Identity and access management

In this day and age when hybrid working is the norm, enforcing digital security is a top priority. Identity and access management (IAM) is a set of policies and practices that can help keep your organization’s resources and information safe. In this article, we examine IAM’s benefits and some of the best practices for implementing it.

An identity is how an entity is represented online. Identities can be expressed as a social media login, work email address, personal email address, or just a username. Identity isn’t reserved for individuals, either — devices, servers, and applications can also have an identity.

Identity and access management, or IAM, is a set of policies and procedures that helps ensure only authorized individuals or applications can gain access to your organization’s resources and information. It also helps ensure that resources are accessed securely, and that they’re being accessed at the right time, for the right reasons. Identity and access management helps organizations securely share information and resources with its employees, customers, and other stakeholders.

In this article, you’ll learn more about what identity and access management is and why it’s crucial. You’ll also look at some best practices for implementing IAM.

What is identity and access management?

IAM can be split into two components: identity management and access management.

Identity management

Identity management confirms that the user or application is who they claim to be by verifying information provided by the user against information in the organization’s identity database, which contains user and device information. The process of confirming whether the identity of the user matches the identity stored in the database is called authentication. Authentication is usually done with one or more of the following three factors:

  1. Knowledge factor: Authentication that relies on the knowledge factor uses something that the user knows. This includes passwords, PINs, security codes, backup codes, and passphrases.
  2. Possession factor: Possession-based authentication requires verifying possession of something the user has previously registered with the system. This includes things such as smartphones, which can be verified through an authenticator application; phone connections, which can be verified through a one-time passcode sent via SMS; and hardware keys, which require that the physical key be presented.
  3. Inherence factor: Inherence factors used for authentication are intrinsic aspects of the user’s identity. Biometric information such as fingerprints, iris data, and voice information can be used to authenticate users.

Much less frequently, location factors (such as IP addresses or GPS coordinates) and behavioral factors (such as typing speed or finger pressure on a touchscreen) can be used either as additional factors for authentication or, more commonly, as inputs to determine if an authentication attempt is being performed by a real human.

Access management

Once an identity is established via identity management methods, access management comes into play to ensure that particular user can access only the resources they have permission to access. For example, consider access to the human resources application of an organization. All employees need access to the application for some basic functions, such as requesting leave, submitting expenses, and viewing pay stubs. But most employees shouldn’t have access to information on the payroll details of their colleagues. Access to this sensitive information has to be reserved for HR administrators or other managers. Determining who can access what in the digital infrastructure is the job of access management.

Access management uses the identity information of the user to determine the resources and applications the user should be permitted to access. The process of checking whether a user has the permission to access a particular resource is called authorization.

Identity access management offers many tools to support this process. User roles are one such tool, and are used to grant access to users. If there is a group of users that requires access to the same set of data and applications, those users can be bundled into a single user role, and users can be assigned to or removed from that role easily. In the example of the HR platform mentioned above, all employees could be assigned to the role “employee,” which allows them to access the basic functionality of the platform, while HR administrators could be assigned to the role “HRAdmin,” which allows them greater permissions within the platform.

Security policies are another tool to manage access control with improved security. For example, you could set a policy that certain user roles can access resources only during pre-established work hours. Another example of a strong security policy is limiting access to resources to devices registered and assigned to respective users, and requiring users to connect securely when accessing resources. This can be accomplished by using something like Tailscale, a zero configuration VPN, that forms a secure connection between authorized devices of your organization.

The need for IAM

Identity and access management is a term coined in the digital age, but the concepts of IAM for security have been around for a long time. Access to sensitive locations has long been protected by access controls, such as physical keys or more modern digital RFID cards used to represent either an individual or role-based access.

In the modern era, most organizations have an extensive digital infrastructure to manage their information and resources. Managing digital identities and using them to control access to resources is an imposing challenge. Malicious actors who wish to exfiltrate data from your organization can gain access through stolen identities. Cybercriminals can use unauthorized access to manipulate, leak, or delete data, or to execute a ransomware attack.

According to the Cost of a Data Breach 2021 report, data breaches involving compromised credentials take an average of 250 days to detect, and an additional 91 days to contain. Thanks in part to this often lengthy delay in discovery, cybercriminals have not only plenty of time to collect data, but also time to wreak havoc with it.

Weak security policies introduce loopholes in identity and access management that cybercriminals can exploit. Suboptimal processes and software for IAM are also culpable for security lapses. Identity and access management concerns have been exacerbated by the unprecedented increase in remote work in the last few years, obligating companies to provide secure connections to business-critical resources from anywhere. One solution to this challenge is to use a private VPN, such as Tailscale, that only allows access to authorized devices in your organization.

