What Is Identity and Access Management (IAM)?

Written by: Chris Tozzi

Identity and access management, or IAM, is a foundational component of virtually any modern application environment. By providing a systematic way to assign roles and permissions to users and groups, IAM plays a central role in securing resources, mitigating security vulnerabilities, and (when properly implemented) enforcing the principle of least privilege.

What Is Identity and Access Management?

Identity and access management (IAM) is a software service or framework that allows organizations to define user or group identities within software environments, then associate permissions with them. The identities and permissions are usually spelled out in a text file, which is referred to as an IAM policy.

As an example of an IAM policy, a team could create a rule that grants a specific user the right to list files within an object storage bucket in the cloud. Or, an IAM policy could grant a group of users in a branch office the ability to both read and upload files to a local database.

These are just basic examples. In a large-scale environment, a team might maintain dozens or even hundreds of different IAM policies. The policies can be used to manage access rights for any of the dozens of services that the organization may use, either on-premises or in the cloud.

Why Is IAM Important?

Identity and access management is important because it allows organizations to share IT resources among multiple users and groups. It helps organizations establish trust for who can be signed in to an account (authentication) while at the same time ensuring that each user or group has only the specific access rights that he or she requires (authorization).

Without IAM, teams would struggle to manage access rights in an efficient way. They would have to rely on alternatives such as creating an entirely separate cloud computing account for each user. That would be inefficient to manage, and would make it difficult to share cloud resources between users.

They could also simply allow every user within their team to have the same level of access to every resource in their environment. But that would be insecure because each individual typically needs to access only certain resources. For example, developers who work for the HR department may need to access databases and virtual machines associated only with their applications, while other developers who build software for the finance department require different permissions. If you were to give all developers access to all resources, you would increase the risk of security oversights and exposures.

With IAM, it’s easy to ensure that each user and group has exactly the level of access rights he, she, or they need – no more and no less. Doing so adheres to the principle of least privilege, which states that access rights should be restricted to the minimum necessary for a user to complete his or her work.

IAM vs. PAM

Identity and access management is sometimes compared to privileged access management, or PAM. The exact nature of the relationship between IAM and PAM is subjective and depends on your perspective. However, most teams treat PAM as a subset of IAM. They use PAM to manage permissions for privileged users, meaning those who fill administrative roles and require access to systems (such as the IAM framework itself) that ordinary users do not. IAM is a broader category of tool that applies to all users.

Cloud IAM vs. On-Prem IAM

Most conversations about identity and access management today focus on the cloud. That is because public cloud platforms (such as Amazon Web Services, Microsoft Azure, and Google Cloud) rely on IAM services as the foundation for user rights and access management. If you create a cloud-based IT environment of any size and complexity, you’ll need to use cloud identity and access management to control access roles and permissions within it.

That said, IAM systems can be used on-premises as well. Directory services like Active Directory and OpenLDAP, also known as Identity Providers (IdP) could be considered a form of IAM. Basic user and group permissions, such as those defined in the /etc/group file on a Linux system, could also qualify as a simple IAM system, although they are not as granular as cloud IAM, and they are not designed for use within a distributed computing environment that includes multiple servers and services.

IAM Security

While IAM provides a powerful means of helping to secure complex environments, it presents some security challenges. Misconfigured IAM policies, such as a policy that gives anyone on the Internet the ability to view the contents of a storage bucket, can create major security vulnerabilities. It can also be challenging to ensure that IAM rules remain secure as teams update them to reflect changing user roles and access needs.

Scanning IAM policies continuously can help teams manage these security risks by detecting insecure configurations before they lead to an active breach.