An Overview of Identity and Access Management (IAM)

June 17, 2016


Assets are categorized as information, systems, devices, facilities and personnel. Any entity, whether an individual, a group of individuals or a corporation, wants to protect these assets from failures, accidents and bad actors, and Identity and Access Management (IAM) is how it controls who may touch them.

In any given IAM situation, there’s the concept of subject and object. The subject can be a person, a group of people, a process or a system that’s trying to access the object.

Another pair of concepts is authentication and authorization. Authentication is proving that the subject is who it claims to be (logging in with a password, for example). Authorization is deciding what an already-authenticated subject may do to an object: being granted the privilege to open a file share, while being restricted from deleting a file in it, are both authorization decisions.

You are authenticated using something you know, something you have, something you are or somewhere you are: e.g. a password, a smart card or hardware token, a fingerprint and your physical location, respectively. A username on its own is only a claimed identity, not a factor. Combining two or more of these factors is multifactor authentication, and you are authorized to take an action only after you pass authentication.
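The following is an added example, not code from the original article, that keeps the two decisions separate: `authenticate` checks two factors (a PBKDF2 password hash for "something you know" and an RFC 6238 TOTP code for "something you have") and returns the subject's identity or nothing; `authorize` then consults an ACL that lets that subject read a file share but not delete from it. The user store, salt, TOTP seed, share name, ACL and timestamp are all constructed for the example, and the function names are the example's own.

```python
"""Authentication versus authorization, as a runnable illustration.

Added example, not code from the original article. The user store, ACL,
salt, TOTP seed and clock value below are constructed for the example,
and the function names are this example's own.
"""
import base64
import hashlib
import hmac
import struct
import time

# ---- Authentication: prove the subject's claimed identity ----------------

def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password: the 'something you know' factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps): the 'something you have' factor."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed user store: one subject with a salted password hash and a TOTP seed.
SALT = b"constructed-salt-value"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": "JBSWY3DPEHPK3PXP",  # constructed base32 seed
    },
}

def authenticate(username: str, password: str, code: str, now=None):
    """Return the subject's name if both factors check out, otherwise None."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        # Burn the same hashing work so unknown users are not distinguishable by timing.
        hash_password(password, SALT)
        return None
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    # Accept the current 30 s step and one step either side to tolerate clock drift.
    code_ok = any(hmac.compare_digest(totp(user["totp_secret"], now + drift), code)
                  for drift in (-30, 0, 30))
    return username if (pw_ok and code_ok) else None

# ---- Authorization: decide what an authenticated subject may do to an object ----

# Constructed ACL: object -> subject -> permitted actions. alice may list and
# read the finance share but holds no "delete" right on it.
FINANCE_SHARE = r"\\fileserver\finance"
ACL = {
    FINANCE_SHARE: {"alice": {"list", "read"}},
}

def authorize(subject, obj: str, action: str) -> bool:
    """True only if the ACL grants `subject` the `action` on `obj`; default deny."""
    if subject is None:
        return False  # never consult the ACL for an unauthenticated subject
    return action in ACL.get(obj, {}).get(subject, set())

if __name__ == "__main__":
    t = 1_466_121_600  # constructed timestamp (2016-06-17 00:00 UTC)
    who = authenticate("alice", "correct horse battery staple",
                       totp(USERS["alice"]["totp_secret"], t), t)
    print("authenticated as:", who)
    for action in ("read", "delete"):
        print(f"{who} may {action} {FINANCE_SHARE}:", authorize(who, FINANCE_SHARE, action))
```

Note that `authorize` never sees a password or a TOTP code: once authentication has produced a subject, every later decision is made on that subject's identity against the object's ACL, which is what keeps the two concepts from blurring together in real systems.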

There are various controls to manage IAM. By type, a control is physical, technical/logical or administrative; by function, it falls into one of the following categories:

  1. Preventive Controls – Fences, locks, security cameras, lights, guard dogs, smart card readers, retina scanners, guards asking for proof of identity, background checks, job rotation, etc. are controls used to prevent or stop unauthorized access and activity.
  2. Detective Controls – Network monitoring, auditing, logging, security cameras, motion sensors, etc. are controls used to detect unauthorized activity after or while it happens.
  3. Corrective Controls – Password changes, failover to other systems, rebooting a system, removal and quarantine of malware, flattening and rebuilding a computer system, etc. are controls used to correct the system after unauthorized activity occurs.
  4. Recovery Controls – Restoring from a backup, redeploying the system on a new drive, database or file server clustering, high-availability systems, etc. are controls used to recover from unauthorized activity.
  5. Directive Controls – Turnstiles, entry and exit signs, security warnings, group policies, etc. are controls used to direct behaviour toward compliance and away from unauthorized activity.
  6. Compensating Controls – Backup personnel, secondary systems that can be brought online when a primary fails, keeping a guard at the door when power fails and smart cards cannot be authenticated, etc. are controls used to compensate when a primary control fails or cannot be applied.

Once you have chosen these controls, you need to decide how to administer them: through a centralized, distributed or decentralized IAM approach.

An example of a centralized IAM system is Single Sign-On (SSO): you authenticate once with your Google username and password, and that single authentication is used to authorize you to all Google properties, such as Gmail, Hangouts and YouTube.

Federated identity management, such as using a Facebook login or OpenID to authenticate to third-party sites and apps, is a decentralized approach to IAM: each relying party keeps its own accounts and access rules but trusts authentication assertions issued by an external identity provider.

Depending on the organization's risk appetite and needs, it may choose between centralized and decentralized IAM solutions. Both have their pros and cons when it comes to administration and to applying physical and logical controls.
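To make the SSO and federation idea concrete, here is an added example (not the article's code, and not how Google or Facebook implement it): a central identity provider issues one signed token after it has authenticated the user, and each property or relying party verifies that same token on its own, checking the signature, the expiry and that it is named in the token's audience. The token format, the service names "mail", "video" and "chat", the signing key and the clock value are all constructed for the example; production systems use SAML assertions or OpenID Connect ID tokens for this role.

```python
"""Single sign-on: one authentication at the identity provider (IdP), one
token accepted by several services.

Added example, not code from the original article. The token layout, the
service names, the signing key and the timestamps are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed symmetric key shared by the IdP and its relying services. With an
# RSA or ECDSA key pair the services would hold only the public half.
IDP_KEY = b"constructed-idp-signing-key"

def _b64u(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64u(text: str) -> bytes:
    """Inverse of _b64u; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, audiences, now: int, ttl: int = 3600) -> str:
    """Called by the IdP exactly once, after it has authenticated `subject`."""
    payload = {"sub": subject, "aud": sorted(audiences), "iat": now, "exp": now + ttl}
    body = _b64u(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64u(sig)}"

def verify_token(token: str, this_service: str, now: int):
    """Run by each service independently; returns the subject or None."""
    try:
        body, sig_b64 = token.split(".")
        sig = _unb64u(sig_b64)
    except ValueError:            # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None               # forged or tampered with
    payload = json.loads(_unb64u(body))
    if now >= payload["exp"]:
        return None               # stale: the user must re-authenticate at the IdP
    if this_service not in payload["aud"]:
        return None               # the IdP did not issue this token for us
    return payload["sub"]

def sso_access(token: str, services, now: int) -> dict:
    """Which services accept the token? Returns {service: subject or None}."""
    return {svc: verify_token(token, svc, now) for svc in services}

if __name__ == "__main__":
    t = 1_466_121_600              # constructed timestamp (2016-06-17 00:00 UTC)
    token = issue_token("alice", ["mail", "video", "chat"], t)
    print(sso_access(token, ["mail", "video", "chat", "maps"], t + 60))
    print("an hour later:", sso_access(token, ["mail"], t + 3600))
```

The services never see the user's password; they only need the IdP's verification key. That is also the trade-off: a compromised IdP key, or an IdP that is down, affects every property at once, which is why centralized IAM concentrates both convenience and risk.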

Here are a few challenges you'll come across when implementing IAM:

  • User Provisioning – The ability to validate, add, modify and remove access for users, system accounts, etc., including removing it promptly when someone leaves or changes role.
  • Distributed Users and Systems – With a mobile global workforce and cloud-based Software as a Service (SaaS) solutions, many organizations face the challenge of managing identity and access across a large suite of applications and services.
  • Bring Your Own Device (BYOD) – With the low cost of personal computers and phones, more and more people want to use their personal devices for both professional and personal work.
  • Policies and Compliance – Changes in security policies and compliance requirements need to be propagated as quickly as possible to both centralized and distributed systems.

I promised this was going to be a quick overview of IAM, so I've only touched on the basics. As a security professional, you want to know the various protocols and architectures used to implement these systems, the options for implementing SSO, and to understand PKI, Kerberos, biometrics, multifactor authentication and more. Understanding physical security is equally important.


Here are some links to help you think through and implement IAM:

Harvard University IT Identity and Access Management Program Plan –

NIST Cybersecurity Practice Guide, Special Publication 1800-2: “Identity and Access Management for Electric Utilities” –

NISTIR 7817 – A Credential Reliability and Revocation Model for Federated Identities


Thanks for spending your time writing a useful article. Thank you very much for the effort you put into this article. Kindly write many articles. It's really useful for me.
