More about a career in Identity & Access Management
Identity & Access Management (IAM) is an essential part of day-to-day life in all organisations, and even more so in larger organisations with greater amounts of sensitive commercial or client information to protect.
You may be the only practitioner, managing identities and access as part of a broader role in system administration. But it's more likely you're part of a team of specialists with shared responsibility for the effective operation and development of the IAM system of your organisation.
On a daily basis you'ree conscientious, positive, comfortable working in an IT-focused environment and able to prioritise to meet changing demands. Your daily tasks range from basic user account administration and creating/auditing user access information, to conducting risk assessments on the organisation’s IAM and providing solutions to improve the IAM system.
If there's a security incident - whether a suspected accidental breach or a deliberate breach by someone within the organisation, or an attack from outside - you respond quickly as part of the investigative effort to find out what happened and who was involved.
Whether on your own or as part of a team, you look for ways to improve the management of Identity and Access management, and especially for ways to reduce the risk of breaches, usually working with other teams in the organisation such as IT and HR.
As a senior practitioner, you're likely to supervise the day-to-day activities of team members, ensuring that their individual and collective performance meets the required standard. You contribute to their development and provide line manager support and mentoring. You often work with managers in other specialist teams to ensure the overall security of the organisation’s data and its information systems.
Identity & Access Management is an essential element of the cyber security protection of an organisation, ensuring that people only access systems and data if they allowed to do so.
In detail, you might:
- perform routine administration tasks associated with accessing the Trusted ICT Network and Systems, including:
- managing users’ access credentials; and
- withdrawing and maintaining access in line with authorised service requests
- fulfil service requests for starters, movers and leavers in relation to user account management, by:
- updating user information
- creating and modifying email distribution lists; and
- creating or modifying security groups
- design, develop, deploy and maintain identity and access management services and applications, including:
- local and federated authentication and authorisation systems
- their backend directories; and
- identify opportunities for improving the IAM strategy, policies and processes
- investigate records of user actions and system processes when a security incident is suspected to have occurred
- assess and manage risks to the effectiveness and security of the IAM system
- is likely to work within a larger team supporting colleagues and managers in all aspects of IAM
- will be hands-on with the technical application of IAM
- aims to develop experience, with the aim of becoming a subject matter expert
A senior practitioner:
- may lead a team, with responsibility for managing and training that team
- is likely to be responsible for the IAM of the organisation and its clients
- is very likely to provide consultancy and expert advice on IAM, acting as a point of escalation for IAM alerts or issues
- ability to work on your own as well as within a small team
- interpersonal skills, including customer service
- communicating technical and non-technical information to a wide range of audiences
- attention to detail, with a logical and methodical working practice
- a positive, organised, and motivated approach to work, with the ability to meet deadlines
- strong IT skills, able to analyse data for reporting purposes and follow work instruction
- experience of developing new processes and ways of working
- evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action
For the more experienced practitioner:
- experience of working and influencing cross-functionally and managing external agencies
- experience of providing expert advice and accurate analysis, complying with all relevant regulations, to senior stakeholders
- application of Authentication & Authorization principles and processes
- application of industry standard IAM protocols, such as Kerberos, OAuth, FIDO, SCIM, LDAP, SAML
- application of Identity and Authentication solutions, such as Okta, Auth0, Active Directory & Azure AD
- application of LDAP\Active Directory services, MFA, risk-based authentication and privileged access management
- application of cyber security principles such as Least Privilege and Separation of Duties
- auditing user and process access, including interpreting system logs
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs).
A6 – Legal and Regulatory Environment and Compliance
- understands the legal and regulatory environment within which the business operates
- ensures that Information Security Governance arrangements are appropriate
- ensures that the organisation complies with legal and regulatory requirements
E2 – Secure Operations & Service Delivery
- securely configures and maintains information, control and communications equipment in accordance with relevant security policies, standards and guidelines. This includes the configuration of Information Security devices (e.g., firewalls) and protective monitoring tools (e.g., SIEM)
- implements security policy (e.g., patching policies) and Security Operating Procedures in respect of system and/or network management
- undertakes routine technical vulnerability assessments
- maintains security records and documentation in accordance with Security Operating Procedures
- administers logical and physical user access rights
- monitors processes for violations of relevant security policies (e.g., acceptable use, security, etc.)
G3 – Identity and Access Management (IAM/IdM)
- directs, oversees, designs, implements, contributes to, or operates within identity and access management policies, procedures, processes and controls to ensure that access by individuals to IT and information resources is controlled effectively, operating within legal and regulatory constraints and meeting business requirements
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
You might have acquired skills that can be applied to an Identity & Access Management role from any job that involves detailed, methodical work and the application of security rules.
With the addition of specialist training, roles that may have provided a good foundation for a position in this specialism include:
- police services: communication security, data management or information security
- Armed Forces: communication security, data management or information security
- business information management
- finance, especially in compliance or KYC roles
- legal services
- security, especially personnel and technical
Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.
Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.
As an experienced practitioner in an Identity and Access Management role, you'll typically use the knowledge in the KAs listed below, although not always to the same level of detail. You're most likely to need a very good understanding of the Core Knowledge, which is essential to performing the role. You may need a good understanding of the Related Knowledge, but not to quite the same degree. You may need a much less detailed understanding of the elements of Wider Knowledge, which provides context for your work.
Coming into such a role, you will not be expected to have all his knowledge initially.
All aspects of identity management and authentication technologies, and architectures and tools to support authorisation and accountability in both isolated and distributed systems.
Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.
Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation.
Data confidentiality, control and protection of personal and valuable information to ensure privacy is maintained and recognised as a fundamental human right.
Operating systems protection mechanisms, implementing secure abstraction of hardware, and sharing of resources, including isolation in multi-user systems, secure virtualisation, and security in database systems.
Core primitives of cryptography as presently practised and emerging algorithms, techniques for analysis of these, and the protocols that use them.
The legal and regulatory topics that merit consideration when conducting various activities in the field of cybersecurity.
Understanding an attacker’s motivations and capabilities, and the technological and human elements that adversaries require to run a successful operation.
You may get started in this specialism as an apprentice.
Alternatively, you may enter as a graduate, with a degree in:
- cyber security or information security
- information technology
- business information systems
- a similar discipline
Or, you may transition from another role in IT or another cyber security specialism:
From a role in Identity & Access Management, you might move to a position in one of these other cyber security specialisms:
With experience, you might progress within the Identity and Access Management specialism to become a Chief Data Protection Officer.
For practitioner roles, titles include:
- Identity & Access Management - Support Assistant
- Identity & Access Management Analyst
- Identity & Access Management Engineer
Senior practitioner roles may be titled:
- Identity & Access Management Specialist / Consultant / Director
- Digital Identity Security Consultant
- Cyber Manager - Identity & Access Management
An apprentice working in Identity & Access Management might earn between £19,000 and £20,000 a year.
An Identity and Access Management practitioner might earn between £30,000 and £63,000. The median salary in March 2021 was £33,492.
A senior Identity & Access Management practitioner might earn between £70,000 and £120,000. The median salary for an Identity & Access Management Consultant in March 2021 was £82,500.
The salary ranges are based on job vacancy advertisements published online in March 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk.