Lesson 4: Identity and Access Management (IAM)

Authentication

Factors of Authentication:

  • Knowledge: Passwords, PINs
  • Ownership (possession): Hardware tokens (smart cards, OTP fobs, FIDO U2F/FIDO2 security keys), soft tokens (authenticator apps, SMS or email codes)
  • Inherence: Biometrics (fingerprint, facial recognition)
  • Location: Geolocation/IP-based

Password Security Concepts:

  • Length: Total number of characters (longer = stronger)
  • Complexity: Mix of letters, numbers, symbols
  • Aging: Forces periodic password changes
  • Reuse History: Blocks reuse of recent passwords
  • NIST Guidance (SP 800-63B): No forced aging and no composition rules, accept long passphrases (at least 64 characters), screen against breached-password lists, no password hints
  • Passphrases: Long, memorable phrases (recommended)

Password Managers: OS/browser-based or third-party; generate and store a unique random password per site so one breach does not cascade to other accounts
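The SP 800-63B rules above, turned into a verifier-side check, as an added example that is not part of the lesson. The breached-password set is a constructed stand-in for a real corpus (in production you would query an offline dump or a k-anonymity API); note what the function deliberately does not do: no "must contain a symbol" rule and no expiry.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus, stored as SHA-1 like the
# public HIBP dumps. Replace with a real list or the k-anonymity range API.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ["password", "123456", "qwerty", "letmein", "Summer2023!",
              "correct horse battery staple"]
}


def check_password(candidate, username="", context_words=()):
    """Evaluate a memorized secret against SP 800-63B verifier rules.

    Returns a list of rejection reasons; an empty list means accept.
    Deliberately absent: composition rules and aging, which 800-63B says
    verifiers should not impose.
    """
    reasons = []
    # 800-63B: at least 8 characters, and verifiers must accept at least 64.
    if len(candidate) < 8:
        reasons.append("shorter than 8 characters")
    if len(candidate) > 64:
        reasons.append("longer than the 64-character cap this verifier accepts")
    # Blocklist check against values known to be compromised.
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("appears in a breach corpus")
    # Context-specific words: username, service name, company name, ...
    lowered = candidate.lower()
    for word in (username, *context_words):
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    # Repetitive ("aaaaaaaa") or sequential ("abcdefgh", "12345678") strings.
    if re.fullmatch(r"(.)\1{7,}", candidate):
        reasons.append("single repeated character")
    if _is_sequential(candidate):
        reasons.append("sequential characters")
    return reasons


def _is_sequential(s):
    """True when every character is exactly one code point after the previous."""
    return len(s) >= 8 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))
```

A long, unbreached passphrase passes with no complexity rule at all, while a "complex" value such as `Summer2023!` is rejected purely because it is in the breach list; that ordering of priorities is the point of the NIST guidance.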

Multifactor Authentication (MFA)

True MFA: Combines two or more different factor types (e.g. password + hardware token, or password + biometric); a password plus a PIN is two knowledge factors, not MFA

Biometrics:

  • Enrollment process
  • FAR/FRR rates (False Accept Rate/False Reject Rate)
  • Throughput/cost considerations

Hard Tokens:

Smart cards, OTP fobs, FIDO U2F security keys

Soft Tokens:

SMS, email, push notifications (SMS and email codes can be intercepted or redirected, e.g. by SIM swapping; push prompts are exposed to prompt-bombing, where the user approves a request they did not initiate)
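How an OTP fob or authenticator app actually produces its code, as an added example that is not part of the lesson: HOTP (RFC 4226) and TOTP (RFC 6238) built from the standard library, plus a verifier that tolerates one step of clock drift and refuses a replayed code. The secret and expected values are the RFC test vectors; the base32 helper mirrors how authenticator apps import a shared secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (20 ASCII bytes), SHA-1 variant.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, for_time=None, step=30, window=1, last_counter=None):
    """Accept a code for the current step or within +/- `window` steps of drift.

    Returns the matching counter so the caller can persist it and reject any
    later submission at or before that step (a replayed or intercepted code),
    or None when nothing matches. Comparison is constant-time.
    """
    t = int(time.time() if for_time is None else for_time)
    base = t // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_counter is not None and counter <= last_counter:
            continue  # replay protection: never accept the same step twice
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def secret_from_base32(s):
    """Decode the base32 secret shown in an authenticator enrollment QR code."""
    s = s.upper().replace(" ", "")
    return base64.b32decode(s + "=" * (-len(s) % 8))
```

Because the verifier accepts a window of steps, a code stays valid for up to about 90 seconds; storing the last accepted counter is what keeps an attacker who shoulder-surfs or intercepts a code from using it a second time inside that window.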

Passwordless Authentication

  • Public/private key pairs generated per site by the authenticator (FIDO2/WebAuthn); the server stores only the public key, so there is no shared secret to phish and no certificate PKI required
  • Local gestures (biometric/PIN for proof of presence)
  • Attestation for authenticator trust

Access Control Models

  • DAC (Discretionary): Owner-managed ACLs; flexible but vulnerable to privilege abuse, since any process running as the owner (including malware) can grant access onward
  • MAC (Mandatory): System-enforced labels/clearances
  • RBAC (Role-Based): Permissions tied to roles/groups
  • ABAC (Attribute-Based): Context-aware (user/object attributes)
  • Rule-Based: System-defined rules (time/location policies)

Least Privilege Principle

Grant only the permissions a task requires, and audit regularly for privilege creep (rights accumulated across role changes and never revoked)

Authorization Challenges:

  • Insufficient Permissions: Reduced productivity, frequent access requests
  • Over-Provisioning: Increased attack surface, privilege abuse risks

Remediation: RBAC, periodic audits, access reviews

Account Lifecycle

Provisioning:

Identity proofing, credential issuance, asset allocation. Linking HR, directory and ticketing systems increases automation of onboarding

Deprovisioning:

Disabling accounts and revoking roles promptly on exit or role change (deleting later, after data is recovered); orphaned accounts are a common foothold for attackers

Account Restrictions:

  • Location-Based: Network/IP, geolocation
  • Time-Based: Logon hours, temporary permissions
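A deny-by-default policy evaluator that layers the models above (RBAC grant, an ABAC department-match rule, and rule-based time and location restrictions) and an audit that flags privilege creep, as an added example that is not part of the lesson. The roles, users, networks and access log are all constructed sample data; deny takes precedence, so a role grant alone is never enough.

```python
import ipaddress
from datetime import datetime, time as dtime

# Constructed RBAC data: roles aggregate permissions, users are assigned roles.
ROLE_PERMS = {
    "helpdesk": {"ticket:read", "ticket:update", "user:reset_password"},
    "finance": {"invoice:read", "invoice:approve"},
    "admin": {"ticket:read", "ticket:update", "user:reset_password",
              "user:delete", "invoice:read"},
}
USERS = {
    "alice": {"roles": {"helpdesk"}, "department": "IT"},
    "bob": {"roles": {"finance"}, "department": "Finance"},
    "carol": {"roles": {"admin"}, "department": "IT"},
}

# Rule-based restrictions on top of the role grant (constructed).
RULES = [
    # Time-based: invoice approval only during logon hours.
    {"perm": "invoice:approve", "hours": (dtime(8, 0), dtime(18, 0))},
    # Location-based: destructive user admin only from the management network.
    {"perm": "user:delete", "networks": [ipaddress.ip_network("10.10.0.0/24")]},
]


def _granted(user_record):
    return set().union(*(ROLE_PERMS.get(r, set()) for r in user_record["roles"]))


def permitted(user, perm, src_ip, when, resource=None):
    """Decision = RBAC grant AND ABAC attribute match AND every applicable rule.

    `when` is an ISO-8601 timestamp string; `resource` is an optional dict of
    object attributes. Returns (allowed, reason); anything unrecognised is denied.
    """
    u = USERS.get(user)
    if u is None:
        return False, "unknown user"
    if perm not in _granted(u):
        return False, "no role grants this permission"
    # ABAC: department-scoped objects require a matching subject attribute.
    if resource and resource.get("department") not in (None, u["department"]):
        return False, "resource belongs to another department"
    t = datetime.fromisoformat(when)
    ip = ipaddress.ip_address(src_ip)
    for rule in RULES:
        if rule["perm"] != perm:
            continue
        if "hours" in rule and not (rule["hours"][0] <= t.time() < rule["hours"][1]):
            return False, "outside permitted logon hours"
        if "networks" in rule and not any(ip in n for n in rule["networks"]):
            return False, "source network not permitted"
    return True, "allowed"


def privilege_creep(access_log):
    """Least-privilege audit: permissions each user holds but never exercised.

    access_log is an iterable of (user, perm) pairs observed in the review period.
    Returns {user: sorted list of unused permissions} for users with any creep.
    """
    used = {}
    for user, perm in access_log:
        used.setdefault(user, set()).add(perm)
    report = {}
    for user, u in USERS.items():
        unused = _granted(u) - used.get(user, set())
        if unused:
            report[user] = sorted(unused)
    return report
```

The creep report is the input to an access review: a permission that is granted but unused for a whole period is a candidate for removal, which shrinks the attack surface the over-provisioning bullet above describes.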

Privileged Access Management (PAM)

  • Zero Standing Privileges: No permanently assigned admin rights; ephemeral credentials and just-in-time access granted for a task and revoked after it
  • Credential Vaulting/Brokering: Admin credentials checked out from a vault (or injected into the session by a broker) and rotated after use, so operators never learn the password
  • Secure Admin Workstations: Hardened, dedicated hosts from which privileged sessions are launched, kept separate from email and browsing

Identity Management

Authentication Providers:

  • Local: Windows (SAM database, NTLM for local accounts), Linux (/etc/passwd, /etc/shadow, PAM modules)
  • Network/Remote: LDAP directory services, Active Directory domains (Kerberos for domain logon, NTLM as fallback)

Directory Services:

  • LDAP/X.500: Distinguished names (CN=User, OU=Dept, DC=org)
  • Active Directory: Group Policy Objects (GPOs)

Single Sign-On (SSO)

Kerberos:

  • KDC (Key Distribution Center): The domain's security guard; its Authentication Service (AS) checks the user's identity and its Ticket-Granting Service (TGS) issues temporary passes
  • TGT (Ticket-Granting Ticket): Temporary pass issued by the AS and encrypted under the KDC's own key; the client presents it to the TGS (with a fresh authenticator) to obtain service tickets
  • Process: Login → AS issues TGT → Request access (show TGT to the TGS, receive a service ticket) → Use service (show the service ticket to the server)
  • Tickets carry expiry times, and the password itself never crosses the network: the client proves it by encrypting a timestamp (pre-authentication) with a key derived from the password, which the KDC checks against the allowed clock skew
  • Mutual authentication: the service proves it is genuine by returning the client's timestamp encrypted under the shared session key
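The three Kerberos exchanges above (AS, TGS, AP) simulated end to end in one process, as an added example that is not part of the lesson. The cipher is a toy encrypt-then-MAC construction standing in for a real Kerberos encryption type, the principals and realm are constructed, and the service key is handed to the client helper only so that one process can play the service's side; the message structure (pre-auth timestamp, TGT under the krbtgt key, authenticator under the session key, mutual-auth reply) follows the protocol.

```python
import hashlib
import hmac
import json
import os

SKEW = 300        # seconds of clock drift tolerated for pre-auth and authenticators
LIFETIME = 600    # ticket lifetime in seconds (real TGTs usually live for hours)
USER, SERVICE = "alice@EXAMPLE.COM", "cifs/files.example.com"   # constructed principals


def _subkey(key, label):
    return hashlib.sha256(label + key).digest()


def _xor(key, nonce, data):
    # SHA-256 keystream; toy stand-in for a real etype such as aes256-cts-hmac-sha1-96
    ks = b"".join(hashlib.sha256(_subkey(key, b"enc") + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(key, obj):
    """Toy encrypt-then-MAC: without `key` the blob can be neither read nor forged."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = _xor(key, nonce, pt)
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered ticket")
    return json.loads(_xor(key, nonce, ct))


def password_key(principal, password):
    """Long-term key derived from the password. Client and KDC both compute it,
    so the password itself never crosses the network."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


class KDC:
    """Authentication Service (AS) and Ticket-Granting Service (TGS) of one realm."""

    def __init__(self, principal_keys):
        self.keys = principal_keys            # principal -> long-term key
        self.krbtgt_key = os.urandom(32)      # only the KDC can open TGTs

    def as_exchange(self, client, preauth, now):
        key = self.keys[client]               # wrong password -> unseal fails (bad MAC)
        if abs(now - unseal(key, preauth)["ts"]) > SKEW:
            raise ValueError("pre-auth timestamp outside skew (replay?)")
        sk, exp = os.urandom(32).hex(), now + LIFETIME          # TGS session key
        tgt = seal(self.krbtgt_key, {"client": client, "sk": sk, "exp": exp})
        return seal(key, {"sk": sk, "exp": exp}), tgt            # AS-REP

    def tgs_exchange(self, tgt, authenticator, service, now):
        t = unseal(self.krbtgt_key, tgt)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if now > t["exp"] or a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
            raise ValueError("TGT expired or authenticator invalid")
        ssk, exp = os.urandom(32).hex(), min(now + LIFETIME, t["exp"])  # service session key
        ticket = seal(self.keys[service], {"client": t["client"], "sk": ssk, "exp": exp})
        return seal(bytes.fromhex(t["sk"]), {"service": service, "sk": ssk}), ticket  # TGS-REP


def service_accept(service_key, ticket, authenticator, now):
    """AP exchange, service side: returns (authenticated client, mutual-auth reply)."""
    t = unseal(service_key, ticket)           # the service never contacts the KDC here
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    if now > t["exp"] or a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
        raise ValueError("service ticket expired or authenticator invalid")
    # Mutual auth: only a holder of the service key could read the session key,
    # so echoing the client's timestamp under it proves the service is genuine.
    return t["client"], seal(bytes.fromhex(t["sk"]), {"ts": a["ts"]})


def client_session(kdc, user, password, service, service_key, now, delay=0):
    """Login -> TGT -> service ticket -> use service. `delay` advances the clock
    before the service request so ticket expiry can be observed."""
    key = password_key(user, password)
    enc_part, tgt = kdc.as_exchange(user, seal(key, {"ts": now}), now)   # AS-REQ with pre-auth
    sk = bytes.fromhex(unseal(key, enc_part)["sk"])   # only the right password opens this
    now += delay
    enc_part, ticket = kdc.tgs_exchange(tgt, seal(sk, {"client": user, "ts": now}), service, now)
    ssk = bytes.fromhex(unseal(sk, enc_part)["sk"])
    who, reply = service_accept(service_key, ticket, seal(ssk, {"client": user, "ts": now}), now)
    return who, unseal(ssk, reply)["ts"] == now      # True when the service proved itself


def demo(password="correct horse", delay=0, now=1_700_000_000):
    """One realm with a user (enrolled password "correct horse") and a file service."""
    svc_key = os.urandom(32)
    kdc = KDC({USER: password_key(USER, "correct horse"), SERVICE: svc_key})
    return client_session(kdc, USER, password, SERVICE, svc_key, now, delay)
```

Running `demo()` returns the client name as the service saw it and `True` for mutual authentication; a wrong password fails at the AS step because the pre-auth blob cannot be opened, and advancing the clock past `LIFETIME` makes the TGS refuse the TGT. Note where each key lives: the password-derived key on the client and KDC only, the krbtgt key on the KDC only, the service key on the KDC and that service only.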

Federation:

  • Identity Providers (IdP) & Service Providers (SP)
  • OAuth 2.0: Authorization framework for delegated access to RESTful APIs using bearer access tokens (often JWTs); it is not an authentication protocol and does not provide SSO on its own
  • SAML: XML-based assertions, digitally signed and carried over HTTPS (SOAP or HTTP redirect/POST bindings), used to federate access between network and cloud systems
  • OpenID Connect (OIDC): Identity layer on top of OAuth 2.0; the ID token (a signed JWT) asserts who the user is, which is what makes OAuth-based SSO possible
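The relying-party checks a service provider must perform on an OIDC ID token before trusting it, as an added example that is not part of the lesson. HS256 with a shared secret is assumed so the block runs with only the standard library (production IdPs normally use RS256/ES256 with keys fetched from the JWKS endpoint); the issuer, client ID, nonce and secret are constructed. Order matters: the signature is verified under a pinned algorithm before any claim is read, which is what defeats `alg: none` and algorithm-confusion tokens.

```python
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"constructed-secret-shared-by-idp-and-rp"   # constructed
DEMO_ISSUER, DEMO_CLIENT_ID = "https://idp.example.com", "my-app"   # constructed


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_id_token(claims, key):
    """Mint an HS256 ID token, the way a test IdP would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token, key, issuer, client_id, expected_nonce, now=None):
    """Relying-party validation (OIDC Core 3.1.3.7). Returns claims or raises ValueError."""
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(b))
        sig = _b64url_decode(s)
    except ValueError:                      # covers bad base64, bad JSON, wrong segment count
        raise ValueError("malformed token")
    # Pin the algorithm: never let the untrusted header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    # Only now are the claims trustworthy enough to inspect.
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")   # token minted for a different app
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def rejection_reason(token, key, issuer, client_id, expected_nonce, now=None):
    """Convenience wrapper: None when the token is valid, else the reason it was refused."""
    try:
        verify_id_token(token, key, issuer, client_id, expected_nonce, now)
        return None
    except ValueError as e:
        return str(e)
```

The `aud` check is the one most often skipped in practice: a token the IdP issued for another relying party is validly signed and unexpired, and accepting it lets that other application impersonate the user here.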
