What is Identity and Access Management (IAM)?

IAM is crucial for ensuring that the right people have access to the right systems and data at the right time. What does it entail, and why is it so critical?

Previously, it was common to only have access to company data when physically present at the workplace. Firewalls and centralized infrastructure with data centers in the basement ensured that users had access as long as they were at work. Anyone outside the building was considered an outsider and was blocked from accessing services.

With cloud solutions, mobile devices, and remote work, complexity has increased, and digital identity has become crucial for users to access the right systems. This puts IAM at the forefront, both for securing systems and providing services effectively to the users who need them.

 

What is IAM?

IAM stands for Identity and Access Management.

The core of IAM is ensuring that users can log in to and use various IT services, with access to do what they need and exactly what they are allowed to do, nothing more.

In short, this often includes ensuring:

Correct and complete user data
A good overview of active user accounts
The right user has the right access
Secure identification of the user
User-friendly login to applications and services
Maximum automation of the creation, maintenance and deletion of user data and access

What is Identity Management?

Identity management is about being able to identify and describe a user. What are the person's first and last names? What is their job title? What does the person look like? In which department do they work? You then have to ensure that this information is correct and kept up to date, and that it is sent to the various systems and applications that need it.

Although not all companies have dedicated IAM systems, all organizations conduct some form of identity management. That means routines and processes for registering new employees and creating their user accounts and access, and, hopefully, removing them again when the person in question leaves. How good these processes are, how well they account for different situations and scenarios, and how well they work in practice varies widely.
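One way to check whether such routines work in practice is to reconcile the accounts in each system against the HR register. The sketch below is an added example, not code from the original article; the records, field names and system names are constructed for illustration.

```python
from datetime import date

# Constructed sample data. The HR register is treated as the authoritative source.
HR = {
    "E100": {"name": "Ada Berg", "department": "Finance", "end_date": None},
    "E101": {"name": "Jon Lie", "department": "IT", "end_date": date(2024, 3, 31)},
    "E102": {"name": "Mia Dahl", "department": "Sales", "end_date": None},
}
ACCOUNTS = [
    {"system": "mail", "login": "ada", "employee_id": "E100", "department": "Finance", "active": True},
    {"system": "crm", "login": "jon", "employee_id": "E101", "department": "IT", "active": True},
    {"system": "mail", "login": "jon", "employee_id": "E101", "department": "IT", "active": False},
    {"system": "crm", "login": "mia", "employee_id": "E102", "department": "Support", "active": True},
    {"system": "erp", "login": "svc-old", "employee_id": None, "department": None, "active": True},
]

def reconcile(hr, accounts, today):
    """Compare active accounts against HR and return what needs fixing."""
    findings = {"disable": [], "no_owner": [], "update": []}
    for acc in accounts:
        if not acc["active"]:
            continue  # already deactivated, nothing to do
        ref = f'{acc["system"]}/{acc["login"]}'
        person = hr.get(acc["employee_id"])
        if person is None:
            # No HR record answers for this account.
            findings["no_owner"].append(ref)
        elif person["end_date"] and person["end_date"] < today:
            # The person has left, but the account was never removed.
            findings["disable"].append(ref)
        elif acc["department"] != person["department"]:
            # User data in the system has drifted from the HR register.
            findings["update"].append((ref, acc["department"], person["department"]))
    return findings

REPORT = reconcile(HR, ACCOUNTS, today=date(2024, 6, 1))
for kind, items in REPORT.items():
    print(kind, items)
```

Run on a schedule against real exports, the same comparison gives the overview of active accounts and flags leavers whose access is still open.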

When do companies need identity management?

Companies should take a deliberate approach to managing identities and access by the time they reach 20 employees at the latest. At that point you start to lose track of who is doing what, and you should start thinking about how to solve it. Whether you should look at dedicated IAM systems depends on how complicated the company's services are and how high the security requirements are.

Companies should start thinking about the management of identities and access already when they reach 20 employees.


What is Access Management?

Access management is about which services and applications users should be able to log in to, as well as what the person concerned should be allowed to do and what data they should be able to see once they are inside the services.

In some services, one person should be able to log in and edit their own documents, while another should perhaps be able to log in as a superuser with further privileges and rights. With an ever-growing number of services and applications, this is becoming an increasingly complex logistical task.

The vulnerability of using one username and password for all systems

Before, it was often the case that you had access to eight systems with eight usernames and passwords. It was not unusual to see bouquets of post-it notes hanging around the office space so that people would be able to remember which username and which password went to which system.

Eventually, the systems began to be linked together so that you only needed one username and password, which was then distributed to all the systems. This gives much better user-friendliness, but security decreases and vulnerability increases: if you lose the password, the intruder suddenly has access to all the other systems as well. Security is thus never stronger than the weakest system.

Just as a chain is never stronger than its weakest link, security was never stronger than its weakest system.

Central identity service for increased security and user-friendliness

A better solution is a central service, an identity provider (IdP), which carries out the identification in a secure way on behalf of the different systems. When the central IdP approves the user, a message is sent back to the system. Since the system has no knowledge of how the user authenticated or what the user's password is, there is no risk that the information can be used to log in elsewhere if one of the services is breached. Thus, we get the best of both worlds: both increased user-friendliness and increased security.
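The flow described above, as an added example that is not from the original article: a toy IdP checks the password and sends each service a signed message naming that service, so a service never stores or sees the password. Real deployments use standards such as SAML or OpenID Connect, normally with asymmetric signatures. The per-service HMAC key, class and function names here are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os, time

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityProvider:
    """Toy central IdP: the only component that ever sees a password."""
    def __init__(self):
        self._users = {}   # username -> (salt, password hash)
        self._keys = {}    # service name -> key used to sign its assertions

    def register_service(self, service):
        self._keys[service] = os.urandom(32)
        return self._keys[service]

    def enroll(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _kdf(password, salt))

    def login(self, username, password, service, now=None):
        """Return a signed assertion for `service`, or None if login fails."""
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(_kdf(password, salt), stored):
            return None
        now = time.time() if now is None else now
        claims = {"sub": username, "aud": service, "exp": int(now) + 300}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(self._keys[service], body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

def verify_assertion(token, service, key, now=None):
    """Run by a service: accept only an unexpired assertion issued for it."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["aud"] != service or claims["exp"] < now:
        return None
    return claims["sub"]

# Constructed sample: one user, two services that each hold only their own key.
idp = IdentityProvider()
wiki_key, payroll_key = idp.register_service("wiki"), idp.register_service("payroll")
idp.enroll("alice", "correct horse battery staple")
token = idp.login("alice", "correct horse battery staple", "wiki")
print(verify_assertion(token, "wiki", wiki_key))        # accepted at the wiki
print(verify_assertion(token, "payroll", payroll_key))  # rejected at payroll
```

The only secret a service holds is its own verification key, and the audience and expiry checks limit what a captured message is good for.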

 

Freeing up resources, increased efficiency and improved security

As you gain control, you will see that this work frees up resources and makes things more efficient. For example, the company can save money because licenses are released when you no longer pay for old users, and because users and the service desk don't have to spend a lot of time on password resets.

It is easier to set aside resources for further development and rollout of solutions that support good identity and access management, when you see that you are saving resources and improving security. Especially when the benefits for both the business and the end users are made clear.

Done correctly, IAM will be a "force multiplier" for your company, both in the work to ensure solid security around services and data and in effectively providing good services to your end users!