Lesson 03intermediateKnowledge

Identity and Access Management

Who are you, what can you touch, and how do we know?

Overview

IAM is one of the most operationally important Security+ domains. Nearly every breach involves a compromised identity or misconfigured access control. Answer the five questions below. Focus on the "why" and "what goes wrong" rather than just describing what things are.

Read before you answer

Identity and Access Management (IAM) is the discipline of ensuring that the right people have access to the right resources at the right times, and that this can be proven and audited. Security+ treats IAM as one of the most critical domains because identity is now the primary attack surface in most enterprise breaches: once an attacker has valid credentials, many technical controls become irrelevant. The core principle underpinning IAM is least privilege β€” every account, service, and process should have exactly the permissions it needs to do its job, and no more. Related concepts include need-to-know (access to information should be granted only when there is a legitimate operational requirement) and separation of duties (no single person should control an entire sensitive process).

Authentication factors are categorised as: something you know (password, PIN), something you have (hardware token, smart card, authenticator app), and something you are (biometric β€” fingerprint, face, retina). Multi-factor authentication (MFA) requires two or more categories and dramatically reduces the risk of credential-based attacks. Single Sign-On (SSO) allows users to authenticate once and access multiple systems, reducing password fatigue while centralising authentication. Federated identity extends SSO across organisational boundaries using standards like SAML, OAuth 2.0, and OpenID Connect. Privileged Access Management (PAM) applies additional controls to highly privileged accounts β€” administrator and service accounts β€” including just-in-time access, session recording, and vault-based credential storage.

Access control models determine how authorisation decisions are made. Mandatory Access Control (MAC) uses labels (Top Secret, Secret, etc.) set by the system β€” used primarily in government and military contexts. Discretionary Access Control (DAC) lets resource owners grant permissions β€” used in most operating systems. Role-Based Access Control (RBAC) assigns permissions to roles rather than individuals, making large-scale management practical. Attribute-Based Access Control (ABAC) makes decisions based on attributes of the user, resource, and environment. The account lifecycle β€” provisioning, modification, and especially timely deprovisioning β€” is a critical control area: orphaned accounts from employees who have left represent a significant attack surface.