IAM concepts

Identity and Access Management (IAM) concepts cover the policies, processes, and tools used to manage digital identities and regulate user access to resources. Key IAM principles include authentication, authorization, provisioning, and least privilege. Effective IAM ensures that the right users have the right access at the right time.

Categories:

Secret Versioning

Secret versioning keeps every version of a credential as an immutable record rather than overwriting it on rotation. This gives security teams a rollback path when a newly rotated value breaks a consumer, a staging mechanism for zero-downtime rotation (the old and new versions are both valid during an overlap window while clients switch over), and the audit trail that compliance frameworks require.

Security Assertion Markup Language (SAML)

Security Assertion Markup Language (SAML) 2.0 is an XML-based framework standardized by OASIS for exchanging authentication and authorization data between identity providers and service providers. SAML enables federated identity and single sign-on (SSO) by allowing users to access multiple applications across organizational boundaries with a single set of credentials.

Proxyless

Proxyless architecture refers to workload identity and access management implementations that eliminate per-workload sidecar proxies, instead integrating security and traffic management capabilities through application libraries, kernel-level networking (eBPF), or shared infrastructure components.

Proxy

A proxy in workload identity and access management is an intermediary component that intercepts, authenticates, and authorizes requests between workloads and resources. It enables dynamic credential injection, policy enforcement, and secure communication without requiring changes to application code.

Secrets Manager

A secrets manager is a centralized security system for storing, controlling access to, and managing the lifecycle of sensitive authentication credentials such as API keys, passwords, certificates, and cryptographic keys. These systems encrypt secrets at rest and in transit, enforce policy-based access controls, provide comprehensive audit trails, and automate credential rotation to reduce the risk of unauthorized access and data breaches.

Secret Rotation

Secret rotation is the systematic process of periodically replacing credentials (passwords, API keys, tokens, certificates, and cryptographic keys) to limit the exposure window of any single credential and the damage its compromise can cause. NIST SP 800-57 defines a “cryptoperiod” for cryptographic keys: the span of time during which a specific key is authorized for use, after which it must be replaced. Rotation policies apply the same idea to other credential types, and a rotation is only complete once every consumer has moved to the new value and the old one has been revoked.
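The following added example (not code from the original page or any particular secrets manager) ties the Secret Versioning and Secret Rotation entries together: an append-only store where rotation adds a version instead of overwriting, labels point consumers at the current and previous versions, a version stops being accepted once it is outside its cryptoperiod, and a rollback swaps the labels without deleting anything. The class, label names and the injectable clock are assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SecretVersion:
    """One immutable version of a secret (constructed example, not a real store)."""
    version: int
    value: str
    created_at: float


class VersionedSecretStore:
    """Append-only secret store: rotation adds a version, it never overwrites.

    Labels ("current", "previous") point at versions so consumers can be moved
    between them without downtime; an audit log records every change.
    `now` is injectable so the cryptoperiod logic can be exercised offline.
    """

    def __init__(self, cryptoperiod_seconds: float, now=time.time):
        self.cryptoperiod = cryptoperiod_seconds
        self.now = now
        self.versions: List[SecretVersion] = []
        self.labels: Dict[str, int] = {}
        self.audit: List[Tuple[float, str]] = []

    def _log(self, msg: str) -> None:
        self.audit.append((self.now(), msg))

    def _version(self, label: str) -> SecretVersion:
        return self.versions[self.labels[label] - 1]

    def rotate(self, new_value: Optional[str] = None) -> int:
        """Add a version and make it 'current'; the old current becomes 'previous'."""
        value = new_value if new_value is not None else secrets.token_urlsafe(32)
        version = len(self.versions) + 1
        self.versions.append(SecretVersion(version, value, self.now()))
        if "current" in self.labels:
            self.labels["previous"] = self.labels["current"]
        self.labels["current"] = version
        self._log(f"rotate -> v{version}")
        return version

    def get(self, label: str = "current") -> str:
        """What a consumer fetches; most clients only ever read 'current'."""
        return self._version(label).value

    def rollback(self) -> int:
        """Point 'current' back at 'previous', e.g. because the new value broke a consumer.
        Nothing is deleted, so the audit trail stays complete."""
        if "previous" not in self.labels:
            raise RuntimeError("no previous version to roll back to")
        cur, prev = self.labels["current"], self.labels["previous"]
        self.labels["current"], self.labels["previous"] = prev, cur
        self._log(f"rollback v{cur} -> v{prev}")
        return prev

    def is_expired(self, label: str = "current") -> bool:
        """Cryptoperiod check: has the labelled version outlived its allowed lifetime?"""
        return self.now() - self._version(label).created_at > self.cryptoperiod

    def accepts(self, presented: str) -> bool:
        """What the protected service checks. Both 'current' and 'previous' verify
        during the overlap window, but a version outside its cryptoperiod never does.
        Comparison is constant-time to avoid leaking the value through timing."""
        for label in ("current", "previous"):
            if label not in self.labels or self.is_expired(label):
                continue
            if secrets.compare_digest(presented, self.get(label)):
                return True
        return False
```

Rotating before the current version expires is what makes the overlap window work: a client that has not yet fetched the new value keeps authenticating with the old one until its cryptoperiod ends, after which only the new value is honoured.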

Identity Broker

An Identity Broker is an intermediary security service that facilitates federated authentication and authorization between external identity providers and internal service providers. It validates incoming identity assertions and translates them into short-lived access tokens or credentials, so that workloads can authenticate across organizational and security domain boundaries without trusting each external provider directly.

Dynamic Secrets

Dynamic secrets are credentials (such as database passwords or cloud API keys) that a secrets manager generates on demand each time a client requests access. Unlike static secrets, which persist until someone changes them, each dynamic secret is unique to the request, carries a short time-to-live (a lease), and is automatically revoked when the lease expires or is cancelled. A leaked dynamic secret is therefore useful to an attacker only until its lease ends, and its use can be traced back to the specific requester.
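As an added example (not code from the original page or any particular secrets manager), the issuer below mints a fresh credential per request with a lease, revokes credentials early on demand, and reaps expired leases; the "backend" it creates accounts in is a plain dictionary standing in for a database or cloud account store, and the class and method names are assumptions made for this illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict


@dataclass
class Lease:
    """A dynamic credential plus the lease that bounds its life (constructed example)."""
    lease_id: str
    username: str
    password: str
    expires_at: float
    revoked: bool = False


class DynamicCredentialIssuer:
    """Mints a unique, short-lived credential on every request.

    `backend_accounts` stands in for the system the credential logs in to
    (e.g. a database user table); revoking a lease deletes the account there,
    so the credential stops working immediately. `now` is injectable for testing.
    """

    def __init__(self, ttl_seconds: float, now=time.time):
        self.ttl = ttl_seconds
        self.now = now
        self.leases: Dict[str, Lease] = {}
        self.backend_accounts: Dict[str, str] = {}  # username -> password

    def issue(self, requester: str) -> Lease:
        """Every call produces a new account; nothing is shared between requesters."""
        lease = Lease(
            lease_id=secrets.token_hex(8),
            username=f"v-{requester}-{secrets.token_hex(4)}",  # traceable to the requester
            password=secrets.token_urlsafe(24),
            expires_at=self.now() + self.ttl,
        )
        self.backend_accounts[lease.username] = lease.password
        self.leases[lease.lease_id] = lease
        return lease

    def revoke(self, lease_id: str) -> None:
        """Early revocation: the credential dies with the backend account."""
        lease = self.leases[lease_id]
        lease.revoked = True
        self.backend_accounts.pop(lease.username, None)

    def reap_expired(self) -> int:
        """Revoke every lease whose TTL has passed; a secrets manager runs this continuously.
        Returns how many leases were revoked in this pass."""
        count = 0
        for lease in list(self.leases.values()):
            if not lease.revoked and self.now() >= lease.expires_at:
                self.revoke(lease.lease_id)
                count += 1
        return count

    def authenticate(self, username: str, password: str) -> bool:
        """What the protected resource checks. A stolen credential only works
        until its lease is reaped or revoked. Constant-time compare."""
        stored = self.backend_accounts.get(username)
        return stored is not None and secrets.compare_digest(stored, password)
```

Note that between a lease's expiry time and the next reaper pass the backend still accepts the credential; in practice the reaper interval, not just the TTL, bounds the exposure window, so keep it short.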

Authorization

Authorization is the process of verifying whether a previously authenticated identity (user, machine, or agent) is allowed to perform a specific action or access a particular resource.

Authentication

Authentication is the process of verifying the identity of a user, machine, or application attempting to access a system or resource. It ensures that each access request originates from a legitimate, trusted entity before authorization and policy enforcement take place.
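To make the ordering in the Authentication and Authorization entries concrete, here is an added example (not code from the original page) of a request handler that first authenticates an HMAC-signed, expiring bearer token and only then evaluates a deny-by-default role policy against the verified claims. The token format, signing key, policy table and function names are assumptions made for this illustration; the token is a deliberately minimal stand-in for a JWT, not a JWT implementation.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Set

# Constructed example key shared by the issuer and the verifier. Never hard-code
# a real signing key; this one exists only so the example runs offline.
SIGNING_KEY = b"example-shared-key-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, roles: List[str], ttl: int,
                key: bytes = SIGNING_KEY, now=time.time) -> str:
    """Mint a token: base64url(payload).base64url(HMAC-SHA256(key, payload))."""
    claims = {"sub": subject, "roles": roles, "exp": int(now()) + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(sig)}"


def authenticate(token: str, key: bytes = SIGNING_KEY, now=time.time) -> Optional[dict]:
    """Authentication: prove the token was issued by a holder of `key` and is unexpired.
    Returns the claims on success, None on any failure (malformed, tampered, expired)."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time
            return None
        claims = json.loads(payload)
        if claims["exp"] <= now():
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


# Authorization policy: role -> resource -> permitted actions. Anything absent is denied,
# which is how least privilege is expressed in the policy itself.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "reader": {"reports": {"read"}},
    "editor": {"reports": {"read", "write"}},
}


def authorize(claims: dict, action: str, resource: str) -> bool:
    """Authorization: may this already-authenticated identity perform `action` on `resource`?"""
    return any(action in POLICY.get(role, {}).get(resource, set())
               for role in claims.get("roles", []))


def handle_request(token: str, action: str, resource: str, now=time.time) -> str:
    """Authenticate first, then authorize; policy is never evaluated on unverified claims."""
    claims = authenticate(token, now=now)
    if claims is None:
        return "401 unauthenticated"
    if not authorize(claims, action, resource):
        return "403 forbidden"
    return f"200 {claims['sub']} {action} {resource}"
```

The distinction the two entries draw shows up in the return codes: a forged or expired token never reaches the policy check (401), while a genuine token that lacks the needed role is recognised but refused (403). Roles are read from the verified payload only, so an attacker who edits the payload without the key is stopped at the signature comparison.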