Post

Identity and Access Management (IAM) Solutions

Posted Updated
By
4 min read
Identity and Access Management (IAM) Solutions

Identity and Access Management (IAM) Solutions

Ensure right access for the right people at the right time for the right reason.

Topics
  1. Identity & Access management (IAM)
  2. Multifactor Authentication (MFA)
  3. Password Security
  4. Password Attacks
  5. Single Sign-On (SSO)
  6. Federation
  7. Privileged Access Management (PAM)
  8. Access Control Models
  9. Assigning Permissions
  10. Review

1. Identity & Access Management (IAM)

What It Is:
IAM governs who (users, devices) can access what (resources) and how (permissions).

Key Components:

  • Identity Provisioning: Creating user accounts (e.g., onboarding employees in Active Directory).

  • Authentication: Verifying identities (e.g., passwords, biometrics).

  • Authorization: Granting permissions (e.g., read/write access to files).

  • Auditing: Tracking access (e.g., logging login attempts).

Example:
A hospital uses IAM to ensure doctors access patient records (authorization) only after logging in with their ID badge (authentication).

Exam Tip: Know the difference between authentication (proving identity) and authorization (granting permissions).

2. Multifactor Authentication (MFA)

What It Is:
Requiring two or more authentication factors:

  1. Something you know (password).

  2. Something you have (smartphone, token).

  3. Something you are (fingerprint, facial recognition).

Example:
Google Authenticator generates a time-based one-time password (TOTP) for logging into your bank account.

Security+ Focus:

  • MFA Types: SMS (less secure), hardware tokens (YubiKey), biometrics.

  • MFA Bypass Risks: SIM swapping, phishing attacks (e.g., fake MFA prompts).

3. Password Security

Best Practices:

  • ComplexityPa$$w0rd! > password123.

  • Length: 12+ characters.

  • Rotation: Change every 90 days (though NIST now recommends longer passwords over frequent changes).

  • Storage: Use a password manager (e.g., LastPass, Bitwarden).

Example:
A company enforces password history policies to prevent reusing old passwords.

Exam Alert:

  • Password Policies: CompTIA loves questions on password expirationreuse, and complexity rules.

4. Password Attacks

Common Types:

  • Brute Force: Trying every possible combination (e.g., hydra tool).

  • Dictionary Attack: Using common words (e.g., rockyou.txt wordlist).

  • Rainbow Table: Precomputed hashes for cracking passwords.

  • Credential Stuffing: Reusing breached passwords across sites.

Real-World Example:
The 2012 LinkedIn breach exposed 117 million passwords stored as unsalted SHA-1 hashes, enabling easy cracking.

Mitigation:

  • Salting: Adding random data to passwords before hashing.

  • Account Lockouts: Lock after 5 failed attempts.

5. Single Sign-On (SSO)

What It Is:
One login grants access to multiple systems (e.g., logging into Google to access Gmail, Drive, and YouTube).

How It Works:

  • Identity Provider (IdP): Centralizes authentication (e.g., Okta, Microsoft Entra ID).

  • Service Provider (SP): Relies on the IdP (e.g., Salesforce, Slack).

Example:
Employees at a tech company use SSO to access GitHub, Jira, and Confluence without separate logins.

Security+ Focus:

  • Advantages: Reduces password fatigue.

  • Risks: SSO as a single point of failure (if compromised).

6. Federation

What It Is:
Extending SSO across organizations using trusted standards:

  • SAML (Security Assertion Markup Language): XML-based for web apps.

  • OAuth 2.0 (Open Authorization): Token-based API access (e.g., “Sign in with Google”).

  • OpenID Connect: Built on OAuth 2.0 for authentication.

Example:
A university partners with a research lab. Students log in via their university credentials (SAML) to access the lab’s portal.

Exam Tip:

  • SAML = Authentication + Authorization.

  • OAuth = Authorization only.

7. Privileged Access Management (PAM)

What It Is:
Securing accounts with elevated permissions (e.g., admins, root users).

Key Strategies:

  • Just-In-Time (JIT) Access: Temporary privileges (e.g., CyberArk).

  • Session Monitoring: Record and audit admin activities.

  • Principle of Least Privilege (PoLP): Grant minimal permissions needed.

Example:
A sysadmin uses PAM tools like Thycotic to access a server, with automatic session termination after 1 hour.

Exam Focus:

  • Privilege Escalation: Mitigated by PAM (e.g., vertical vs. horizontal).

8. Access Control Models

Common Models:

  1. DAC (Discretionary Access Control): Owners control access (e.g., file permissions in Windows).

  2. MAC (Mandatory Access Control): System-enforced labels (e.g., military classified data).

  3. RBAC (Role-Based Access Control): Permissions based on job roles (e.g., “HR Manager”).

  4. ABAC (Attribute-Based Access Control): Rules based on attributes (e.g., time, location).

Example:
A hospital uses RBAC to grant nurses access to patient records but restricts editing to doctors.

Security+ Tip:

  • Rule-Based Access Control ≠ RBAC. Rule-based uses system-wide rules (e.g., firewall ACLs).

9. Assigning Permissions

Best Practices:

  • Role-Based: Assign permissions to groups, not individuals (e.g., “Finance Team”).

  • User Access Reviews: Audit permissions quarterly.

  • Separation of Duties: Prevent conflicts of interest (e.g., same person can’t approve and process payments).

Example:
A cloud admin uses AWS IAM roles to grant EC2 instances access to S3 buckets without hardcoding keys.

10. Review: Key IAM Concepts for Security+

Must-Know Checklist:
✅ MFA reduces account takeover risks.
✅ SSO relies on federation standards (SAML, OAuth).
✅ PAM secures admin accounts via JIT and monitoring.
✅ RBAC > DAC for enterprise scalability.

Exam Practice Question:
Which access control model uses labels like “Top Secret” and “Confidential”?
A) DAC
B) MAC
C) RBAC
D) ABAC
Answer: B) MAC.

Final Tips for Security+ Success

  • Hands-On Practice: Set up SSO with free tiers (e.g., Azure AD).
  • Memorize Standards: SAML vs. OAuth, RBAC vs. ABAC.
  • Think Like an Auditor: How would you detect unauthorized access?

FAQ:
Q: What’s the difference between SSO and Federation?
A: SSO is for one organization; Federation extends SSO across multiple organizations.

Q: How does salting prevent rainbow table attacks?
A: Salting adds unique random data to each password, making precomputed tables useless.

This guide equips your readers with both exam-ready knowledge and practical insights for real-world IAM implementations. For deeper dives, recommend labs on tools like Okta or Microsoft Entra ID! 🔒

This response is AI-generated, for reference only.

To get in touch with me or for general discussion please visit ZeroDayMindset Discussion

Information, Security +
reading certification
This post is licensed under CC BY 4.0 by the author.