
Identity and Access Management (IAM) - Why It Matters and What You Need to Do

IAM systems deserve much more attention – they may work under the hood, but they are the very key to all data and functionality of an online service.

Every website, every app, every online service with a login functionality needs to allow its users to authenticate themselves and must assign them rights and privileges: decide what those users can do, what data they can read, write, modify, and delete.

This is what Identity and Access Management (IAM) is all about.

Why Identity & Access Management (IAM) Matters: If It Fails, Everything Falls Apart

We have all seen the hacker set-pieces in the movies: the hacker, trying to access a computer system, uses the name or handle of a person they pretend to be, then "guesses" the password, and voila: they are in. A little later, they may need to escalate their privileges or find a user with more privileges on the system they are trying to control.

This may only be a movie, but it shows why IAM is so important: if it fails, things fall apart, and catastrophically so. Users can steal, delete, or create new identities. And they can do things they should not be able to do: access trade secrets, change records, plant logic bombs. Or, most often, just buy stuff on someone else's account.

IAM is the real access point to everything that can be done with a system, to all the data that is stored, to all the actions that are possible. It is like a house key plus code for the alarm system: if the IAM is not working, the whole system or platform is wide open.

What Identity and Access Management (IAM) Must Do

IAM is a broad and not very precisely defined term. Therefore, other terms are often used that mean the same thing as Identity and Access Management, or IAM for short, such as “authentication solution” or “user management”. There are also different sub-categories: for example, Customer Identity and Access Management consists of services that are particularly important for consumer-facing websites with a login, while an enterprise solution might be directed inwards to an organization's intranet.

Where Data Protection and Privacy Enter the Picture

This set of functions shows that the IAM service is the key to the whole system: all the data, all the identities, everything that can be done on the platform. Therefore, if there are deficiencies in technical data protection, the entire system is non-compliant and can easily be compromised.

This is why, for example, the German Federal Office for Information Security (BSI) devotes an entire section of its IT-Grundschutz compendium to IAM (ORP.4 - Identity and Access Management).

For most services beyond a certain size and complexity, it is nearly impossible to meet all of these criteria with a homegrown solution. This is especially true for distributed systems that require a cloud-based IAM solution. A provider is needed, which in data protection terms means: outsourced data processing according to Art. 28 GDPR (or in some cases: joint control, Art. 26 GDPR).

Since authentication data is personal data, and since it is the key to access even more data, a data transfer to and from the IAM provider will take place, triggering the complex set of rules laid down in the GDPR.

Action Required

IAM systems do not always get the attention they deserve. They work under the hood, are very technical, and are not exciting in any way. Yet they are the gatekeepers between a system and the world. If they are weak, compromised, or simply not compliant, then so is the entire system. Again: IAM is a C-level responsibility.

The good news is that choosing the right cloud-based IAM system makes life easier for the business, IT and users alike. Well-defined roles and easy-to-use self-service interfaces minimize administration and make processes transparent. Maintenance and further development are outsourced to a provider who works centrally and efficiently and who constantly follows the latest developments in technology, administration and legislation.

At Engity, we believe that this is simply good business.

Note: This article was first published in March 2022 and last updated and corrected in March 2024