Jan 25, 2024

What Is IAM (Identity and Access Management)?

What Is IAM (Identity and Access Management)?

Table of contents

Employees, customers, supply chain members, and contractors must have access to digital resources for work. Identity and access management (IAM) or IAM services manage and control the who, what, and when of resource access. The National Institute of Standards and Technology (NIST) considers IAM to be a “cornerstone of data protection, privacy, and security.” As such, IAM identifies individuals and manages access to resources based on their identity, thereby protecting sensitive data and other assets.

A history of identity and access management

As a concept, IAM has a long history; for example, the Romans used “watchwords” to identify Roman soldiers and prevent enemies from entering certain areas. More recently, computer-based IAM has emerged. In the 1960s, computer scientist Fernando Corbató applied passwords to secure access to computer files. Since then, the humble password has become associated with access to computer-based assets.

Before cloud computing, the network perimeter was the ideal way to contain access, and on-premise tools, such as Active Directory, worked well as IAM systems. However, the Internet changed the requirements of IAM. Cloud computing smashed the network perimeter, making it much harder to identify users and control access. Visibility and monitoring became more complex as the network expanded to include BYOD; remote working and internet-enabled devices eventually made identity and access control even more challenging. Today, modern IAM solutions cover an array of use cases and requirements. A modern cloud-based IAM system must offer many features, including identity governance, access management, and privileged access management (PAM), with massive scalability and robust security.

Types of identity and access management

Various types of IAM solutions have different use cases. Three of the most common applications of IAM are:

Workforce IAM: Workforce identities are typically used for internal identity management and access control. Workforce user identities cover employees and non-employees, such as contractors. Workforce IAM is designed to handle remote workers, and it provides a framework for differentiated access control based on roles and privileges. Functionality like single sign-on (SSO) is often a part of workforce IAM systems and used to improve employee productivity — with SSO, a single click allows access to multiple digital resources.

Customer IAM (CIAM): CIAM provides identity management and access control for external digital identities, such as customers. A CIAM system captures and manages customer identities. CIAM platforms use customer identities to authorize and authenticate access to online resources. CIAM has functionality above and beyond authentication and authorization: it uses data analytics and business intelligence to generate great customer experiences and deliver marketing insights.

Citizen IAM: Governments must provide online services to citizens. And a government has to know who it’s dealing with in order to facilitate secure access to these services. Many governments onboard citizens to government services using IAM. Citizen IAM uses personal data verification checks before issuing an identity account or access to government services.

Other types of IAM include device IAM (identity for devices, including IoT [internet of things] and robotics).

Key concepts in identity and access management

IAM provides a range of capabilities, often supplied as part of a holistic IAM solution, that manage the entirety of identity lifecycle management:

Identity Provider (IdP)

IDPs store and manage user identities and handle access requests. An identity comprises the credentials that define an individual (or device). These credentials are sometimes known as authentication factors, claims, or verified credentials. Authentication factors are a mix of:

  • Knowledge-based (something you know)

  • Something you own (for instance, phone number or hardware token)

  • Something you are (for instance, biometric data or a verified identity claim)

When an individual attempts to access digital resources, they will be asked to present one or more of these credentials. If the identity provider does not recognise the credentials, unauthorized access will be enforced.

Identity Governance and Administration (IGA)

IGA is a technology layer that automates creating and managing user accounts within an organization to simplify identity lifecycle management. IGA governs the access rights associated with individuals and employee roles in that organization. IGA provides visibility of accounts across expanded networks, provisions users and devices, facilitates account administration, and manages access entitlements and attestation. IGA platforms also provide dashboards for analytics and reporting.


When attempting to access resources, such as a company app, you’ll be asked to supply something to prove that you have the right to access. Methods such as passwords, authenticator codes, and biometrics prove that you have the right to access a resource. Access control policies are used to determine the user access requirements of an organization. Sometimes, these methods are used together and are known as two-factor or multifactor authentication (2FA or MFA).


Decisions about what resources a user has access to are made using authorization. Authorization sets access privileges once authentication has been successful. Typically, authorization decisions depend on identity attributes, such as your assigned role in an organization. Authorization uses protocols such as OAuth 2.0 to handle authorization.

Privileged access management (PAM)

Privileged access requires a mix of strategy, policy, and technology. PAM solutions will monitor access attempts and enforce privileges based on policies. This ensures need-to-know access. The principle of least privilege is achieved by deploying PAM.

Single sign-on (SSO)

SSO is a scheme that allows users to log into multiple apps and services using a single authentication event. SSO is based on identity federation.

Role-based access control (RBAC)

RBAC bases access to company resources and networks on an employee’s role. All staff roles are assigned access permissions, and employees who perform those role(s) in a company each have the same access rights to network resources.

Identity verification

Verification of an individual is used to assure that they are who they say they are. The credentials or attributes of an identity, such as a user’s address, may need to be cross-checked or “verified.” Verification then adds weight to the ownership of an identity or account. This can be used with PAM to assign access rights based on the identity attributes. Identity verification is often used in consumer or citizen identity services.

Identity protocols

Identity and access management tools use standard protocols to transfer information between the components of an IAM system. The two main protocols used are OpenID Connect (OIDC) and Security Assertion Markup Language (SAML). Examples of large technology providers that support OIDC are AWS Identity and Google. Access to AWS resources can be controlled with an IDP that uses OIDC or SAML.

What is the difference between IAM and access management?

Identity management pertains to creating accounts, while access management pertains to assigning and enforcing permissions.

Access management is a subset of IAM. Identity management is the part of IAM that controls user identity and verification. Access management controls user access rights and privileges.

How to use Google Workspace for IAM

Google Workspace is an IAM solution that has capabilities including:

  • Manages users and acts as an IDP

  • Provisions access permissions

  • Enforces security policies

  • Single Sign On (SSO)

  • Integrates with Active Directory or Azure Active Directory

Google Workspace is suitable for small-to-medium-sized organizations, as it provides easy identity provisioning and management of employee accounts. Google Workspace also enforces multifactor authentication and can be used for SSO to control access to applications in the Google Workspace suite: using identity federation, a user can then access multiple Google apps with a single login.

Benefits of using IAM technologies

IAM tools offer an organization many benefits:


IAM and privileged access control help prevent cyber-ttacks, including data breaches, phishing attacks, and malware infections.

Zero trust

IAM supports zero trust strategies across people, devices, and applications.

Reduces IT overhead

IAM helps implement and enforce policies across the organization.

Improves employee experience and productivity

SSO and passwordless authentication make logging in faster and simpler.

Privacy controls

IAM enforces need-to-know access to sensitive data.

Adherence to regulations and standards

Robust IAM controls help to improve data security and reduce noncompliance events.