Why it matters: Identity and Access Management (IAM) ensures that the right people, devices, and software can access the right resources at the right time, and nothing more. It is foundational to protecting data, maintaining privacy, and supporting efficient operations.

Key Concepts

Identity

A digital identity is a unique set of attributes representing a person, system, or device in a computer system.
Examples:

  • Human identities: Employees, students, contractors
  • Workload identities: Apps, scripts, containers
  • Device identities: Laptops, mobile devices, IoT sensors

Authentication (AuthN)

Verifies that a user, device, or workload is who or what it claims to be.
Common methods:

  • Username and password
  • Biometric data (e.g., fingerprint)
  • One-time passcodes or security tokens

Best practices:

  • Multifactor Authentication (MFA) requires two or more independent factors (something you know, something you have, something you are), so a stolen password alone is not enough
  • Single Sign-On (SSO) lets one login, handled by a central identity provider, grant access to multiple systems, so each application does not keep its own copy of your password

Authorization (AuthZ)

Controls what you can access after your identity is verified.
Example: You can log into the ERP system (authentication), but only see HR data if your role allows it (authorization).

Best Practices for Users

Use Strong, Secure Passwords

  • Create long passwords: a passphrase of several unrelated words is easier to remember and harder to guess than a short "complex" string.
  • Never reuse college passwords on other websites or services.
  • Avoid sharing your password with anyone, including coworkers or support staff.

Enable and Respect Multifactor Authentication (MFA)

  • MFA adds a second layer of protection beyond your password.
  • Use a phone-based app or security token if required.
  • Approve login prompts only when you are actively logging in. Never approve a prompt you did not initiate: an unexpected prompt usually means someone else already has your password and is trying to get past MFA, so deny it and report it.

Understand the Principle of Least Privilege

  • You’ll be granted access only to the data and systems required for your role.
  • This is intentional—it protects sensitive information and limits potential harm if accounts are compromised.
  • If you believe you need access to something outside your role, follow the proper request process.

Respect Role-Based Access Control (RBAC)

  • Your access is tied to your job function, not your individual preferences.
  • Role-based access reduces manual errors and simplifies audits.
  • Do not request “all access” or try to share roles informally.

Be Prepared for Regular Access Reviews

  • Periodic reviews will confirm that your access still fits your current job.
  • You may be asked to verify your access or confirm changes.
  • Please help keep our systems secure by reporting any outdated or incorrect permissions.

Segregation of Duties

  • No one person should be able to initiate, approve, and complete a sensitive transaction alone—this reduces the risk of fraud or error.
  • Permissions should be assigned so incompatible duties (e.g., approving and paying invoices) are clearly divided.
  • SoD controls must be reviewed during access audits and after role changes to ensure continued compliance.
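The following Python example is added here to illustrate two points made on this page: the authorization check described under Authorization (AuthZ), and the segregation-of-duties review described above. It is not code from the original page or from any product. The role names, permission names, users, and conflict pairs are constructed assumptions. It checks conflicts on a user's effective permissions rather than on role names, so a single role that bundles incompatible duties is caught as well as a user who accumulated two roles.

```python
"""Role-based authorization plus a segregation-of-duties (SoD) audit.

Added example with constructed data; none of the roles, permissions or
users below come from a real system.
"""

from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed role -> permission mapping (illustrative only).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "employee": {"self:read"},
    "hr_staff": {"hr:read", "hr:write"},
    "finance_clerk": {"invoice:create", "invoice:read"},
    "finance_approver": {"invoice:approve", "invoice:read"},
    "treasurer": {"invoice:pay", "invoice:read"},
    # A badly designed role that bundles approving and paying in one place.
    "finance_manager": {"invoice:approve", "invoice:pay", "invoice:read"},
}

# Constructed user -> role assignments. "carol" kept her clerk role after
# being promoted to approver; "dave" holds the bundled role.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"employee", "hr_staff"},
    "bob": {"employee", "finance_clerk"},
    "carol": {"employee", "finance_clerk", "finance_approver"},
    "dave": {"employee", "finance_manager"},
}

# Incompatible duties, expressed on permissions: no one person may hold both.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("invoice:create", "invoice:approve"),  # initiate vs approve
    ("invoice:approve", "invoice:pay"),     # approve vs pay
    ("invoice:create", "invoice:pay"),      # initiate vs pay
]


def permissions_for(user: str) -> Set[str]:
    """Effective permissions: the union over every role the user holds.

    Unknown users and unknown roles contribute nothing, so they are denied.
    """
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user: str, permission: str) -> bool:
    """AuthZ decision. The caller is assumed to have already authenticated
    the user; this function only answers "may this identity do X", and
    denies by default."""
    return permission in permissions_for(user)


def sod_violations() -> Dict[str, List[Tuple[str, str]]]:
    """Audit step: return every user whose effective permissions contain
    both sides of an incompatible pair, whichever roles granted them."""
    found: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for user in USER_ROLES:
        perms = permissions_for(user)
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                found[user].append((a, b))
    return dict(found)


if __name__ == "__main__":
    # Authorization: same login, different outcomes depending on role.
    for user, perm in [("alice", "hr:read"), ("bob", "hr:read"), ("mallory", "self:read")]:
        print(f"{user:8} {perm:12} -> {'ALLOW' if authorize(user, perm) else 'DENY'}")
    # SoD review, the kind of report an access review would produce.
    for user, conflicts in sod_violations().items():
        for a, b in conflicts:
            print(f"SoD violation: {user} holds both {a} and {b}")
```

Running the script prints an allow/deny line per check and then two SoD findings: carol (clerk plus approver, accumulated across a role change) and dave (a single role that bundles approve and pay). The second finding is the reason the audit compares effective permissions rather than role names: checking only "does this user hold two conflicting roles" would have missed it.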

Don’t Share Accounts or Credentials

  • Every user should have their own unique credentials.
  • Shared accounts prevent auditing, tracking, and accountability.
  • If multiple people need the same access, they will each be granted appropriate permissions.

Report Suspicious Access or Behavior

  • Report unusual access patterns, errors, or if someone else is accessing resources they shouldn’t.
  • Notify IT if your role changes, you’re transferring departments, or if someone leaves the college.

What Is an Identity Provider?

An Identity Provider (IdP) is a service that verifies identities and manages authentication on behalf of many applications. Applications trust the IdP's sign-in result instead of each storing and checking passwords themselves, which centralizes access controls and lets policies such as MFA be enforced consistently in one place.
Examples: Microsoft Entra ID, Google, Amazon, GitHub

A Simple Analogy

  • Staying at a hotel:
    • Authentication: Showing your ID at check-in to get your room key
    • Authorization: Using the key to access your room, not others
    • Your access is based on your role (e.g., guest, staff), not just your identity