
Who Are You and What Do You Need? Introduction to Identity and Access Management (IAM) Systems

This is the first installment of a mini-series on Identity and Access Management (IAM). In this first post, we introduce the basic elements comprising an IAM framework and provide some historical background.


Research firm Gartner defines identity and access management (IAM) as the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. In this article we’re going to define the fundamental elements of modern IT identity and access management systems; but first we’re going to look back at the history of making sure the “right individuals” have the “right resources”.

Historical background

Restricting access to information is older than humankind – even animals keep secrets, such as the location of their den or their food supply.

One obvious way to restrict access to information is to keep it physically secure and only share it with authorized individuals whom you can physically, personally identify. However, even in the ancient world, other techniques were developed to verify identity and control access.

Identity Verification

The first step in controlling access to sensitive information is to verify that the people transmitting and receiving the information are who they claim to be (i.e., the “right person”). Different techniques have evolved over time to address these needs.


Passwords have been used at least since Roman times, over 2,000 years ago, as a way to verify identity. Sentries would challenge those who wanted access to a protected area; entry would be denied if you didn’t know the password.

Military use of passwords traditionally took the form of a challenge and response: one password would be called out as a challenge, and it needed to be answered with the correct response. Not knowing the correct response could have tragic consequences. American Colonel Mickey Marcus was killed a day before the ceasefire ending Israel’s War of Independence when he was challenged by a sentry. Marcus did not speak enough Hebrew to give the password, and the Israeli guard did not speak English.


Even among people who understand the same language, different ways of pronouncing a word or phrase have historically served as a way to identify people. This technique for identity management is called a “shibboleth,” after a story that appears in the Bible. Residents of a particular region in ancient Israel, Gilead, were in a fight against men from another tribe, Ephraim. The Bible shares the story:

When any fugitive from Ephraim said, “Let me cross,” the men of Gilead would ask him, “Are you an Ephraimite?”; if he said “No,” they would say to him, “Then say shibboleth”; but he would say “sibboleth,” not being able to pronounce it correctly. Thereupon they would seize him and slay him by the fords of the Jordan.

In 16th century Netherlands, a shibboleth “Bûter, brea, en griene tsiis; wa't dat net sizze kin, is gjin oprjochte Fries” (“Butter, rye bread and green cheese, whoever cannot say that is not a genuine Frisian”) was used to identify outsiders. Ships whose crews couldn’t pronounce the phrase correctly were plundered and the crewmen were killed.

More recently (2017), when a bunch of outsiders showed up in New Orleans to protest the city’s decision to remove the Robert E. Lee monument, locals identified outsiders by asking them to pronounce “Tchoupitoulas Street” or “get out.”


Identifying the sender in ancient times often relied on a seal. The use of seals to verify the authenticity of a text predates pen and paper – it goes back to ancient Mesopotamia when scribes had cylindrical seals that were used to make an impression on the clay tablets used for writing hieroglyphics.

Those ancient seals evolved into signet rings, which the owner would use to seal documents. In Roman times, letters would be sealed with bitumen, and stamped with the seal. This served two purposes – it identified the sender, and it verified that the contents had not been read or tampered with by unauthorized persons. In the Middle Ages, bitumen was replaced by sealing wax, but it accomplished the same purposes.

Passports and Identity Documents

The first passports were issued by the English King Henry V in 1414. They were called “safe conduct” documents and were intended to ensure the person’s safety when traveling in a different kingdom. Passports have evolved over time in an attempt to make sure the person presenting the document is who he says he is. Pictures were a first step; modern passports may also contain biometric information.

Biometric Identification

Fingerprints first came to be used for identification purposes in the 1870s, when Sir William Herschel used them as a verifiable “signature” that could be used to sign wills and deeds.

Access Management

In ancient times, access management was mainly accomplished by means of encryption, ensuring that sensitive information did not fall into the wrong hands.

The oldest known use of cryptography to restrict access to information goes back 3,500 years to Mesopotamia, when a craftsman encrypted a presumably valuable recipe for a pottery glaze. Simple forms of cryptography were also used in ancient India, Israel, Greece, and Rome.

The Arabs in the 8th century made important developments in both cryptography and cryptanalysis (techniques for breaking codes). Cryptography was regularly used by monarchs in Renaissance Europe.

Cryptography became increasingly important in the late 19th century and early 20th century with the advent of the telegraph and radio communications.

In WWII, the Colossus, the world’s first electronic digital programmable computer, was used by the British to crack the Germans’ Enigma code.

Fundamentals of Modern-Day Identity and Access Management (IAM)

Identity and Access Management systems have always been a central element of corporate computing. As cyberthreats become more sophisticated, the demands on IAM have become greater. Consequently, instead of looking at different components of IAM in a piecemeal fashion, IT professionals now relate to IAM as an integrated framework. This is important because your data is only as secure as the weakest link in your system.

The basic elements of IAM are:

  • Authentication (Identification): Is a user who they claim to be?
  • Authorization: Is that user authorized to access a particular resource on the system?
  • User Management: The process for creating, updating, and deleting users and user groups, as well as updating user information
  • Data Security: Protecting the sensitive data within the system

All of the historical techniques discussed in the beginning of this article have digital counterparts that are used in IAM systems today:

  • Passwords: Passwords remain an important factor in authentication.
  • Shibboleth: In modern IT terms, a shibboleth is a password that is shared among members of a community and used to gain access to a shared resource. The shared password is served to an “origin” server, which provides the actual password to the “target server.” The user doesn’t know the actual password, and the target server doesn’t know who the user is.
  • Seals: Hardware tokens serve a similar function to ancient seals: a physical device that helps identify the sender.
  • Passports and identity documents: Some countries now issue “eIDs” that serve to identify a person in the digital realm as well as in the physical realm.
  • Biometric identification: Since many smartphones are now equipped with fingerprint ID and facial recognition, biometric identification is increasingly being incorporated as a part of user authentication.
  • Cryptography: Cryptography remains the essential technology ensuring session privacy and data security.


Look out for our next article in this series, describing the core policies, procedures, and tools underlying current IAM systems.

Nick Kael


CTO | Ericom
A cybersecurity expert with over 20 years of experience in web technologies, architecture, infrastructure, networking and dev environments, Nick is responsible for solution management, technology strategy and technology partnerships. Nick was previously Symantec Group CTO for Global Service Providers, following his tenure as Director of the Chief Architect Team for Channel and Service Providers at Zscaler and an earlier position in the Symantec CTO organization. His certifications include CEH7, CCSK, BCCPP, Bluecoat Blue Knight, MCSE + Security, CCDP, CCNA, CCSA, VTP5 and VTSP5.