What is Identity and Access Management (IAM)?
Identity and access management controls who can access what in your organization. Learn how IAM works, why misconfigurations cause breaches, and what good IAM looks like.
Core IAM Components
Authentication
Authentication verifies that a user is who they claim to be. Traditional authentication relied on passwords — a shared secret known to the user and the authentication system. Modern authentication extends this with multi-factor authentication, biometric factors, hardware tokens, and passwordless approaches using cryptographic challenges. The identity provider — Microsoft Entra ID (formerly Azure AD), Okta, Google Workspace — is the central system that manages authentication for the organization's users and enforces authentication policies.
Authorization
Authorization determines what an authenticated user can do. Role-based access control (RBAC) assigns permissions based on job roles — a finance analyst has access to financial systems, an HR manager has access to HR systems, an IT administrator has broader system access. Attribute-based access control (ABAC) extends this with contextual attributes — a user might have different access rights depending on whether they are accessing from a managed corporate device, whether they are in the office or remote, and what time of day it is.
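The layered decision the paragraph describes, RBAC deciding whether a role carries a permission and ABAC adding contextual conditions on top, as an added Python example that is not part of the original article. The roles, permission names and conditions are constructed for illustration and do not correspond to any product's policy language; the point is the deny-by-default evaluation order.

```python
from dataclasses import dataclass

# Constructed sample roles and the permissions each carries (RBAC layer).
ROLE_PERMISSIONS = {
    "finance_analyst": {"ledger:read", "ledger:export"},
    "hr_manager": {"hr:read", "hr:write"},
    "it_admin": {"ledger:read", "hr:read", "server:admin"},
}


@dataclass(frozen=True)
class Context:
    """Attributes of the access request that ABAC rules can consult."""
    managed_device: bool   # endpoint is enrolled in corporate device management
    on_corp_network: bool  # request originates from the office network
    hour: int              # local hour of day, 0-23


# ABAC layer: permissions that additionally require a contextual condition.
# A permission absent from this table needs no extra condition.
ABAC_CONDITIONS = {
    "ledger:export": lambda ctx: ctx.managed_device,
    "hr:write": lambda ctx: ctx.managed_device and ctx.on_corp_network,
    "server:admin": lambda ctx: ctx.managed_device and 7 <= ctx.hour < 20,
}


def rbac_allows(roles, permission):
    """RBAC layer: does any of the user's roles carry this permission?"""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def decide(roles, permission, ctx):
    """Return (allowed, reason). Deny by default: a permission is granted only
    when a role carries it AND every ABAC condition attached to it holds."""
    if not rbac_allows(roles, permission):
        return False, "no role grants %s" % permission
    condition = ABAC_CONDITIONS.get(permission)
    if condition is not None and not condition(ctx):
        return False, "context does not satisfy condition for %s" % permission
    return True, "allowed"


def is_authorized(roles, permission, ctx):
    return decide(roles, permission, ctx)[0]


if __name__ == "__main__":
    office = Context(managed_device=True, on_corp_network=True, hour=10)
    home_phone = Context(managed_device=False, on_corp_network=False, hour=22)
    for roles, perm, ctx in [
        (["finance_analyst"], "ledger:read", home_phone),
        (["finance_analyst"], "ledger:export", home_phone),
        (["hr_manager"], "ledger:read", office),
        (["it_admin"], "server:admin", Context(True, False, 23)),
    ]:
        print(roles, perm, decide(roles, perm, ctx))
```

Returning a reason alongside the boolean is deliberate: when an access request is denied, the log should say which layer denied it, which is what an investigator or a user-support desk needs.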
Identity Governance
Identity governance encompasses the processes that ensure access rights remain appropriate over time. Access reviews — periodic assessments of whether users still need the access they have been granted — identify access accumulation, orphaned accounts, and excessive permissions that accumulate as users change roles and the organization changes. Joiner-mover-leaver processes govern how access is provisioned when someone joins the organization, modified when they change roles, and revoked when they leave. In most mid-market organizations, these processes are informal and inconsistently executed, creating significant access hygiene problems.
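An access review of the kind just described, as an added Python example that is not part of the original article: it compares directory accounts against an HR roster and a constructed role-to-group entitlement baseline, and reports the three problems the paragraph names (orphaned accounts from unprocessed leavers, accumulated groups from movers, and dormant accounts). The employees, accounts, groups and dates are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Employee:
    user: str
    job_role: str
    active: bool          # False once the leaver process has run in HR


@dataclass(frozen=True)
class Account:
    user: str
    groups: frozenset     # groups the directory account currently holds
    last_login: date


# Constructed baseline: which groups each job role is entitled to.
ENTITLEMENTS = {
    "finance_analyst": {"finance-ro", "finance-export"},
    "hr_manager": {"hr-rw"},
    "it_admin": {"finance-ro", "hr-ro", "domain-admins"},
}


def review_access(employees, accounts, today, dormant_after=timedelta(days=90)):
    """Compare directory accounts against the HR roster and return findings as
    (user, finding_type, groups) tuples. Three finding types:
      orphaned - no active employee behind the account (leaver not processed)
      excess   - groups beyond the current role's entitlement (mover accumulation)
      dormant  - no login within dormant_after (candidate for disablement)
    """
    roster = {e.user: e for e in employees}
    findings = []
    for acct in accounts:
        emp = roster.get(acct.user)
        if emp is None or not emp.active:
            findings.append((acct.user, "orphaned", sorted(acct.groups)))
            continue  # nothing else to check until the account is disabled
        excess = acct.groups - ENTITLEMENTS.get(emp.job_role, set())
        if excess:
            findings.append((acct.user, "excess", sorted(excess)))
        if today - acct.last_login > dormant_after:
            findings.append((acct.user, "dormant", []))
    return findings


# Constructed sample data for a review dated 2024-06-01.
EMPLOYEES = [
    Employee("alice", "finance_analyst", True),
    Employee("bob", "finance_analyst", True),   # moved here from HR last quarter
    Employee("carol", "hr_manager", False),     # left the company
    Employee("dave", "it_admin", True),
]
ACCOUNTS = [
    Account("alice", frozenset({"finance-ro", "finance-export"}), date(2024, 5, 30)),
    Account("bob", frozenset({"finance-ro", "hr-rw"}), date(2024, 5, 31)),
    Account("carol", frozenset({"hr-rw"}), date(2024, 2, 1)),
    Account("dave", frozenset({"finance-ro", "hr-ro", "domain-admins"}), date(2023, 11, 1)),
]


def sample_review():
    return review_access(EMPLOYEES, ACCOUNTS, date(2024, 6, 1))


if __name__ == "__main__":
    for user, kind, groups in sample_review():
        print(f"{user:8} {kind:9} {', '.join(groups)}")
```

The review is only as good as its baseline: if the entitlement table is never maintained, "excess" findings stop meaning anything, which is the informal-process failure the paragraph warns about.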
IAM Attack Patterns
Credential Theft and Stuffing
The most common IAM attack is credential theft — obtaining valid username and password combinations through phishing, data breaches, or brute force, and using them to authenticate as the legitimate user. Credential stuffing automates the testing of credentials from one breach against other services, exploiting the widespread practice of password reuse. Organizations whose users reuse passwords across personal and corporate accounts are exposed to every breach of every consumer service their users have accounts with.
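Detection logic for the stuffing pattern described above, as an added Python example that is not part of the original article. It parses a constructed authentication log (the line format, IP addresses and usernames are invented for the example; real identity-provider logs carry the same fields in a different layout), flags a source that fails against many distinct usernames in a short window, and lists accounts that then authenticated successfully from that source, since those are the accounts to reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example: timestamp, source IP, username, outcome.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one user mistyping a password from 198.51.100.7,
# and one source (203.0.113.5) trying six different accounts in ten seconds.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z auth ip=198.51.100.7 user=alice result=FAIL
2024-06-01T10:00:09Z auth ip=198.51.100.7 user=alice result=OK
2024-06-01T10:01:00Z auth ip=203.0.113.5 user=alice result=FAIL
2024-06-01T10:01:02Z auth ip=203.0.113.5 user=bob result=FAIL
2024-06-01T10:01:04Z auth ip=203.0.113.5 user=carol result=FAIL
2024-06-01T10:01:06Z auth ip=203.0.113.5 user=dave result=FAIL
2024-06-01T10:01:08Z auth ip=203.0.113.5 user=erin result=FAIL
2024-06-01T10:01:10Z auth ip=203.0.113.5 user=frank result=OK
garbage line that should be skipped
"""


def parse(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed lines are skipped, not allowed to break detection
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: distinct_users_failed} for sources whose failures span at
    least min_users distinct usernames inside any sliding window of `window`.
    Many users from one source is the stuffing signature; many failures on one
    user from one source is ordinary brute force or a forgotten password."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e)
    flagged = {}
    for ip, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def successes_from_flagged(events, flagged):
    """Accounts that authenticated successfully from a flagged source: the
    likely compromised accounts, to reset and investigate first."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    flagged = detect_stuffing(evs)
    print("flagged sources:", flagged)
    print("review first:", successes_from_flagged(evs, flagged))
```

The thresholds are placeholders to tune per environment; a shared NAT or VPN egress will legitimately produce many usernames from one address, so production rules usually key on distinct users plus failure ratio rather than user count alone.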
Privilege Escalation Through IAM Abuse
Attackers who gain initial access with limited credentials frequently escalate privileges through IAM configuration abuse. Misconfigured IAM policies that allow users to add themselves to privileged groups, service accounts with excessive permissions that can be compromised and used for lateral movement, and password reset flows that can be exploited to take over privileged accounts are all consistent findings in penetration tests and breach investigations.
Federated Identity Attacks
Organizations that federate identity — using a single identity provider for multiple applications — create a single point of compromise that, if breached, provides access to all federated applications. The SolarWinds attack specifically targeted the SAML token signing certificate of victims' identity providers, enabling the attackers to forge authentication tokens that provided persistent access to all federated applications without requiring credentials for each individual system.
Building Effective IAM
Least Privilege
Least privilege is the principle that users, services, and systems should have the minimum access required to perform their function — nothing more. In practice, implementing least privilege requires resisting the organizational pressure toward convenience: it is operationally easier to grant broad access than to precisely define the minimum necessary access and maintain it as roles evolve. The security benefit of least privilege is that it limits the blast radius of any single compromised account — an attacker who compromises a limited-privilege account cannot reach sensitive systems that the account was never authorized to access.
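A policy linter that makes the convenience-versus-least-privilege trade-off concrete, as an added Python example that is not part of the original article. It also covers the escalation finding from the attack-patterns section above (a grant that lets a principal change group membership or attach policies). The policy structure, action names and catalogue are a simplified model constructed for the example, not any cloud provider's format; the broad policy and the scoped policy are compared by their effective action set, which is one way to put a number on "blast radius".

```python
import fnmatch

# Constructed catalogue of actions the environment knows about. In a real
# platform this comes from the provider's action list; these names are illustrative.
ACTION_CATALOG = {
    "storage:GetObject", "storage:PutObject", "storage:DeleteObject",
    "storage:ListBucket", "db:Query", "db:DropTable",
    "iam:AddUserToGroup", "iam:AttachPolicy", "iam:ListUsers",
}

# Actions that let a principal change its own or others' permissions. An
# unconditional grant of any of these is a privilege escalation path.
ESCALATION_ACTIONS = {"iam:AddUserToGroup", "iam:AttachPolicy"}


def expand(patterns):
    """Expand wildcard action patterns against the catalogue."""
    return {a for a in ACTION_CATALOG if any(fnmatch.fnmatchcase(a, p) for p in patterns)}


def effective_actions(policy):
    """Allowed actions minus explicit denies, after wildcard expansion."""
    allowed, denied = set(), set()
    for stmt in policy["statements"]:
        target = allowed if stmt["effect"] == "allow" else denied
        target |= expand(stmt["actions"])
    return allowed - denied


def blast_radius(policy):
    """How many distinct actions a compromised holder of this policy could perform."""
    return len(effective_actions(policy))


def lint(policy):
    """Return (statement_index, finding) pairs for least-privilege violations."""
    findings = []
    for i, stmt in enumerate(policy["statements"]):
        if stmt["effect"] != "allow":
            continue
        if any(p == "*" or p.endswith(":*") for p in stmt["actions"]):
            findings.append((i, "wildcard-action"))
        if "*" in stmt["resources"]:
            findings.append((i, "wildcard-resource"))
        if expand(stmt["actions"]) & ESCALATION_ACTIONS and not stmt.get("condition"):
            findings.append((i, "unconditional-escalation-path"))
    return findings


# Convenient but dangerous: "just give the report job storage and IAM access".
BROAD_POLICY = {"statements": [
    {"effect": "allow", "actions": ["storage:*", "iam:*"], "resources": ["*"]},
]}

# Least privilege: the report job reads one bucket and nothing else.
SCOPED_POLICY = {"statements": [
    {"effect": "allow", "actions": ["storage:GetObject", "storage:ListBucket"],
     "resources": ["bucket:reports/*"]},
    {"effect": "deny", "actions": ["storage:DeleteObject"], "resources": ["*"]},
]}


if __name__ == "__main__":
    for name, pol in [("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, blast_radius(pol), "actions;", lint(pol) or "no findings")
```

Running the linter in a pipeline that gates policy changes is how the "maintain it as roles evolve" part gets enforced: the convenient wildcard is caught when it is proposed, not discovered during a breach investigation.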
Privileged Access Management
Privileged accounts — those with administrative access to systems, databases, or infrastructure — represent the highest-value targets for attackers and require elevated controls beyond standard IAM. Privileged Access Management (PAM) solutions enforce just-in-time access to privileged functions, require explicit approval for sensitive operations, record privileged sessions for audit, and rotate privileged credentials automatically. The goal is to eliminate persistent privileged access — where an account has administrative rights available at all times — replacing it with time-limited, purpose-specific elevated access that is revoked when the task is complete.
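The just-in-time elevation model the paragraph describes (a request with a stated reason, approval by a different person, a capped expiry, early revocation and an audit trail), as an added Python example that is not part of the original article and not the design of any particular PAM product. The broker, role names and ticket reference are constructed for illustration; the time is passed in explicitly so the expiry behaviour is deterministic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Grant:
    user: str
    role: str
    reason: str
    requested_at: datetime
    approved_by: Optional[str] = None
    expires_at: Optional[datetime] = None
    revoked: bool = False

    def active_at(self, now):
        return (self.approved_by is not None and not self.revoked
                and self.expires_at is not None and now < self.expires_at)


class ElevationBroker:
    """Just-in-time elevation: standing membership in privileged roles is
    replaced by grants that need a distinct approver, carry a reason for the
    audit trail, expire on their own and can be revoked early."""

    def __init__(self, max_duration=timedelta(hours=1)):
        self.max_duration = max_duration
        self.grants: List[Grant] = []
        self.audit: List[Tuple[datetime, str, str, str, str]] = []

    def request(self, user, role, reason, now):
        if not reason.strip():
            raise ValueError("a reason is required for privileged access")
        grant = Grant(user, role, reason, now)
        self.grants.append(grant)
        self.audit.append((now, "request", user, role, reason))
        return grant

    def approve(self, grant, approver, now, duration=None):
        if approver == grant.user:
            raise ValueError("self-approval is not allowed")
        # Cap at the broker maximum; a requester can shorten a window, never extend it.
        duration = min(duration or self.max_duration, self.max_duration)
        grant.approved_by = approver
        grant.expires_at = now + duration
        self.audit.append((now, "approve", approver, grant.role, grant.user))

    def revoke(self, grant, actor, now):
        grant.revoked = True
        self.audit.append((now, "revoke", actor, grant.role, grant.user))

    def has_role(self, user, role, now):
        """Authorization check: true only while an approved, non-revoked grant is in its window."""
        return any(g.user == user and g.role == role and g.active_at(now) for g in self.grants)


if __name__ == "__main__":
    t0 = datetime(2024, 6, 1, 9, 0)
    broker = ElevationBroker()
    g = broker.request("alice", "db-admin", "rotate replication password, ticket PLACEHOLDER-123", t0)
    print("before approval:", broker.has_role("alice", "db-admin", t0))
    broker.approve(g, "bob", t0, timedelta(minutes=30))
    print("10 min in:", broker.has_role("alice", "db-admin", t0 + timedelta(minutes=10)))
    print("31 min in:", broker.has_role("alice", "db-admin", t0 + timedelta(minutes=31)))
    for entry in broker.audit:
        print(entry)
```

The check in `has_role` is what the protected system should call at each privileged operation rather than once at login, otherwise a session that started inside the window keeps its rights after expiry, which reintroduces the persistent access the model is meant to remove.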
Real-World Example: SolarWinds — IAM as the Primary Attack Surface
The SolarWinds attack targeted IAM infrastructure specifically because compromising the identity layer provides access to everything the identity layer authenticates. After gaining initial access through the SolarWinds Orion backdoor, the attackers made compromising identity infrastructure their primary objective — specifically the ADFS (Active Directory Federation Services) token signing certificate. With this certificate, they could forge SAML tokens that impersonated any user to any federated application, providing persistent, undetected access to Microsoft 365, cloud environments, and internal applications. The attack succeeded because the forged tokens appeared legitimate to all authentication systems. No password was stolen. No MFA was bypassed. The identity infrastructure itself was compromised.
Of breaches involve compromised credentials — making identity the primary attack surface in modern enterprise environments. IAM is not an IT function. It is a security perimeter.