identity-and-access-management-(iam)
The security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
Identity and Access Management (IAM) is the framework of policies, processes, and technologies that manages digital identities and controls which resources those identities may access within an organization's IT environment. Its core functions are:
Identity Governance: managing each identity through its lifecycle (creation, modification, deletion). This covers user provisioning and deprovisioning, so that accounts are created accurately when needed and removed promptly when no longer needed; a lagging deprovisioning process leaves orphaned accounts that still carry their old permissions.
Authentication: verifying the identity of a user or system attempting to access a resource. This ranges from password-only authentication to multi-factor authentication (MFA) using biometrics, hardware tokens, or one-time passcodes.
Authorization: deciding which actions an authenticated identity may perform on a specific resource. This is typically expressed through role-based access control (RBAC), attribute-based access control (ABAC), or access control lists (ACLs), and should enforce the principle of least privilege: anything not explicitly granted is denied, and each identity holds only the permissions its duties require.
Access Management: enforcing the policies defined by governance, authentication, and authorization at runtime, and handling access requests, approvals, and periodic access reviews that re-certify existing grants.
IAM systems aim to enhance security by preventing unauthorized access, to reduce operational cost through automated provisioning, and to improve user productivity by simplifying access to the resources people legitimately need. The trade-offs are the complexity of implementation and ongoing management, the latency added by strict authentication and authorization checks on every request, and the need for robust auditing so that every access decision can later be reconstructed.
graph LR
Center["identity-and-access-management-(iam)"]:::main
Rel_firewall["firewall"]:::related -.-> Center
click Rel_firewall "/terms/firewall"
Rel_algorithms["algorithms"]:::related -.-> Center
click Rel_algorithms "/terms/algorithms"
Rel_concurrency["concurrency"]:::related -.-> Center
click Rel_concurrency "/terms/concurrency"
classDef main fill:#7c3aed,stroke:#8b5cf6,stroke-width:2px,color:white,font-weight:bold,rx:5,ry:5;
classDef pre fill:#0f172a,stroke:#3b82f6,color:#94a3b8,rx:5,ry:5;
classDef child fill:#0f172a,stroke:#10b981,color:#94a3b8,rx:5,ry:5;
classDef related fill:#0f172a,stroke:#8b5cf6,stroke-dasharray: 5 5,color:#94a3b8,rx:5,ry:5;
linkStyle default stroke:#4b5563,stroke-width:2px;
🧒 Explain Like I'm 5
IAM is like a master key system and a guest list for a giant office building. It knows exactly who works there, what floor they are allowed to go to, and which doors their keycard can open. It makes sure a person from the kitchen can't walk into the secret server room by mistake.
🤓 Expert Deep Dive
Modern IAM architectures rely on federated identity protocols: SAML (Security Assertion Markup Language) and OpenID Connect (OIDC) for federated authentication and Single Sign-On (SSO), and OAuth 2.0, on which OIDC is built, for delegated authorization across security domains. Centralized identity stores, such as LDAP directories or cloud-based identity providers (IdPs like Azure AD, now Microsoft Entra ID, or Okta), serve as the authoritative source of truth for user identities. Authorization models are evolving from static RBAC toward more dynamic ABAC, which evaluates context attributes at request time (for example time of day, network location, or device posture) for finer-grained control; in practice the two are layered, with roles granting a baseline and attribute conditions gating the riskier actions. A significant challenge is privileged access management (PAM), which requires specialized tooling to control, monitor, and audit high-risk accounts. Vulnerabilities arise from weak credential management, misconfigured or overly broad authorization policies, and insecure integration points between systems, any of which can lead to privilege escalation or data breaches.
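The following added example (not code from the original page or from any IAM product) shows the authorization and lifecycle points above in one small policy decision point: role-based permissions give a baseline, attribute conditions on the session context (MFA, device posture, time of day) gate the high-risk actions, a deprovisioned principal is refused before roles are even consulted, and every decision is written to an audit log. The identity store, roles, resources and conditions are all invented for the demonstration.

```python
"""
Toy policy decision point (PDP): deny-by-default authorization that layers
ABAC conditions on top of RBAC, with lifecycle status checked first.
Illustrative only: the identity store, roles and conditions are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed identity store (hypothetical principals, not real accounts).
# "status" is the lifecycle state maintained by provisioning/deprovisioning.
USERS = {
    "alice": {"roles": {"engineer"}, "status": "active"},
    "bob":   {"roles": {"engineer", "sre"}, "status": "active"},
    "carol": {"roles": {"sre"}, "status": "deprovisioned"},
    "dave":  {"roles": {"engineer"}, "status": "active"},
}

# RBAC: each role maps to the (resource, action) pairs it grants.
ROLE_PERMISSIONS = {
    "engineer": {("repo", "read"), ("repo", "write")},
    "sre":      {("repo", "read"), ("prod-db", "read"), ("prod-db", "admin")},
}

# ABAC conditions evaluated on the request context, layered on top of RBAC
# for high-risk permissions. Each takes the context dict and returns a bool.
def session_has_mfa(ctx):
    return ctx.get("mfa") is True

def device_is_managed(ctx):
    return ctx.get("device_posture") == "managed"

def within_business_hours_utc(ctx):
    hour = ctx["time"].astimezone(timezone.utc).hour
    return 8 <= hour < 18

CONDITIONS = {
    ("prod-db", "admin"): [session_has_mfa, device_is_managed, within_business_hours_utc],
    ("prod-db", "read"):  [session_has_mfa],
}

def at_utc_hour(hour):
    """Build a timezone-aware timestamp for a constructed request context."""
    return datetime(2024, 5, 6, hour, 0, tzinfo=timezone.utc)

# Constructed sample session context: MFA-backed session on a managed device at 10:00 UTC.
SAMPLE_CTX = {"mfa": True, "device_posture": "managed", "time": at_utc_hour(10)}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

AUDIT_LOG = []  # every decision is recorded, permit or deny

def authorize(user, resource, action, ctx):
    """Return a Decision; anything not explicitly permitted is denied."""
    decision = _evaluate(user, resource, action, ctx)
    AUDIT_LOG.append((user, resource, action, decision))
    return decision

def _evaluate(user, resource, action, ctx):
    record = USERS.get(user)
    # Lifecycle gate: an unknown or deprovisioned principal stops here,
    # regardless of what roles its stale record may still list.
    if record is None or record["status"] != "active":
        return Decision(False, "principal unknown or not active")
    perm = (resource, action)
    if not any(perm in ROLE_PERMISSIONS.get(role, set()) for role in record["roles"]):
        return Decision(False, "no assigned role grants this permission")
    for cond in CONDITIONS.get(perm, []):
        if not cond(ctx):
            return Decision(False, f"attribute condition failed: {cond.__name__}")
    return Decision(True, "role permits and all attribute conditions hold")

def deprovision(user):
    """Offboarding: flip the lifecycle state; roles are kept for audit history."""
    if user in USERS:
        USERS[user]["status"] = "deprovisioned"

if __name__ == "__main__":
    print(authorize("bob", "prod-db", "admin", SAMPLE_CTX))
    print(authorize("bob", "prod-db", "admin", {**SAMPLE_CTX, "device_posture": "byod"}))
    print(authorize("alice", "prod-db", "admin", SAMPLE_CTX))
    deprovision("bob")
    print(authorize("bob", "repo", "read", SAMPLE_CTX))
```

The order of checks is deliberate: lifecycle state first, then role, then attributes, so an offboarded account is refused even if a role grant was never cleaned up, and a role-holder on an unmanaged device or outside business hours is refused without the role itself having to change. Because the evaluator returns a reason with every decision, the audit log can answer both "who was allowed" and "why was this denied" during an access review.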