researchHQ’s Key Takeaways:
- Gartner defines identity and access management (IAM) as ‘the discipline that enables the right individuals to access the right resources at the right times for the right reasons.’
- IAM systems authenticate the identities of network users and authorize their access and permissions to digital resources accordingly.
- Customers, employees and business partners all require distinct IAM approaches on account of their different identities and access rights.
- A sophisticated IAM system may include tools such as multi-factor authentication (MFA), federated identity, single sign-on (SSO) and anomaly detection.
- Third-party IAM systems often have the edge over systems built in-house, offering reduced costs, greater adaptability and superior security and legal compliance.
Identity and Access Management (IAM) is the branch of IT concerned with verifying users’ identity and controlling their access to digital resources. Or, as Gartner defines it: “IAM is the discipline that enables the right individuals to access the right resources at the right times for the right reasons.”
IAM Key Concepts: Authentication vs. Authorization
As the name indicates, IAM concerns both verifying users’ identity (authentication) and granting them access to data based on that identity (authorization). These concepts are interrelated but not interchangeable, and understanding each is critical to grasp the larger meaning of IAM.
Authentication refers to the methods you use to determine that someone is who they claim to be. The classic authentication method is the username-password combination. However, using passwords alone is increasingly regarded as insecure: passwords can be guessed, phished or leaked in a breach, and credential stuffing attacks replay username-password pairs leaked from one service against every other service where the user reused them.
Today’s gold standard for verifying identity is multi-factor authentication (MFA), which supplements the password with a second factor that is harder to fake, such as a biometric scan or a one-time code generated on, or sent to, the user’s personal device. Not all second factors are equal: a code delivered by SMS can be intercepted by hijacking the phone number, so authenticator apps and hardware security keys are preferred where the user base can support them.
For a real-world metaphor, imagine going to a nightclub where you’re on the list. The bouncer checks your ID to make sure you’re really you (authentication). Then the bouncer lets you in and tells you that there’s an asterisk next to your name, which means you’re allowed into the VIP section (authorization).
Authorization is the allocation or delegation of permissions to a particular individual or type of user. For example, in the nightclub, a regular patron has access to the dance floor, a VIP is allowed behind the velvet ropes, but only the owner can get into the back office with the safe.
A modern IAM platform lets admins control authorization from a central user dashboard and via APIs, saving time and reducing the chance that stale or over-broad permissions turn into a security incident. For instance, you could log into your IAM dashboard and grant a specific freelancer the ability to edit their own pieces, but nobody else’s. Likewise, if an administrator leaves the company, you can revoke all of their access from one place, so they don’t walk away with valuable intellectual property.
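The authorization decision described above, written out as an added example (not code from the original article or from any IAM vendor). The roles, actions and user names are constructed for the illustration. It shows a deny-by-default role check, the “edit their own pieces” scope from the freelancer example encoded as a condition on the resource’s owner, and offboarding that disables the account so every later check fails.

```python
from dataclasses import dataclass

# Role -> set of (action, scope). Scope "any" applies to every resource of that type,
# "own" only to resources the user owns. Roles and actions are constructed for this example.
ROLE_PERMISSIONS = {
    "admin": {("article:read", "any"), ("article:edit", "any"),
              ("article:publish", "any"), ("user:manage", "any")},
    "editor": {("article:read", "any"), ("article:edit", "any"), ("article:publish", "any")},
    "freelancer": {("article:read", "any"), ("article:edit", "own")},
}


@dataclass(frozen=True)
class Article:
    id: str
    owner: str  # user id of the author


class Directory:
    """Central store of who holds which roles: the 'dashboard' side of IAM."""

    def __init__(self):
        self._roles: dict = {}      # user -> set of role names
        self._disabled: set = set()

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._roles.setdefault(user, set()).add(role)

    def revoke_user(self, user: str) -> None:
        """Offboarding: drop every role and mark the account disabled so no later check can pass."""
        self._roles.pop(user, None)
        self._disabled.add(user)

    def roles_of(self, user: str) -> set:
        if user in self._disabled:
            return set()
        return self._roles.get(user, set())


def authorize(directory: Directory, user: str, action: str, resource: Article) -> bool:
    """Deny by default: allowed only if some role held by the (already authenticated) user
    grants this action with a scope that matches the resource."""
    for role in directory.roles_of(user):
        for granted_action, scope in ROLE_PERMISSIONS.get(role, ()):
            if granted_action != action:
                continue
            if scope == "any" or (scope == "own" and resource.owner == user):
                return True
    return False


def build_demo_directory() -> Directory:
    """Constructed sample directory: one admin and one freelancer."""
    d = Directory()
    d.assign_role("alice", "admin")
    d.assign_role("fred", "freelancer")
    return d
```

Note that `authorize` takes the user identity as already established; authentication happens before this function is ever called, and nothing here re-checks a password. Keeping the two steps separate is what lets you change who may do what without touching how people log in.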
Types of IAM
Most organizations have multiple classes of users with different identity needs: their workforce, their business partners, and their customers. Even if you’re using the same IAM platform for all three, you’ll need to take a different approach for each.
The average business makes use of a wide variety of applications: some you buy and provision to your employees (like Slack or WordPress) and some you build in-house. In either case, you need a workforce IAM approach that integrates with all these disparate apps. As in the public library example later in this article, you use it to allocate permissions based on roles or individual identities.
Customer Identity (CIAM)
Customer identity and access management (CIAM) is its own branch of IAM and is used to control access to your external, customer-facing applications. You’re most likely to use social logins here and generally focus on reducing friction (while still implementing appropriate security). CIAM is rapidly expanding as people log in on more devices, like smart TVs and wearables.
A CIAM platform is concerned not just with the end user’s login experience, but with gathering information about them into a data-rich identity profile. The greater your understanding of your users, the greater your ability to provide value for them.
With this valuable data comes a huge responsibility: obeying data privacy laws on data collection and storage, and protecting sensitive data against breaches. Given that, a major (though often invisible) element of CIAM is controlling access to customer data by your own employees and third parties.
IAM for enterprise customers might be the most specialized branch of identity management. It’s also one of the most complex since large enterprises operate on different back-end technology stacks.
Custom-made identity solutions often falter here and struggle to scale when onboarding multiple large customers. That’s why startups often switch to third-party IAM platforms when they begin to move upmarket, so they can quickly federate identity using any provider and on any technology stack.
An old-fashioned approach to IAM might be as simple as a login box and some basic, role-based permissions. For instance, a public library with a digital card catalog just needs to let patrons log in and ensure they can’t access functions reserved for the librarians.
But that limited understanding of IAM is ill-suited to a post-digitization world. These days, most organizations utilize a vast number of applications, and personal data can be both a valuable asset and a dangerous legal liability. If that same public library wants to let patrons log into all nearby branches with the same credentials, interface with local school software to connect students with books, and simultaneously protect those students’ data, they’ll need a much broader set of tools than a simple login box.
Today, most IAM platforms provide some combination of the following tools and features, albeit with varying levels of customizability and extensibility.
Single Sign-On (SSO)
SSO is an IAM tool that enables a user to log into one of an organization’s properties and automatically be logged into a designated set of other properties. For example, when you log into Google, you’re automatically logged into your Gmail and YouTube accounts. For users, SSO reduces friction since they don’t have to keep track of different credentials for every application. For organizations, SSO centralizes control: MFA policy, session lifetime and revocation are enforced in one place, and it helps in collecting insights about user behavior and preferences since it tracks users as they move from one application to another, connected by a single login. The flip side is that the SSO provider becomes the highest-value target in the environment, because a compromised SSO account or identity provider opens every connected application at once.
While SSO lets users log into different properties or brands owned by a single organization, federated identity does the same thing across multiple organizations.
Most people are familiar with federated identity through social login, in which you can use your Google, Facebook, or Apple ID to log into a wide range of apps. Federation is built on trust: when you order from a food delivery app with your Apple ID, you’re not ordering from Apple; the app trusts Apple enough to take its word that you are who you claim to be. That trust has to be verified on every login. The app must check that the identity assertion was really signed by Apple, was issued for this app rather than some other app, has not expired, and answers the login request the app itself started.
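The verification a relying party must perform on a federated login, as an added example that is not part of the original article and not the code of Apple, Google or any identity provider. The token format follows the JWT layout used by OpenID Connect ID tokens, but the signature is a shared-secret HMAC standing in for the identity provider’s asymmetric signature (an assumption made so the example runs offline; real IdPs sign with a private key and publish the public key for verification). The issuer, client id, nonce and user id are constructed. The claim checks (issuer, audience, expiry, nonce) are the same whichever signature algorithm is in use, and the scenarios show the tokens a relying party must reject.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(idp_key: bytes, claims: dict) -> str:
    """What the identity provider does after the user authenticates with it.
    Stand-in: HS256 with a shared key. Real IdPs sign with a private key (RS256/ES256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(idp_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class TokenRejected(Exception):
    pass


def verify_id_token(token: str, idp_key: bytes, trusted_issuer: str, our_client_id: str,
                    expected_nonce: str, now: int) -> str:
    """What the relying party (the food delivery app) must do before treating the user as
    logged in. Returns the subject identifier on success, raises TokenRejected otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    # 1. Pin the algorithm: never let the token choose how it is verified ("alg": "none").
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    # 2. Check the signature over the exact bytes received, in constant time.
    expected = hmac.new(idp_key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    # 3. Only now can the claims be trusted. Each check below is a separate attack if skipped.
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != trusted_issuer:
        raise TokenRejected("untrusted issuer")
    aud = claims.get("aud")  # a valid token for another app must not log the user in here
    if not (aud == our_client_id or (isinstance(aud, list) and our_client_id in aud)):
        raise TokenRejected("token was issued for a different app")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenRejected("expired")
    if claims.get("nonce") != expected_nonce:  # ties the token to the login this app started
        raise TokenRejected("nonce mismatch (possible replay)")
    sub = claims.get("sub")
    if not sub:
        raise TokenRejected("no subject")
    return sub


def run_scenarios() -> dict:
    """Constructed scenarios: one honest login and five tokens a relying party must reject."""
    idp_key = b"constructed-idp-secret-for-the-example"
    issuer, our_app, nonce, now = "https://idp.example", "food-app", "n-8f2c", 1_700_000_000
    good = {"iss": issuer, "aud": our_app, "sub": "user-123", "exp": now + 300, "nonce": nonce}
    tokens = {
        "honest login": issue_id_token(idp_key, good),
        "issued for another app": issue_id_token(idp_key, {**good, "aud": "other-app"}),
        "expired": issue_id_token(idp_key, {**good, "exp": now - 1}),
        "replayed nonce": issue_id_token(idp_key, {**good, "nonce": "n-old"}),
        "forged, alg none": b64url(b'{"alg":"none"}') + "." + b64url(json.dumps(good).encode()) + ".",
        "forged, wrong key": issue_id_token(b"attacker-key", good),
    }
    results = {}
    for name, tok in tokens.items():
        try:
            results[name] = "accepted:" + verify_id_token(tok, idp_key, issuer, our_app, nonce, now)
        except TokenRejected as e:
            results[name] = "rejected:" + str(e)
    return results
```

The audience check is the one most often missing in hand-rolled social login: a perfectly valid token that the user obtained for some other app will pass the signature and issuer checks, so without it any app the user has ever signed into could impersonate them to yours.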