Identity & Access Management (IAM)
Cybersecurity Foundations
Part 2 of 13
Identity & Access Management (IAM) Explained
Who Are You, and What Are You Allowed to Access?
A Practical Guide for Students, Fresh Graduates, and
Early Career Cybersecurity Professionals
"Identity is the foundation of modern cybersecurity.
Before any system grants access, it must answer two simple questions: Who are
you? What are you allowed to do?"
1. Introduction
Imagine arriving at work on a Monday morning.
You unlock the office entrance using your employee access
card.
You sign in to your laptop using Windows Hello.
Your email opens automatically through Single Sign-On.
You connect to the corporate VPN.
You access Microsoft Teams, SharePoint, and internal
business applications without entering another password.
Later, you attempt to open the payroll system—but access is
denied.
Nothing appears unusual.
Yet every one of these actions depends on one cybersecurity
domain:
Identity & Access Management (IAM).
Before any application grants access, it must answer two
important questions:
- Who
are you?
- What
are you allowed to access?
Identity & Access Management ensures that the right
people have access to the right resources at the right time—and only for as
long as they need that access.
Without IAM, organizations would have no reliable way to
distinguish legitimate users from attackers or to control access to sensitive
information.
2. Why Identity Is the New Security Perimeter
Years ago, organizations relied heavily on a network
perimeter. Employees worked primarily from the office, systems were hosted in
on-premises data centers, and security focused on protecting the corporate
network.
Today, the workplace has changed.
Employees work from offices, homes, airports, and customer
locations. Business applications run in the cloud. Mobile devices, remote
access, and Software-as-a-Service (SaaS) platforms have become part of everyday
operations.
In this environment, identity has become the new security
perimeter.
Whether someone is accessing email, cloud storage, a
financial application, or an internal system, the first question is no longer "Are
you inside the corporate network?"
Instead, it is:
Who are you, and should you have access?
This shift makes Identity & Access Management one of the
most important cybersecurity domains in modern organizations.
3. Understanding Identity & Access Management
Identity & Access Management (IAM) is the set of
policies, processes, and technologies used to ensure that the right individuals
can access the right resources under the right conditions.
IAM has two primary objectives:
- Verify
the identity of users.
- Control
what those users are permitted to access.
Every login, every application, and every access request
depends on these two principles.
4. Authentication vs Authorization
These two concepts are often confused, but they perform
different roles.
|
Authentication |
Authorization |
|
Confirms who
you are |
Determines
what you can access |
|
Occurs before
access is granted |
Occurs after
identity is verified |
|
Username,
password, MFA, biometrics |
Roles,
permissions, policies |
|
Answers:
"Who are you?" |
Answers:
"What are you allowed to do?" |
Simple analogy:
Imagine entering an airport.
Your passport confirms your identity. That is authentication.
Your boarding pass determines which flight you may board and
whether you can enter certain areas. That is authorization.
Authentication proves your identity. Authorization
determines your level of access.
5. The Identity Lifecycle
Every employee follows an identity lifecycle throughout
their time with an organization.
(Insert Identity Lifecycle Diagram Here)
The typical stages include:
Joiner
A new employee joins the organization.
An identity is created, accounts are provisioned, and access
is granted according to the employee's role.
Mover
The employee changes roles, departments, or
responsibilities.
Access is updated to reflect the new position, ensuring
permissions remain appropriate.
Leaver
When employment ends, accounts are disabled or removed, and
access is revoked promptly to reduce security risk.
Managing this lifecycle effectively helps prevent
unauthorized access and supports compliance requirements.
6. Core Components of IAM
Identity & Access Management consists of several
interconnected capabilities.
- Identity
– Establishing and managing digital identities.
- Authentication
– Verifying a user's identity through passwords, biometrics, MFA, or
passwordless methods.
- Authorization
– Determining what resources a user may access.
- Single
Sign-On (SSO) – Allowing users to access multiple applications after a
single authentication.
- Multi-Factor
Authentication (MFA) – Requiring more than one method of verification.
- Privileged
Access Management (PAM) – Securing administrative and high-privilege
accounts.
- Identity
Governance & Administration (IGA) – Managing identity lifecycles,
access reviews, and compliance.
Each component addresses a specific aspect of identity
security while working together as part of a comprehensive IAM program.
7. IAM in Everyday Life
Identity management exists far beyond the workplace.
Think about checking into a hotel.
You present identification at reception to confirm who you
are.
Your room key gives you access to your assigned room.
It does not allow you to enter every room in the hotel.
Similarly, employees receive access only to the systems and
information necessary for their responsibilities.
This reflects the Principle of Least Privilege, one of the most important concepts in cybersecurity.
8. IAM Inside an Organization
Consider a new employee joining a bank.
HR creates the employee record.
IT creates a digital identity.
A laptop and email account are assigned.
Access to business applications is granted based on the
employee's role.
If the employee transfers to another department, permissions
are adjusted.
When the employee leaves the organization, all accounts and
access rights are revoked.
This entire process is coordinated through Identity &
Access Management.
9. Common Identity Risks
Even mature organizations face identity-related risks.
Some of the most common include:
- Weak
or reused passwords
- Shared
user accounts
- Excessive
privileges
- Dormant
accounts
- Orphaned
accounts
- MFA
fatigue attacks
- Privilege
creep
- Stolen
credentials
Effective IAM reduces these risks through strong governance,
continuous monitoring, and appropriate access controls.
10. IAM and Zero Trust
Modern cybersecurity increasingly follows a Zero Trust
approach.
Zero Trust assumes that no user, device, or application
should be trusted automatically.
Every access request must be verified based on identity,
context, and risk.
Identity & Access Management provides the foundation
that makes Zero Trust possible.
11. Career Opportunities
Identity & Access Management offers a wide range of
career opportunities.
Typical roles include:
- IAM
Engineer
- IAM
Consultant
- Identity
Administrator
- PAM
Engineer
- Identity
Governance Analyst
- Identity
Architect
- Security
Engineer
Professionals in this domain combine technical expertise
with business processes, governance, and risk management.
12. Check Your Understanding
- What
is the difference between authentication and authorization?
- Why
is Multi-Factor Authentication more secure than passwords alone?
- What
is the Principle of Least Privilege?
- Why
are privileged accounts considered high risk?
- What
is the purpose of Single Sign-On?
13. Key Takeaways
- Identity
is the foundation of modern cybersecurity.
- Authentication
verifies identity; authorization determines access.
- Effective
IAM ensures the right people have the right access at the right time.
- Managing
the identity lifecycle reduces security and compliance risks.
- Strong
identity controls are essential for Zero Trust and modern cybersecurity.
14. Continue Your Learning
Previous Article
Part 1 – Understanding the Cybersecurity Technology Landscape
Next Article
Part 3 – Endpoint Security Explained
Business Question
Is this device trusted?
15. About Cybersecurity Foundations
Cybersecurity Foundations is a practical learning
series designed to help students, fresh graduates, co-op trainees, and early
career professionals understand cybersecurity through structured learning,
real-world examples, and business-focused explanations.
Rather than focusing on individual products, the series
explains the purpose of each cybersecurity domain, how technologies work
together, and how they contribute to protecting modern organizations.
Comments
Post a Comment