IT Knowledge
July 9, 2024

Fundamental Concepts of Identity Access Management

Nikolai Fomm
COO and co-founder

Fundamental Concepts of Identity Access Management

In the life time of any company comes the point where questions get asked on the management of new users that arrive or the handling of accesses. In the early days of a company life cycle this is often being done ad-hoc or by sharing accesses between colleagues. This can work for a while but there comes the moment where things get messy, cyberrisks increase and the first audit reveals how much your are overpaying your software subscriptions because you have no idea about your user identities.

Sounds relatable? I feel you. This is a very common pain in companies. No idea where to start? Well, then this article is for you. Understanding the core concepts of Identity and Access Management (IAM) is essential for effectively implementing and managing IAM systems within your company. Otherwise you risk that actionism will not solve the problem but just increase the complexity and confusion for your team. Here’s a deeper dive into each of these fundamental concepts:

Digital Resources

This is the most theoretical part of the article. Afterwards, it is getting hands-on, promise! Digital resources are the assets that an organization aims to protect and manage access to through IAM. These resources can be varied and include:

  • Web Applications: Online platforms that provide various services to users, such as email, document storage, or e-commerce sites. This is commonly known as SaaS. You probably use already a lot and certainly there are even more that you are not even aware of. (This is called Shadow IT, but this is another story).
  • APIs (Application Programming Interfaces): Interfaces that allow different software systems to communicate with each other, often exposing specific functionalities or data to be used by other applications. APIs are key for automations but you better make sure that you know where your data is flowing!
  • Databases: Structured collections of data that can be accessed electronically. You want to make sure that they are easily accessible so your tea can make data-driven decisions. At the same time a leak here would be a massive risk for your company.
  • Devices: Physical or virtual devices that interact with an organization's network, including smartphones, laptops, IoT devices, and servers.

By protecting these digital resources, organizations can ensure that sensitive data and critical systems remain secure and accessible only to authorized users. This should be an intrinsic motivation for you to keep your company safe and sounds but sooner or later an information security certification (like ISO 27001 or SOC 2) could force you to act on this.

Identity, the i in IAM

In the context of IAM, identity refers to the digital representation of a user or an entity within a system. This concept is crucial for distinguishing between different users and controlling their access to resources. Key aspects of identity include.

  • User Accounts: Individual profiles created for human users, such as employees, customers, or contractors. Each account typically includes unique identifiers like usernames and email addresses. But having an alias (or several one) can significantly complicate this when you use several emails but you are still the same person.
  • Non-Human Identities: Accounts created for entities that are not human, such as applications, services, IoT devices, or robotic systems. These identities are crucial for automated processes and machine-to-machine interactions. This can be the email account you use to collect invoices or a user group.
  • Attributes: Additional information associated with an identity, such as roles, permissions, group memberships, and personal details (e.g., job title, department).

Effective identity management involves creating, maintaining, and securing these identities to ensure accurate authentication and authorization processes. This can get quite complicated once you can easily connect an email to a person. For instance under you could collect all invoices, but should this email have access to your financial planning tool given that some finance team members work on it but others are only working on invoice collection? Initially, this is manageable, but as the complexity in the team grows with different teams, departments, locations, countries grows, understanding Identity becomes key.

Authentication for secure access

Authentication is the process of verifying that a user or entity is who they claim to be. It serves as the first line of defense in IAM by ensuring that only legitimate users gain access to digital resources. Common methods of authentication include:

  • Passwords: The most traditional form of authentication, where users enter a secret combination of characters to prove their identity.
  • Security Tokens: Physical or digital devices that generate a unique code used to verify identity. Examples include hardware tokens, mobile authentication apps, and one-time password (OTP) systems. This is typically only used in highly sensitive industries or maybe by specific security teams as it is expensive and complicated to establish and maintain.

Modern IAM systems often employ multi-factor authentication (MFA), which requires users to provide two or more verification methods, significantly enhancing security. This is by now a standard technique that massively contributes to a secure organisation.

Authorization for automated provisioning

Authorization is the process of determining what resources a user or entity can access and what actions they can perform after their identity has been authenticated. This happens every month when new joiners get onboarded or team members switch team and need a different set of tools to do their work. This process involves:

  • Access Control Policies: Rules that define what resources are available to different users based on their roles, groups, or other attributes. Policies can be coarse-grained (broad access levels) or fine-grained (specific permissions).
  • Role-Based Access Control (RBAC): A method where access permissions are assigned based on user roles within the organization. For example, a manager might have access to different resources compared to a regular employee.
  • Fine-Grained Authorization (FGA): A more detailed approach to access control that considers specific conditions, relationships, or attributes to determine access rights. This allows for highly customized access control policies.
  • Authorization ensures that users can only interact with the resources they are permitted to, thereby preventing unauthorized access and potential security breaches.

    Why Understanding These IAM Concepts Matters

    With the right IAM system in place, organizations can manage user identities and access rights efficiently, reducing the risk of data breaches and maintaining the integrity and confidentiality of their digital resources. At the same time, it can help you run the company more smoothly and efficiently. Believe it or not, a good IAM can save you money!

    Those are just the basics and establishing IAM over night is not easy. Corma is here to help and guide you in the process. By first centralising all your digital resources around SaaS in one space, it allows you to automatically provision user and conduct review accesses. Reach out if you want to understand what IAM setup would be a good fit for your organisation.

    Ready to get back in control of your SaaS?

    Experience the benefits of digital transformation. Cut you software spend by 30% through managing the contract lifecycle of your SaaS, secure your business through automated provisioning in identity and access management, all while boosting software stack with our vendor management system.

    Get started with Corma

    Thank you! Your submission has been received!
    Oops! Something went wrong while submitting the form.

    Related blog