What is IAM - Identity and access management?

Let's talk about Identity and Access Management (IAM) - something that can either make your architecture incredibly secure or frustratingly unusable. This article will walk you through what modern IAM looks like. You’ll learn what it is, what the components are, and how they intersect to support different security needs. By the end, you'll have a solid understanding of how to choose and implement access management practices that safeguard systems, without compromising on user experience.

What is identity management?

In the context of IAM, the identity portion is all about creating, managing, and authenticating identities. These are the foundation user (or non-human) profiles that exist inside an application or organization.

At the most simple level, they hold the user credentials and basic profile information but can be expanded to hold roles, groups, teams, associations, and other identity attributes.

It is this system that becomes a system of record for not only the user profile but also the authentication layer for verifying a user is who they say they are, and acts as this first line of defense in front of any application.

What is access management?

Here's how we’d explain it - if identity management answers "Who are you?", access management handles "What can you do?". These systems work hand in hand, but understanding the distinction helps us build more focused, maintainable solutions.

Once the identity is verified, the access management portion controls what actions authenticated users are permitted to perform once inside a system at a coarse-grained level - such as ensuring a user belongs to a particular group before letting them access a particular application. Without the proper identity management system in place first, this access management is pointless.

Key components of an IAM system

Authentication

Verifying a user is who they say they are is a complex process these days - what used to be a simple username and password check is now evolved to be much more secure and one could argue complex. With the introduction of biometric authentication, passkeys and regulatory requirements around MFA, a solid IAM system will allow these to be adopted and users enrolled as seamless components of the stack.

Authorization

A centralized IAM system is the best place to handle the first level of authorization. This is typically the directory information - which groups or locations in a hierarchy an identity belongs to. This is a coarse-grain level of authorization but maps very well to an organization's business structure. When it comes to the more fine-grained authorization, the upstream IAM system is a key input for Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC).

Single sign-on

Single sign-on (SSO) is where security meets user experience. SSO solves multiple problems at once. It reduces password fatigue for users, simplifies access management for admins, and when implemented correctly, can actually enhance security.

SSO allows users to log in once to access multiple applications or systems within a network. Once authenticated through SSO, users can move between authorized systems without needing to log in repeatedly. SSO is commonly implemented in enterprise environments to improve usability and simplify account management.

Audit & compliance

It is the IAM systems that become the digital manifestation of the joiners-movers-leavers process which every identity in a system goes through. Having rigorous audit logging around both these lifecycles of identity as well as the profile and directory updates, is a key requirement for regulatory and compliance needs.

Conclusion

Identity and access management isn't just about security - it's about enabling your organization to work effectively while maintaining appropriate controls. At Cerbos, we've built our solution to work alongside IAM systems - using them as an upstream source of truth for who the user is, when handling authorization checks. This makes it easier for developers to implement sophisticated access controls without getting bogged down in complexity.

Remember, the best IAM system is one that's actually used correctly. Keep it as simple as possible while meeting your security requirements, and always consider the user experience. Your future self (and your team) will thank you.