Cybersecurity Glossary

What is IAM (Identity and Access Management)?

Identity and Access Management (IAM) is the framework of policies, processes, and technologies that ensure the right people have the right access to the right resources at the right time. It covers user provisioning, authentication, authorization, and deprovisioning across every system.

  • Blocks 99% of password attacks
  • Required by most cyber insurance
  • Core to SOC 2, HIPAA, PCI

How It Works

How IAM works

Three-step view of how it operates in practice.

1. Provision
New users are created with role-based access automatically when they join. No more permissions are granted than the role requires.

2. Authenticate & authorize
Users prove who they are (authentication) and are granted only the permissions attached to their role (authorization).

3. Deprovision
When users change roles or leave, access is updated or revoked everywhere — not just in email.
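The three steps above as a small model, added here as an example and not code from the original page (the role catalogue, app names and permission strings are constructed for illustration): permissions are derived from a role rather than granted to a person, a role change re-derives them, offboarding revokes every connected app at once, and a recertification pass lists any grant the current role does not justify.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical role catalogue (constructed for this example). Every permission
# is "app:scope" and belongs to a role; nothing is granted to a person directly.
ROLE_PERMISSIONS = {
    "finance": {"erp:post-invoices", "email:mailbox", "files:finance-share"},
    "sales": {"crm:edit-deals", "email:mailbox", "files:sales-share"},
}
# Every connected system the identity provider pushes grants to.
APPS = {"erp", "crm", "email", "files"}


@dataclass
class User:
    name: str
    role: Optional[str] = None
    # Grants as actually present in each app, keyed by app name.
    grants: Dict[str, Set[str]] = field(default_factory=dict)


def desired_grants(role: Optional[str]) -> Dict[str, Set[str]]:
    """Derive per-app grants from the role; an unknown or empty role yields none."""
    out = {app: set() for app in APPS}
    for perm in ROLE_PERMISSIONS.get(role, set()):
        app, _, scope = perm.partition(":")
        out[app].add(scope)
    return out


def provision(user: User, role: str) -> None:
    """Step 1 (and every role change): replace all grants with exactly what the role needs."""
    user.role = role
    user.grants = desired_grants(role)


def authorize(user: User, permission: str) -> bool:
    """Step 2: allow an action only if the role-derived grant exists in that app."""
    app, _, scope = permission.partition(":")
    return scope in user.grants.get(app, set())


def deprovision(user: User) -> None:
    """Step 3: offboarding revokes access in every app, not only email."""
    user.role = None
    user.grants = {app: set() for app in APPS}


def stale_grants(user: User) -> Dict[str, Set[str]]:
    """Periodic review: grants present in an app that the current role does not justify."""
    wanted = desired_grants(user.role)
    return {app: s - wanted.get(app, set()) for app, s in user.grants.items() if s - wanted.get(app, set())}
```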

IAM Variants

Components of a modern IAM program

A clear breakdown of the common variants.

Identity provider
Central source of truth for accounts. Usually Entra ID, Okta, or Google Workspace.

Authentication (Most common)
Time-based one-time codes from an app like Microsoft Authenticator or Google Authenticator. Offline-capable and phishing-resistant against many attacks.

Authorization (Convenient)
The user approves a sign-in with a tap on their phone. Easy to use but vulnerable to MFA fatigue attacks — always pair with number matching.

Lifecycle (Strongest)
FIDO2 keys like YubiKey, or device-bound passkeys. Phishing-resistant by design — the key will not authenticate against a fake domain.

Why It Matters

Why IAM matters for SMBs


80% of data breaches involve compromised identity credentials.
Source: IBM Cost of a Data Breach Report, 2024

Pitfalls

Common IAM mistakes

  • Email is the offboarding trigger: disabling email doesn’t revoke app access. Centralized deprovisioning through the IAM is the only reliable way.
  • Manual user creation: admins, finance, and anyone with access to money or sensitive data should use an app or hardware key — never SMS alone.
  • No privileged access strategy: admin accounts hidden in email inboxes, shared between people. Privileged access management (PAM) separates this cleanly.
  • No periodic review: access sprawl is silent. Quarterly access recertification catches stale permissions before they become breaches.

Common Questions

IAM frequently asked questions

Active Directory is one type of identity provider, commonly used on-prem. Modern IAM usually centers on cloud-first identity providers (Entra ID, Okta) that handle both cloud and on-prem apps.

IAM manages all identities and access. PAM (privileged access management) is the specialized subset for admin and service accounts — the ones attackers target first.

A baseline with MFA, SSO, and automated onboarding can be in place in 60-90 days. Full lifecycle automation across every app is a longer program, usually measured in quarters.

For most SMBs, Entra ID (in Microsoft 365 Business Premium or E3/E5) is a complete IAM platform. Dedicated tools like Okta make sense for companies with many non-Microsoft apps or stricter compliance needs.

Have a documented recovery process before it happens. Typically an administrator verifies the user's identity through an out-of-band channel, temporarily disables MFA, and re-enrolls the user with a new device. Backup codes or a secondary security key reduce downtime.

Identity & Access

Fragmented identity across your apps?

Talk to a LogicalNet identity expert. We will review your current environment, recommend the right MFA methods for each group of users, and help you deploy without disrupting the business.

No commitment · Local engineers · Response within 1 business day