Skip to content
IAM (Identity & Access Management)

IAM (Identity & Access Management)

IAM

Identity and Access Management

1. Overview: An Identity Management System That Controls Access by Consistently Managing Users, Resources, and Permissions

    flowchart LR
    A["Account management is fragmented<br/>Excessive privilege grants<br/>Access history is untraceable"] --"Unify identity<br/>standardize access policy"--> B["Integrated IAM system:<br/>authentication, authorization, auditing"] --"Least-privilege principle<br/>linked to Zero Trust"--> C["Strengthened security<br/>compliance achieved"]

    style A fill:#FFEBEE,stroke:#D32F2F,color:#000
    style B fill:#E3F2FD,stroke:#1976D2,color:#000
    style C fill:#E8F5E9,stroke:#388E3C,color:#000
  

Definition: A security framework that manages an organization’s digital identities and controls access by users, systems, and applications to resources under the 3A principles — Authentication, Authorization, and Auditing — ensuring “the right person accesses the right resource for the right reason.”

Characteristics: (Principle of Least Privilege, PoLP) Grants only the minimum privileges needed to perform a job, preventing insider threats and privilege abuse. (Single Identity) SSO and directory integration let a user access many systems with one identity. (Linked to Zero Trust) A core component of Zero Trust architecture — “Identity is the new perimeter.”


2. Core Structure of IAM

A. Authentication and Authorization Framework

    flowchart TD
    subgraph AUTHN["Authentication — verifying identity"]
        direction LR
        A1["Knowledge-based<br/>Password/PIN<br/>Security questions"]
        A2["Possession-based<br/>OTP/smart card<br/>Authenticator app"]
        A3["Biometric-based<br/>Fingerprint/face/iris<br/>Behavioral biometrics"]
    end

    subgraph AUTHZ["Authorization — determining access rights"]
        direction LR
        B1["RBAC<br/>Role-based access control<br/>By title/department"]
        B2["ABAC<br/>Attribute-based access control<br/>Multi-dimensional policy"]
        B3["PBAC<br/>Policy-based access control<br/>Dynamic context"]
    end

    AUTHN -->|"after identity is verified"| AUTHZ

    style AUTHN fill:#E3F2FD,stroke:#1976D2,color:#1E3A5F
    style AUTHZ fill:#E8F5E9,stroke:#388E3C,color:#1B5E20
  

Strengthening Authentication — MFA (Multi-Factor Authentication)

Authentication FactorMethodExamples
Knowledge factorSomething you knowPassword, PIN, security questions
Possession factorSomething you haveOTP token, smart card, authenticator app (TOTP)
Biometric factorSomething you areFingerprint, facial recognition, iris, vein pattern
Location factorSomewhere you areIP range, GPS location, network zone

Comparison of Access Control Models

ModelCharacteristicsSuitable Environment
RBACGrants permissions to roles and assigns users to rolesEnterprises with a clear organizational hierarchy
ABACDetermines policy from attributes of users, resources, and environmentComplex access policy, cloud environments
PBACA centralized policy engine decides in real time based on contextZero Trust, dynamic access control
DACResource owners set access permissions directlySmall scale, file-system sharing
MACMandatory access control based on security classification (labels)Defense, government, high-security environments

B. IAM Implementation Models and Key Technologies

    flowchart TD
    subgraph R1[" "]
        direction LR
        T1["Directory services<br/>Active Directory<br/>LDAP / Azure AD<br/>Central identity store"]
        T2["SSO (Single Sign-On)<br/>Authenticate once,<br/>access many systems<br/>SAML / OAuth / OIDC"]
    end
    subgraph R2[" "]
        direction LR
        T3["PAM (Privileged Access Management)<br/>Control admin accounts<br/>Session recording, Just-in-Time<br/>CyberArk / BeyondTrust"]
        T4["IGA (Identity Governance & Administration)<br/>Automate account lifecycle<br/>Access certification<br/>SailPoint / Saviynt"]
    end

    style T1 fill:#E3F2FD,stroke:#1976D2,color:#000
    style T2 fill:#F3E5F5,stroke:#7B1FA2,color:#000
    style T3 fill:#FFEBEE,stroke:#D32F2F,color:#000
    style T4 fill:#E8F5E9,stroke:#388E3C,color:#000
    style R1 fill:none,stroke:none
    style R2 fill:none,stroke:none
  

Key IAM Protocols and Standards

Protocol/StandardPurposeKey Use
SAML 2.0Enterprise SSO — exchanges XML-based authentication assertionsSSO across enterprise applications, IdP-SP integration
OAuth 2.0Delegated authorization — delegates resource access to third-party appsSocial login, issuing API access tokens
OpenID ConnectAn identity layer on top of OAuth 2.0 — provides an ID tokenMobile/web app authentication, JWT-based identity verification
FIDO2/PasskeyPasswordless authentication — public-key-based biometric authenticationSecure login without passwords
SCIMA standard for automating user account provisioningAccount synchronization between an IdP and SaaS apps

3. Expected Benefits and Practical Application of Adopting IAM

CategoryKey Expected BenefitApplication & Practical Use
Stronger securityReduces risk of account takeover, insider threats, and privilege abuseEnforce MFA org-wide and centralize control of privileged accounts via PAM
Operational efficiencyReduces IT operational burden through automated provisioning/deprovisioningAutomatically manage joiner/leaver accounts via HR system integration
Zero TrustOvercomes the limits of perimeter security through identity-based access controlUse IAM as the Policy Enforcement Point when implementing ZTNA
ComplianceMeets regulatory requirements through access history auditing and periodic access certificationAddresses access-control requirements of ISMS-P, SOX, and privacy laws