Functions of identity and access management

Identity and access control technology has many functionalities that have different use cases within organizations. Some of the popular functionalities that IAM platforms and tools can perform are as follows:

  • Password management: Most IAM platforms can help store and manage users’ passwords, and can ensure users maintain password hygiene by preventing the use of common passwords and reuse of passwords.
  • API and microservices security: Modern digital architecture relies on a large number of microservices. Microservices are small applications that perform a single aspect of the functionality of an application. The microservices of an application communicate with each other using an API, and IAM technology helps secure API communication. It is also used to ensure that only authorized users and applications can access restricted microservices. Microservices can also use a zero configuration VPN, such as Tailscale, to connect different microservices securely and seamlessly.
  • Single sign on (SSO): Colloquially called “bring your own identity” (BYOID), single sign on is the use of a single identity across systems for authentication. The various systems work together behind the scenes to securely authenticate users with a single identity. IAM tools can support a single sign on feature, depending on the specific identity and access management tool used. SSO reduces the number of passwords users have to remember and manage. Tailscale requires SSO, making it simple to sign in to the VPN using your existing identity provider, such as GSuite, Okta, Microsoft, GitHub, and OneLogin.
  • Identity federation: Identity federation is the linking of multiple identities in multiple IAMs by organizations. This is made possible by trusted relationships between different organizations and third parties. Identity federation is possible if your IAM uses standard protocols, such as OAuth, SCIM, OpenID Connect, and SAML.
  • Multi-factor authentication: Using more than one authentication factor to authenticate users is multi-factor authentication (MFA). Using multiple authentication factors to verify users increases security, because even if one factor gets compromised, the remaining authentication factors act like a failsafe. Tailscale supports MFA.
  • Access control: Identity and access management can be used to manage access to different resources. Access to resources can be segregated based on user roles. Conditional access control is also possible with different IAM technologies. IAM supports scalable and extensible access control.
  • Adaptive authentication: This authentication technique grants access to resources based on context. Identity, device, and permissions are some of the factors that dynamically help authenticated users access resources. Adaptive authentication dynamically alters access, depending on the context users log in from. For example, a user will be denied access to extremely sensitive data if the login is from outside the organizational network.
  • Account management and provisioning: IAM is used to add, remove, and edit users to the organization. Provisioning is the process of allocating permission to various resources. IAM is used to provision and deprovision user access to data and applications.

IAM may at first seem like it’s only about identity management and access management, but it’s also about delivering a great user experience to end users or employees without compromising security. Well-configured access management will make users’ lives easier by making it simpler and faster for them to find the information they need to do their jobs.

Best practices

IAM technology is a powerful tool that enables secure, convenient access to resources for members of your organization. Compromised identities are the root cause of eight out of 10 data breaches. When implementing IAM, you need to make a conscious effort not to leave any security loopholes that cybercriminals can exploit. The following sections cover some IAM best practices that can secure the most common attack vectors.

Strong password policy

Weak, common, or reused passwords are often the culprits behind identity-driven data breaches. Ideally, your organization should use passphrases, which offer a higher level of security than passwords. However, if you’re still using passwords and aren’t yet ready to make this switch, enforcing strong password policies is a crucial part of securing your organization’s data. Some of the password policies to ensure password hygiene are:

  • Make sure passwords have at least eight characters.
  • Use a combination of letters, numbers, letter cases, and special characters.
  • Avoid using personally identifiable information.
  • Use unique passwords.
  • Change passwords at regular intervals.

To help manage passwords and make it easier for users to use sufficiently lengthy and complex passwords, you should consider investing in a strong password management tool.

For additional security, you can use Tailscale to ensure that only authorized devices can be used to access the private network of your organization. Tailscale uses extremely lightweight Wireguard tunnels to connect devices in a mesh network. The WireGuard encryption keys are delegated to each device via a coordination server using open source Tailscale node software. This provides your organization with strong security with less hassle.

Multi-factor authentication (MFA)

Using multiple factors for authentication increases security exponentially, as the security strength compounds. For example, you can use software-based authenticators in addition to passwords or passphrases. One-time password authenticators give users a unique, short-lived passcode that’s used to authenticate the login. Even if a cybercriminal gets hold of a login password, they wouldn’t be able to log in until they enter the one-time passcode as well. Requiring two factors for authentication decreases the probability of account compromise. Use a combination of knowledge factors, inherence factors, and possession factors to bolster security.

