IAM (Identity & Access Management)
IAM
Identity and Access Management
1. Overview: An Identity Management System That Controls Access by Consistently Managing Users, Resources, and Permissions
flowchart LR
A["Account management is fragmented<br/>Excessive privilege grants<br/>Access history is untraceable"] --"Unify identity<br/>standardize access policy"--> B["Integrated IAM system:<br/>authentication, authorization, auditing"] --"Least-privilege principle<br/>linked to Zero Trust"--> C["Strengthened security<br/>compliance achieved"]
style A fill:#FFEBEE,stroke:#D32F2F,color:#000
style B fill:#E3F2FD,stroke:#1976D2,color:#000
style C fill:#E8F5E9,stroke:#388E3C,color:#000
Definition: A security framework that manages an organization’s digital identities and controls access by users, systems, and applications to resources under the 3A principles — Authentication, Authorization, and Auditing — ensuring “the right person accesses the right resource for the right reason.”
Characteristics: (Principle of Least Privilege, PoLP) Grants only the minimum privileges needed to perform a job, preventing insider threats and privilege abuse. (Single Identity) SSO and directory integration let a user access many systems with one identity. (Linked to Zero Trust) A core component of Zero Trust architecture — “Identity is the new perimeter.”
2. Core Structure of IAM
A. Authentication and Authorization Framework
flowchart TD
subgraph AUTHN["Authentication — verifying identity"]
direction LR
A1["Knowledge-based<br/>Password/PIN<br/>Security questions"]
A2["Possession-based<br/>OTP/smart card<br/>Authenticator app"]
A3["Biometric-based<br/>Fingerprint/face/iris<br/>Behavioral biometrics"]
end
subgraph AUTHZ["Authorization — determining access rights"]
direction LR
B1["RBAC<br/>Role-based access control<br/>By title/department"]
B2["ABAC<br/>Attribute-based access control<br/>Multi-dimensional policy"]
B3["PBAC<br/>Policy-based access control<br/>Dynamic context"]
end
AUTHN -->|"after identity is verified"| AUTHZ
style AUTHN fill:#E3F2FD,stroke:#1976D2,color:#1E3A5F
style AUTHZ fill:#E8F5E9,stroke:#388E3C,color:#1B5E20
Strengthening Authentication — MFA (Multi-Factor Authentication)
| Authentication Factor | Method | Examples |
|---|---|---|
| Knowledge factor | Something you know | Password, PIN, security questions |
| Possession factor | Something you have | OTP token, smart card, authenticator app (TOTP) |
| Biometric factor | Something you are | Fingerprint, facial recognition, iris, vein pattern |
| Location factor | Somewhere you are | IP range, GPS location, network zone |
Comparison of Access Control Models
| Model | Characteristics | Suitable Environment |
|---|---|---|
| RBAC | Grants permissions to roles and assigns users to roles | Enterprises with a clear organizational hierarchy |
| ABAC | Determines policy from attributes of users, resources, and environment | Complex access policy, cloud environments |
| PBAC | A centralized policy engine decides in real time based on context | Zero Trust, dynamic access control |
| DAC | Resource owners set access permissions directly | Small scale, file-system sharing |
| MAC | Mandatory access control based on security classification (labels) | Defense, government, high-security environments |
B. IAM Implementation Models and Key Technologies
flowchart TD
subgraph R1[" "]
direction LR
T1["Directory services<br/>Active Directory<br/>LDAP / Azure AD<br/>Central identity store"]
T2["SSO (Single Sign-On)<br/>Authenticate once,<br/>access many systems<br/>SAML / OAuth / OIDC"]
end
subgraph R2[" "]
direction LR
T3["PAM (Privileged Access Management)<br/>Control admin accounts<br/>Session recording, Just-in-Time<br/>CyberArk / BeyondTrust"]
T4["IGA (Identity Governance & Administration)<br/>Automate account lifecycle<br/>Access certification<br/>SailPoint / Saviynt"]
end
style T1 fill:#E3F2FD,stroke:#1976D2,color:#000
style T2 fill:#F3E5F5,stroke:#7B1FA2,color:#000
style T3 fill:#FFEBEE,stroke:#D32F2F,color:#000
style T4 fill:#E8F5E9,stroke:#388E3C,color:#000
style R1 fill:none,stroke:none
style R2 fill:none,stroke:none
Key IAM Protocols and Standards
| Protocol/Standard | Purpose | Key Use |
|---|---|---|
| SAML 2.0 | Enterprise SSO — exchanges XML-based authentication assertions | SSO across enterprise applications, IdP-SP integration |
| OAuth 2.0 | Delegated authorization — delegates resource access to third-party apps | Social login, issuing API access tokens |
| OpenID Connect | An identity layer on top of OAuth 2.0 — provides an ID token | Mobile/web app authentication, JWT-based identity verification |
| FIDO2/Passkey | Passwordless authentication — public-key-based biometric authentication | Secure login without passwords |
| SCIM | A standard for automating user account provisioning | Account synchronization between an IdP and SaaS apps |
3. Expected Benefits and Practical Application of Adopting IAM
| Category | Key Expected Benefit | Application & Practical Use |
|---|---|---|
| Stronger security | Reduces risk of account takeover, insider threats, and privilege abuse | Enforce MFA org-wide and centralize control of privileged accounts via PAM |
| Operational efficiency | Reduces IT operational burden through automated provisioning/deprovisioning | Automatically manage joiner/leaver accounts via HR system integration |
| Zero Trust | Overcomes the limits of perimeter security through identity-based access control | Use IAM as the Policy Enforcement Point when implementing ZTNA |
| Compliance | Meets regulatory requirements through access history auditing and periodic access certification | Addresses access-control requirements of ISMS-P, SOX, and privacy laws |