Identity and Access Management (IAM)

Definition:
Identity and Access Management (IAM) is a framework of policies, processes, and technologies that ensures the right individuals (or machines) have the appropriate access to resources in an organization. Essentially, it controls who can access what, and under what conditions.

IAM is crucial for security, compliance, and operational efficiency.

Core Functions of IAM:

  1. Authentication: Verifying that a user is who they claim to be.
    • Example: Logging in with a username/password, or using multifactor authentication (MFA).
  2. Authorization: Determining what resources or actions a user can access after authentication.
    • Example: A user can view files but cannot delete them.
  3. User Management: Creating, updating, and deleting user identities.
    • Example: Adding a new employee to company systems.
  4. Policy Management: Defining access rules and roles.
    • Example: Role-Based Access Control (RBAC).
  5. Audit and Compliance: Tracking who accessed what and when.
    • Example: Logs for regulatory audits like GDPR or HIPAA.
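The five functions above are easier to tell apart in code than in prose. The following is an added example, not part of the original article: a small in-memory IAM service in Python that separates authentication (salted PBKDF2 password check), authorization (role-based, deny by default), user management (create/delete) and audit (every decision is recorded). The users, passwords and role table are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role definitions (hypothetical): role -> set of (resource, action).
ROLE_PERMISSIONS = {
    "viewer": {("files", "read")},
    "editor": {("files", "read"), ("files", "write")},
    "admin": {("files", "read"), ("files", "write"), ("files", "delete"), ("users", "manage")},
}


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    # PBKDF2-HMAC-SHA256: only the salted hash is stored, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    event: str      # "authn" or "authz"
    detail: str
    success: bool


class IAMService:
    def __init__(self):
        self.credentials = {}   # user -> (salt, pbkdf2 hash)
        self.user_roles = {}    # user -> set of role names
        self.audit_log = []     # list of AuditEvent

    # --- User management ---
    def create_user(self, user, password, roles):
        salt = os.urandom(16)
        self.credentials[user] = (salt, hash_password(password, salt))
        self.user_roles[user] = set(roles)

    def delete_user(self, user):
        self.credentials.pop(user, None)
        self.user_roles.pop(user, None)

    def _record(self, user, event, detail, success):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, event, detail, success))

    # --- Authentication: is this user who they claim to be? ---
    def authenticate(self, user, password):
        entry = self.credentials.get(user)
        if entry is None:
            # Unknown user: still do the hashing work so response time does not
            # reveal whether the account exists.
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, stored = entry
            ok = hmac.compare_digest(hash_password(password, salt), stored)
        self._record(user, "authn", "password login", ok)
        return ok

    # --- Authorization: what may an authenticated user do? ---
    def permissions_for(self, user):
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def authorize(self, user, resource, action):
        # Deny by default: unknown users and missing permissions both yield False.
        allowed = (resource, action) in self.permissions_for(user)
        self._record(user, "authz", f"{action} {resource}", allowed)
        return allowed


def demo():
    """Run the lifecycle once and return the decisions (constructed data)."""
    iam = IAMService()
    iam.create_user("alice", "correct horse battery staple", ["viewer"])
    iam.create_user("bob", "hunter2-but-much-longer", ["admin"])
    results = {
        "alice_login_ok": iam.authenticate("alice", "correct horse battery staple"),
        "alice_login_bad": iam.authenticate("alice", "wrong"),
        "alice_read": iam.authorize("alice", "files", "read"),
        "alice_delete": iam.authorize("alice", "files", "delete"),
        "bob_delete": iam.authorize("bob", "files", "delete"),
        "ghost_login": iam.authenticate("ghost", "anything"),
        "ghost_read": iam.authorize("ghost", "files", "read"),
    }
    iam.delete_user("bob")
    results["bob_after_delete"] = iam.authorize("bob", "files", "delete")
    results["audit_entries"] = len(iam.audit_log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that `authorize` never looks at the password store: once a session is authenticated, authorization is a separate question answered from roles, and the audit log records both kinds of decision so a later review can reconstruct who tried what.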

IAM Examples (Products & Services):

  • Cloud IAM: AWS IAM, Azure Active Directory, Google Cloud IAM
  • Enterprise IAM: Okta, Ping Identity, IBM Security Identity Manager
  • Open-source IAM: Keycloak, FreeIPA

IAM Protocols

IAM relies on standard protocols to enable authentication, authorization, and secure identity exchange between applications, users, and services. Here are the main ones:

1. LDAP (Lightweight Directory Access Protocol)

  • Purpose: Query and modify directory services (like a corporate user directory).
  • Use Case: Centralized user authentication in enterprises.
  • Example: Microsoft Active Directory uses LDAP for user authentication.
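As an added example (not from the original article), here is how a client builds the LDAP search filter for the centralized user lookup described above, and how such a filter is evaluated. The directory entries and the small evaluator are constructed for this example; in practice the client sends the filter string to the directory server, which performs the matching. The escaping step follows RFC 4515, which gives `*`, `(`, `)`, `\` and NUL special meaning inside a filter, so a username containing them must be escaped to be matched literally.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the directory matches it literally (no wildcards, no injection)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(username: str) -> str:
    """Filter a login service would send to find exactly one person entry by uid."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


# --- Minimal filter evaluator, constructed for this example (not a full RFC 4515 parser) ---

def _parse(s: str, i: int):
    """Parse one filter component starting at s[i] == '('; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    j = s.index("=", i)
    attr = s[i:j]
    k = s.index(")", j)          # safe: a literal ')' inside a value is escaped as \29
    return ("=", attr, s[j + 1:k]), k + 1


def _value_regex(value: str) -> re.Pattern:
    """Turn an assertion value into a regex: \\XX escapes are literals, bare '*' is a wildcard."""
    out, i = "", 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 2 < len(value):
            out += re.escape(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        elif ch == "*":
            out += ".*"
            i += 1
        else:
            out += re.escape(ch)
            i += 1
    return re.compile(f"^{out}$", re.IGNORECASE)


def _matches(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    rx = _value_regex(value)
    # Attribute names are case-insensitive; entries here use lowercase keys.
    return any(rx.match(v) for v in entry.get(attr.lower(), []))


def search(directory, filter_str: str):
    """Return the uids of entries matching the filter, in directory order."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [e["uid"][0] for e in directory if _matches(node, e)]


# Constructed sample directory (not real data).
DIRECTORY = [
    {"objectclass": ["person"], "uid": ["alice"], "cn": ["Alice Example"]},
    {"objectclass": ["person"], "uid": ["admin"], "cn": ["Directory Admin"]},
    {"objectclass": ["person"], "uid": ["o'brien (contractor)"], "cn": ["Pat O'Brien"]},
    {"objectclass": ["groupOfNames"], "uid": ["staff"], "cn": ["Staff"]},
]

if __name__ == "__main__":
    print(user_lookup_filter("o'brien (contractor)"))
    print(search(DIRECTORY, user_lookup_filter("alice")))
    print(search(DIRECTORY, "(&(objectClass=person)(uid=a*))"))
```

Looking up `alice` returns exactly one entry, a username containing parentheses still matches because the parentheses are escaped, and a username of `*` matches nothing rather than every person, since the escaped `\2a` is a literal asterisk. Only a filter the application itself writes with a bare `*` behaves as a wildcard.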

2. SAML (Security Assertion Markup Language)

  • Purpose: Single Sign-On (SSO) for web applications using XML-based assertions.
  • How it works: A user logs in once, and SAML tells other applications “this user is authenticated.”
  • Example: Logging into Salesforce using your company’s Google Workspace credentials.

3. OAuth 2.0

  • Purpose: Delegated authorization, allowing apps to access resources without sharing passwords.
  • How it works: User authorizes an app to act on their behalf (e.g., “allow this app to access your Google Drive files”).
  • Example: A third-party calendar app accessing your Google Calendar.

4. OpenID Connect (OIDC)

  • Purpose: Authentication layer on top of OAuth 2.0.
  • How it works: Confirms the user’s identity and provides basic profile info.
  • Example: Logging into apps like Reddit or Medium using your Google or Facebook account.
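The OAuth 2.0 and OpenID Connect sections above describe the flow from the user's side; what the relying party (the app) must do when the ID token arrives is where most integration mistakes happen. The following is an added example, not from the original article or any provider's SDK: it mints and then verifies an OIDC ID token in JWT form using only the Python standard library, checking signature, pinned algorithm, issuer, audience, expiry and nonce. To stay self-contained it uses HS256 with a shared secret; production providers normally sign with RS256 and the app verifies against the provider's published public keys, but the claim checks are the same. The issuer URL, client id and secret are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example.
SECRET = b"constructed-shared-secret-for-demo"
ISSUER = "https://idp.example"        # hypothetical identity provider
CLIENT_ID = "calendar-app"            # hypothetical relying party (the third-party app)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """What the identity provider does: sign header.payload with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class TokenError(Exception):
    pass


def verify_id_token(token, secret, issuer, client_id, expected_nonce=None, now=None):
    """What the relying party must do before trusting the identity in the token."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:          # a token for another app is not ours
        raise TokenError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")  # binds the token to this login attempt
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Verify one good token and several defective ones; return the outcome per case."""
    base = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
            "exp": now + 300, "iat": now, "nonce": "n-1"}
    tokens = {
        "valid": mint_id_token(base, SECRET),
        "expired": mint_id_token({**base, "exp": now - 1}, SECRET),
        "wrong_audience": mint_id_token({**base, "aud": "other-app"}, SECRET),
        "wrong_issuer": mint_id_token({**base, "iss": "https://other-idp.example"}, SECRET),
        "bad_signature": mint_id_token(base, b"some-other-key"),
        "nonce_mismatch": mint_id_token({**base, "nonce": "n-2"}, SECRET),
    }
    # Header claiming alg "none" with an empty signature, to show why alg is pinned.
    _, p, _ = tokens["valid"].split(".")
    tokens["alg_none"] = _b64url(b'{"alg":"none","typ":"JWT"}') + "." + p + "."
    results = {}
    for name, tok in tokens.items():
        try:
            claims = verify_id_token(tok, SECRET, ISSUER, CLIENT_ID, expected_nonce="n-1", now=now)
            results[name] = "accepted:" + claims["sub"]
        except TokenError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

The order of checks is deliberate: the algorithm and signature are verified before any claim is trusted, and the audience check is what stops a token legitimately issued to one app from being replayed to another, which is the delegated-access boundary OAuth 2.0 is meant to enforce.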

5. Kerberos

  • Purpose: Network authentication protocol for secure identity verification.
  • How it works: Issues “tickets” to allow users to access services without re-entering passwords.
  • Example: Windows domain environments use Kerberos for secure login.

Summary Table

Protocol        | Purpose                             | Example
----------------|-------------------------------------|------------------------------------------
LDAP            | Directory queries & authentication  | Active Directory
SAML            | Single Sign-On                      | Salesforce login via Google Workspace
OAuth 2.0       | Authorization/delegated access      | Third-party apps accessing Google Drive
OpenID Connect  | Authentication + user info          | Logging in via Google/Facebook
Kerberos        | Network authentication              | Windows domain login

In short:

  • IAM = managing who has access to what.
  • Protocols = the mechanisms that enforce secure authentication and authorization across systems.