Zero trust

The principle of zero trust requires that each device and user accessing the private network of your organization needs to be authenticated and authorized. Zero trust uses multiple modern technologies for endpoint security, identity protection, multi-factor authentication, and cloud workload technology to vet every access request before access is granted. With zero trust IAM in place, you need not trust devices and users, as they are validated every time a resource is accessed. Tailscale is a zero trust networking product designed to handle the complexities of trusting and authenticating devices and users in a remote working environment. It provides safe, secure, zero trust access to users without compromising your firewall.

Privileged access management (PAM)

Privileged accounts have capabilities and access beyond regular users in your IT environment, and a compromised account that has privileged access poses a much higher threat than a compromised regular account. Privileged accounts have to be held to a higher standard than ordinary users. You need to identify accounts with privileged access and enforce strict security policies on those accounts.

Privileged access only has to be granted if the user role warrants the elevated access, and the number of privileged accounts should be kept to a minimum. Instead, access policies should be used to ensure that privileged access is granted only when it is required. Setting time limits for privileged access is a popular technique to limit the security risks of privileged accounts. You should also have robust contingency and redundancy plans in place for a scenario in which a privileged account is compromised.

The following guidelines should be adhered to for PAM:

  • Enforce greater transparency and higher accountability for privileged accounts.
  • Limit the number of privileged accounts.
  • Set time limits, locations limits, and other policy-based limitations for access with privileged accounts.
  • Only give privileged access if absolutely necessary.
  • Create robust logging and auditing of privileged account usage.

The principle of least privilege

According to the principle of least privilege, users should have accounts that can access only the minimum resources and data required to perform their tasks. This minimizes exposure to a large amount of sensitive data. Accounts with higher privileges should be limited and monitored for suspicious activities.

Logging and audits

Maintaining a detailed log of all user activities increases accountability and transparency within your organization. This comprehensive log helps you perform root-cause analysis of any security incident. You should maintain a log of all activities in your IT infrastructure that includes:

  • Logged-in users
  • Timestamps of login, logout, and other activities
  • Duration of login
  • Resources accessed
  • Metadata of user login like location and IP address

You also need to perform regular audits on log data to minimize the risk of errors. These in-depth inspections help to identify areas where you can improve your identity and access management system, which you can then evolve to shore up any weak points.


Many processes of identity and access management can be automated, which helps to reduce incidents of errors. For example, when an employee leaves your organization, all of their access should be revoked immediately. This can be automated by integration with the HR module of your organization. This prevents the occurrence of ghost accounts, which are inactive accounts that have not been deleted by the user or administrator. Ghost accounts are security vulnerabilities: If an employee leaves and the corresponding account is not deprovisioned, it can serve as a vector for attack. Many avenues for automating various processes of IAM are available according to the specific requirements of your organization. You should explore, identify, and implement all such avenues for automation.


Identity and access management is integral to making sure that users access required resources in a secure fashion. Especially with the growing prevalence of remote work and increasing identity-driven cyberattacks on companies, you need to have robust IAM practices in place.

Using a VPN alongside an existing identity provider helps to increase the security posture of your organization. Tailscale is a zero config VPN that helps protect all your services, servers, databases, and devices by ensuring that only authorized devices and users have access to the resources of your organization.

Tailscale is available for download on most platforms, including macOS, iOS, Windows, Linux, and Android. To secure your connection, all you need to do is install the Tailscale app, find your Tailscale IP, and invite your team to your private Tailscale network. You can get started by downloading Tailscale for your device.

Get started with Tailscale today.

Frequently Asked Questions

Here are the answers to some common questions about identity and access management.

What is "identity" in identity and access management?

Identity in IAM is the unique entity that represents an individual user, an application, a service, or a device. The authentication process confirms the identity of the user attempting to access the resources by matching the credentials provided by the user at login with an authority that can confirm the validity of those credentials.

What are the components of IAM?

Identity and access management has two components. The first is identity management, which verifies that the user or application is who or what they say they are, a process called authentication. Users are authenticated by providing information about themselves that matches what’s on record in the identity database.

The second component of IAM is access management. This component determines whether the authenticated user is permitted to access requested resources and data. The process of checking whether a user has the permission to access a particular resource is called authorization.

What are the benefits of IAM?

The major benefits of using IAM are:

  • Enhanced user experience
  • Easier password management
  • Security posture improvement
  • Automation of user provisioning and deprovisioning
  • Better control over users and user data