Identity Management (IAM)

Identity management (Identity and Access Management, IAM) is the framework and technologies that govern digital identities and control access to systems and data. IAM ensures that the right people have the right access to the right resources at the right time.

    What is identity management?

    Identity management is about governing who has access to what in the organisation’s IT environment. It encompasses the creation of user accounts, assignment of rights, authentication of users and revocation of access when it is no longer required.

    IAM is closely linked to access control, but the two concepts cover different aspects. Identity management addresses "who are you?", while access control addresses "what are you permitted to do?". Together with multi-factor authentication and privileged access management, IAM forms the foundation of the organisation’s security architecture.

    In a zero trust architecture, IAM is particularly important because every access request is verified regardless of location. Without strong identity management, zero trust cannot function.

    IAM components

    An IAM system typically comprises several components:

    • Directory service: The central database of users, groups and their attributes. Active Directory and Azure AD are the most widely used.
    • Authentication: Verification of the user’s identity. Combine passwords with multi-factor authentication (MFA) for stronger security.
    • Single Sign-On (SSO): Gives users access to multiple systems with a single login. Improves user experience and reduces password fatigue.
    • Role-based access control (RBAC): Assigns access based on roles rather than individual rights. Simplifies administration of access rights.
    • Provisioning and deprovisioning: Automated creation and removal of user accounts and rights.
    • Access governance: Regular review of access rights to ensure they are still necessary and appropriate.

    The identity lifecycle

    A digital identity passes through several phases:

    Onboarding: A new employee is created in the directory service. Based on role, access to relevant systems is assigned automatically. Security training is completed before access to sensitive systems is granted.

    Role change: When an employee changes role, old access must be removed and new access added. This is often the weakest point, as old access is forgotten and the employee gradually accumulates excessive rights (privilege creep).

    Offboarding: Upon departure, all accounts and access are deactivated immediately. Automated offboarding via integration with HR systems ensures nothing is overlooked.

    Access review: Regular reviews in which managers verify that their employees hold the correct access. Logging of access changes and monitoring of abnormal access behaviour support governance.

    For service accounts and automated processes, the same principles apply. Privileged access management is especially important for accounts with elevated rights.
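The lifecycle checks described above (missed offboarding, privilege creep after a role change, accounts without an owner) can be run as a reconciliation between an HR export and a directory export. The sketch below is an added example, not part of the original page; the role model, account names, field names and the finding labels "orphaned", "unowned" and "privilege-creep" are assumptions constructed for illustration.

```python
from datetime import date

# All data below is constructed sample input, not from a real environment.
# RBAC baseline: the entitlements each role is supposed to hold.
ROLE_ENTITLEMENTS = {
    "hr": {"email", "hr-system"},
    "finance": {"email", "erp"},
    "it-admin": {"email", "vpn", "directory-admin"},
}
# HR export: employee id -> (current role, last working day or None).
HR_RECORDS = {
    "e100": ("hr", None),
    "e101": ("finance", None),                 # moved from hr to finance
    "e102": ("it-admin", date(2024, 3, 31)),   # has left
    "e103": ("hr", date(2024, 1, 15)),         # has left, account disabled
}
# Directory export: one dict per account.
DIRECTORY = [
    {"account": "alice", "owner": "e100", "enabled": True,
     "entitlements": {"email", "hr-system"}},
    {"account": "bob", "owner": "e101", "enabled": True,
     "entitlements": {"email", "erp", "hr-system"}},
    {"account": "carol", "owner": "e102", "enabled": True,
     "entitlements": {"email", "vpn", "directory-admin"}},
    {"account": "dave", "owner": "e103", "enabled": False,
     "entitlements": {"email", "hr-system"}},
    {"account": "svc-backup", "owner": None, "enabled": True,
     "entitlements": {"directory-admin"}},
]
SAMPLE_TODAY = date(2024, 6, 1)

def review_access(directory, hr_records, role_entitlements, today):
    """Return (account, finding, detail) tuples for enabled accounts."""
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue  # already deprovisioned, nothing to review
        record = hr_records.get(acct["owner"])
        if record is None:
            findings.append((acct["account"], "unowned", "no owner in HR data"))
            continue
        role, last_day = record
        if last_day is not None and last_day < today:
            findings.append((acct["account"], "orphaned",
                             f"owner left {last_day.isoformat()}"))
            continue
        # Anything beyond the role baseline is a candidate for removal.
        excess = acct["entitlements"] - role_entitlements.get(role, set())
        if excess:
            findings.append((acct["account"], "privilege-creep",
                             ", ".join(sorted(excess))))
    return findings
```

Each finding is an input to the access review: the manager or account owner confirms or removes the access, and the decision is logged.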

    Regulations and standards

    GDPR requires that only authorised persons have access to personal data. IAM is the primary mechanism for ensuring this and documenting who has access to what.

    ISO 27001 and its Annex A contain several controls for identity management: access control policy (A.5.15), user registration (A.5.16), privileged access (A.8.2) and access rights (A.5.18). An ISMS must define IAM processes as part of its technical and organisational measures.

    NIS2 and DORA impose requirements on access management and authentication. CIS 18 dedicates Controls 5 and 6 to account management and access control.

    Frequently Asked Questions about Identity Management (IAM)

    What is the difference between identity management and access control?

    Identity management is about creating, maintaining and decommissioning user identities. Access control is about determining what a given identity has access to. Together they constitute IAM (Identity and Access Management).

    What is SSO (Single Sign-On)?

    SSO gives users the ability to log in once and then access multiple systems without logging in again. It improves user experience and reduces the risk of weak passwords, since users only need to remember one strong password.

    Why is offboarding important in IAM?

    When an employee leaves the organisation, all access must be deactivated quickly. Forgotten accounts (orphaned accounts) are a security risk, as they can be misused without being detected. Automated offboarding reduces this risk.

    What is role-based access control (RBAC)?

    RBAC assigns access based on the user’s role in the organisation rather than individual rights. An HR employee automatically receives access to HR systems. It simplifies administration and ensures consistency.
