Understanding Identity and Access Management (IAM)
Why it matters: IAM ensures the right people, devices, and software access the right resources at the right time. It’s foundational to protecting data, maintaining privacy, and supporting efficient operations.
Key Concepts
Identity
A digital identity is a unique set of attributes representing a person, system, or device in a computer system.
Examples:
- Human identities: Employees, students, contractors
- Workload identities: Apps, scripts, containers
- Device identities: Laptops, mobile devices, IoT sensors
Authentication (AuthN)
Verifies who or what you are.
Common methods:
- Username and password
- Biometric data (e.g., fingerprint)
- One-time passcodes or security tokens
Best practices:
- Multifactor Authentication (MFA) adds layers of security
- Single Sign-On (SSO) allows a single login to access multiple systems
Authorization (AuthZ)
Controls what you can access after your identity is verified.
Example: You can log into the ERP system (authentication), but only see HR data if your role allows it (authorization).
Best Practices for Users
- Create long and complex passwords—use phrases or passcodes.
- Never reuse college passwords on other websites or services.
- Avoid sharing your password with anyone, including coworkers or support staff.
Enable and Respect Multifactor Authentication (MFA)
- MFA adds a second layer of protection beyond your password.
- Use a phone-based app or security token if required.
- Approve login prompts only when you are actively logging in—never approve a prompt you didn’t initiate.
Understand the Principle of Least Privilege
- You’ll be granted access only to the data and systems required for your role.
- This is intentional—it protects sensitive information and limits potential harm if accounts are compromised.
- If you believe you need access to something outside your role, follow the proper request process.
Respect Role-Based Access Control (RBAC)
- Your access is tied to your job function, not your individual preferences.
- Role-based access reduces manual errors and simplifies audits.
- Do not request “all access” or try to share roles informally.
Be Prepared for Regular Access Reviews
- Periodic reviews will confirm that your access still fits your current job.
- You may be asked to verify your access or confirm changes.
- Please help keep our systems secure by reporting any outdated or incorrect permissions.
Separation of Duties (SoD)
- No one person should be able to initiate, approve, and complete a sensitive transaction alone—this reduces the risk of fraud or error.
- Permissions should be assigned so incompatible duties (e.g., approving and paying invoices) are clearly divided.
- SoD controls must be reviewed during access audits and after role changes to ensure continued compliance.
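The following is an added illustration, not code from the college's IAM page: it walks through the three steps the page describes in order, authentication (verifying who the caller is), RBAC authorization (permissions come only from roles, as in the ERP example above), and a separation-of-duties check (the person who created an invoice may not approve it). The users, roles, passwords and invoice record are constructed sample data; the role names and permission strings are assumptions for the example. The last function shows what an access review can look for: users whose combined roles grant both halves of an incompatible pair.

```python
"""Added IAM illustration (not part of the original page).
All users, roles, passwords and the invoice below are constructed sample data."""
import hashlib
import hmac
import os

# --- Authentication (AuthN): verify who the caller is ---------------------

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is illustrative only
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password: str) -> dict:
    """Store a salted hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

# Constructed sample directory (hypothetical usernames and passwords)
USERS = {
    "alice": make_user("alice-sample-pass"),
    "bob": make_user("bob-sample-pass"),
}

def authenticate(users: dict, username: str, password: str) -> bool:
    user = users.get(username)
    if user is None:
        # Do the same work for unknown names so timing does not reveal
        # whether the account exists.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(user["hash"], candidate)

# --- Authorization (AuthZ): RBAC, permissions come from roles only ---------

# Hypothetical roles and permission strings for the example
ROLE_PERMISSIONS = {
    "ap_clerk":   {"invoice:create", "invoice:view"},
    "ap_manager": {"invoice:approve", "invoice:view"},
    "hr_staff":   {"hr:view"},
}

USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_manager"},
    "carol": {"ap_clerk", "ap_manager"},   # deliberately incompatible pair
}

def permissions_for(username: str) -> set:
    """Effective permissions are the union of the user's role permissions."""
    roles = USER_ROLES.get(username, set())
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

def authorize(username: str, permission: str) -> bool:
    return permission in permissions_for(username)

# --- Separation of duties: approver must differ from initiator -------------

def approve_invoice(invoice: dict, approver: str) -> str:
    """Returns an outcome string so the decision path is visible to the caller."""
    if not authorize(approver, "invoice:approve"):
        return "denied: no approve permission"
    if invoice["created_by"] == approver:
        return "denied: separation of duties"
    invoice["approved_by"] = approver
    return "approved"

# --- Access review helper: find users holding incompatible permissions ----

INCOMPATIBLE = (("invoice:create", "invoice:approve"),)

def toxic_combinations(incompatible=INCOMPATIBLE) -> list:
    """Users whose combined roles grant both halves of an incompatible pair."""
    return sorted(u for u in USER_ROLES
                  for a, b in incompatible if {a, b} <= permissions_for(u))

if __name__ == "__main__":
    print("alice logs in:", authenticate(USERS, "alice", "alice-sample-pass"))
    print("alice may view HR data:", authorize("alice", "hr:view"))
    inv = {"id": "INV-SAMPLE-1", "created_by": "carol"}
    print("carol approves own invoice:", approve_invoice(inv, "carol"))
    print("bob approves it:", approve_invoice(inv, "bob"))
    print("review flags:", toxic_combinations())
```

Note that `approve_invoice` refuses carol's self-approval even though her roles grant the permission: RBAC answers "may this role approve invoices?", while the SoD rule answers "may this particular person approve this particular transaction?". The review helper flags carol's role combination before any transaction happens, which is the kind of finding a periodic access review is meant to surface.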
Don’t Share Accounts or Credentials
- Every user should have their own unique credentials.
- Shared accounts prevent auditing, tracking, and accountability.
- If multiple people need the same access, they will each be granted appropriate permissions.
Report Suspicious Access or Behavior
- Report unusual access patterns, errors, or if someone else is accessing resources they shouldn’t.
- Notify IT if your role changes, you’re transferring departments, or if someone leaves the college.
- Notify us by emailing [email protected]
What Is an Identity Provider?
An Identity Provider (IdP) is a service that verifies identities and manages authentication. It helps centralize access controls and enforce consistent security policies.
Examples: Microsoft Entra, Google, Amazon, GitHub
Analogy: staying at a hotel
- Authentication: Showing your ID at check-in to get your room key
- Authorization: Using the key to access your room, not others
- Your access is based on your role (e.g., guest, staff), not just your identity