What is identity and access management (IAM)?

Identity and access management (IAM) systems verify user identities and control user privileges.

Learning Objectives

After reading this article you will be able to:

  • Learn what 'identity' means in a computing context
  • Understand what user access is
  • Explore why identity and access management is so important for the cloud

Copy article link

What is identity and access management (IAM)?

Identity and access management (IAM or IdAM for short) is a way to tell who a user is and what they are allowed to do. IAM is like the bouncer at the door of a nightclub with a list of who is allowed in, who isn't allowed in, and who is able to access the VIP area. IAM is also called identity management (IdM).

Identity and access management IAM - Bouncer stands in front of the cloud

In more technical terms, IAM is a means of managing a given set of users' digital identities, and the privileges associated with each identity. It is an umbrella term that covers a number of different products that all do this same basic function. Within an organization, IAM may be a single product, or it may be a combination of processes, software products, cloud services, and hardware that give administrators visibility and control over the organizational data that individual users can access.

What is identity in the context of computing?

A person's entire identity cannot be uploaded and stored in a computer, so "identity" in a computing context means a certain set of properties that can be conveniently measured and recorded digitally. Think of an ID card or a passport: not every fact about a person is recorded in an ID card, but it contains enough personal characteristics that a person's identity can quickly be matched to the ID card.

To verify identity, a computer system will assess a user for characteristics that are specific to them. If they match, the user's identity is confirmed. These characteristics are also known as "authentication factors," because they help authenticate that a user is who they say they are.

The three most widely used authentication factors are:

  • Something the user knows
  • Something the user has
  • Something the user is

Something the user knows: This factor is a piece of knowledge that only one user should have, like a username and password combination.

Imagine that John wants to check his work email from home. To do so, he will first have to log in to his email account by establishing his identity, because if somebody who wasn't John accessed John's email, then company data would be compromised.

John logs in by entering his email, john@company.com, and the password that only he knows – for example, “5jt*2)f12?y”. Presumably, no one else besides John knows this password, so the email system recognizes John and lets him access his email account. If someone else tried to impersonate John by entering their email address as “john@company.com,” they wouldn't be successful without knowing to type “5jt*2)f12?y” as the password.

Something the user has: This factor refers to possession of a physical token that is issued to authorized users. The most basic example of this authentication factor is the use of a physical house key to enter one's home. The assumption is that only someone who owns, rents, or otherwise is allowed into the house will have a key.

In a computing context, the physical object could be a key fob, a USB device, or even a smartphone. Suppose that John's organization wanted to be extra sure that all users really were who they said they were by checking two authentication factors instead of one. Now, instead of just entering his secret password – the something the user knows factor – John has to show the email system that he possesses an object that no one else has. John is the only person in the world who possesses his personal smartphone, so the email system texts him a one-time code, and John types in the code to demonstrate his possession of the phone.

Something the user is: This refers to a physical property of one's body. A common example of this authentication factor in action is Face ID, the feature offered by many modern smartphones. Fingerprint scanning is another example. Less common methods used by some high-security organizations include retina scans and blood tests.

Imagine John's organization decides to tighten security even more by making users verify three factors instead of two (this is rare). Now John has to enter his password, verify possession of his smartphone, and scan his fingerprint before the email system confirms that he really is John.

To summarize: In the real world, one's identity is a complex mix of personal characteristics, history, location, and other factors. In the digital world, a user's identity is made up of some or all of the three authentication factors, stored digitally in an identity database. To prevent impostors from impersonating real users, computer systems will check a user’s identity against the identity database.

What is access management?

"Access" refers to what data a user can see and what actions they can perform once they log in. Once John logs into his email, he can see all the emails he has sent and received. However, he should not be able to see the emails sent and received by Tracy, his coworker.

In other words, just because a user's identity is verified, that doesn't mean they should be able to access whatever they want within a system or a network. For instance, a low-level employee within a company should be able to access their corporate email account, but they should not be able to access payroll records or confidential HR information.

