Every website, app and online service with a login needs to authenticate its users, i.e., verify their identity, and authorize them, i.e., assign them appropriate rights and privileges: decide what those users can do and which data they can read, write, modify and delete.
This is what Identity and Access Management (IAM) is all about.
Why Identity & Access Management (IAM) Matters: If It Fails, Everything Falls Apart
We have all seen the hacker set-pieces in the movies: the attacker, trying to get into a computer system, uses the name or e-mail address of the person they are impersonating, then “guesses” the password, and voilà: they are in. A little later, they might try to gain elevated privileges or find a user with more rights on the system they are trying to control.
This may only be a movie, but it shows why IAM is so important: if access management is not implemented or used correctly, the consequences can be serious. Criminals can steal, delete or create identities. And they can do things they should not be able to do: access trade secrets, change records, plant logic bombs or encrypt entire systems with ransomware. Or, most often, conduct transactions on behalf of others.
IAM is the real access point to everything that can be done with a system, to all the data that is stored and to all the actions that are possible. It is like a house key plus code for the alarm system: If the IAM is insufficiently secured or incorrectly configured, in the worst case the entire system or platform is wide open.
What Identity and Access Management (IAM) Must Do
IAM is a broad and not precisely defined term. Therefore, other terms are often used that cover similar aspects, such as “authentication solution” or “user management,” even though these terms typically only describe parts of IAM. IAM encompasses both the management of identities and the control of access rights throughout the entire lifecycle.
Furthermore, there are different forms of IAM. For example, Customer Identity and Access Management (CIAM) includes solutions specifically designed for external users and consumer-oriented websites and applications, while classic IAM solutions often target internal use cases within organizations.
However, there are some basic functions that every IAM solution should fulfill:
- Centralization & Identity Management: An IAM solution should be centralized, seamlessly connecting various resources and subsystems and providing a unified overview of user identities and their access rights. This also includes managing the entire identity lifecycle (creating, modifying, and revoking digital identities).
- Single Sign-On (SSO): Users should be able to access multiple systems and applications with a single identity, without having to authenticate multiple times.
- Strong authentication (MFA): An IAM solution must reliably authenticate users and should support advanced methods such as multi-factor authentication (MFA) - especially for privileged or security-critical access.
- Self-service functions: Users should be able to perform basic functions independently, such as resetting passwords or managing their access data.
- Authorization management (RBAC / Least Privilege): Access rights should be structured and assigned based on roles, so that users only receive the permissions they actually need (“Least Privilege” / “Need-to-Know”).
- Mapping complex access rules: The solution should be able to map even complex organizational requirements and access logics (e.g., context-based or attribute-based rules).
- Compliance & Auditability: Access and changes should be logged in a traceable manner to meet compliance requirements and support audits.
- Scalability & Performance: The IAM solution should be able to keep pace with growing user numbers and increasing requirements without losing performance or reliability.
- Integration & Standards (OIDC, OAuth, SAML): An IAM solution should integrate seamlessly with existing directory services, cloud and on-premise applications, while relying on established industry standards such as OpenID Connect (OIDC), OAuth 2.0 and SAML.
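The authorization, rule-mapping and auditability requirements above can be made concrete in a few dozen lines. The following is an added example written for this article; it is not Engity's code or any product's API. It assumes a deny-by-default evaluator in which a role must grant the (resource type, action) pair, every attribute-based condition for that pair must hold (tenant match, a second factor for writes, a time window), and each decision is appended to a hash-chained audit log. The role names, permissions, attributes and sample subjects are constructed for illustration only.

```python
"""Deny-by-default authorization check that combines role-based permissions
(RBAC, least privilege), attribute-based conditions (ABAC) and a
hash-chained audit trail.

Added example for the article, not code from Engity or from any IAM product.
Role names, permissions, attributes and sample subjects are constructed.
"""
from datetime import datetime, timezone
import hashlib
import json

# RBAC: each role carries only the (resource type, action) pairs that job
# function needs. Anything not listed here is denied (least privilege).
ROLE_PERMISSIONS = {
    "reader":  {("invoice", "read")},
    "clerk":   {("invoice", "read"), ("invoice", "write")},
    "auditor": {("invoice", "read"), ("auditlog", "read")},
}

# ABAC: extra conditions evaluated on top of a role grant. Each takes the
# subject, the resource and a request context and returns True to allow.
def same_tenant(subject, resource, ctx):
    return subject.get("tenant") == resource.get("tenant")

def mfa_present(subject, resource, ctx):
    # Security-critical actions require a second factor on the session.
    return subject.get("mfa") is True

def business_hours(subject, resource, ctx):
    return 8 <= ctx["now"].hour < 18

ABAC_CONDITIONS = {
    ("invoice", "read"):  [same_tenant],
    ("invoice", "write"): [same_tenant, mfa_present, business_hours],
}


class AuditLog:
    """Append-only log where each entry commits to the previous one, so an
    edited or removed entry breaks the chain and verify() returns False."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self.last_hash = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, event: dict) -> None:
        body = dict(event, prev=self.last_hash)
        digest = self._digest(body)
        self.entries.append(dict(body, hash=digest))
        self.last_hash = digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(subject: dict, action: str, resource: dict, ctx: dict, log: AuditLog) -> bool:
    """Return True only if some role grants (resource type, action) AND every
    attribute condition for that pair holds. Every decision is logged."""
    key = (resource["type"], action)
    granting_roles = [r for r in subject.get("roles", []) if key in ROLE_PERMISSIONS.get(r, set())]

    if not granting_roles:
        allowed, reason = False, "no role grants this permission"
    else:
        failed = [c.__name__ for c in ABAC_CONDITIONS.get(key, []) if not c(subject, resource, ctx)]
        allowed = not failed
        reason = "ok" if allowed else "condition failed: " + ", ".join(failed)

    log.record({
        "time": ctx["now"].isoformat(),
        "subject": subject["id"],
        "action": action,
        "resource": resource["id"],
        "decision": "allow" if allowed else "deny",
        "reason": reason,
    })
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    ctx = {"now": datetime(2026, 5, 4, 10, 0, tzinfo=timezone.utc)}
    clerk = {"id": "u1", "roles": ["clerk"], "tenant": "acme", "mfa": True}
    invoice = {"type": "invoice", "id": "inv-9", "tenant": "acme"}
    print(authorize(clerk, "write", invoice, ctx, log))
    print(authorize(clerk, "write", dict(invoice, tenant="globex"), ctx, log))
    print(log.verify())
```

Two design points matter here. Unknown roles and unlisted actions fall through to a deny rather than an exception, so a misconfigured role cannot widen access. And the log records denials as well as grants, which is what an auditor actually asks for: not just who got in, but who tried.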
Where Data Protection and Privacy Enter the Picture
This set of functions shows that the IAM service is the key to the whole system: all the data, all the identities, everything that can be done on the platform. Therefore, if there are deficiencies in technical data protection, the entire system is non-compliant and can easily be compromised.
This is why, for example, the German Federal Office for Information Security (BSI) devotes an entire section of its IT-Grundschutz compendium to IAM (ORP.4 - Identity and Access Management).
- First, it states that the responsibility for IAM lies with the C-level (Section 3).
- Second, the IAM service should be a core network service (ORP.4 A18).
- And third, the service should meet all the criteria listed in the comprehensive section of the Compendium.
The regulatory picture has expanded significantly, too. The NIS2 Directive, applicable since October 2024, lists “the use of multi-factor authentication or continuous authentication solutions” as a minimum risk management measure for essential and important entities. In the financial sector, the Digital Operational Resilience Act (DORA) goes further: it requires “strong authentication mechanisms”.
For most services beyond a certain size and complexity, it is nearly impossible to meet all of these criteria with a homegrown solution. This is especially true for distributed systems that require a cloud-based IAM solution. A provider is needed, which in data protection terms means: outsourced data processing according to Art. 28 GDPR (or in some cases: joint control, Art. 26 GDPR).
Since authentication data is personal data, and since it is the key to access even more data, a data transfer to and from the IAM provider will take place, triggering the complex set of rules laid down in the GDPR.
- The IAM provider must be carefully selected, and the rationale should be documented.
- A Data Processing Agreement (DPA) is needed between the parties to govern the processing of personal data on behalf of the controller.
- Data transfers to third countries / countries without an adequacy decision are only permitted if suitable safeguards exist, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs).
- Data transfers to the USA are a special case. The EU Commission has issued an adequacy decision based on the EU-US Data Privacy Framework (DPF), which allows the transfer of personal data to certified US companies without additional safeguards. A first legal challenge against the DPF was dismissed by the General Court of the European Union (EGC) in September 2025. However, it is possible that the case will end up before the European Court of Justice (ECJ) and be reviewed again, as similar arrangements have been deemed inadequate in the past. And in the US, the transfer mechanism is under review, too. The DPF may only work until it stops working.
Action Required
IAM systems do not always get the attention they deserve. They operate in the background, are technically complex, and are therefore often perceived as intangible. Yet they are the central point between a system and the outside world. If they are weak, compromised, or simply not compliant, the entire system is affected. Again: IAM is a C-level responsibility.
The good news is that choosing the right cloud-based IAM system makes life easier for the business, IT and users alike. Well-defined roles and easy-to-use self-service functions minimize administration and make processes transparent. Maintenance and further development are outsourced to a provider who works centrally and efficiently and who constantly follows the latest developments in technology, administration and legislation. Especially in complex IT landscapes, IAM thus becomes a crucial factor for security, efficiency and scalability.
At Engity, we are convinced that a well-designed and reliably operated IAM is the foundation for secure and efficient digital processes.
Note: This article was first published in March 2022 and last updated and corrected in May 2026.
