Identity and Access Management (IAM)
The framework of policies, processes, and technologies that manage digital identities and control access to systems and resources.
What Is IAM?
Identity and Access Management (IAM) is the discipline of ensuring that the right people — and only the right people — can access the right resources, at the right time, for the right reasons. It encompasses the processes, technologies, and policies used to manage digital identities and control access across your organisation.
IAM answers two fundamental security questions:
- Who are you? (Identity and Authentication)
- What are you allowed to do? (Authorisation and Access Control)
Core IAM Components
Identity providers (IdP): Centralised systems that store and manage user identities — Microsoft Entra ID (Azure AD), Google Workspace, Okta, Ping Identity.
Single Sign-On (SSO): Allows users to authenticate once and access multiple applications without logging in separately to each.
Multi-Factor Authentication (MFA): Adds a second verification step beyond passwords.
Role-Based Access Control (RBAC): Assigns access permissions based on organisational roles rather than individual users.
Provisioning and deprovisioning: Automated workflows to create accounts when someone joins, update them when roles change, and disable them immediately when someone leaves.
Privileged Access Management (PAM): Specialised controls for high-privilege accounts — admin accounts, service accounts, emergency access.
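As an added example (not code from the original page or from any of the products it names), the following Python sketch ties the RBAC and provisioning/deprovisioning components together: permissions are attached to roles, a joiner is provisioned with the roles for their job, a mover has their role set replaced rather than extended, and a leaver is disabled immediately. The role names, permissions and the user "alice" are constructed for illustration.

```python
"""Added example, not part of the original page: a minimal role-based access
control (RBAC) model tied to the joiner / mover / leaver lifecycle described
above. Role names, permissions and users are constructed for illustration."""
from dataclasses import dataclass, field

# Permissions are granted to roles, never directly to people, so a change of
# job is a change of role assignment rather than a hand-edited permission list.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "finance": frozenset({"invoices:read", "invoices:approve"}),
    "support": frozenset({"tickets:read", "tickets:write"}),
    "it-admin": frozenset({"users:manage", "tickets:read"}),
}


@dataclass
class Account:
    user: str
    roles: set[str] = field(default_factory=set)
    enabled: bool = True


class Directory:
    """Toy identity store with provisioning, role changes and deprovisioning."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def _check_roles(self, roles: set[str]) -> None:
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")

    def provision(self, user: str, roles: set[str]) -> None:
        """Joiner: create the account with exactly the roles for the job."""
        self._check_roles(roles)
        self.accounts[user] = Account(user, set(roles))

    def change_roles(self, user: str, roles: set[str]) -> None:
        """Mover: replace the role set rather than adding to it, so access
        from a previous job does not accumulate."""
        self._check_roles(roles)
        self.accounts[user].roles = set(roles)

    def deprovision(self, user: str) -> None:
        """Leaver: disable immediately and strip roles; the record is kept so
        audit logs that refer to the user still resolve."""
        acct = self.accounts[user]
        acct.enabled = False
        acct.roles.clear()

    def permissions(self, user: str) -> frozenset[str]:
        """Effective permissions: the union of the user's active roles, or
        nothing at all for unknown or disabled accounts."""
        acct = self.accounts.get(user)
        if acct is None or not acct.enabled:
            return frozenset()
        return frozenset().union(*(ROLE_PERMISSIONS[r] for r in acct.roles))

    def is_allowed(self, user: str, permission: str) -> bool:
        """Authorisation check: deny by default, allow only via an active role."""
        return permission in self.permissions(user)


def lifecycle_demo() -> list[bool]:
    """Walk one constructed user through join, move and leave and return the
    outcome of an access check at each stage."""
    d = Directory()
    d.provision("alice", {"finance"})
    joined = d.is_allowed("alice", "invoices:approve")      # True
    d.change_roles("alice", {"support"})
    moved_old = d.is_allowed("alice", "invoices:approve")   # False: old access gone
    moved_new = d.is_allowed("alice", "tickets:write")      # True: new role active
    d.deprovision("alice")
    left = d.is_allowed("alice", "tickets:write")           # False: account disabled
    return [joined, moved_old, moved_new, left]


if __name__ == "__main__":
    print(lifecycle_demo())
```

The two design choices worth copying into a real directory are that `change_roles` replaces rather than appends (the usual source of permission creep) and that `permissions` returns an empty set for a disabled account, so every authorisation path fails closed the moment deprovisioning runs.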
Why IAM Is the Foundation of Security
Identity has become the primary security perimeter. Traditional network perimeters have dissolved with cloud and remote work — but every access request still requires an identity. An attacker who compromises an identity with broad permissions can move laterally, exfiltrate data, and persist undetected.
According to Verizon's DBIR, over 80% of breaches involve compromised credentials.
IAM for SMBs: Where to Start
- Centralise identity in a single directory (Microsoft Entra ID or Google Workspace)
- Enforce MFA organisation-wide
- Implement SSO for SaaS applications
- Automate offboarding — accounts left active after someone leaves are a critical risk
- Review privileged access quarterly
- Use conditional access policies (block logins from unusual locations or unmanaged devices)
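The checklist above can be read as a policy, and the following added example (written for this page, not taken from Microsoft Entra ID, Google Workspace or any other product) evaluates it in Python: sign-ins from unmanaged devices or unusual locations are blocked, everything else must satisfy MFA before it is allowed, and a second function flags privileged role assignments whose quarterly review is overdue. The trusted countries, managed-device inventory, review dates and sample sign-ins are all constructed for illustration.

```python
"""Added example, not part of the original page: a small conditional access
evaluator applying the checklist above (MFA everywhere, block unusual
locations and unmanaged devices) to sign-in attempts, plus a check for
privileged role assignments whose quarterly review is overdue. Trusted
countries, the device inventory, review dates and the sample sign-ins are all
constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

ALLOW, DENY, REQUIRE_MFA = "allow", "deny", "require_mfa"

# Constructed policy inputs: where this organisation's staff normally sign in
# from, and which device ids are enrolled in device management.
TRUSTED_COUNTRIES = {"GB", "IE"}
MANAGED_DEVICES = {"lap-0042", "lap-0077"}


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str
    device_id: str
    mfa_satisfied: bool


def evaluate(attempt: SignIn) -> tuple[str, str]:
    """Return (decision, reason). Blocking policies are checked first; the
    fall-through for anything else is still an MFA requirement, never a bare
    password login."""
    if attempt.device_id not in MANAGED_DEVICES:
        return DENY, f"unmanaged device {attempt.device_id}"
    if attempt.country not in TRUSTED_COUNTRIES:
        return DENY, f"sign-in from unusual location {attempt.country}"
    if not attempt.mfa_satisfied:
        return REQUIRE_MFA, "MFA is enforced organisation-wide"
    return ALLOW, "managed device, expected location, MFA satisfied"


@dataclass(frozen=True)
class PrivilegedAssignment:
    user: str
    role: str
    last_reviewed: date


def overdue_reviews(assignments, today: date, max_age_days: int = 90) -> list[str]:
    """Quarterly privileged access review: return 'user:role' for every
    assignment not re-certified within max_age_days of today."""
    cutoff = today - timedelta(days=max_age_days)
    return [f"{a.user}:{a.role}" for a in assignments if a.last_reviewed < cutoff]


# Constructed sample data: four sign-ins, two privileged assignments, and the
# date on which the review is run.
SAMPLE_SIGNINS = [
    SignIn("alice", "GB", "lap-0042", mfa_satisfied=True),
    SignIn("bob", "GB", "lap-0077", mfa_satisfied=False),
    SignIn("carol", "GB", "byod-phone", mfa_satisfied=True),
    SignIn("dave", "AU", "lap-0042", mfa_satisfied=True),
]
SAMPLE_PRIVILEGED = [
    PrivilegedAssignment("alice", "global-admin", date(2024, 1, 10)),
    PrivilegedAssignment("bob", "exchange-admin", date(2024, 5, 2)),
]
AUDIT_DATE = date(2024, 6, 1)


def decisions(attempts=SAMPLE_SIGNINS) -> dict[str, str]:
    """Map each sample user to the policy decision for their sign-in."""
    return {a.user: evaluate(a)[0] for a in attempts}


if __name__ == "__main__":
    for a in SAMPLE_SIGNINS:
        print(a.user, *evaluate(a))
    print("overdue reviews:", overdue_reviews(SAMPLE_PRIVILEGED, AUDIT_DATE))
```

Two things the ordering in `evaluate` gets right that ad-hoc rules often miss: a deny condition is never overridden by a later allow (carol's MFA does not rescue her unmanaged device), and the default outcome is `require_mfa` rather than `allow`, so a sign-in the policy did not anticipate still cannot proceed on a password alone.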