The Definition of IAM and Its Criticality to Good Security Hygiene
Published 07/17/2022
This is Part 2 of our ‘What is IAM’ blog series. Read Part 1 here.
Written by Paul Mezzera, Ravi Erukulla, and Ramesh Gupta of the CSA IAM Working Group.
What exactly is identity and access management (IAM)? It is the overall discipline that encompasses not only tools and technologies but also the processes through which a digital identity is defined and managed to provide access to digital resources. Traditionally, IAM dealt with identities that represent humans, but more recently it also covers non-human identities, also known as 'machine' identities.
IAM is essential for defining a digital identity profile and managing its entire lifecycle (the "IM" in IAM). It also ensures that an entity is who it says it is (authentication) and has the proper access to the resources it is attempting to access (authorization), which is also referred to as access management (the "A" in IAM). The industry has combined these concepts with the 'governance' of identities, which enables organizations to demonstrate compliance and supports a continuous process of reviewing access so that digital identities do not unnecessarily accumulate access. The merging of these is known as identity governance and administration (IGA).
IAM is essential in securing digital assets because it enables the appropriate access to a resource for the amount of time needed to accomplish a specific task. IAM defines the rules and policies that determine which digital identities have access to which digital resources. Given its critical nature, IAM is also an essential component of cybersecurity. Good security hygiene includes a sound IAM strategy in which all identities are managed with consistent policies and tools that give security leaders an understanding of who has access to the organization's resources (especially the critical ones).
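The two ideas above, access that lasts only as long as the task needs it and a continuous review that stops identities accumulating access, can be sketched in a few lines of Python. This is an added example, not code from the CSA IAM Working Group; the identity and resource names, the grant model and the 90-day idle threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Grant:
    identity: str                  # human or machine identity (constructed names)
    resource: str
    expires_at: datetime           # access is granted only for the time the task needs
    last_used: Optional[datetime] = None

def is_authorized(grants, identity, resource, now):
    """Authorization check for an already-authenticated identity.
    Deny by default: access requires a matching grant that has not expired."""
    return any(
        g.identity == identity and g.resource == resource and now < g.expires_at
        for g in grants
    )

def review(grants, now, idle_after=timedelta(days=90)):
    """Access review: return (identity, resource, reason) for grants to revoke.
    The 90-day idle threshold is an assumed policy value."""
    findings = []
    for g in grants:
        if now >= g.expires_at:
            findings.append((g.identity, g.resource, "expired"))
        elif g.last_used is None or now - g.last_used > idle_after:
            findings.append((g.identity, g.resource, "unused"))
    return findings

# Constructed sample data: two human grants and two machine (service) grants.
NOW = datetime(2022, 7, 17, tzinfo=timezone.utc)
GRANTS = [
    Grant("alice", "payroll-db", NOW + timedelta(days=30), NOW - timedelta(days=2)),
    Grant("alice", "legacy-crm", NOW + timedelta(days=300), NOW - timedelta(days=200)),
    Grant("svc-backup", "payroll-db", NOW - timedelta(days=1), NOW - timedelta(days=1)),
    Grant("svc-report", "sales-dw", NOW + timedelta(days=10), None),
]

if __name__ == "__main__":
    print("alice -> payroll-db:", is_authorized(GRANTS, "alice", "payroll-db", NOW))
    print("svc-backup -> payroll-db:", is_authorized(GRANTS, "svc-backup", "payroll-db", NOW))
    for finding in review(GRANTS, NOW):
        print("revoke candidate:", finding)
```

The same policy is applied to human and machine identities, which is the consistency the paragraph above calls for.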
Learn about the different components of IAM in Part 3.