Identity and Access Management (IAM): Definition, Examples
IAM is the framework for who can access what — authentication + authorization + audit. Least privilege, MFA, RBAC, SSO are core IAM concepts.
What is Identity and Access Management (IAM)?
Identity and Access Management (IAM) is the discipline of managing digital identities and controlling what those identities can access. IAM combines authentication (proving who someone is), authorization (deciding what they can do), and audit (tracking what they did). It's foundational to security: every breach involves IAM failure at some level.
Modern IAM spans cloud platforms (AWS IAM, Azure AD/Entra ID, Google Cloud IAM), workforce identity (Okta, OneLogin, Microsoft Entra), customer identity (Auth0, Cognito), and on-prem directory services (Active Directory, LDAP).
The three pillars of IAM
| Pillar | Question Answered | Mechanisms |
|---|---|---|
| Authentication (AuthN) | Who are you? | Passwords, MFA, biometrics, SSO, certificates |
| Authorization (AuthZ) | What are you allowed to do? | Roles, policies, ACLs, ABAC, RBAC |
| Audit | What did you do? | Logs, SIEM, access reviews, anomaly detection |
Core IAM concepts
Identity
A unique reference to a user, service, or device. Format depends on system: email, username, UUID, certificate, etc.
Authentication
Proving the identity is who they claim to be. Methods range from single-factor (password) to multi-factor (password + TOTP code + biometric).
Authorization
Deciding which actions the authenticated identity can perform on which resources. Determined by roles, policies, or attribute-based rules.
Role
A named collection of permissions (e.g., "admin", "viewer", "billing-manager"). Identities are assigned roles instead of individual permissions.
Policy
A document specifying allowed and denied actions on resources (in AWS IAM, JSON-based; in OPA, Rego language).
Group
A collection of identities. Permissions can be granted to a group; new members inherit the permissions.
Single Sign-On (SSO)
One login session unlocks multiple applications. Implementations: SAML, OIDC, OAuth 2.0.
Multi-Factor Authentication (MFA)
Requires multiple authentication factors (something you know + something you have + something you are). Standard for sensitive accounts.
RBAC vs ABAC vs PBAC
| Model | Decision based on | Use case |
|---|---|---|
| RBAC (Role-Based) | User's role(s) | Most common; simple if role count manageable |
| ABAC (Attribute-Based) | Attributes of user, resource, environment | Fine-grained, dynamic — "allow if user.dept == resource.dept" |
| PBAC (Policy-Based) | Centralized policy engine evaluation | Modern, decoupled — OPA-style |
| ACL (Access Control List) | Per-resource user/permission mapping | File systems; small-scale apps |
IAM best practices
- Least privilege. Grant only the minimum permissions needed. Default deny.
- Enable MFA everywhere. Especially for admin and root accounts. Hardware tokens (YubiKey) for highest-value accounts.
- Use SSO for workforce. Centralizes deprovisioning when employees leave.
- Audit access regularly. Quarterly access reviews; remove unused permissions.
- Rotate credentials. Long-lived API keys are a leak risk. Use short-lived tokens (OAuth, AWS STS).
- Separate duties. No one person should be able to commit fraud single-handedly. Multi-approver workflows for high-risk actions.
- Log everything. Authentication attempts, authorization decisions, sensitive actions. Send to SIEM for anomaly detection.
- Use service accounts properly. Each service has its own identity; no shared credentials between humans and services.
- Federate identities. Don't duplicate user accounts across systems; use SSO + identity federation.
- Plan for offboarding. Automated deprovisioning on employee termination is critical.
Major IAM platforms
| Platform | Best for | Pricing |
|---|---|---|
| AWS IAM | AWS resources access control | Free (included) |
| Microsoft Entra ID (Azure AD) | Workforce IAM, Microsoft ecosystem | Per-user, free tier available |
| Okta | Workforce SSO + lifecycle | Per-user/month |
| Auth0 (now Okta) | Customer IAM, B2C/B2B login | Free up to 7,500 MAU; usage-based |
| Google Cloud IAM | GCP resources | Free (included) |
| JumpCloud | Cross-platform directory | Per-user |
| Ping Identity | Enterprise SSO + MFA | Quoted |
| Active Directory | On-prem Windows environments | With Windows Server license |
Common IAM failures
- Over-privileged accounts. Developers given admin access "temporarily" that's never revoked.
- Shared accounts. Multiple humans using one credential. No accountability when something goes wrong.
- Hardcoded credentials. AWS access keys committed to git, leaked in screenshots.
- Stale accounts. Former employees still have access months after leaving.
- No MFA on admin accounts. Single password compromise = total breach.
- Weak password policies. 8 characters with no rotation = brute-forceable.
- No access reviews. Permissions accumulate over years without audit.
- Phishing-based bypass of SSO. Attacker steals SSO session token; access granted without re-authenticating.
FAQ: IAM
What's the difference between authentication and authorization?
Authentication = proving who you are (password, MFA). Authorization = deciding what you can do once authenticated (RBAC, policies). You authenticate first, then are authorized.
Is RBAC enough for modern apps?
For most: yes. For complex multi-tenant SaaS or fine-grained data access: ABAC or PBAC may be needed. Start with RBAC, evolve as needed.
What's IAM in cloud (AWS IAM)?
The control plane for who/what can access AWS resources. Users, roles, policies, groups. Critical to get right — IAM misconfig = top cloud security risk.
Should I use Okta or build my own SSO?
Buy. Okta/Auth0/Microsoft Entra solve a hard problem (security, compliance, integrations). Building IAM from scratch is the worst kind of security debt.
What's least privilege?
Grant only the minimum permissions someone needs. Default deny everything; explicitly grant specific actions on specific resources. Reduces blast radius of compromised credentials.
How does IAM differ from PAM?
IAM covers all identities + access. PAM (Privileged Access Management) is a subset focused on highly-privileged accounts (root, admin, DBAs). PAM tools (CyberArk, BeyondTrust) add session recording, just-in-time access, vault credentials.
Test IAM-protected APIs with LoadFocus
If you're load testing APIs that use SSO/OAuth/SAML for authentication, LoadFocus runs JMeter and k6 scripts that handle multi-step auth flows + token refresh from 25+ regions with up to 12,500 VUs. Sign up free at loadfocus.com/signup.
Related LoadFocus Tools
Put this concept into practice with LoadFocus — the same platform that powers everything you just read about.