IAM what I AM

Tim Smith
5 min readDec 10, 2020

The Fundamentals Identity and Access Management

Who gets in? And where can they go?

Part of data privacy and protection in an enterprise environment involves Identity and Access Management (often shortened to IAM). Despite the many variations and complexities of IAM systems in corporate setups, the fundamental principle is pretty basic: IAM is about controlling who has who has access to what (and, usually, under what circumstances). IAM has been foundational to information systems from the very beginning. In fact, if you’ve ever signed in to a computer that’s had more than one user, you’ve (perhaps unknowingly) participated in a form of IAM. In this case, the operating system validates who you are via your profile sign in and gives you access to your particular environment (and all the assets therein, like your Documents). Crucially, signing in to your profile does not give you access to someone else’s assets on that computer (unless you’re an administrator — more on that in a bit). While this is a simple example, you can easily imagine how complex tracking profiles and privileges can get in enterprise environments with hundreds or thousands of computers and devices, with many running on disparate networks and with differing operating systems. Because of this increasing complexity, IAM is considered its own domain of information security, and it’s not uncommon to find entire positions within companies dedicated to this single responsibility.

The concept that certain roles and positions have more responsibilities (and, therefore, more privileges) than others has been around for a lot longer than computers. Think about a retail environment where only certain employees can access the register or remove money from them at the end of the day. Or how about in a bank, where only certain employees are allowed to enter the vault? In both of these cases, we’re dealing with things that have tangible value (money), but, in our modern day and age, information contained digitally within systems is just as valuable — maybe even more so — and just because an employee may think what they know or have access to isn’t valuable, that doesn’t automatically make it the case (this is also why employee training is so critical: many people simply aren’t aware that what they interact with on a day-to-day basis could be valuable in certain hands). The larger a company, the more important it is that a system is established to help take care of the function of IAM, and, indeed, one of the benefits of dedicated IAM systems is automation. Adding a new employee or new privileges to an account after someone gets a promotion may be fine on an individual level if your organization is tiny, but this immediately becomes cumbersome and time-consuming once your company employs more than a handful of people. And if there’s one thing companies hate wasting, it’s time!

Additionally, you can’t just give blanket privileges to everyone — not everyone is trustworthy or properly trained or even needs full access in the first place. Giving everyone admin access to a computer, for instance, unnecessarily opens up an organization to a lot more risk. Aside from the obvious risk of a careless or untrained user accidentally altering or deleting important data, you’d be surprised just what admin access can get you — that’s why “privilege escalation” is one of the key tactics in cyber attacks. It may be tempting to do the ol’ chmod 777 when a privilege issue pops up, but, while that will briefly save you some time in debug, it’s extraordinarily risky and not worth the headache that may follow if it’s not fixed shortly thereafter. The concept of “least privilege” plays an important role here in IAM. “Least privilege” is the foundational idea that someone should only possess the least amount of privilege necessary to do their job — and no more than that. If you spend any time around information security, you will hear about and interact with this principle.

While a variety of IAM systems exist at both hardware and software levels, all IAM tools essentially perform two key functions to make sure that data is accessed responsibly: Authentication and Authorization. Authentication is validating that you are who you say you are. This can be with passwords or other sign-in tools (like multifactor authentication, for instance). Authorization, on the other hand, verifies that you have the privilege (or, the authority) to access whatever you’re trying to gain access to in the first place. From there, IAM tools can deviate from each other in terms of detail and implementation, but good IAM tools will allow for alerts, monitoring, configuration and management, and more. Among other benefits, IAM tools can allow analysts to see whether privileged access is being abused, whether information systems are complying with regulation (essential for any healthcare-adjacent industry or any company subject to PCI-DSS, for example), and IAM tools can even streamline processes (provided you tune your automation appropriately).

IAM asks, “Who gets in? And where can they go?” Especially in 2020, a lot of companies have had to ask these questions less about their physical environments and more about their networks and digital environments. Ultimately, IAM is one of the first-line defense tools that every company can implement to protect its data and make their processes work better for employees and the organization.