What is Identity and Access Management (IAM)?


IAM Definition

IAM is short for Identity and Access Management. An IAM platform combines rules, policies, processes and technologies so that entitled users, and only those users, get access to IT resources (e.g. an application, a portal, an Intranet, a device). Its purpose is to manage digital identities and to give the right persons access to the right resources, with the right permissions, for the right duration. Similar terms such as IdM (Identity Management) are often used interchangeably.

Tasks of an IAM solution

Any IAM solution has at its core three tasks: to

  • identify,
  • authenticate, and
  • authorize (control)

entitled users.

Why do you need an IAM system?

No company or organisation can operate today without managing its data securely, whether that data belongs to employees, customers, suppliers or partners. Firms need to make sure that only authorised persons and systems (service accounts and machine identities included) have access to that data. Unauthorised access can expose a company's intellectual property, damage its reputation, and expose it to digital extortion and fraud. A well-run IAM system protects against such threats, provides an audit trail of who accessed what, and supports compliance and proper data security.

IAM and compliance

Companies do not only store their own data but also personal data of third parties. Furthermore, they may even process data for other organizations. Such data may be subject to non-disclosure agreements, may be proprietary, or constitute a trade secret. In all these cases, the data needs to be protected in such a way that only authorized persons have access to them and can only use them for lawful purposes.

General compliance

Compliance is the task of observing applicable laws, rules, and regulations. For digital Identity and Access Management this of course covers data protection laws and regulations, but also laws protecting trade secrets and intellectual property, and those guaranteeing freedom of expression or freedom from surveillance. Another aspect is preventing information from leaking out, such as insider information or other data not meant for the public; access controls and access logs are the technical means by which an organisation demonstrates that it has done so.

GDPR-Compliance

The GDPR is the data protection regulation of the European Union (EU) and is concerned with personal data. One main focus of the GDPR is data transfers, in particular to third countries, i.e. countries where the GDPR is not applicable. Such data transfers are only permitted if the third country ensures an adequate level of protection, or if another safeguard such as standard contractual clauses is in place. According to the EU Commission's adequacy decisions this is the case for countries like Japan, Switzerland, or Israel.

The status of the USA has been contested for years: the Safe Harbor and Privacy Shield frameworks were both invalidated by the Court of Justice of the EU, and the EU-US Data Privacy Framework adequacy decision of 2023 covers only organisations certified under it, so the current legal basis should be checked for each provider. Since every login verification transmits personal data (at least a username or e-mail address and an IP address) to the IAM provider, the use of cloud-based IAM solutions whose providers are based in the USA remains problematic. This is the case even if these providers store their data on servers in the EU, because under the US CLOUD Act, US authorities can compel a US-based provider to hand over data it controls regardless of where that data is stored.

What is the difference between identity management and access management?

Identity Management is concerned with identifying who the user is and to which groups of users they belong or which role or other properties they have.

Access Management on the other hand is about which resources the user can access and which rights they have. That decision in turn is made based on existing policies as to which role, group or identity has access to an application or storage space and what they are allowed to do with it.

Very often the identity and the access part are taken together under one term: Identity and Access Management, or IAM for short. In practice the two parts are also separated in the architecture: a directory or identity provider answers "who is this?", and a policy engine answers "may they do this?".
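The split described above can be made concrete in code. The following is an added example, not code from the original page or from any particular IAM product: a minimal identity store (the identity management side) and a deny-by-default policy evaluator (the access management side). The directory entries, principal naming scheme (`user:`, `group:`, `role:`), resource names and policies are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Identity:
    """Identity management side: who the user is and what they belong to."""
    username: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)


@dataclass(frozen=True)
class Policy:
    """Access management side: one statement of the form
    <effect> <principal> may/may not do <action> on <resource>."""
    effect: str      # "allow" or "deny"
    principal: str   # "user:<name>", "group:<name>" or "role:<name>"
    resource: str    # exact name, "*" or a prefix ending in "/*"
    action: str      # exact name or "*"


def _matches(pattern: str, value: str) -> bool:
    """Tiny matcher: wildcard, exact match, or trailing "/*" prefix match."""
    if pattern == "*" or pattern == value:
        return True
    return pattern.endswith("/*") and value.startswith(pattern[:-1])


def principals_of(identity: Identity) -> set:
    """All principal names an identity carries (itself, its groups, its roles)."""
    return ({f"user:{identity.username}"}
            | {f"group:{g}" for g in identity.groups}
            | {f"role:{r}" for r in identity.roles})


def is_authorized(identity: Identity, policies: list, resource: str, action: str) -> bool:
    """Default deny: access is granted only by an explicit allow,
    and any matching deny overrides every allow (least privilege)."""
    principals = principals_of(identity)
    allowed = False
    for p in policies:
        if p.principal not in principals:
            continue
        if not (_matches(p.resource, resource) and _matches(p.action, action)):
            continue
        if p.effect == "deny":
            return False
        allowed = True
    return allowed


# Constructed sample directory and policy set (hypothetical names).
DIRECTORY = {
    "alice": Identity("alice", groups={"finance"}, roles={"analyst"}),
    "bob": Identity("bob", groups={"engineering"}, roles={"developer", "contractor"}),
}

POLICIES = [
    Policy("allow", "role:analyst", "share/finance/*", "read"),
    Policy("allow", "group:finance", "app:erp", "*"),
    Policy("allow", "role:developer", "app:crm", "read"),
    # Contractors are cut off from the finance share even if some other
    # statement grants them access: the deny wins.
    Policy("deny", "role:contractor", "share/finance/*", "*"),
    Policy("allow", "user:bob", "share/finance/reports", "read"),
]


def check(username: str, resource: str, action: str) -> bool:
    """Identify the user, then ask the policy engine whether the access is allowed."""
    identity = DIRECTORY.get(username)      # identification: unknown user -> no access
    if identity is None:
        return False
    return is_authorized(identity, POLICIES, resource, action)


if __name__ == "__main__":
    for who, res, act in [("alice", "share/finance/q1.xlsx", "read"),
                          ("alice", "share/finance/q1.xlsx", "write"),
                          ("bob", "share/finance/reports", "read"),
                          ("mallory", "app:crm", "read")]:
        print(f"{who:8} {act:6} {res:24} -> {'ALLOW' if check(who, res, act) else 'DENY'}")
```

The point of the `bob` case is that a user-level allow does not override a role-level deny: the decision is made from the whole identity (user, groups, roles), and a missing policy means "no", never "yes".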

What is Customer Identity and Access Management (also known as User Identity and Access Management)?

Customer Identity and Access Management (CIAM) is a subtype of IAM. It gives the user control over their own identity. Typically, users can sign themselves up in CIAM solutions by choosing their own username and password, and they can reset and change their access credentials themselves. They thus have agency in administering their own digital identity, while the organisation using the CIAM system saves on manual processes. Because the user base is self-registered and anonymous at sign-up, CIAM systems have to defend the registration and password-reset flows against automated abuse (credential stuffing, account takeover) at a scale that internal IAM rarely sees. CIAM is used by all digital companies with a customer-facing interface that requires end users to log in.

What differentiates an Enterprise Identity and Access Management system from a Federated Identity Management software?

Federated IAM solutions handle one identity across multiple identity management systems. A user who has an identity in one domain or system may use that digital identity to access other domains or systems, so the "federation" makes an identity portable; technically this is done with standards such as SAML or OpenID Connect, in which the relying application trusts assertions or tokens issued by the user's home identity provider. A familiar form of federation is social login, e.g. via Facebook: the user can use their Facebook credentials to log in to third-party applications that support the Facebook federation. The trade-off is that the relying application is only as secure as the identity provider it trusts and as the validation it performs on the tokens it receives.

In contrast, enterprises often prefer to manage their IAM themselves. On a technical level, such Enterprise IAM may still span multiple domains or systems within a company or conglomerate, but it typically does not reach out to other organisations. Consequently, employees of a firm use one set of credentials to access several enterprise applications (e.g. CRM, e-mail, Intranet).

What are the differences between a cloud-based, cloud-native and on-premise Identity and Access Management solution?

Identity and Access Management systems may be deployed in different ways. The traditional way is to run the solution on premise, in other words "in-house" or in a rented rack in a data centre. This means, however, that the organisation needs its own servers, has to customise, install and patch the software, and its security and operations engineers have to look after that IT landscape themselves. Finally, scaling on-premise solutions in an environment of ever-increasing complexity becomes more challenging the faster the company grows and the bigger the firm gets.

An IAM solution can also run in the cloud. A third-party provider offers its customers a scalable and secure platform with an identity service that businesses and organisations can integrate into their application landscape. The clear advantage for enterprises is that they do not have to worry about hardware, software, and the specialised teams to manage them; the counterpart is that the provider now holds the credentials and login data of every user, so its security and its legal jurisdiction become part of the customer's risk. The term commonly used for this model is Identity-as-a-Service (IDaaS).

Cloud-native solutions are a subset of cloud-based IDaaS solutions. In contrast to traditional solutions that were merely adapted to run in the cloud, cloud-native applications are designed for the cloud from the beginning. This includes developing and packaging IAM applications (typically as containers) in a way that makes them easy to deploy across multiple servers anywhere. This in turn makes a cloud-native IAM solution extremely flexible, scalable, and resilient.

What are the different possibilities to authenticate using an IAM system?

There are multiple ways for an IAM system to authenticate users, and they keep expanding.

The most basic case is simply verifying a combination of user name (or e-mail) and password, which the system must store only as a salted, slow hash so that a breach of the user database does not reveal the passwords themselves. Multi-factor authentication (MFA) asks for an additional credential from a different category: something the user has, such as a one-time code received on a phone or generated by a separate device or app, or something the user is, such as a biometric marker like a fingerprint. Not all second factors are equal: codes sent by SMS can be intercepted or redirected, and any code the user types in can be phished, which is why phishing-resistant authenticators such as FIDO2/WebAuthn security keys are preferred for high-value accounts.
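To show what the two factors above look like in practice, here is an added example that is not code from the original page or from any IAM product: a login that requires a password (checked against a salted scrypt hash) and a time-based one-time code of the kind an authenticator app generates (RFC 4226 HOTP / RFC 6238 TOTP, implemented here from the standard library). The user names, the `MfaLogin` class and the replay-protection scheme are illustrative choices; the shared secret is the RFC 6238 test-vector secret, used so the expected codes can be checked against the RFC.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional


# --- Factor 1: something you know. Only a salted, slow hash is ever stored. ---

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, scrypt digest) for a password; a fresh salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# --- Factor 2: something you have. HOTP (RFC 4226) and TOTP (RFC 6238). ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the clock (30-second steps)."""
    return hotp(secret, unix_time // step, digits)


def match_totp(secret: bytes, code: str, unix_time: int,
               step: int = 30, window: int = 1, digits: int = 6) -> Optional[int]:
    """Return the time-step counter whose code matches, or None.
    Accepts +/- `window` steps to tolerate clock skew between device and server."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


# --- Putting both factors together in one login check. ---

class MfaLogin:
    def __init__(self) -> None:
        self.users = {}   # constructed in-memory credential store (hypothetical)

    def enroll(self, username: str, password: str, totp_secret: bytes) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest,
                                "totp_secret": totp_secret, "last_counter": -1}

    def login(self, username: str, password: str, code: str, unix_time: int) -> bool:
        user = self.users.get(username)
        if user is None:
            # Unknown user: still spend a hash so the response time does not
            # reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            return False
        if not verify_password(password, user["salt"], user["digest"]):
            return False
        counter = match_totp(user["totp_secret"], code, unix_time)
        if counter is None or counter <= user["last_counter"]:
            return False   # wrong code, or replay of a code that was already accepted
        user["last_counter"] = counter   # each code is good for exactly one login
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    svc = MfaLogin()
    svc.enroll("alice", "correct horse battery staple", secret)
    t = 59
    print("code at t=59:", totp(secret, t))                     # 287082 per RFC 6238
    print("first login:", svc.login("alice", "correct horse battery staple", totp(secret, t), t))
    print("replayed code:", svc.login("alice", "correct horse battery staple", totp(secret, t), t))
```

Two details matter beyond the arithmetic: every comparison of secrets goes through `hmac.compare_digest`, and an accepted code is recorded so that an attacker who captures it (shoulder surfing, a phishing page) cannot reuse it within the same time window.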

Are there any Identity and Access Management challenges?

Like every complex system, IAM solutions have their own challenges.

Over time and in a dynamic environment, IAM systems tend to grow in cost and complexity. This is especially true for on-premise systems, which may not scale easily and which are hard to customise or implement without specialised knowledge. More importantly, it is often difficult to operate them in a legally compliant way: this requires ongoing maintenance of the platform together with regular data protection assessments, penetration tests, and risk analyses. A further challenge in any IAM system is entitlement drift, where users accumulate permissions over years without ever losing any; regular access reviews are needed to keep the principle of least privilege intact.

Cloud-based IAM or IDaaS solutions have their own compliance pitfalls, mostly because data transfers to US providers may not be permitted under the GDPR.