Editorial coverage
Topics
Six pillars of Identity & Access Management. Each links to our standing coverage on that topic — articles, breach analyses, and architectural guidance.
Zero Trust
Stop trusting the network. Start verifying every identity, every request, every time.
Zero Trust is the security model in which no user, device, or workload is trusted by default — every request is authenticated, authorized, and continuously evaluated against current context (identity, device posture, location, behavior). NIST SP 800-207 codified the principles in 2020; CISA and the U.S. federal government have adopted it as the baseline for federal security since 2022.
Privileged Access Management
The accounts attackers want most. The hardest to govern.
Privileged Access Management (PAM) is the discipline of securing, controlling, and auditing the accounts that hold elevated permissions — administrators, root, service accounts, application credentials, and infrastructure secrets. These accounts are the primary target for ransomware operators, nation-state intruders, and insider threats because they collapse the attack chain: one compromised privileged credential can mean a full domain takeover in hours.
Customer Identity
Identity for the people who pay you. Lower friction, higher trust, regulatory compliance baked in.
Customer Identity and Access Management (CIAM) is the set of identity capabilities that face external users — your customers, applicants, members, citizens. Unlike workforce IAM, CIAM is judged on conversion rate as much as on security. Every additional step in registration drops sign-ups; every false-positive in fraud detection costs a real customer. The market leaders (Okta CIC, Auth0, Microsoft Entra External ID, Ping, ForgeRock Identity Cloud) compete largely on developer experience and time-to-launch.
Identity Governance
Who has access to what, why, and is that still appropriate?
Identity Governance and Administration (IGA) is how an organization answers the question "who has access to what, why, and is that still appropriate?" It owns the lifecycle of access — provisioning when people join or change roles, de-provisioning when they leave, periodic certifications when nothing changes, and the audit evidence that proves the controls are working.
Cloud IAM
AWS, Azure, GCP. Same problems with three different naming conventions.
Cloud IAM is the set of identity primitives each major cloud provider exposes — AWS IAM, Azure (Entra) RBAC, GCP IAM — plus the cross-cloud capabilities that have become table stakes: federated workforce access, workload identity for service-to-service auth, secrets management, and detective controls (CloudTrail, Entra audit logs, GCP audit logs). Each provider models the same problems differently, and the gap between "permissions configured" and "least privilege actually achieved" is where most cloud breaches happen.
MFA & Passwordless
Phishing-resistant authentication. Passkeys. The end of "remember 47 passwords".
Multi-factor authentication is the single most effective control against credential-stuffing and phishing — when implemented with phishing-resistant factors. SMS-based MFA, push-notification fatigue MFA, and TOTP-only MFA have all been bypassed at scale (LAPSUS$, Scattered Spider, the wave of MFA-fatigue attacks against Microsoft Entra in 2022-2024). The current bar is FIDO2 / WebAuthn — passkeys, security keys, platform authenticators — which are bound to the legitimate site origin and cannot be relayed by a man-in-the-middle.