Historically, Identity and Access Management (IAM) implementations were designed around the principle of one person equals one account. This worked because users typically accessed IAM systems as a single identity type, or persona. For most early implementations, this was typically in the context of an employee or other workforce identity.
Today, IAM systems must be designed to handle multiple personas. An identity may require differing access depending on the context in which the identity is operating. Enterprises have increasingly merged workforce IAM, Customer Identity and Access Management (CIAM), partner ecosystems, privileged access management, and DevOps platforms. Additionally, resources may exist across these systems for both human and non-human identities.
The same identity may act as an employee, administrator, developer, contractor, partner, customer, or other role depending on the context in which resources are being accessed.
For example, a doctor working at a hospital may normally have privileged access to clinical systems, patient records, and medical applications while performing their job. However, if that same doctor becomes a patient in the same hospital, their access to systems and data must change. In that context, they should no longer access systems as a clinician but instead interact with them as a patient—viewing their own medical information through patient portals and standard patient workflows. Although it is the same individual, the identity system must recognize the different role and adjust access, permissions, and verification requirements accordingly.
As a result, each persona requires different:
- Trust levels
- Authentication and verification requirements
- Authorization policies
- Compliance guidelines and enforcement
To support those requirements, increase operational efficiency, and reduce risk, a single static account is no longer sufficient to represent an identity.
Why IAM Must Move from Accounts to Identity Personas
Modern IAM systems must accommodate more than just accounts. Additionally, access needs to be secured for both human and non-human identities, each operating as different personas.
A persona is a contextual security profile tied to an identity. It defines:
- The context in which the identity is operating
- The required permissions to secure the accessed resources
- Authentication policies, session management, and identity verification requirements
- Risk and compliance operating factors
- Logging, monitoring, and audit requirements
Unlike roles or accounts, personas represent how an identity is acting in the context of the operations being performed.
| Concept | Description | Example |
|---|---|---|
| Identity | The unique representation of a person or entity within IAM systems | Dr. Jane Smith |
| Account | A system credential used to authenticate into a specific platform | Active Directory account |
| Persona | The contextual role an identity is operating under when accessing resources | Doctor accessing clinical systems |
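The persona definition above (context, permissions, authentication policy, session limits, audit requirements) can be made concrete as a small policy model. The following is an added example, not code from the original article: it is a hypothetical Python model in which a single identity holds several personas, each carrying its own authentication requirement, session lifetime, permission set and audit tags, and an `evaluate_access` function that decides a request from the activated persona rather than from an account-level role. The `AuthLevel` ordering, the persona names and the doctor/patient sample data are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuthLevel(Enum):
    # Ordered so that a higher value means "at least this strong" (assumption).
    PASSWORD = 1
    MFA = 2
    MFA_VERIFIED_DEVICE = 3


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # identity holds the persona but must re-authenticate first
    DENY = "deny"


@dataclass(frozen=True)
class Persona:
    """Contextual security profile tied to an identity (hypothetical model)."""
    name: str
    trust_level: int                      # higher = more trusted, more controls apply
    required_auth: AuthLevel              # minimum authentication strength for this context
    max_session_minutes: int              # session lifetime allowed for this persona
    permissions: frozenset                # (resource, action) pairs granted in this context
    audit_tags: frozenset = frozenset()   # extra logging/monitoring required in this context


@dataclass
class Identity:
    identity_id: str
    personas: dict = field(default_factory=dict)   # persona name -> Persona


@dataclass
class Session:
    identity_id: str
    auth_level: AuthLevel
    age_minutes: int


def evaluate_access(identity, session, persona_name, resource, action):
    """Return (Decision, reason, audit_tags) for one request under an activated persona."""
    persona = identity.personas.get(persona_name)
    if persona is None:
        return Decision.DENY, f"{identity.identity_id} does not hold persona {persona_name}", frozenset()
    # Authorization is tied to the persona, never to the identity as a whole.
    if (resource, action) not in persona.permissions:
        return Decision.DENY, f"persona {persona_name} may not {action} on {resource}", persona.audit_tags
    # Authentication requirements are per persona: one session can be strong enough
    # for the patient context and still too weak for the clinician context.
    if session.auth_level.value < persona.required_auth.value:
        return Decision.STEP_UP, f"persona {persona_name} requires {persona.required_auth.name}", persona.audit_tags
    if session.age_minutes > persona.max_session_minutes:
        return Decision.STEP_UP, f"session older than {persona.max_session_minutes} minutes", persona.audit_tags
    return Decision.ALLOW, "ok", persona.audit_tags


# Constructed sample data modelled on the article's doctor/patient scenario.
CLINICIAN = Persona(
    name="clinician", trust_level=3, required_auth=AuthLevel.MFA_VERIFIED_DEVICE,
    max_session_minutes=30,
    permissions=frozenset({("ehr", "read_any_patient"), ("ehr", "write_orders")}),
    audit_tags=frozenset({"phi_access", "privileged"}),
)
PATIENT = Persona(
    name="patient", trust_level=1, required_auth=AuthLevel.MFA,
    max_session_minutes=480,
    permissions=frozenset({("portal", "read_own_record")}),
)
DR_SMITH = Identity("jane.smith", {"clinician": CLINICIAN, "patient": PATIENT})


def demo():
    """Run the same MFA-only session through different personas."""
    weak = Session("jane.smith", AuthLevel.MFA, age_minutes=5)
    return {
        # Patient portal with MFA: allowed under the patient persona.
        "patient_portal": evaluate_access(DR_SMITH, weak, "patient", "portal", "read_own_record")[0],
        # Same session, clinician persona: the persona demands a stronger factor.
        "clinician_weak_session": evaluate_access(DR_SMITH, weak, "clinician", "ehr", "read_any_patient")[0],
        # The patient persona never reads other patients, however strong the session.
        "patient_reads_others": evaluate_access(DR_SMITH, weak, "patient", "ehr", "read_any_patient")[0],
        # A persona the identity does not hold at all.
        "not_held": evaluate_access(DR_SMITH, weak, "administrator", "ehr", "write_orders")[0],
    }
```

The point of the model is that the identity is unchanged across all four calls; only the persona and its attached controls differ, which is what makes the step-up, the denial and the audit tags fall out of the persona definition rather than out of separate accounts.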
Business Drivers for Using Personas
Modern business requirements depend on an infrastructure that supports multiple personas. The complexity of determining and auditing access has increased as applications have grown to support differing contexts and to depend on multiple identity types.
The following should be considered when implementing persona-based security infrastructure:
Digital Transformation and Persona Requirements
As organizations consolidate platforms, move to API-based designs, and integrate different identity types, contextual security becomes a requirement. IAM systems must support differing personas for an identity without requiring multiple accounts. Additionally, identities need to access systems with the correct persona and have the correct security requirements applied without significant added complexity.
Persona-Based IAM for Compliance and Access Governance
Compliance requirements are increasingly driven by the need for clear segregation of duties, enforcement of least privilege access, and auditable activity. Organizations are required to prove:
- Who performed a privileged action
- What granted the level of access under which the action was performed
- How the user was authenticated and verified
Persona-based IAM enables organizations to tie access, authentication, and activity to a unified identity rather than to multiple disconnected accounts.
Increasing Operational Efficiency by Streamlining Access Reviews
Using multiple accounts to represent different contexts of access creates significant administrative overhead. It increases user confusion, complicates authorization policies, and makes access reviews difficult to interpret.
Persona-based identity models simplify the process by linking permissions to a contextual security profile rather than to separate accounts. Instead of reviewing multiple accounts tied to the same individual, organizations can review access based on the persona being activated.
This allows reviewers to evaluate access in terms of business context and operational responsibilities rather than technical account structures. As a result, access certifications become easier to understand, audit, and maintain.
| Traditional IAM Model | Persona-Based IAM Model |
|---|---|
| Multiple accounts per user | Single identity with multiple personas |
| Access tied to account roles | Access tied to contextual persona |
| Difficult access reviews across accounts | Contextual access reviews |
| Higher account sprawl | Reduced account proliferation |
| Limited context awareness | Context-aware authentication and authorization |
Reducing Risk of Identity-Based Attacks
Identity-based attacks are now one of the main ways of compromising security systems. Firewalls and other network-based systems no longer address the most common attack vectors for bad actors. Overprivileged accounts and lack of contextual security increase the risks associated with IAM access. Persona-based IAM reduces the impact of attacks and limits the improper use of privileged accounts.
Leveraging Context Instead of Multi-Account Reviews
Traditional approaches to governance were based on accounts and the roles associated with those accounts. This approach does not align to the needs of a multi-persona environment. Context must be considered.
Persona-based governance allows the following:
Separation of Duties
Where separation of duties once required complex role design, organizations can now use personas to define separation-of-duties policies. Policies are defined based on the context of access for both privileged and non-privileged resources and can apply to both human and non-human identities. Instead of enforcing separation by issuing multiple accounts according to activity, the separation is enforced by persona and the context of system access.
Context-Based Auditing
Deploying a context-based security infrastructure allows the capture of not only who is performing the task, but also the persona in which a user is operating. This enhances:
- Investigations of security incidents
- Access certifications
- Reporting of regulatory requirements
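Separation of duties and context-based auditing both depend on audit records that carry the persona, not just the identity. The following is an added example and not code from the original article: a hypothetical audit event schema with a `persona` field, a small separation-of-duties checker that flags an identity performing two conflicting actions on the same business object even when it used a different persona for each, and a per-persona activity summary of the kind an access certification reviewer would use. The event records, the persona names and the conflicting action pairs are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    """One audit record that captures the active persona (hypothetical schema)."""
    ts: str
    identity_id: str
    persona: str
    action: str
    target: str        # business object the action applied to (change id, record id, ...)
    auth_level: str    # how the session was authenticated when the action ran


# Separation-of-duties rules: the same identity must not perform both actions on the
# same target, whichever persona it used for each. Constructed rules for the example.
SOD_RULES = [
    ("submit_change", "approve_change"),
    ("create_vendor", "approve_payment"),
]


def find_sod_violations(events, rules=SOD_RULES):
    """Return (identity_id, target, first_event, second_event) for each conflict."""
    by_identity_target = defaultdict(list)
    for ev in events:
        # Group by identity, not by persona: a persona switch must not hide the conflict.
        by_identity_target[(ev.identity_id, ev.target)].append(ev)
    violations = []
    for (identity_id, target), evs in by_identity_target.items():
        actions = {ev.action: ev for ev in evs}
        for first, second in rules:
            if first in actions and second in actions:
                violations.append((identity_id, target, actions[first], actions[second]))
    return violations


def activity_by_persona(events):
    """Summarise action counts per (identity, persona) for a certification review."""
    summary = defaultdict(lambda: defaultdict(int))
    for ev in events:
        summary[(ev.identity_id, ev.persona)][ev.action] += 1
    return {key: dict(counts) for key, counts in summary.items()}


# Constructed sample log lines.
EVENTS = [
    AuditEvent("2024-01-10T09:00:00Z", "alice", "developer", "submit_change", "CHG-1001", "mfa"),
    AuditEvent("2024-01-10T09:30:00Z", "bob", "change_approver", "approve_change", "CHG-1001", "mfa"),
    AuditEvent("2024-01-11T14:00:00Z", "alice", "developer", "submit_change", "CHG-1002", "mfa"),
    # alice switched to her approver persona and approved her own change.
    AuditEvent("2024-01-11T14:05:00Z", "alice", "change_approver", "approve_change", "CHG-1002", "mfa"),
    AuditEvent("2024-01-12T08:00:00Z", "carol", "patient", "read_own_record", "MRN-77", "mfa"),
]


def demo():
    """Report each violation with the two personas that were involved."""
    violations = find_sod_violations(EVENTS)
    return [(ident, target, a.persona, b.persona) for ident, target, a, b in violations]
```

Because the records carry both the identity and the persona, the reviewer sees that CHG-1002 was submitted and approved by one person acting under two contexts; with two disconnected accounts the same activity would appear as two unrelated users.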
Persona-Based IAM as a Core Identity Security Architecture
Leveraging a persona-based security infrastructure is no longer a nice-to-have. It is now a core requirement when designing an IAM infrastructure.
Implementing personas provides the following:
Enhanced Enforcement of Least Privilege Access Principles
Access is granted to the activated persona context instead of requiring sign-in with multiple accounts. Context-based enforcement reduces the risk associated with elevated access and reduces crossover between privileged and non-privileged sessions. Zero Trust becomes easier to implement when designing access based upon what the user is doing within the context of the persona being leveraged.
Reduced Account Sprawl
Persona-based identities eliminate the need to create accounts for each function being performed. Instead of requiring verification of multiple accounts, a unified identity based upon personas limits the number of accounts required. This not only simplifies management of the accounts but can also reduce other factors like licensing costs.
Improved Audit Trails
Audit evidence records not only who did what, but also which persona was activated and which controls applied. This simplifies investigation of security incidents and accelerates responses to reduce the impact of those incidents.
Better End User Experience
Identity verification and risk-based step-up authentication can be limited to the actions the active persona actually performs. By deliberately selecting or activating the appropriate persona, identities can more easily be mapped to the allowed operations, providing increased visibility into what operations an identity can perform.
Enhancing Security Infrastructure with an Identity Data Fabric
An Identity Data Fabric provides a centralized layer that consolidates identity data across an organization, including HR systems, directories, SaaS platforms, customer databases, partner systems, PAM tools, DevOps environments, and other repositories of identity information. By creating a unified view of identity data, organizations can manage, govern, and synchronize identity information across systems while maintaining a single identity model capable of supporting multiple personas.
This layer enables:
- Identity resolution and correlation across systems
- Attribute normalization to establish consistent identity data
- Business logic-based attributes derived from identity context
- Resource-specific views of identity data for downstream systems
An Identity Data Fabric does not replace IAM, governance, or authentication platforms. Instead, it strengthens those systems by providing a unified identity layer that authentication and access services can use to determine which personas are available to an identity and which policies should apply.
How to Implement a Multi-Persona IAM Architecture
Implementing a multi-persona IAM architecture requires careful planning. It must provide the following capabilities:
- A unified identity that supports multiple personas
- Persona activation based upon the context of access and the risk levels for access to the requested systems
- Least privilege access based upon persona instead of account
- Selection of the activated persona to enforce security for high-risk activities
- Governance and monitoring that supports all layers of the security and application infrastructure
Making the active persona clear to users is a key requirement for improved user experience. Providing a mechanism to deliberately activate the necessary persona reduces mistakes. This becomes especially necessary when leveraging privileged contexts.
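The activation capabilities listed above (context- and risk-based activation, deliberate selection for high-risk contexts, and an unambiguous active-persona indicator) can be shown as one decision function. The following is an added example, not code from the original article: a hypothetical `activate_persona` routine that auto-activates a persona only when the requested resource domain maps to exactly one non-privileged persona, requires an explicit selection whenever the mapping is ambiguous or privileged, refuses to activate a privileged persona until step-up verification has been satisfied, and returns the banner text a UI would show so the active context is never in doubt. The entitlement structure, domain names and sample personas are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PersonaEntitlement:
    """A persona an identity is entitled to use (hypothetical structure)."""
    name: str
    domains: frozenset        # resource domains this persona is meant for
    privileged: bool          # privileged personas are never activated implicitly


@dataclass(frozen=True)
class ActivationResult:
    active_persona: Optional[str]
    status: str               # "activated", "selection_required", "step_up_required", "denied"
    banner: str               # shown to the user so the active context is unambiguous


def activate_persona(entitlements, resource_domain, requested=None, step_up_satisfied=False):
    """Decide which persona becomes active for a request into resource_domain."""
    candidates = [e for e in entitlements if resource_domain in e.domains]

    if requested is not None:
        # Deliberate selection by the user: honour it only if it is entitled for this domain.
        chosen = next((e for e in candidates if e.name == requested), None)
        if chosen is None:
            return ActivationResult(None, "denied", f"No persona '{requested}' for {resource_domain}")
        if chosen.privileged and not step_up_satisfied:
            return ActivationResult(None, "step_up_required", f"Verify your identity to act as '{chosen.name}'")
        return ActivationResult(chosen.name, "activated", f"Acting as: {chosen.name}")

    if not candidates:
        return ActivationResult(None, "denied", f"No persona covers {resource_domain}")

    # Implicit activation is allowed only when the context is unambiguous and low risk:
    # exactly one candidate, and that candidate is not privileged.
    if len(candidates) == 1 and not candidates[0].privileged:
        only = candidates[0]
        return ActivationResult(only.name, "activated", f"Acting as: {only.name}")

    names = ", ".join(e.name for e in candidates)
    return ActivationResult(None, "selection_required", f"Choose a persona for {resource_domain}: {names}")


# Constructed entitlements for the article's doctor who is also a patient and an employee.
DR_SMITH = (
    PersonaEntitlement("clinician", frozenset({"ehr", "clinical_apps"}), privileged=True),
    PersonaEntitlement("patient", frozenset({"patient_portal", "ehr"}), privileged=False),
    PersonaEntitlement("employee", frozenset({"hr_self_service"}), privileged=False),
)


def demo():
    """Exercise the activation rules across low-risk, ambiguous and privileged contexts."""
    return {
        # One non-privileged persona fits: activate it silently.
        "hr": activate_persona(DR_SMITH, "hr_self_service").status,
        "portal": activate_persona(DR_SMITH, "patient_portal").active_persona,
        # Both clinician and patient cover "ehr": the user must choose.
        "ehr_ambiguous": activate_persona(DR_SMITH, "ehr").status,
        # Choosing the privileged persona without step-up is refused.
        "clinician_no_stepup": activate_persona(DR_SMITH, "ehr", requested="clinician").status,
        "clinician_verified": activate_persona(DR_SMITH, "ehr", requested="clinician",
                                               step_up_satisfied=True).active_persona,
        # A single privileged candidate is still never activated implicitly.
        "clinical_apps_implicit": activate_persona(DR_SMITH, "clinical_apps").status,
        "unknown_domain": activate_persona(DR_SMITH, "billing").status,
    }
```

The asymmetry is deliberate: a low-risk persona may be activated from context alone, but a privileged persona is only ever activated by an explicit choice plus verification, and the returned banner makes that choice visible to the user for the rest of the session.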
Enabling Persona-Based IAM Through an Identity Data Fabric
The model of leveraging a single account per identity is no longer a viable pattern for implementing IAM systems. This structure limits visibility, increases security risk, and creates unnecessary complexity for both users and administrators. Organizations require IAM infrastructure that can support evolving identity contexts while meeting regulatory, operational, and security requirements.
An Identity Data Fabric provides the foundation for persona-based IAM by enabling:
- Context-aware access
- The ability to enforce least privilege
- Reduced need for multiple accounts
- Clear separation of duties
- Improved audit and compliance activities
A single identity can operate through multiple personas. IAM and security architectures must be designed to recognize and enforce these contexts to strengthen security, maintain control, and improve operational efficiency.