
In the modern digital landscape, controlling who has access to what is foundational to protecting information systems. Domain 5 of the CISSP curriculum, Identity and Access Management (IAM), is a core pillar of security architecture. It covers the processes, technologies, and controls used to manage digital identities and regulate user access to critical resources.
Understanding IAM is crucial not just for passing the CISSP exam, but for building real-world security programs that enforce least privilege and prevent unauthorized access.
Understanding Identity and Access Management
IAM involves a set of policies and technologies designed to ensure that the right individuals can access the right resources at the right times for the right reasons.
Key IAM Concepts
- Identification: Claiming an identity (e.g., username)
- Authentication: Proving that identity (e.g., password, biometric)
- Authorization: Granting access to resources based on privileges
- Accounting: Recording actions taken (audit logging)
The last three of these are collectively referred to as AAA -- Authentication, Authorization, and Accounting.
Core IAM Components and Technologies
Access Control Models
IAM relies on access control models to enforce security policies:
Discretionary Access Control (DAC)
- Owner decides who can access resources
- Common in operating systems like Windows
Mandatory Access Control (MAC)
- Central authority enforces classification-based access
- Used in military and government environments
Role-Based Access Control (RBAC)
- Access based on roles assigned to users
- Scales well in enterprise environments
Attribute-Based Access Control (ABAC)
- Access based on attributes (e.g., department, time of day)
- Offers fine-grained control and policy enforcement
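To make the RBAC/ABAC distinction concrete, the following is an added illustration (not code from the original article): a minimal RBAC check where permissions hang off roles, beside an ABAC policy that also consults the subject's department, the device state and the time of day. All users, roles, resources and environments are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Subject:
    """A user as seen by both models: roles feed RBAC, attributes feed ABAC."""
    name: str
    roles: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)


# RBAC: (resource, action) permissions are attached to roles, never to users directly.
ROLE_PERMISSIONS = {
    "hr_analyst": {("payroll", "read")},
    "hr_manager": {("payroll", "read"), ("payroll", "write")},
}


def rbac_allows(subject: Subject, resource: str, action: str) -> bool:
    """Allow if any role held by the subject carries the requested permission."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.roles)


# ABAC: a policy is a predicate over subject, resource and environment attributes.
def payroll_policy(subject: Subject, resource: dict, env: dict) -> bool:
    """Payroll data: HR department only, managed device only, business hours only."""
    return (subject.attrs.get("department") == "HR"
            and resource.get("classification") == "payroll"
            and env.get("device_managed", False)
            and time(8, 0) <= env["time"] < time(18, 0))


def abac_allows(subject: Subject, resource: dict, env: dict,
                policies=(payroll_policy,)) -> bool:
    """Deny by default; allow only if some policy explicitly permits the request."""
    return any(policy(subject, resource, env) for policy in policies)


# Constructed sample data (hypothetical users and environments).
ALICE = Subject("alice", roles={"hr_analyst"}, attrs={"department": "HR"})
BOB = Subject("bob", roles={"hr_analyst"}, attrs={"department": "Engineering"})
PAYROLL = {"classification": "payroll"}
ENV_OFFICE_HOURS = {"device_managed": True, "time": time(10, 0)}
ENV_AFTER_HOURS = {"device_managed": True, "time": time(22, 0)}
ENV_UNMANAGED_DEVICE = {"device_managed": False, "time": time(10, 0)}

if __name__ == "__main__":
    # RBAC cannot tell alice and bob apart: both hold the hr_analyst role.
    print(rbac_allows(ALICE, "payroll", "read"), rbac_allows(BOB, "payroll", "read"))
    # ABAC denies bob (wrong department) and denies alice after hours.
    print(abac_allows(ALICE, PAYROLL, ENV_OFFICE_HOURS), abac_allows(BOB, PAYROLL, ENV_OFFICE_HOURS))
```

Note that a role mis-assignment is invisible to the RBAC check, while the ABAC policy still denies the request on the department attribute; the environment checks are what make ABAC fine-grained, at the cost of a more complex policy to audit.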
Authentication Factors
Authentication strength depends on the number and type of factors:
- Something you know (password, PIN)
- Something you have (smart card, token)
- Something you are (fingerprint, retina scan)
- Somewhere you are (geolocation)
- Something you do (typing rhythm)
Implementing multi-factor authentication (MFA) strengthens defenses by requiring two or more of these factors, drawn from different factor types.
Federation and Single Sign-On
Organizations increasingly use federated identity management to allow users to access multiple systems using a single digital identity. Single Sign-On (SSO) simplifies user experience while maintaining control through a centralized authentication system.
Common federation standards include:
- SAML (Security Assertion Markup Language)
- OAuth 2.0 (Authorization framework)
- OpenID Connect (Identity layer built on top of OAuth 2.0)
IAM Best Practices and Lifecycle
IAM is not just about provisioning users. It requires comprehensive lifecycle management:
Identity Lifecycle Stages
- Provisioning: Creating user accounts and assigning roles
- Maintenance: Managing access rights over time
- Reviewing: Periodic audits to ensure proper access
- Deprovisioning: Timely removal of accounts upon role change or departure
Key Best Practices
- Enforce least privilege
- Implement MFA for all critical systems
- Use centralized logging for access events
- Automate joiner/mover/leaver processes
- Perform regular access reviews
- Monitor for privilege escalation attempts
IAM is also closely linked to compliance. Regulations such as GDPR, HIPAA, and SOX require strict access controls and audit trails.
Conclusion
Effective identity and access management is a cornerstone of organizational security. By understanding access control models, lifecycle processes, and modern IAM technologies, CISSP candidates and practitioners can ensure that users are granted only the access they need -- nothing more, nothing less.
Mastering IAM is not only vital for CISSP success but also for establishing robust, scalable security architectures in today's complex IT environments.
Study Questions
- What are the three components of AAA in IAM?
- How does RBAC differ from ABAC?
- What are the five types of authentication factors?
- What is the purpose of federated identity management?
- What lifecycle events should trigger access review or removal?