Intro to IAM: Identity & Access Management Basics
Understand how Identity and Access Management protects users, data, and systems through authentication, authorization, and identity governance.
In the modern world, identity is the new perimeter. Firewalls still matter, encryption still matters, but the question that decides whether an attacker succeeds is usually about identity: who is making this request, are they who they claim to be, and are they allowed to do what they are asking? Identity and Access Management, or IAM, is the discipline that answers these questions at scale. For cybersecurity beginners, mastering IAM is essential, because it underpins almost every other security control.
This guide explains what IAM really is, the building blocks of authentication and authorization, the modern protocols that make it work, and the practices that turn identity into a strong defensive layer.
Core Concepts
IAM is the set of policies, processes, and technologies that ensure the right individuals, systems, and services have the right access to the right resources at the right time, for the right reasons. It spans the entire lifecycle of an identity: creation, assignment of permissions, ongoing review, modification, and eventual removal.
Three closely related concepts form the heart of IAM. Identification is the act of claiming an identity (entering a username). Authentication is the act of proving that identity (entering a password, providing a security key). Authorization is the act of granting or denying access based on the authenticated identity. Many beginners conflate authentication and authorization; keeping them distinct is critical.
Accounts, identities, and entitlements are three more terms worth distinguishing. An account is the technical record of a user in a system. An identity is the broader concept of who the user is, often spanning many accounts. An entitlement is a specific permission attached to an account: the ability to read a file, restart a service, or modify a database.
A fourth element, accountability, ensures actions can be traced back to identities. This is what audit logs, access reviews, and forensic investigations rely on. Without accountability, even the best authentication and authorization controls leave investigators unable to reconstruct events.
Authentication: Proving Who You Are
Authentication methods are traditionally grouped into three "factors": something you know (a password or PIN), something you have (a token, smart card, or phone), and something you are (a biometric trait). Multi-factor authentication (MFA) combines two or more factors to dramatically strengthen security.
Passwords remain the most common authentication factor, but they are also the weakest when used alone. Reuse, phishing, and brute force have made password-only systems unsuitable for any sensitive resource. Modern guidance emphasizes long passphrases over complex but short passwords, the use of password managers, and the elimination of mandatory periodic changes that train users into bad habits.
MFA prevents most password-related breaches. Even simple MFA via SMS or app-based one-time codes blocks a large percentage of attacks. However, not all MFA is equal. SMS is vulnerable to SIM-swap attacks. Push-based MFA can be defeated by "MFA fatigue," where attackers send repeated prompts until users approve one accidentally. Phishing-resistant MFA, based on FIDO2 hardware keys or platform authenticators (Touch ID, Windows Hello), is the gold standard because the cryptographic exchange is bound to the legitimate domain.
Passkeys, a recent evolution of FIDO2, are designed to replace passwords entirely. They use public-key cryptography, store the private key on the user's device, and synchronize across devices through cloud services like iCloud Keychain or Google Password Manager. Adoption is growing rapidly across consumer and enterprise platforms.
Biometric authentication uses physiological or behavioral traits: fingerprint, face, voice, iris, keystroke patterns. Modern biometric systems include liveness detection to defeat presentation attacks (photos, masks, recordings). Biometrics work best as a convenient unlock for a stronger underlying credential, not as a sole standalone factor for high-value systems.
Authorization: Deciding What You Can Do
Once identity is established, authorization determines what is allowed. Several models exist.
Role-Based Access Control (RBAC) groups permissions into roles and assigns roles to users. RBAC is simple to administer at small scale but can sprawl in large organizations, producing role explosions and gaps.
Attribute-Based Access Control (ABAC) uses attributes of the user, resource, and context to make decisions. For example, a policy might say "allow read access if the user is in the finance department AND the request comes from a managed device AND it is between 9am and 5pm." ABAC is flexible but requires good data hygiene.
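The finance policy quoted above, evaluated in code. This is an added Python example, not code from the article: the attribute names ("department", "employment_type", "device_managed", "owner_department"), the deny-overrides-allow rule, and the extra conditions are assumptions chosen to show how an ABAC engine combines subject, resource and environment attributes into a single decision.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List

# Added ABAC example; not the article's code. The attribute names
# ("department", "employment_type", "device_managed", "owner_department")
# are assumptions chosen for illustration. In practice they come from the
# IdP, the device-management system and the resource inventory.

@dataclass
class Request:
    user: Dict[str, object]      # subject attributes
    resource: Dict[str, object]  # attributes of the object being accessed
    context: Dict[str, object]   # environment: device posture, time of request

Condition = Callable[[Request], bool]

@dataclass
class Policy:
    name: str
    effect: str                  # "allow" or "deny"
    action: str
    conditions: List[Condition]  # every condition must hold for the policy to match

    def matches(self, req: Request, action: str) -> bool:
        return self.action == action and all(cond(req) for cond in self.conditions)

def evaluate(policies: List[Policy], req: Request, action: str) -> bool:
    """Deny-by-default: a matching deny policy always wins; otherwise the
    request is allowed only if at least one allow policy matches."""
    matched = [p for p in policies if p.matches(req, action)]
    if any(p.effect == "deny" for p in matched):
        return False
    return any(p.effect == "allow" for p in matched)

def business_hours(req: Request) -> bool:
    now: datetime = req.context["now"]
    return time(9, 0) <= now.time() < time(17, 0)

POLICIES = [
    # The rule from the text: finance department AND managed device AND 9am-5pm.
    # The last condition (resource owned by the user's own department) is an
    # addition showing that ABAC can compare subject and resource attributes.
    Policy(
        name="finance-read-business-hours",
        effect="allow",
        action="read",
        conditions=[
            lambda r: r.user.get("department") == "finance",
            lambda r: r.context.get("device_managed") is True,
            business_hours,
            lambda r: r.resource.get("owner_department") == r.user.get("department"),
        ],
    ),
    # An explicit deny that overrides any allow: contractors are denied read
    # access outright, even when every other attribute lines up.
    Policy(
        name="deny-contractors",
        effect="deny",
        action="read",
        conditions=[lambda r: r.user.get("employment_type") == "contractor"],
    ),
]

def can_read(user: Dict[str, object], resource: Dict[str, object],
             context: Dict[str, object]) -> bool:
    return evaluate(POLICIES, Request(user, resource, context), "read")

if __name__ == "__main__":
    # Constructed sample request: a finance employee on a managed laptop at 10:30.
    report = {"owner_department": "finance"}
    ctx = {"device_managed": True, "now": datetime(2024, 1, 15, 10, 30)}
    emp = {"department": "finance", "employment_type": "employee"}
    print(can_read(emp, report, ctx))                                          # True
    print(can_read(emp, report, {"device_managed": False, "now": ctx["now"]}))  # False
```

The "data hygiene" point in the text shows up directly here: if the device-management system fails to report `device_managed`, or the IdP carries a stale department, the decision silently flips to deny (or, with a sloppier policy, to allow). Deny-by-default plus an explicit deny tier keeps a missing attribute from widening access.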
Relationship-Based Access Control (ReBAC), popular in modern SaaS applications, expresses access in terms of relationships between users and resources (such as "owner of project," "editor of document"). Google's Zanzibar paper inspired many production implementations.
Policy-as-code engines like Open Policy Agent (OPA), Cedar, and SpiceDB allow centralized authorization decisions across many applications. They support unit testing, version control, and policy review.
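To make the ReBAC idea concrete, here is an added Python example of a Zanzibar-style relationship check. It is not code from the article and not the API of SpiceDB, OPA or Cedar; the object names, relation names and the two-part schema (implied relations and relations inherited from a parent object) are assumptions for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

# Added ReBAC example modelled on Zanzibar-style relationship tuples. Not the
# article's code and not the API of SpiceDB, OPA or Cedar; the object and
# relation names and the schema below are assumptions for illustration.

# A tuple is (object, relation, subject). The subject is a user ("user:alice")
# or a userset ("group:contractors#member", meaning every member of that group).
Triple = Tuple[str, str, str]

TUPLES: List[Triple] = [               # constructed sample data
    ("project:apollo", "owner", "user:alice"),
    ("project:apollo", "editor", "user:bob"),
    ("document:spec", "parent", "project:apollo"),
    ("document:spec", "viewer", "user:carol"),
    ("document:notes", "viewer", "group:contractors#member"),
    ("group:contractors", "member", "user:dave"),
]

# Schema part 1: relations implied by other relations on the same object
# (an editor can do everything a viewer can; an owner everything an editor can).
IMPLIED: Dict[str, Dict[str, List[str]]] = {
    "document": {"viewer": ["editor"], "editor": ["owner"]},
    "project": {"editor": ["owner"]},
}

# Schema part 2: relations inherited through a linking relation
# (document#editor includes the editors of the document's parent project).
INHERITED: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("document", "editor"): [("parent", "editor")],
    ("document", "owner"): [("parent", "owner")],
}

def check(obj: str, relation: str, user: str,
          tuples: List[Triple] = TUPLES,
          seen: Optional[Set[Tuple[str, str]]] = None) -> bool:
    """Does `user` hold `relation` on `obj`? Follows direct tuples, userset
    subjects, implied relations and inherited relations; `seen` stops cycles."""
    if seen is None:
        seen = set()
    if (obj, relation) in seen:
        return False
    seen.add((obj, relation))
    obj_type = obj.split(":", 1)[0]

    for o, r, subject in tuples:
        if o != obj or r != relation:
            continue
        if subject == user:                       # direct grant
            return True
        if "#" in subject:                        # userset: expand recursively
            s_obj, s_rel = subject.split("#", 1)
            if check(s_obj, s_rel, user, tuples, seen):
                return True

    for stronger in IMPLIED.get(obj_type, {}).get(relation, []):
        if check(obj, stronger, user, tuples, seen):
            return True

    for link_rel, parent_rel in INHERITED.get((obj_type, relation), []):
        for o, r, parent in tuples:
            if o == obj and r == link_rel and "#" not in parent:
                if check(parent, parent_rel, user, tuples, seen):
                    return True
    return False

if __name__ == "__main__":
    print(check("document:spec", "viewer", "user:alice"))   # True: owns the parent project
    print(check("document:spec", "editor", "user:carol"))   # False: carol is only a viewer
```

Alice never appears in a tuple about the document, yet the check succeeds: she owns the project, project owners are project editors, and project editors edit the project's documents. That chain is exactly what an access review has to be able to explain when it asks "why does this person have access?"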
Privileged Access Management (PAM) deserves special attention. Administrative accounts are high-value targets and require enhanced controls: just-in-time elevation, session recording, vaulted credentials, and approval workflows. Tools like CyberArk, BeyondTrust, and HashiCorp Boundary serve this need.
Modern Identity Protocols
A handful of protocols power modern identity. SAML 2.0 enables federated single sign-on between identity providers and service providers, widely used in enterprise SaaS. OAuth 2.0 is an authorization framework that lets one application access resources on another on behalf of a user. OpenID Connect (OIDC) builds on OAuth 2.0 to add authentication.
LDAP and Active Directory remain widespread, especially in on-premises environments. Microsoft Entra ID (formerly Azure AD) extends Active Directory concepts to cloud and federation. Okta, Google Workspace, OneLogin, and Auth0 are major cloud-based identity providers.
For service-to-service authentication, OAuth 2.0 with client credentials, mTLS (mutual TLS), and JSON Web Tokens (JWTs) are common. Modern microservice architectures rely heavily on these patterns.
SCIM (System for Cross-domain Identity Management) automates user provisioning and deprovisioning across systems, ensuring that when an employee joins, changes role, or leaves, their access updates everywhere.
Identity Lifecycle and Governance
Identity Governance and Administration (IGA) brings policy and process to identities. It includes provisioning, deprovisioning, access reviews, segregation of duties, and certification campaigns. Tools like SailPoint, Saviynt, Microsoft Entra ID Governance, and Omada provide IGA capabilities.
Joiner-Mover-Leaver (JML) is the core workflow. A joiner gets the access required for their initial role. A mover gets new access for their new role and, importantly, loses access from their old one (this step is often missed). A leaver has all access revoked promptly.
Access reviews, often called recertifications, ask managers to confirm that each direct report still needs the access they have. Done well, they catch leftover access from old roles, dormant accounts, and excessive privileges. Done poorly, they devolve into rubber-stamp exercises.
Segregation of Duties (SoD) prevents conflicts of interest, such as the same person being able to create vendors and approve payments. SoD policies are essential for fraud prevention and are heavily scrutinized in financial audits.
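The mover step that is "often missed" and the SoD conflict described above are the same problem seen from two sides, so one added Python example covers both. It is not the article's code; the role catalogue, entitlement names and conflict pairs are constructed placeholders. The plan computes the exact grant and revoke lists for a joiner, mover or leaver and reports which SoD conflicts would exist if the revoke step were skipped.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Added example of a Joiner-Mover-Leaver entitlement plan with a Segregation of
# Duties check. Not the article's code; the role catalogue, entitlement names
# and conflict pairs below are constructed placeholders.

ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "accounts-payable": {"erp:vendor.create", "erp:invoice.view", "mail:shared-ap"},
    "treasury":         {"erp:payment.approve", "erp:invoice.view", "bank:portal"},
    "engineer":         {"git:write", "ci:run", "vpn:eng"},
}

# Pairs of entitlements that must never be held by one person, with a label
# an auditor would recognise.
SOD_CONFLICTS: List[Tuple[Set[str], str]] = [
    ({"erp:vendor.create", "erp:payment.approve"}, "create vendor + approve payment"),
    ({"git:write", "erp:payment.approve"}, "change code + approve payment"),
]

def entitlements_for(roles: Iterable[str]) -> Set[str]:
    """Union of the entitlements granted by a set of roles (RBAC expansion)."""
    result: Set[str] = set()
    for role in roles:
        result |= ROLE_ENTITLEMENTS[role]
    return result

def sod_violations(entitlements: Set[str]) -> List[str]:
    """Labels of every SoD conflict fully contained in `entitlements`."""
    return [label for pair, label in SOD_CONFLICTS if pair <= entitlements]

def plan_transition(current: Set[str], new_roles: Iterable[str]) -> Dict[str, object]:
    """Compute what to grant and revoke so that `current` becomes exactly the
    entitlements of `new_roles`.
      joiner: current is empty, everything in the new role is granted
      leaver: new_roles is empty, everything currently held is revoked
      mover:  the revoke list is the step that is often skipped;
              `if_revoke_skipped` shows the SoD conflicts that would result
    Entitlements held outside any role (direct assignments) land in `revoke`
    too, which is what an access review should surface."""
    desired = entitlements_for(new_roles)
    return {
        "grant": desired - current,
        "revoke": current - desired,
        "keep": current & desired,
        "result_violations": sod_violations(desired),
        "if_revoke_skipped": sod_violations(current | desired),
    }

if __name__ == "__main__":
    # Constructed scenario: an accounts-payable clerk moves into treasury.
    plan = plan_transition(entitlements_for(["accounts-payable"]), ["treasury"])
    for key, value in plan.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run against the constructed scenario, the plan keeps `erp:invoice.view` (both roles need it), grants the treasury entitlements, and revokes the accounts-payable ones; `if_revoke_skipped` shows that leaving the old access in place would let one person both create vendors and approve payments, which is the textbook SoD failure a financial audit looks for.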
Real-world Examples
The 2020 Twitter compromise abused administrative tools accessed by employees, illustrating the importance of privileged access management and just-in-time elevation. Even social engineering attacks against admins can be blunted by additional approval workflows and strong MFA.
The Colonial Pipeline attack in 2021 began with a single legacy VPN account that lacked MFA. The credential was sufficient to gain initial access, and the resulting ransomware disrupted fuel supply across the U.S. East Coast. The lesson: every account, especially those with external access, must have MFA.
Microsoft's Storm-0558 incident in 2023 demonstrated how compromised signing keys for cloud identities can have devastating reach. The case underscored the importance of key management, monitoring of identity provider activity, and rapid detection of anomalous tokens.
Multiple recent breaches involved social engineering of identity provider helpdesks (so-called "vishing" attacks) to reset MFA or passwords. As a result, leading organizations now require strong out-of-band verification before any privileged account changes.
Best Practices and Mitigation
Adopt strong authentication everywhere. Phishing-resistant MFA, especially for privileged accounts and external-facing systems, is now the baseline expectation. Eliminate SMS-based MFA where possible and adopt FIDO2 or passkeys.
Apply least privilege relentlessly. Default accounts to minimum necessary access. Use just-in-time elevation for sensitive operations. Avoid standing administrative privileges where possible.
Centralize identity. A single identity provider with single sign-on reduces password fatigue, simplifies offboarding, and improves visibility. Federate SaaS apps to your IdP and use SCIM for provisioning.
Monitor identity activity. Authentication logs, MFA challenge results, and identity provider audit logs are invaluable. Integrate them into your SIEM and build detections for impossible travel, mass downloads, suspicious app consent grants, and anomalous administrative actions.
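As an added example of one of those detections, here is an impossible-travel check in Python run over a few constructed sign-in events. It is not the article's code; the log format (timestamp, user, result, latitude, longitude, source IP), the sample lines and the 900 km/h threshold are assumptions. A real pipeline would take the same fields from the identity provider's audit log and a geo-IP lookup.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Added detection example: impossible travel over identity-provider sign-in
# events. Not the article's code. The log format (timestamp, user, result,
# latitude, longitude, source IP) and the sample lines are constructed; a real
# pipeline would read these fields from the IdP's audit log and a geo-IP lookup.

SAMPLE_LOG = """\
2024-03-04T08:02:11Z alice success 40.7128 -74.0060 203.0.113.5
2024-03-04T08:40:00Z alice success 51.5074 -0.1278 198.51.100.7
2024-03-04T09:15:00Z bob success 37.7749 -122.4194 192.0.2.10
2024-03-04T09:20:00Z bob failure 48.8566 2.3522 198.51.100.99
2024-03-04T13:00:00Z bob success 34.0522 -118.2437 192.0.2.11
"""

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def parse_events(text: str) -> List[Dict]:
    """Parse the constructed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, lat, lon, ip = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "result": result,
            "lat": float(lat), "lon": float(lon), "ip": ip,
        })
    return events

def detect_impossible_travel(text: str, max_kmh: float = 900.0) -> List[Dict]:
    """Flag consecutive successful sign-ins by the same user whose implied
    speed exceeds `max_kmh` (roughly airliner speed). Failed attempts are
    skipped: they do not prove the account was used from that location."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for ev in parse_events(text):
        if ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km == 0:
                speed = 0.0                      # same place: never an alert, even at the same second
            else:
                speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return alerts

if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_LOG):
        print(alert)
```

In the constructed data only alice is flagged: two successful sign-ins about 5,570 km apart within 38 minutes. Bob's London-area failure is deliberately ignored, and his two West Coast sign-ins are hours apart. In production the usual tuning work is excluding known VPN egress ranges and allowing a small grace window, because the raw rule fires on legitimate corporate proxies.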
Implement zero trust principles. Treat every request as untrusted until proven otherwise. Combine identity, device posture, application context, and behavioral signals into access decisions. Solutions like Microsoft Conditional Access, Okta Identity Engine, and Google BeyondCorp embody this approach.
Practice secure offboarding. Deprovision accounts promptly when people leave. Revoke OAuth grants, mobile device certificates, and access to shared resources. Audit those shared resources to ensure ex-employees do not retain access through service accounts or personal device pairings.
Manage non-human identities carefully. Service accounts, API keys, OAuth clients, and machine identities now outnumber human identities in many organizations. Inventory them, rotate credentials, monitor activity, and limit blast radius.
Educate users. People are part of the identity ecosystem. Teach them to recognize phishing, avoid reusing passwords, and protect their MFA devices. Reward reporting of suspicious activity.
Building Your Skills as a Beginner
Earn certifications. The Microsoft Identity and Access Administrator certification, Okta's certifications, and the SANS SEC511 course cover practical IAM in depth. Broader credentials like CISSP and CISM also include identity content.
Build a lab. Set up a directory server, an identity provider, and a few sample applications. Configure SSO, federation, and provisioning between them. Experimenting with real protocols builds an intuition that no slide deck can match.
Read primary sources. The NIST SP 800-63 series defines the digital identity guidelines used worldwide. The FIDO Alliance documents passkeys and FIDO2. The OAuth 2.0 and OIDC specifications are accessible with patience and pay long dividends.
Develop scripting skills. Automation around user lifecycle, access reviews, and reporting is a high-leverage area. PowerShell, Python, and Bash with identity APIs are common tools.
IAM is the foundation under nearly every other security control. Strong identity practices stop most credential-based attacks before they start, contain the damage when something does go wrong, and provide the audit trail that supports investigation and compliance.
For beginners, the path is to understand the concepts (authentication, authorization, identity lifecycle, governance), get comfortable with the protocols, and practice with real tools. With those foundations, you will be ready to defend the perimeter that matters most in a cloud-first, work-from-anywhere world.