🔐 IAM Overview
IAM is the discipline for managing user identities and their permissions. It includes provisioning, authentication, authorization, and auditing. Learn more about IAM on Wikipedia.
👤 Authentication Factors
Authentication factors are the methods used to verify a user's identity. They are categorized into five main types, each providing a layer of security. Combining multiple factors (multi-factor authentication) significantly enhances security.
- Something you know: Information only the user should know, such as passwords, PINs, or security questions.
  Example: A user enters their password to log in to a system.
  Learn more about secure password practices at the NIST Password Guidelines.
- Something you have: Physical objects in the user's possession, such as smart cards, hardware tokens, or mobile devices.
  Example: A user inserts a smart card into a reader or uses a one-time password (OTP) generated by a hardware token.
  Learn more about smart cards at the Smart Card Alliance.
- Something you are: Biometric characteristics unique to the user, such as fingerprints, facial recognition, or iris scans.
  Example: A user unlocks their phone using facial recognition or logs into a system using a fingerprint scanner.
  Learn more about biometrics at the ISO Biometrics Standards.
- Somewhere you are: Location-based authentication using geolocation or IP address.
  Example: A banking application restricts access if the user's login attempt originates from an unfamiliar country.
  Learn more about geolocation security at Geospatial World.
- Something you do: Behavioral biometrics, such as typing patterns, mouse movements, or touchscreen gestures.
  Example: A system analyzes a user's typing speed and rhythm to verify their identity.
  Learn more about behavioral biometrics at the National Center for Biotechnology Information (NCBI).
Multi-factor authentication (MFA) combines two or more of these factors to provide stronger security. For example, a user might log in with a password (something you know) and a one-time code sent to their phone (something you have).
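The "something you have" factor above is usually a one-time password from a hardware token or authenticator app. The following added example (not from the original page) implements HOTP/TOTP as specified in RFC 4226 and RFC 6238 and shows the server-side check a defender cares about: a small drift window plus rejection of any already-accepted counter so a captured code cannot be replayed. The secret is the RFC test key, embedded here as a constructed demo value.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890" in base32.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time / step."""
    return hotp(secret_b32, at_time // step, digits)


def verify_totp(secret_b32, submitted, now, step=30, window=1, last_used=None, digits=6):
    """Server-side check. Returns the accepted counter, or None.

    window:    accept +/- this many time steps to tolerate clock drift.
    last_used: counter of the last code this user successfully used; any counter at or
               below it is rejected, so a code captured by an attacker cannot be replayed
               inside the drift window.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None  # reject empty or malformed input before any comparison
    current = now // step
    for counter in range(current - window, current + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret_b32, counter, digits), submitted):
            return counter
    return None
```

Store the returned counter as the user's new last_used value; the RFC vectors (755224 for counter 0, 287082 at T=59) make the code easy to check against a real authenticator app.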
📋 IAM Lifecycle
- Identify: Assign identity. Learn more about identity management on Wikipedia.
- Authenticate: Verify identity. Learn more about authentication on Wikipedia.
- Authorize: Grant specific access. Learn more about authorization on Wikipedia.
- Audit: Log and review access. Learn more about auditing on Wikipedia.
🔏 Access Control Models
Access control models define how permissions are granted to users, groups, or systems to access resources. These models are critical for ensuring that sensitive data and systems are protected from unauthorized access. Below are the key access control models used in modern security frameworks:
- Mandatory Access Control (MAC): A highly restrictive model where access is based on security labels assigned to users and resources. Only administrators can modify access rules.
  Example: A government system classifies documents as "Confidential," "Secret," or "Top Secret," and only users with the appropriate clearance level can access them.
  Learn more about MAC at the NIST Glossary.
- Discretionary Access Control (DAC): A flexible model where resource owners have the authority to grant or revoke access to their resources.
  Example: A file owner in a Linux system uses the chmod command to set read, write, or execute permissions for other users.
  Learn more about DAC at the Red Hat Security Guide.
- Role-Based Access Control (RBAC): Access is granted based on roles assigned to users, such as "Administrator," "HR," or "Finance." This model simplifies permission management in large organizations.
  Example: An HR employee has access to payroll systems but not to IT infrastructure tools.
  Learn more about RBAC at the NIST RBAC Project.
- Attribute-Based Access Control (ABAC): Access is granted based on attributes such as user role, location, device type, or time of access. ABAC provides fine-grained control and is often used in dynamic environments.
  Example: A user can access a corporate application only during business hours and from a company-issued device.
  Learn more about ABAC at the NIST Guide to ABAC.
Choosing the right access control model depends on the organization's security requirements, regulatory compliance needs, and operational complexity. Combining these models can provide a layered approach to access control.
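The following added example (constructed for this page, not from any product) shows the layered approach just described in code: a MAC clearance check, an RBAC role entitlement, and ABAC conditions (business hours, company-issued device) combined in one deny-by-default decision that also returns a reason suitable for the audit log. The Subject fields, POLICY table and resource names are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset        # RBAC input
    clearance: str          # MAC input
    managed_device: bool    # ABAC attribute


# MAC: ordered labels; a subject may read a resource only at or below its own clearance
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


def mac_read_allowed(clearance: str, label: str) -> bool:
    return LEVELS.index(clearance) >= LEVELS.index(label)


# ABAC conditions: predicates over the subject and the request environment
def business_hours(subject: Subject, env: dict) -> bool:
    now = env["time"]
    return now.weekday() < 5 and time(9, 0) <= now.time() < time(17, 0)


def company_device(subject: Subject, env: dict) -> bool:
    return subject.managed_device


def at(iso_timestamp: str) -> dict:
    """Build a request environment for a given local time (helper for demos and tests)."""
    return {"time": datetime.fromisoformat(iso_timestamp)}


# Constructed policy: each resource lists entitled roles (RBAC) and contextual conditions (ABAC)
POLICY = {
    "payroll":     {"roles": {"HR"},                "conditions": []},
    "infra-tools": {"roles": {"IT"},                "conditions": []},
    "corp-app":    {"roles": {"HR", "IT", "Staff"}, "conditions": [business_hours, company_device]},
}


def authorize(subject: Subject, resource: str, env: dict) -> tuple:
    """Deny by default; returns (allowed, reason) so every decision can be logged and audited."""
    policy = POLICY.get(resource)
    if policy is None:
        return False, "unknown resource"
    if not (subject.roles & policy["roles"]):
        return False, "no entitled role"
    for condition in policy["conditions"]:
        if not condition(subject, env):
            return False, f"condition failed: {condition.__name__}"
    return True, "allowed"
```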
🔗 Federation, SSO & PAM
🧰 IAM Tools & Protocols
Identity and Access Management (IAM) relies on various tools and protocols to ensure secure authentication, authorization, and identity federation. Below are key tools and protocols used in IAM systems:
- OAuth: A protocol for delegated authorization, allowing third-party applications to access resources on behalf of a user without sharing credentials.
  Example: A user authorizes a fitness app to access their Google Calendar to schedule workouts.
  Learn more about OAuth at the OAuth Official Website.
- OpenID Connect (OIDC): An identity layer built on top of OAuth 2.0, enabling authentication and single sign-on (SSO).
  Example: A user logs into a website using their Google account credentials.
  Learn more about OpenID Connect at the OpenID Connect Official Website.
- SAML (Security Assertion Markup Language): A protocol used for exchanging authentication and authorization data between parties, commonly used for enterprise SSO.
  Example: An employee logs into a corporate application using their organization's SSO portal.
  Learn more about SAML at the OASIS SAML Standard.
- LDAP (Lightweight Directory Access Protocol): A protocol for accessing and maintaining distributed directory information services, such as user accounts and permissions.
  Example: A company uses LDAP to manage employee credentials and permissions across multiple systems.
  Learn more about LDAP at LDAP.com.
- GPO (Group Policy Objects): A feature in Microsoft Active Directory that allows administrators to enforce security policies and configurations across users and devices.
  Example: An administrator enforces a policy requiring all users to lock their screens after 5 minutes of inactivity.
  Learn more about GPO at the Microsoft Group Policy Overview.
These tools and protocols form the backbone of modern IAM systems, enabling secure and efficient management of user identities and access permissions.
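In OIDC the website ("relying party") proves who the user is by validating the ID token the provider returns. The added example below (not from any provider's SDK) signs a constructed ID token and then performs the checks the OIDC Core specification requires of the relying party: a pinned signing algorithm, signature, issuer, audience, expiry and nonce. It assumes HS256 with a client secret shared between provider and relying party; many providers use RS256 with a published JWKS instead, but the claim checks are identical.

```python
import base64
import hashlib
import hmac
import json

# Assumption: ID tokens are HS256-signed with a client secret. With RS256 the signature
# step would verify against the provider's public key; the claim checks do not change.

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_id_token(claims: dict, key: bytes) -> str:
    """Provider side (constructed for the demo): header.payload.signature as a compact JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token, key, issuer, client_id, nonce, now):
    """Relying-party side. Returns (claims, None) on success or (None, reason) on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:  # bad base64 (binascii.Error) or bad JSON are both ValueError
        return None, "malformed token"
    # Pin the algorithm the client configured; never trust the token's own alg (e.g. "none").
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "token not issued for this client"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    if claims.get("nonce") != nonce:  # nonce ties the token to this login request
        return None, "nonce mismatch"
    return claims, None
```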