Access management is the process of controlling and tracking access. Each user within a system will have different privileges within that system based on their individual needs. An accountant does indeed need to access and edit payroll records, so once they verify their identity, they should be able to view and update those records as well as access their email account.

Why is IAM so important for cloud computing?

In cloud computing, data is stored remotely and accessed over the Internet. Because users can connect to the Internet from almost any location and any device, most cloud services are device- and location-agnostic. Users no longer need to be in the office or on a company-owned device to access the cloud. And in fact, remote workforces are becoming more common.

As a result, identity becomes the most important point of controlling access, not the network perimeter.* The user's identity, not their device or location, determines what cloud data they can access and whether they can have any access at all.

To understand why identity is so important, here's an illustration. Suppose a cyber criminal wants to access sensitive files in a company's corporate data center. In the days before cloud computing was widely adopted, the cyber criminal would have to get past the corporate firewall protecting the internal network or physically access the server by breaking into the building or bribing an internal employee. The criminal's main goal would be to get past the network perimeter.

However, with cloud computing, sensitive files are stored in a remote cloud server. Because employees of the company need to access the files, they do so by logging in via browser or an app. If a cyber criminal wants to access the files, now all they need is employee login credentials (like a username and password) and an Internet connection; the criminal doesn't need to get past a network perimeter.

IAM helps prevent identity-based attacks and data breaches that come from privilege escalations (when an unauthorized user has too much access). Thus, IAM systems are essential for cloud computing, and for managing remote teams.

*Network perimeter refers to the edges of an internal network; it is a virtual boundary that separates the secure managed internal network from the unsecured, uncontrolled Internet. All computers in an office, plus connected devices like office printers, are within this perimeter, but a remote server in a data center across the world are not.

Where does IAM fit in a cloud architecture?

IAM often is a cloud service that users have to pass through to get to the rest of an organization's cloud infrastructure. It can also be deployed on an organization's premises on an internal network. Finally, some public cloud vendors may bundle IAM with their other services.

Businesses using a multicloud or hybrid cloud architecture may instead use a separate vendor for IAM. Decoupling IAM from their other public or private cloud services offers them more flexibility: they can still maintain their identity and access their database if they switch cloud vendors.

What is an identity provider (IdP)?

An identity provider (IdP) is a product or service that helps manage identity. An IdP often handles the actual login process. Single sign-on (SSO) providers fit into this category. IdPs can be part of an IAM framework, but typically they don't help with managing user access.

What is Identity-as-a-Service (IDaaS)?

Identity-as-a-Service (IDaaS) is a cloud service that verifies identity. It is a SaaS offering from a cloud vendor, a way of partially outsourcing identity management. In some cases, IDaaS and IdP are essentially interchangeable – but in other cases, the IDaaS vendor offers additional capabilities on top of identity verification and management. Depending on the capabilities offered by the IDaaS vendor, IDaaS can be a part of an IAM framework, or it can be the whole IAM system.

Zero Trust identity and IAM

Zero Trust security is a model that strictly verifies identity for every user and device connecting to resources on a private network, whether the user or device is within or outside the network perimeter. Zero Trust is closely intertwined with IAM, since it relies on checking identity and restricting access.

Zero Trust uses multi-factor authentication (MFA), which checks two or three of the identity factors listed above instead of just one. It also requires implementing the principle of least privilege for access control. Most importantly, once a person's identity is confirmed, Zero Trust still does not automatically trust that person's actions. Instead, every request is monitored and inspected individually for compromised activity. Learn more about Zero Trust.

How does Cloudflare assist with IAM and the cloud?

Cloudflare Access is an IAM product that monitors user access to any domain, application, or path hosted on Cloudflare. It integrates with SSO providers and allows administrators to alter and customize user permissions. Cloudflare Access helps enforce security policies for both on-premises internal employees and remote workers.

Cloudflare can be deployed in front of any cloud infrastructure setup, allowing greater flexibility to companies with a multicloud or a hybrid cloud deployment that includes an IAM provider.