IAM & IGA
Identity & Access Management and Governance: authentication, authorization, MFA, SSO, RBAC/ABAC, PAM, access certification, role management, SOD policies, and compliance.
Overview
Identity & Access Management (IAM) is the framework of policies and technologies to ensure the right individuals access the right resources at the right time for the right reasons. IAM covers authentication (proving you are who you say), authorization (what you can do), and governance (managing the lifecycle). It's the foundation of zero trust and cloud security.
Key Concepts
Authentication (AuthN)
Verifying identity: passwords, MFA (TOTP, FIDO2, biometrics), passwordless, certificate-based, and risk-based adaptive authentication.
Authorization (AuthZ)
Determining access rights: RBAC (Role-Based), ABAC (Attribute-Based), PBAC (Policy-Based), and ReBAC (Relationship-Based) models.
SSO (Single Sign-On)
One authentication event grants access to multiple applications. Protocols: SAML 2.0, OAuth 2.0, OpenID Connect (OIDC).
MFA (Multi-Factor Authentication)
Combining two or more factors: something you know (password), something you have (token/phone), something you are (biometrics).
PAM (Privileged Access Management)
Securing, controlling, and monitoring privileged accounts. Includes session recording, just-in-time access, password vaulting, and privilege elevation.
Identity Lifecycle
Joiner-Mover-Leaver processes. Automated provisioning, role changes, and de-provisioning tied to HR systems and identity governance.
Access Certification (IGA)
Periodic access reviews where managers certify or revoke user entitlements. Ensures compliance with SOX, HIPAA, and regulatory requirements.
Segregation of Duties (SOD)
IGA policy preventing conflicts of interest, e.g., the same person cannot both create and approve purchase orders. Enforced through preventive and detective controls.
IAM Architecture Flow
[Diagram: IAM Authentication & Authorization Flow, from user request through authentication and authorization to audit]
Interview Preparation
What is the difference between RBAC and ABAC?
RBAC (Role-Based Access Control) assigns permissions based on predefined roles (e.g., 'Admin', 'Editor', 'Viewer'). It is simple and well understood, but can lead to role explosion. ABAC (Attribute-Based Access Control) evaluates attributes (user department, resource classification, time of day, location) against policies to make dynamic access decisions. ABAC is more flexible and granular, e.g., 'allow access if user.department == resource.owner AND time is business hours AND location is corporate network'. Best practice: use RBAC for broad permissions and layer ABAC for fine-grained context-aware access.
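The layered RBAC-plus-ABAC decision described above, written as an added, self-contained example (not code from the original page). The role table, the corporate network range, the business-hours window, and the sample users and resources are constructed assumptions; the ABAC rule is the one quoted in the answer.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# RBAC layer (constructed sample): coarse permissions per role.
ROLE_PERMISSIONS = {
    "Admin": {"read", "write", "delete"},
    "Editor": {"read", "write"},
    "Viewer": {"read"},
}
# ABAC attributes assumed for this example: corporate network range and business hours.
CORPORATE_NETWORK = ip_network("10.0.0.0/8")
BUSINESS_HOURS = range(9, 17)  # 09:00-16:59, Monday to Friday

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    department: str

@dataclass(frozen=True)
class Resource:
    name: str
    owner: str  # owning department, compared with user.department

@dataclass(frozen=True)
class Context:
    time: datetime
    source_ip: str

def make_context(iso_time: str, source_ip: str) -> Context:
    """Build the request context from an ISO-8601 timestamp and the caller's IP."""
    return Context(datetime.fromisoformat(iso_time), source_ip)

def rbac_allows(user: User, action: str) -> bool:
    """Broad check: does any of the user's roles carry the requested action?"""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)

def abac_allows(user: User, resource: Resource, ctx: Context) -> bool:
    """Fine-grained check: department match AND business hours AND corporate network."""
    in_hours = ctx.time.weekday() < 5 and ctx.time.hour in BUSINESS_HOURS
    on_corp_net = ip_address(ctx.source_ip) in CORPORATE_NETWORK
    return user.department == resource.owner and in_hours and on_corp_net

def is_allowed(user: User, action: str, resource: Resource, ctx: Context) -> bool:
    """Deny by default: RBAC must grant the action and ABAC must accept the context."""
    return rbac_allows(user, action) and abac_allows(user, resource, ctx)

# Constructed sample principals and resources (hypothetical values).
ALICE = User("alice", frozenset({"Editor"}), "finance")
LEDGER = Resource("ledger", "finance")
HR_FILE = Resource("hr-file", "hr")
```

Every denial path is independent: a missing role, an off-hours request, an off-network source, or a department mismatch each blocks the request on its own.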
How would you implement least privilege access in a large organization?
1. Map all identities (human and non-human).
2. Implement RBAC aligned to job functions with regular access reviews.
3. Use PAM for privileged accounts with JIT access.
4. Enable permission boundaries and SCPs in cloud.
5. Automate provisioning/de-provisioning via an IGA platform.
6. Run access certification campaigns quarterly.
7. Monitor for permission drift and anomalous access patterns.
8. Implement entitlement analytics to flag excess permissions.
Framework Mapping
| Framework | Relevant Controls |
|---|---|
| NIST | SP 800-63 (Digital Identity), SP 800-53 AC (Access Control), IA (Identification & Authentication) |
| ISO | A.9 (Access Control), A.9.2 (User Access Mgmt), A.9.4 (System Access Control) |
| OWASP | A01 (Broken Access Control), A07 (Identification & Authentication Failures) |