IAM Complete Guide

1. IAM Fundamentals

Identity and Access Management ensures the right people have the right access to the right resources at the right time. It encompasses authentication (who you are) and authorization (what you can do).

2. Authentication Methods

3. Multi-Factor Authentication

# MFA strength hierarchy (strongest to weakest):
1. Hardware security keys (FIDO2/WebAuthn)
2. Authenticator apps (TOTP)
3. Push notifications
4. SMS/Voice OTP (vulnerable to SIM swap)
5. Email OTP

# Passwordless options:
- FIDO2 security keys
- Windows Hello for Business
- Passkeys
- Certificate-based auth

4. Single Sign-On (SSO)

• SAML 2.0: Enterprise SSO standard
• OIDC: Modern OAuth 2.0-based SSO
• Benefits: Better UX, centralized control
• Risk: Single point of compromise

5. Access Control Models

# Role-Based Access Control (RBAC)
# Users → Roles → Permissions
User: john.doe
Role: Sales Manager
Permissions: Read CRM, Edit Opportunities

# Attribute-Based Access Control (ABAC)
# Policy-based, contextual decisions
IF user.department = "Finance"
   AND resource.classification = "Financial"
   AND time.hour BETWEEN 9 AND 18
   THEN allow

# Least Privilege Principle
# Grant minimum access needed
# Review and revoke regularly

6. Privileged Access Management

• Password vault: Secure credential storage
• Session recording: Audit privileged actions
• Just-in-time access: Temporary elevation
• Approval workflows: Request-based access
• Solutions: CyberArk, BeyondTrust, Delinea

7. Identity Lifecycle

1. Provisioning: Create accounts, assign access
2. Access requests: Self-service with approvals
3. Reviews: Regular access certifications
4. Deprovisioning: Remove access on termination

8. IAM Solutions

FAQ

Zero Trust AD Security OAuth Security