuals (or machines) have appropriate access to resources at the right times​.

In practice, IAM covers the entire lifecycle of digital identities and how those identities authenticate and what they’re authorized to do. It includes components such as identity provisioning (creating user accounts and roles), authentication (verifying identity, e.g. via passwords or keys), authorization (granting access rights based on identity attributes or roles), and auditing (tracking and logging access). 

By implementing IAM, organizations manage user identities in a centralized way: one user might have a single identity that gains access to many systems under defined constraints. IAM systems help enforce security policies (like strong authentication, least privilege, and separation of duties) consistently across an enterprise’s IT environment.

How does it affect identity security

IAM is essentially the front line of defense for identity security. Without a strong IAM program, user accounts can proliferate without proper oversight, privileges may be mis-assigned or never revoked, and detecting misuse becomes much harder. 

A good IAM program ensures every user is uniquely identified, properly authenticated, and limited to the minimal set of permissions required – greatly reducing the risk of insider threats or external attackers escalating privileges. It’s also crucial for compliance (meeting standards like GDPR, HIPAA, etc., which require controlling and logging access to personal or sensitive data). In short, IAM is important because it enforces security principles (like least privilege and need-to-know) at scale. 

When identity security incidents occur, often a flaw in IAM is to blame – such as an account that wasn’t deprovisioned or a lack of MFA on an admin account. Thus, robust IAM is synonymous with robust identity security, as it touches authentication, authorization, and accountability for every user and device.

Case study

A classic case underscoring IAM importance is the 2016 Uber data breach. Attackers gained access to Uber’s GitHub code repository and found hardcoded AWS credentials, which they then used to access Uber’s Amazon S3 storage containing sensitive user data​. 

In this breach, the failure was an IAM one: secrets (access keys) were not properly managed and were tied to an identity that had broad access to data. The attackers did not exploit a software vulnerability; instead, they exploited poor identity and access management practices. As a result, personal data of 57 million riders and drivers was stolen. This incident led to Uber overhauling its IAM practices – including stricter credential management (no plaintext keys in code), use of a password manager and IAM roles, and more vigilant access monitoring. 

‍