Lesson 17: Identity & Access Management (IAM)
Last lesson we opened encryption's black box. Now we move to the other side of the same coin: how do you even know who's trying to access information? IAM (Identity & Access Management) is the framework that ensures only authorized users get access — at the right time and with the right permissions.
In brief: IAM answers 'who are you, and what are you allowed to do.' The AAA model breaks that into three: authentication (prove who you are), authorization (determine what's allowed), and accounting (log what actually happened). Authentication rests on three proof types: something you know (password), something you have (phone), and something you are (fingerprint) — MFA combines at least two. A digital identity goes through a lifecycle: joining (provisioning), changing roles (which requires updating permissions, not just adding), and leaving (everything must be cut off, immediately). And architectures like SSO (one login for every system) and PAM (a digital vault for admin passwords) make all of this manageable at scale.
- IAM & the AAA Model
- IAM is a process-and-technology framework ensuring only authorized users get access to resources, at the right time and with the right permissions — the central 'gate' now that the network perimeter is no longer closed. Every IAM system rests on three components: authentication (proving identity), authorization (determining what's allowed, usually by role), and accounting (a tamper-evident audit trail of what actually happened, which is what investigations and audits later depend on).
- The Access Paradox
- The constant tension in every organization: the business need demands fast, frictionless access, while the security need demands barriers (passwords, MFA, approvals). Raising security hurts convenience; easing up on users exposes the org to risk. IAM's job is finding the golden path between the two.
- The Three Authentication Factors
- Something you know (password, PIN; security questions also fall here but are weak and easily guessed), something you have (a phone receiving SMS or push, a software or hardware token generating a short-lived OTP, usually valid for 30 to 60 seconds, a FIDO security key, a smart card), and something you are (fingerprint, face recognition, behavioral biometrics). MFA means requiring at least two factors of different types. Microsoft's widely cited figure is that MFA blocks over 99.9% of account-takeover attacks, but not all second factors are equal: SMS and plain OTP codes can be phished and relayed in real time, whereas FIDO keys bind the response to the site's origin and resist phishing.
- Challenges of Biometrics
- Recognition errors: a biometric match is probabilistic, so every system trades false rejections (a legitimate user is not recognized and is locked out) against false acceptances (an impostor is let in); tightening the threshold lowers one rate and raises the other. Risk-based login signals carry the same trade-off, e.g. an employee logging in from a hotel while on vacation gets flagged as 'login from an unusual location' and blocked despite being legitimate. Also: unlike a password, a compromised fingerprint cannot be reissued, so the biometric template must be kept on the device or in protected storage and never treated as a replaceable secret.
- Identity Lifecycle: JML
- Joiners: onboarding a new employee and creating their digital identity (provisioning — usually automatic from HR data), then translating their role into specific technical permissions per the need-to-know principle (assignment). Movers: a role change requiring a permission update — adding the new ones and removing the old. Leavers: immediate, full disconnection of every access (de-provisioning).
- The Movers Risk & De-Provisioning
- When an employee changes roles and gains new permissions without the old ones being removed, they accumulate excessive access and may end up holding conflicting permissions (e.g. both creating a vendor and approving payment to it), violating the principle of Separation of Duties (SoD). The fix: revoke the old role's permissions at the same time the new ones are granted, and run periodic access reviews (recertification) to catch what slipped through. On departure, accounts left active ('zombie' or orphaned accounts) are a serious security hole; de-provisioning needs a 'kill switch' that disconnects every system with a single action, triggered by the HR termination event.
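A reconciliation job is how the Movers and Leavers problems above get caught in practice. The following is an added example in Python, not the lesson's own material: the role model, HR feed and entitlement export are constructed sample data. It flags orphaned accounts, rights left over from a previous role, missing rights and SoD conflicts, and shows the 'revoke old, then grant new' mover fix.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed role model (not from the page): what each role is supposed to carry.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk":   {"erp.vendor.create", "erp.invoice.enter"},
    "ap_manager": {"erp.payment.approve", "erp.report.view"},
    "engineer":   {"git.read", "git.write", "ci.run"},
}

# Separation-of-Duties rules: no single identity may hold both halves of a pair.
SOD_CONFLICTS = [
    ("erp.vendor.create", "erp.payment.approve"),
    ("erp.invoice.enter", "erp.payment.approve"),
]


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    active: bool


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "orphan" | "excess" | "missing" | "sod"
    detail: str


def reconcile(hr: List[HrRecord], entitlements: Dict[str, Set[str]]) -> List[Finding]:
    """Compare what each account actually holds against what HR says it should hold.

    HR is the authoritative source (joiner and leaver events come from it); the entitlement
    export is what the target systems really enforce. Differences are the findings.
    """
    findings: List[Finding] = []
    hr_by_user = {r.user: r for r in hr}
    for user, held in sorted(entitlements.items()):
        rec = hr_by_user.get(user)
        if rec is None or not rec.active:
            # Leaver (or unknown account) with live access: the 'zombie account' case.
            findings.append(Finding(user, "orphan", f"no active HR record but holds {sorted(held)}"))
            continue
        expected = ROLE_ENTITLEMENTS.get(rec.role, set())
        for e in sorted(held - expected):
            # Mover case: rights carried over from a previous role.
            findings.append(Finding(user, "excess", f"{e} is not granted by role {rec.role}"))
        for e in sorted(expected - held):
            findings.append(Finding(user, "missing", f"role {rec.role} requires {e}"))
        for a, b in SOD_CONFLICTS:
            if a in held and b in held:
                findings.append(Finding(user, "sod", f"holds both {a} and {b}"))
    return findings


def revocation_plan(hr: List[HrRecord], entitlements: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Rights to remove per user: everything for leavers, the surplus for movers."""
    hr_by_user = {r.user: r for r in hr}
    plan: Dict[str, Set[str]] = {}
    for user, held in entitlements.items():
        rec = hr_by_user.get(user)
        if rec is None or not rec.active:
            plan[user] = set(held)
        else:
            surplus = held - ROLE_ENTITLEMENTS.get(rec.role, set())
            if surplus:
                plan[user] = surplus
    return plan


def move_user(held: Set[str], old_role: str, new_role: str) -> Set[str]:
    """The mover fix: revoke the old role's rights, then grant the new role's. Rights shared
    by both roles survive; everything else from the old role goes."""
    return (held - ROLE_ENTITLEMENTS[old_role]) | ROLE_ENTITLEMENTS[new_role]


# Constructed sample: an HR feed and an entitlement export from the target systems.
SAMPLE_HR = [
    HrRecord("alice", "engineer", True),
    HrRecord("dana", "ap_manager", True),    # moved from ap_clerk; old rights never removed
    HrRecord("eve", "engineer", False),      # left the company; account still live
]
SAMPLE_ENTITLEMENTS = {
    "alice": {"git.read", "git.write", "ci.run"},
    "dana": {"erp.vendor.create", "erp.invoice.enter", "erp.payment.approve", "erp.report.view"},
    "eve": {"git.read"},
}

if __name__ == "__main__":
    for f in reconcile(SAMPLE_HR, SAMPLE_ENTITLEMENTS):
        print(f"{f.kind:7} {f.user:6} {f.detail}")
    print("revoke:", revocation_plan(SAMPLE_HR, SAMPLE_ENTITLEMENTS))
```

Run against the sample data, dana's leftover clerk rights show up both as excess and as two SoD conflicts, and eve's surviving git access shows up as an orphan; applying move_user to dana's account clears all of her findings. In a real deployment the same comparison runs on a schedule against the IdP's and each application's actual entitlement exports.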
- SSO & Identity Federation
- SSO (Single Sign-On): one authentication against a central Identity Provider (IdP) grants access to every organizational system. It improves UX and reduces support load, but concentrates risk: the IdP becomes a single point of failure for availability and, more seriously, a single point of compromise, since whoever holds the IdP credential or session holds every downstream system (hence MFA on the IdP is mandatory and its admin accounts need PAM-grade protection). Federation: standard protocols (SAML, OIDC) let an org build trust relationships with third-party services (like Zoom or Salesforce), so an employee logs into them with the same organizational identity, no separate account needed; the service trusts the IdP's signed assertion or token instead of holding a password of its own.
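Federation only works if the relying party actually validates what the IdP sends. As an added example (not from the lesson), here is the ID token check a service performs after an OIDC login, in Python. The issuer URL, client_id and key are constructed, and HS256 stands in for the RS256/ES256 signatures real IdPs use so that the example runs with the standard library alone; the claim checks are the ones OIDC Core 3.1.3.7 requires.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed values (not from the page): shared key, the IdP's issuer URL and our client_id.
# HS256 keeps the example standard-library only; production IdPs sign with RS256/ES256 and
# publish public keys at jwks_uri, but every claim check below is the same.
DEMO_KEY = b"demo-idp-hs256-key-not-for-production"
ISSUER = "https://idp.example.test"
CLIENT_ID = "payroll-app"
NOW = 1_700_000_100   # fixed clock so the example is deterministic


class TokenError(ValueError):
    """Raised for any reason the ID token must not be accepted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: Dict[str, Any], key: bytes) -> str:
    """IdP side: compact JWS, header.payload.signature, each base64url without padding."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str, expected_nonce: str,
                      now: Optional[int] = None, leeway: int = 60) -> Dict[str, Any]:
    """Relying-party side. Each check is one that SSO integrations have been broken by skipping."""
    if now is None:
        now = int(time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
    except ValueError:
        raise TokenError("malformed token")
    # 1. Pin the algorithm we configured; never trust the token's own 'alg' ("none", key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    # 2. Verify the signature before reading a single claim.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    # 3. The token must come from the IdP we federate with.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    # 4. And it must be minted for this client: a valid token for another app logs nobody in here.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise TokenError("audience mismatch")
    if "azp" in claims and claims["azp"] != client_id:
        raise TokenError("azp mismatch")
    # 5. Lifetime, with a small leeway for clock skew.
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise TokenError("expired")
    # 6. The nonce we generated when starting the login must come back: binds the token to
    #    this browser session and defeats replay of a captured token.
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    return claims


def rejection_reason(token: str, key: bytes = DEMO_KEY, issuer: str = ISSUER, client_id: str = CLIENT_ID,
                     expected_nonce: str = "n-8f3a", now: int = NOW) -> Optional[str]:
    """None if the token is accepted, otherwise the reason it was refused."""
    try:
        validate_id_token(token, key, issuer, client_id, expected_nonce, now)
        return None
    except TokenError as e:
        return str(e)


# Constructed sample claims for one successful login.
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "emp-1042", "aud": CLIENT_ID,
                 "iat": NOW - 100, "exp": NOW + 500, "nonce": "n-8f3a"}

if __name__ == "__main__":
    print("valid token:", rejection_reason(sign_id_token(SAMPLE_CLAIMS, DEMO_KEY)))
    print("token for another app:", rejection_reason(sign_id_token({**SAMPLE_CLAIMS, "aud": "hr-portal"}, DEMO_KEY)))
    print("signed by someone else:", rejection_reason(sign_id_token(SAMPLE_CLAIMS, b"wrong-key")))
```

The audience check is the one most often missing in hand-rolled integrations: a token the IdP legitimately issued for the HR portal is still a signed, unexpired token from the trusted issuer, and only the aud claim says it was never meant for the payroll app.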
- PAM: Privileged Access Management
- While regular IAM manages every employee, PAM focuses only on super-users (system admins, security staff) holding the 'keys to the kingdom.' Strong passwords are kept in a digital vault, unknown even to the user; when server work is needed, the password is 'checked out' for a short time, every action is recorded, and immediately afterward the vault automatically rotates the password — so the one the user held is worthless again.
- Zero Trust in Depth & Machine Identity
- The principle: 'never trust, always verify' — being physically connected to the office network grants no automatic trust, and verification continues in the background throughout activity, not just at login. In practice: checking device health and location before every access, and micro-segmentation preventing lateral movement. Machine identity: non-human entities (service accounts between applications) also need rigorous secrets management — they tend to be less monitored and hold overly broad permissions.
- Cloud IAM, IDaaS, Compliance & the Future of IAM
- IDaaS (Identity as a Service): a third-party provider (like Okta) manages identities via three players — the user, the resource (Service Provider), and the Identity Provider. Shared responsibility for cloud IAM: the customer sets policy, creates users, and defines permissions; the provider secures the infrastructure. Compliance: GDPR grants a 'right to be forgotten,' and Separation of Duties (SoD) is required for financial audits. The future of IAM: CIAM (customer identity management), Self-Sovereign Identity (user-controlled, decentralized identity), and AI for anomaly detection and permission-cleanup recommendations.