IAM Fundamentals
Identity and Access Management (IAM) is the framework of policies and technologies ensuring the right individuals access the right resources at the right times for the right reasons.
Core IAM Components
- Identity: Who is the user? (authentication)
- Access: What can they do? (authorization)
- Governance: Who approved this access? (compliance)
- Lifecycle: Provisioning, changes, deprovisioning
Authentication Methods
Multi-Factor Authentication (MFA)
MFA requires two or more verification factors:
- Something you know: Password, PIN
- Something you have: Phone, hardware token, smart card
- Something you are: Fingerprint, face, retina
MFA Strength Ranking
- FIDO2/WebAuthn (Strongest): Hardware keys, passkeys
- Authenticator Apps: TOTP (Google Authenticator, Authy)
- Push Notifications: Approve on phone (with number matching)
- SMS/Voice (Weakest): Susceptible to SIM swapping
Passwordless Authentication
```javascript
// WebAuthn Registration (JavaScript)
// `serverChallenge` and `userId` must be BufferSources (e.g. Uint8Array), not
// strings: the challenge is a fresh random value issued by the server for this
// one ceremony, and user.id is an opaque identifier the server later maps back
// to the account.
const credential = await navigator.credentials.create({
  publicKey: {
    challenge: serverChallenge,
    rp: { name: "WhoisNexus" },
    user: {
      id: userId,
      name: "[email protected]",
      displayName: "User"
    },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },  // ES256
      { type: "public-key", alg: -257 } // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "platform", // built-in authenticator (Touch ID, Windows Hello)
      userVerification: "required"         // PIN or biometric, not just a presence tap
    }
  }
});
// `credential` (a PublicKeyCredential) is sent to the server, which checks the
// challenge and origin in clientDataJSON before storing the credential ID and public key.
```
Authorization Models
Role-Based Access Control (RBAC)
AWS IAM Policy - Developer Role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "iam:*",
        "organizations:*"
      ],
      "Resource": "*"
    }
  ]
}
```
Attribute-Based Access Control (ABAC)
Azure ABAC - access based on attributes (a role-assignment condition):

```json
{
  "condition": "(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals @Principal[Department])",
  "description": "Users can only access containers matching their department"
}
```
Single Sign-On (SSO)
SSO allows users to authenticate once and access multiple applications without re-entering credentials.
SAML 2.0 vs OAuth 2.0 vs OIDC
| Protocol | Use Case | Format |
|---|---|---|
| SAML 2.0 | Enterprise SSO | XML |
| OAuth 2.0 | API Authorization | JSON |
| OIDC | Modern SSO + API | JSON (JWT) |
Privileged Access Management (PAM)
PAM secures accounts with elevated access (admins, service accounts, root).
PAM Best Practices
- Just-in-Time (JIT) access provisioning
- Session recording for all privileged access
- Automatic credential rotation
- Approval workflows for sensitive access
- Break-glass procedures for emergencies
Zero Trust Identity
Zero Trust treats every access request as potentially hostile, regardless of network location.
Key Principles
- Verify explicitly (always authenticate and authorize)
- Use least privilege access
- Assume breach (segment access, encrypt data)
Conditional Access Policy (Azure AD):

```json
{
  "conditions": {
    "users": { "includeGroups": ["All Users"] },
    "applications": { "includeApplications": ["All"] },
    "locations": { "excludeLocations": ["Trusted IPs"] },
    "signInRiskLevels": ["medium", "high"]
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["mfa", "compliantDevice"]
  }
}
```
Last updated: December 2024