# What is identity and access management? Guide to IAM  ## Metadata - Author: [[Phil Sweeney]] - Full Title: What is identity and access management? Guide to IAM - Category: #articles - Summary: Identity and access management (IAM) is a framework that helps organizations manage digital identities and control user access to sensitive information. It uses technologies like single sign-on and multi-factor authentication to enhance security and ensure only the right users have access to data. Implementing IAM can reduce data breach risks and streamline user access management, providing a competitive advantage for businesses. - URL: https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system ## Highlights - Cybersecurity relies on IAM and its ever-increasing list of features, including [biometrics](https://www.techtarget.com/searchsecurity/definition/biometrics), behavior analytics and AI. With its tight control of resource access in highly distributed and dynamic environments, IAM aligns with security's transition from using traditional firewalls and inherent-trust practices to more rigid control architectures. The foremost of these stricter controls is the [zero-trust model](https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network). An organization that implements zero trust authorizes and authenticates users continuously, not merely once at the perimeter. This inverts the idea that users who've been cleared can be fully trusted. The zero-trust architecture prevents unnecessary movement between applications and systems, which, in turn, limits the damage an intruder might do. ([View Highlight](https://read.readwise.io/read/01jrbc7kx2re8r4624j1qns8r1)) - Research by Verizon found that, over the past decade, stolen credentials have played a role in nearly one-third of breaches. Credential theft is so effective that it is used by both run-of-the-mill cybercriminals and highly organized nation-state threat actors. ([View Highlight](https://read.readwise.io/read/01jrbc8srfrw45e3b35h4he72e)) - **Multifactor authentication.** [MFA](https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA) is an increasingly common type of authentication. An IAM system that requires a user to enter a code texted to their phone, for example, increases the likelihood that the access attempt is legitimate. Unless they've already gained access to -- or possession of -- the user's phone, bad actors with a stolen password won't be able to clear that second authentication hurdle. ([View Highlight](https://read.readwise.io/read/01jrbcb1vrzhkew4yegzwkcjtt)) - **Adaptive authentication.** When dealing with highly sensitive information and systems, organizations can use behavioral or adaptive authentication methods to assist in identity management. IAM tools, for example, are now more capable of noticing when someone who typically logs in from a certain place at a certain time is attempting to access systems from another location and at a time they are not normally working. These behaviors could signal that the user's credentials have been compromised. ([View Highlight](https://read.readwise.io/read/01jrbcbfykk4mdjma94w0vazgx)) - Specific [IAM risks to watch for](https://www.techtarget.com/searchsecurity/answer/What-are-some-of-the-top-identity-and-access-management-risks) include the following: • Irregular access reviews. • Weak passwords and missing MFA. • Overprivileged accounts. • Poorly integrated IAM across systems and clouds. ([View Highlight](https://read.readwise.io/read/01jrbccbk16b88340xxk1z2v1n)) - Central to IAM is an adherence to the [principle of least privilege](https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP), where users are granted only the access rights necessary to fulfill their particular work duties. This predetermined and real-time access control is necessary for security as well as compliance. ([View Highlight](https://read.readwise.io/read/01jrbccxfkcmqfgwfxfn1dzmds))