Section 17 – IAM Identity and Access Management
CompTIA IT Security Course
1. Core IAM Concepts
Identification vs Authentication vs Authorization
Identification: “Who are you?” (user ID, service account)
Authentication: “Prove it” (passwords, PKI certificates, MFA)
Authorization: “What may you do?” (roles, privileges, policies)
Authentication Factors
Something you know: password, PIN
Something you have: OTP token, smart card
Something you are: biometric (fingerprint, iris)
Behavioural: keystroke dynamics, gait
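To make the "something you have" factor concrete, the following is an added example (not code from the course) implementing the HOTP/TOTP algorithms behind hardware and app-based OTP tokens, plus a server-side verifier that tolerates one time step of clock drift and refuses to accept a code from an already-consumed time step. The secret shown is the public RFC 4226/6238 test key; everything else is constructed for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 published test secret (ASCII "12345678901234567890").
# A real deployment provisions a random per-user secret; this one is only for demonstration.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte selects a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // step), digits)


class TotpVerifier:
    """Server-side check of a submitted code.

    - `window` adjacent time steps are accepted to absorb clock drift.
    - Any time step at or before the last accepted one is rejected, so a
      captured code cannot be replayed within the drift window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self._last_accepted_step = -1   # hypothetical in-memory state; persist per user in practice

    def verify(self, candidate: str, at_time: Optional[float] = None) -> bool:
        now = time.time() if at_time is None else at_time
        current = int(now // self.step)
        for drift in range(-self.window, self.window + 1):
            step_no = current + drift
            if step_no <= self._last_accepted_step:
                continue                                # already consumed: replay attempt
            expected = hotp(self.secret, step_no, self.digits)
            if hmac.compare_digest(expected, candidate):  # constant-time comparison
                self._last_accepted_step = step_no
                return True
        return False


if __name__ == "__main__":
    # At t=59 the 30-second counter is 1, which matches the RFC test vector.
    print("HOTP counter 0:", hotp(SECRET, 0))
    print("TOTP at t=59 :", totp(SECRET, at_time=59))
    v = TotpVerifier(SECRET)
    print("first use    :", v.verify(totp(SECRET, at_time=59), at_time=59))
    print("replayed     :", v.verify(totp(SECRET, at_time=59), at_time=59))
```

The comparison uses `hmac.compare_digest` rather than `==` so that verification time does not leak how many leading digits matched, and the verifier's last-accepted step is the state a real IdP stores per enrolled token.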
Access Control Models
Discretionary Access Control (DAC): owner-based rights; prone to privilege creep
Mandatory Access Control (MAC): system-enforced labels; high security but low flexibility
Role-Based Access Control (RBAC): permissions bound to roles; scalable in enterprises
Attribute-Based Access Control (ABAC): decisions based on attributes (time, location, device)
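The four models above differ in who decides and on what basis. As an added example (not from the course), the script below evaluates the same access request under DAC (owner-held grants), RBAC (role-to-permission mapping) and ABAC (contextual attribute rules), and shows how an enterprise typically combines RBAC entitlement with ABAC context. All users, resources, roles and rules are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    resource: str
    attrs: dict = field(default_factory=dict)   # context used only by ABAC


# --- DAC: the resource owner grants rights at their own discretion ---------
# Constructed ACL: alice owns the file and has chosen to let bob read it.
DAC_ACL = {
    "q3-report.docx": {"owner": "alice", "grants": {"bob": {"read"}}},
}


def dac_decision(req: Request) -> bool:
    entry = DAC_ACL.get(req.resource)
    if entry is None:
        return False
    if req.subject == entry["owner"]:
        return True                                 # owner retains full control
    return req.action in entry["grants"].get(req.subject, set())


# --- RBAC: permissions are bound to roles, users are bound to roles --------
ROLE_PERMISSIONS = {
    "analyst": {("read", "reports")},
    "finance-admin": {("read", "reports"), ("write", "reports"), ("delete", "reports")},
}
USER_ROLES = {"alice": {"finance-admin"}, "bob": {"analyst"}, "carol": set()}
RESOURCE_TYPE = {"q3-report.docx": "reports"}       # resources are classified, not listed per user


def rbac_decision(req: Request) -> bool:
    rtype = RESOURCE_TYPE.get(req.resource)
    return any(
        (req.action, rtype) in ROLE_PERMISSIONS.get(role, set())
        for role in USER_ROLES.get(req.subject, set())
    )


# --- ABAC: every attribute rule must hold for the request context ----------
def business_hours(req: Request) -> bool:
    return 9 <= req.attrs.get("hour", -1) < 17


def corporate_network(req: Request) -> bool:
    return req.attrs.get("location") == "corp-lan"


def managed_device(req: Request) -> bool:
    return req.attrs.get("device_managed") is True


ABAC_RULES = [business_hours, corporate_network, managed_device]


def abac_decision(req: Request) -> bool:
    return all(rule(req) for rule in ABAC_RULES)


def authorize(req: Request) -> bool:
    """Combined policy: the role must entitle the action AND the context must
    satisfy every attribute rule. Deny wins if either part fails."""
    return rbac_decision(req) and abac_decision(req)


if __name__ == "__main__":
    ctx_ok = {"hour": 10, "location": "corp-lan", "device_managed": True}
    ctx_bad = {"hour": 22, "location": "home-wifi", "device_managed": False}
    for req in (
        Request("bob", "read", "q3-report.docx", ctx_ok),
        Request("bob", "read", "q3-report.docx", ctx_bad),
        Request("bob", "delete", "q3-report.docx", ctx_ok),
    ):
        print(req.subject, req.action, "->",
              "DAC", dac_decision(req), "RBAC", rbac_decision(req),
              "ABAC", abac_decision(req), "combined", authorize(req))
```

Note how DAC's per-resource grants are the ones that accumulate silently over time (the privilege creep the text mentions), whereas RBAC decisions can be reviewed by auditing a small role table, and ABAC can deny an otherwise-entitled user purely because the time, location or device does not fit policy.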
Common IAM Technologies & Protocols
Directory Services: LDAP, Active Directory, eDirectory
Federation & SSO: SAML 2.0, OAuth 2.0, OpenID Connect
Privileged Access Management: vaults, just-in-time (JIT) elevation, PAM solutions
Account Management: service accounts vs user accounts, onboarding/offboarding, orphaned account cleanup