Authentication Fundamentals

What is Identity & Access Management? Your Questions, Answered


Identity and access management (IAM) is a critical way to protect the systems and data that your organization relies on by ensuring that only properly-authorized users can access your technology and information. As a leading IAM solution provider, we’re often asked what identity and access management is, how it works, and why it’s needed. We’ll answer these questions and more in today’s post.

What is identity and access management?

IAM is a discipline that actually preceded cybersecurity, but has taken on a new dimension in the digital transformation age. IAM essentially ensures only authorized users with the proper credentials and authentication are able to access, manage, and use the technology, software, systems, and data in your business. It protects systems from unauthorized access by criminals, hackers, and other bad actors.

How does identity and access management work?

An IT security team deploys an IAM platform and integrates it into your organization. The IAM platform then requires all users who attempt to access systems and data to properly authorize themselves so they can prove who they are. The IAM system will compare their credentials against a known, good baseline, and if those credentials match, will provide access. Once access is provided, the IAM system makes sure the user has the right level of access – not too little and definitely not too much – so that the job at hand can be accomplished.

Why does my organization need identity and access management?

Cybersecurity risks are increasing all the time. Every organization needs robust security in place to protect their systems and data. Data breaches and attacks on systems can cause significant reputational and financial damage and expose the data of your business and your users. IAM, when done right, provides a consistent, proven way to reduce the risk and impact of cybersecurity attacks.

What environments does identity and access management work across?

Ideally, an IAM platform should work with your systems, software, and infrastructure wherever it’s located. This means it should protect local devices, data centers, cloud environments, users and more by default.

Will identity and access management help me meet compliance requirements?

Many agencies and regulatory bodies require organizations to protect customer and business data. As a result, an IAM platform is a key part of securing sensitive information. Correct IAM implementations can reduce the risk of breaching PCI DSS, HIPAA, GDPR, Sarbanes-Oxley, and other regulatory frameworks. It can also help demonstrate compliance, avoid costly negative audit consequences, and ensure business processes run smoothly.

Does identity and access management work across all end-user devices?

We are in a post-BYOD (Bring Your Own Device) world where employees are accessing systems and data from a variety of computers, tablets, smartphones, and other devices. A good IAM platform will be device agnostic and provide proper, robust authentication, regardless of how a user is accessing business systems.

What are the authentication factors used by identity and access management platforms?

There are several types of authentication techniques used by IAM tools. These include two-factor or multifactor authentication. This means that in addition to a username and password, an end user must also provide other unique credentials like a one-time security code or biometrics like a fingerprint or voice recognition. In fact, more flexible and secure authentication methods like behavioral biometrics are proving to help facilitate user access better than many traditional methods. The bottom line, organizations shouldn’t limit themselves to just traditional authentication methods.

Do user-required credentials change, depending on authentication needs?

One way to implement IAM is through adaptive authentication. This approach uses various factors like who is accessing the system, the device they’re using, the time and date, their location, and various other information. The IAM system will then use predefined security policies to request specific additional credentials to verify users before granting access.

Does identity and access management cause frustration for end users?

Ultimately, an organization needs to balance ease-of-use with the right level of security. A good IAM platform will request proper credentials and then provide seamless, easy access through tools like single sign-on (SSO) and integration with other systems.

Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top tier cybersecurity and technology companies, most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.

Authentication Fundamentals
Adaptive, Risk-Based Authentication — Your Questions, Answered
Authentication Fundamentals
EU General Data Protection Regulations. What You Need to Know
Authentication Fundamentals
Stopping a Microsoft Office 365 Attack — What Are Your Options?