Introduction
Identity and Access Management (IAM) ensures that users, devices, and services are properly identified, authenticated, and authorized before accessing resources. It is a central control point for enforcing security policies.
For ICT professionals, IAM failures are a leading cause of breaches. Poor authentication, excessive privileges, or weak lifecycle management can allow attackers to gain and maintain access.
- Understand authentication mechanisms and identity verification methods.
- Apply access control models such as RBAC and ABAC effectively.
- Manage identity lifecycle and enforce governance policies.
Figures
- Authentication Flow (figure not reproduced in this text)
- Access Control Models (figure not reproduced in this text):
  - RBAC: access based on roles assigned to users.
  - ABAC: access based on attributes and context.
  - Mandatory vs discretionary control: system-controlled vs owner-controlled access decisions.
Case Examples
Credential Theft
Attackers obtain passwords via phishing and use them to access systems.
- MFA reduces the risk that a stolen password alone grants access
- Monitor for login anomalies
Privilege Escalation
A user gains higher permissions than intended.
- Apply least privilege
- Review access regularly
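As an added example that is not part of the original module, the following Python sketch contrasts the RBAC and ABAC decisions described above (a role is necessary, context is additionally checked) and includes the kind of access review that surfaces grants exceeding what a user's role justifies, which is the privilege escalation case. The role names, permission strings and context rules are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role model: each role carries only the permissions its job needs
# (least privilege). Real deployments would load this from the directory service.
ROLE_PERMISSIONS = {
    "analyst": {"ticket:read", "ticket:comment"},
    "admin": {"ticket:read", "ticket:comment", "ticket:delete", "user:manage"},
}
# Actions that ABAC treats as sensitive and subjects to extra context checks.
SENSITIVE_ACTIONS = {"ticket:delete", "user:manage"}


@dataclass
class Request:
    user: str
    roles: set          # roles assigned to the user
    action: str         # permission string being exercised
    device_managed: bool
    hour: int           # local hour of the request, 0-23
    mfa: bool           # whether the session completed MFA


def rbac_allows(req: Request) -> bool:
    """RBAC: permitted iff some role assigned to the user carries the action."""
    return any(req.action in ROLE_PERMISSIONS.get(r, set()) for r in req.roles)


def abac_allows(req: Request) -> bool:
    """ABAC: the same request is also judged on context (MFA, device, time)."""
    if not req.mfa:
        return False
    if req.action in SENSITIVE_ACTIONS:
        return req.device_managed and 8 <= req.hour < 18
    return True


def decide(req: Request) -> str:
    """Combine the models: a role is necessary (RBAC) but not sufficient (ABAC)."""
    if not rbac_allows(req):
        return "deny: role lacks permission"
    if not abac_allows(req):
        return "deny: context fails policy"
    return "allow"


def excess_permissions(user_grants: dict, user_roles: dict) -> dict:
    """Access review: report direct grants that exceed what the user's roles justify."""
    report = {}
    for user, grants in user_grants.items():
        justified = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user_roles.get(user, [])))
        extra = set(grants) - justified
        if extra:
            report[user] = sorted(extra)
    return report
```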
Glossary (50 Terms)
| # | Term | Definition |
|---|---|---|
| 1 | Identity | A unique digital representation of a user, system, or service that enables authentication, authorization, and accountability within an information system environment. |
| 2 | Authentication | The process of verifying a claimed identity using credentials such as passwords, tokens, or biometrics before granting access to systems or data. |
| 3 | Authorization | The process of determining what actions an authenticated identity is allowed to perform, based on policies, roles, or contextual attributes. |
| 4 | Access Control | A set of mechanisms and policies that restrict access to resources, ensuring only authorized users or systems can perform specific actions. |
| 5 | MFA | Multi-factor authentication requires multiple independent credentials, such as something you know, have, or are, significantly improving resistance to credential theft attacks. |
| 6 | RBAC | Role-Based Access Control assigns permissions based on predefined roles within an organization, simplifying management and ensuring consistent access rights aligned with job functions. |
| 7 | ABAC | Attribute-Based Access Control evaluates multiple attributes such as user role, device, time, and location to dynamically determine whether access should be granted. |
| 8 | Least Privilege | A security principle ensuring users and systems receive only the minimum permissions necessary to perform tasks, reducing potential damage from misuse or compromise. |
| 9 | Provisioning | The process of creating user accounts and assigning appropriate roles and permissions based on job responsibilities and organizational policies. |
| 10 | Deprovisioning | The process of removing user accounts and revoking access rights when they are no longer required, such as after role changes or termination. |
| 11 | Identity Lifecycle | The complete management process of identities from creation and maintenance to eventual removal, ensuring access rights remain appropriate over time. |
| 12 | SSO | Single Sign-On allows users to authenticate once and access multiple systems without re-entering credentials, improving usability while requiring strong security controls. |
| 13 | Federation | An identity management approach that enables multiple organizations or systems to share authentication information through trusted relationships and standardized protocols. |
| 14 | Kerberos | A network authentication protocol that uses tickets and symmetric cryptography to securely verify identities without transmitting passwords over the network. |
| 15 | SAML | Security Assertion Markup Language is a standard for exchanging authentication and authorization data between identity providers and service providers in federated environments. |
| 16 | OAuth | An authorization framework that allows applications to access user resources on another service without exposing user credentials directly. |
| 17 | OpenID Connect | An authentication protocol built on OAuth that verifies user identity and provides standardized identity information to applications. |
| 18 | Privileged Account | An account with elevated permissions capable of modifying system configurations, managing users, or accessing sensitive data, requiring strict monitoring and controls. |
| 19 | PAM | Privileged Access Management focuses on securing, monitoring, and controlling privileged accounts to reduce the risk of misuse or compromise. |
| 20 | Directory Service | A centralized system that stores identity information, authentication data, and access permissions for users and devices within an organization. |
| 21 | Biometrics | An authentication method using unique physical or behavioral characteristics such as fingerprints, facial recognition, or voice patterns to verify identity. |
| 22 | Token | A physical or digital device used to generate or store authentication credentials, often as part of multi-factor authentication systems. |
| 23 | Password Policy | A set of rules defining password complexity, length, expiration, and reuse to reduce the risk of weak or compromised credentials. |
| 24 | Session Management | The process of securely maintaining user sessions after authentication, including handling session tokens, timeouts, and protection against hijacking attacks. |
| 25 | Access Review | A periodic process of evaluating user permissions to ensure access rights remain appropriate and aligned with current roles and responsibilities. |
| 26 | Identity Provider | A system responsible for authenticating users and issuing identity assertions that can be used by other systems for access decisions. |
| 27 | Service Provider | An application or system that relies on an external identity provider to authenticate users and grant access to its resources. |
| 28 | Adaptive Authentication | An authentication approach that dynamically adjusts required security measures based on contextual risk factors such as location or device. |
| 29 | Account Lockout | A security control that disables an account after a number of failed login attempts to prevent brute force attacks. |
| 30 | Credential Management | The processes and tools used to securely store, manage, and protect authentication credentials throughout their lifecycle. |
| 31 | Zero Trust | A security model that assumes no implicit trust and requires continuous verification of identity and context for every access request. |
| 32 | Identity Governance | A framework ensuring identity and access management processes comply with policies, regulations, and business requirements through oversight and controls. |
| 33 | ACL | An Access Control List specifies which users or systems have access to a resource and defines the permitted actions for each entity. |
| 34 | Role Engineering | The process of designing and defining roles and associated permissions within an organization to support efficient and secure access control. |
| 35 | Identity Assurance | The level of confidence that an identity has been correctly verified, often based on the strength of authentication methods used. |
| 36 | Identity Verification | The process of confirming an individual’s real-world identity before granting access to systems or sensitive information. |
| 37 | Authentication Server | A system responsible for validating user credentials and confirming identity during login attempts. |
| 38 | Authorization Server | A system that issues access tokens and enforces access control policies for authenticated users. |
| 39 | Access Token | A credential issued after authentication that allows a user or system to access protected resources for a limited time. |
| 40 | Federated Identity | An identity management approach that enables users to authenticate across multiple systems using a single identity provider. |
| 41 | Single Factor Authentication | An authentication method using only one type of credential, typically a password, which provides lower security compared to multi-factor approaches. |
| 42 | Strong Authentication | An authentication method using multiple or high-assurance factors to significantly reduce the likelihood of unauthorized access. |
| 43 | Credential Stuffing | An attack where stolen credentials from one service are reused to gain unauthorized access to other systems. |
| 44 | Brute Force Attack | An attack method that systematically attempts many password combinations until the correct one is found. |
| 45 | Session Hijacking | An attack where an attacker takes over an active user session to gain unauthorized access to a system. |
| 46 | Identity Store | A repository that contains user credentials, identity attributes, and authentication data used by identity management systems. |
| 47 | Access Policy | A set of rules defining who can access resources and under what conditions, based on organizational security requirements. |
| 48 | Delegation | The process of granting authority to another user or system to perform actions on behalf of an identity. |
| 49 | Separation of Duties | A security principle that divides responsibilities among multiple individuals to reduce the risk of fraud or unauthorized actions. |
| 50 | Identity Federation Protocol | A standardized protocol such as SAML or OAuth that enables secure sharing of identity and authentication information across systems. |