Security+ Objective 4.6: Given a Scenario, Implement and Maintain Identity and Access Management
Security+ Exam Focus: Understanding identity and access management (IAM) is critical for the Security+ exam and appears across multiple domains. You need to know account lifecycle management, permission assignments, identity proofing, federation, SSO, access control models, multifactor authentication, password best practices, and privileged access management. This knowledge is essential for security operations, preventing unauthorized access, and maintaining least privilege. Mastery of IAM concepts will help you answer questions about controlling who can access what resources and under what conditions.
Controlling the Keys to the Kingdom
Identity and access management determines who can access organizational resources, what they can do with those resources, and under what conditions access is permitted. It's the foundation of security: even the strongest network defenses and data encryption are useless if attackers gain legitimate credentials providing authorized access. IAM encompasses the complete lifecycle from creating accounts and assigning permissions through monitoring usage and eventually removing access when no longer needed. Poor IAM leads to unauthorized access, privilege creep where users accumulate excessive permissions over time, orphaned accounts remaining active after employees leave, and shared credentials making accountability impossible.
Modern IAM faces significant challenges. Organizations have thousands or tens of thousands of users requiring access to hundreds of applications and systems, both on-premises and in cloud environments. Users change roles requiring permission updates, leave requiring prompt access revocation, and need different access levels for different contexts. Meanwhile, sophisticated attackers specifically target identity and access, because compromised credentials provide legitimate-looking access that traditional security controls can't distinguish from authorized usage. Effective IAM must balance security against user experience, preventing unauthorized access while enabling authorized users to work efficiently without excessive friction.
IAM has evolved significantly beyond simple username and password authentication. Modern approaches incorporate multifactor authentication requiring multiple verification methods, single sign-on enabling one authentication for multiple applications, federation allowing secure cross-organizational access, privileged access management protecting high-risk administrative accounts, and behavioral analytics detecting compromised credentials through usage anomalies. Organizations increasingly adopt passwordless authentication, just-in-time permissions, and zero trust principles verifying every access request regardless of source. This objective explores the components of comprehensive IAM programs, from fundamental concepts like account provisioning and access controls through advanced techniques like ephemeral credentials and attribute-based access decisions.
Account Lifecycle Management
Provisioning User Accounts
Account provisioning creates user identities and assigns initial access based on roles and business needs. Effective provisioning requires formal processes ensuring accounts are created only with proper authorization, follow naming conventions enabling consistent management, receive appropriate initial permissions based on job roles, and are properly documented for audit trails. Automated provisioning integrates with HR systems creating accounts when employees are hired, assigning role-based permissions, and ensuring consistent application of security policies. Manual provisioning introduces delays and errors: accounts might be created with excessive permissions, without proper approvals, or using inconsistent configurations.
Provisioning should follow least privilege principles, granting only permissions necessary for job functions rather than copying existing user permissions or providing broad access "just in case." New accounts should start with minimal permissions, adding access as specific needs are demonstrated and approved. Organizations should implement provisioning workflows requiring manager approval, security review for sensitive access, and documentation of business justifications. Time-bound accounts with automatic expiration work well for contractors and temporary employees, preventing accounts from lingering indefinitely. Provisioning integration with identity management systems ensures consistent implementation across all platforms rather than creating disconnected accounts in each system separately.
De-provisioning and Access Revocation
De-provisioning removes access when users no longer require it: when employees leave, contractors complete projects, or roles change eliminating certain access needs. Timely de-provisioning is critical for security, since accounts active after users leave are common attack vectors, either through the former users themselves or attackers discovering orphaned credentials. De-provisioning should happen promptly when employment ends, ideally integrated with HR systems automatically disabling accounts on termination dates. Organizations should also de-provision unneeded permissions when users change roles, following least privilege rather than accumulating permissions over time.
Comprehensive de-provisioning covers all systems and applications, not just primary directory accounts. Orphaned accounts often remain in secondary systems, forgotten cloud services, or third-party applications when primary accounts are disabled. Organizations should maintain inventories of all systems requiring de-provisioning, implement centralized identity management enabling coordinated deactivation, and conduct regular audits identifying accounts that should be disabled. De-provisioning should disable rather than immediately delete accounts, preserving audit logs and data ownership while preventing login. Account data can be transferred to managers or archived after appropriate retention periods. Effective de-provisioning prevents unauthorized access from former employees while maintaining business continuity.
Account Lifecycle Best Practices:
- Automated Integration: Connect provisioning and de-provisioning with HR systems automatically triggering account creation and removal based on employment status. Automation ensures timeliness and consistency while reducing manual errors.
- Role-Based Templates: Define permission templates for common roles enabling consistent provisioning based on job functions. Templates ensure users receive appropriate access without requiring custom permission design for each account.
- Approval Workflows: Require appropriate approvals before account creation or permission changes ensuring authorization and business justification. Workflows create accountability and audit trails for access decisions.
- Regular Reviews: Periodically audit accounts and permissions identifying orphaned accounts, permission creep, or access no longer aligned with current roles. Reviews catch issues automation might miss.
- Comprehensive Coverage: Ensure provisioning and de-provisioning processes cover all systems including on-premises, cloud, and third-party applications. Gaps create security vulnerabilities through forgotten access points.
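The reconciliation that the automated-integration and comprehensive-coverage practices above describe, as an added example that is not part of the original page: an HR roster is compared against the account inventory of every system (directory, cloud, SaaS), and each account whose owner is terminated, past a contract end date, or missing from HR entirely is flagged and disabled rather than deleted. The roster, system names and dates are constructed sample data.

```python
"""Reconcile an HR roster against per-system account inventories.

Constructed example data; accounts are disabled in place, never deleted, so
audit logs and data ownership survive de-provisioning.
"""
import copy
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: employee id -> (status, role, contract end date or None)
HR_ROSTER = {
    "e100": ("active", "engineer", None),
    "e101": ("terminated", "analyst", None),
    "e102": ("active", "contractor", date(2024, 3, 31)),
    "e103": ("active", "manager", None),
}

# Constructed per-system inventories: account id -> enabled flag.
# The cloud and SaaS systems are where orphaned accounts usually hide.
SYSTEMS = {
    "directory": {"e100": True, "e101": True, "e102": True, "e103": True},
    "cloud":     {"e100": True, "e101": True, "e104": True},
    "saas_crm":  {"e102": True, "e103": True, "e999": True},
}

AS_OF = date(2024, 4, 15)   # constructed "today" for the review run


@dataclass
class Action:
    system: str
    account: str
    reason: str


def reconcile(roster, systems, today=AS_OF):
    """Return one de-provisioning action per enabled account that should not be."""
    actions = []
    for system, accounts in systems.items():
        for account, enabled in accounts.items():
            if not enabled:
                continue                       # already disabled, nothing to do
            record = roster.get(account)
            if record is None:
                # No HR record at all: an orphaned account in a secondary system
                actions.append(Action(system, account, "no HR record (orphaned)"))
                continue
            status, _role, contract_end = record
            if status == "terminated":
                actions.append(Action(system, account, "employment ended"))
            elif contract_end is not None and contract_end < today:
                actions.append(Action(system, account, f"contract expired {contract_end}"))
    return actions


def apply(actions, systems):
    """Disable (not delete) every flagged account; returns the updated inventory."""
    updated = copy.deepcopy(systems)
    for a in actions:
        updated[a.system][a.account] = False
    return updated


if __name__ == "__main__":
    for a in reconcile(HR_ROSTER, SYSTEMS):
        print(f"{a.system:10} {a.account:6} disable: {a.reason}")
```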
Permission Assignments and Implications
Permission assignments determine what resources users can access and what actions they can perform: read, write, delete, execute, or administrative control. Effective permission management follows least privilege, granting only permissions necessary for job functions. Over-permissioned accounts create security risks: compromised accounts can cause more damage, insider threats have broader access, and compliance violations occur when users access data they shouldn't. Under-permissioned accounts frustrate users and reduce productivity. The challenge is finding appropriate balance providing necessary access while minimizing risk exposure.
Permission implications extend beyond immediate access. Some permissions enable privilege escalation: modifying security settings, creating accounts, or changing permissions can provide pathways to higher access levels. Data access permissions have compliance implications: regulations often restrict who can access sensitive data, requiring careful permission assignment and monitoring. Permissions should be regularly reviewed and recertified ensuring they remain appropriate as roles evolve. Organizations should implement permission analytics identifying risky combinations, detecting permission creep, and highlighting users with access exceeding typical peers. Effective permission management requires ongoing attention, not just initial assignment during provisioning.
Identity Verification and Federation
Identity Proofing
Identity proofing verifies that individuals are who they claim to be before granting accounts and access. Weak identity proofing enables attackers to create accounts using false identities or compromised information. In-person verification provides highest assurance through government-issued photo ID and face-to-face verification. Remote proofing uses knowledge-based authentication asking questions based on personal history, document verification analyzing uploaded IDs, or biometric verification matching selfies to ID photos. The appropriate proofing level depends on access sensitivity and risk tolerance; administrative accounts require stronger proofing than basic user accounts.
Identity proofing happens during initial account creation and potentially when users request sensitive access or reset credentials. Organizations should document proofing methods and evidence maintaining audit trails of identity verification. Proofing should detect synthetic identities created from combined real and fake information, validate that documents aren't forged, and confirm personal information matches identity claims. Stronger proofing increases confidence in user identities but adds friction to onboarding. Organizations must balance security assurance against user experience and operational efficiency, implementing proofing appropriate for their risk environment and access sensitivity.
Federation and Cross-Organizational Access
Federation enables users from one organization to access resources in another using their home organization credentials, eliminating the need for separate accounts in each organization. Federation relationships establish trust between identity providers (organizations managing identities) and service providers (organizations providing resources). Users authenticate to their identity providers, which assert identities to service providers through standardized protocols. Federation improves security by centralizing credential management, enhances user experience through fewer credentials to manage, and simplifies access management by delegating authentication to identity providers.
Federation requires trust establishment including cryptographic validation of identity assertions, agreement on attributes being shared, and understanding of liability and responsibility. SAML (Security Assertion Markup Language) is common for enterprise federation exchanging XML-based authentication and authorization assertions. OAuth provides delegated authorization enabling applications to access resources on users' behalf without sharing passwords. Federation enables B2B scenarios where partners need access to shared resources, cloud adoption where organizations use external SaaS applications, and collaboration where users from multiple organizations work together. Organizations must carefully manage federation relationships, limiting trust to appropriate partners, monitoring federated access, and maintaining ability to revoke trust if necessary.
Single Sign-On (SSO)
Single sign-on enables users to authenticate once and access multiple applications without repeated logins. SSO improves user experience by reducing authentication friction, enhances security by reducing password fatigue that leads to weak or reused passwords, and centralizes authentication enabling consistent security policies and monitoring. SSO implementations authenticate users to identity providers, then automatically authenticate to integrated applications using tokens or assertions proving identity. Users see seamless access without understanding underlying authentication mechanics.
LDAP (Lightweight Directory Access Protocol) provides directory services supporting authentication and authorization for multiple applications querying centralized directories. OAuth enables authorization delegation where applications obtain limited access tokens representing user permission without handling passwords directly. SAML exchanges authentication assertions between identity and service providers in enterprise SSO scenarios. Organizations should implement SSO for internal applications improving user experience, extend SSO to cloud applications through federation, and maintain consistent authentication policies across all SSO-integrated applications. SSO creates a single point of failure: compromised SSO credentials provide access to all integrated applications, so SSO access requires strong authentication protections including multifactor authentication.
Access Control Models
Mandatory Access Control (MAC)
Mandatory Access Control enforces centrally defined security policies that users and system owners cannot override. Security labels classify subjects (users, processes) and objects (files, resources) with sensitivity levels like classified, secret, or top secret. MAC policies prevent reading information at higher sensitivity levels than user clearances and prevent writing information to lower sensitivity levels (preventing leaks). MAC provides strong security assurance for environments handling classified or highly sensitive information where users cannot be trusted to make appropriate access decisions. It's common in military and government systems requiring strict information flow control.
MAC implementations include SELinux enforcing type enforcement policies on Linux systems and Windows Mandatory Integrity Control labeling processes and objects with integrity levels. MAC requires careful policy design and administration since policies are rigid and centrally controlled. Users cannot share files or grant access outside policies regardless of business needs. MAC works best in environments with well-defined information sensitivity levels and strict need-to-know requirements. Most commercial environments find MAC too restrictive, preferring more flexible approaches, but MAC remains valuable for protecting highly sensitive compartmented information requiring guaranteed security policy enforcement.
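The two MAC rules described above (no reading above your clearance, no writing below it), extended with the compartments that compartmented information adds, as an added example that is not code from the original page. The level names and compartment names are constructed; a subject's label must dominate an object's label (at least as high, and covering every compartment) before a read is allowed, and the reverse must hold before a write is allowed.

```python
"""Mandatory access control decision: label dominance with compartments.

Constructed example. A label is a sensitivity level plus a set of
compartments (need-to-know categories). Neither the subject nor the object
owner can change the outcome; only the central policy (this function) does.
"""

# Constructed ordering of sensitivity levels, lowest to highest
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    def __init__(self, level, compartments=()):
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """True if this label is at least as high and covers every compartment
        of the other label; this is the lattice ordering MAC enforces."""
        return (self.level >= other.level
                and self.compartments >= other.compartments)

    def __repr__(self):
        name = next(k for k, v in LEVELS.items() if v == self.level)
        return f"Label({name!r}, {sorted(self.compartments)})"


def mac_decision(subject, obj, action):
    """Return True if the centrally defined policy permits the action."""
    if action == "read":
        return subject.dominates(obj)     # no read up: clearance must dominate label
    if action == "write":
        return obj.dominates(subject)     # no write down: label must dominate clearance
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    analyst = Label("secret", {"crypto"})
    for obj, action in [(Label("confidential"), "read"),
                        (Label("top secret"), "read"),
                        (Label("confidential"), "write")]:
        print(analyst, action, obj, "->", "permit" if mac_decision(analyst, obj, action) else "deny")
```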
Discretionary Access Control (DAC)
Discretionary Access Control allows resource owners to determine who can access their resources and what permissions to grant. File system permissions in Windows and Linux implement DAC: file owners can grant read, write, or execute permissions to other users or groups. DAC provides flexibility enabling resource owners to make access decisions based on business needs without requiring central administration for every permission change. However, DAC security relies on individual users making appropriate decisions, creating risks when users grant overly broad permissions or fail to remove access when no longer needed.
DAC is prevalent in commercial environments where flexibility and user empowerment are important. Organizations implement DAC with guidance and policies about appropriate permission granting, regular audits identifying overly permissive access, and technical controls limiting what permissions can be granted. DAC works best when combined with other controls: data classification guiding permission decisions, access reviews validating permissions remain appropriate, and monitoring detecting unusual access patterns. While DAC alone provides insufficient security for highly sensitive environments, it offers practical balance between security and operational flexibility for most business scenarios.
Role-Based Access Control (RBAC)
Role-Based Access Control assigns permissions to roles representing job functions, then assigns users to roles inheriting associated permissions. RBAC simplifies permission management: instead of individually managing permissions for thousands of users, administrators manage permissions for dozens of roles. New users receive appropriate permissions by being assigned to roles matching their jobs. Role changes require updating role assignments rather than individually adjusting hundreds of permissions. RBAC reduces permission errors, ensures consistency across users in similar roles, and scales efficiently as organizations grow.
Effective RBAC requires careful role design reflecting actual job functions, periodic role reviews ensuring role permissions remain appropriate, and preventing role explosion where excessive roles undermine simplicity benefits. Organizations should define core roles for common job functions, implement role hierarchies where senior roles inherit junior role permissions plus additional access, and allow exceptional permissions for unique requirements while maintaining role-based assignments as the norm. RBAC should prevent users from holding conflicting roles creating separation of duties violations. Modern RBAC implementations support role activation where users hold multiple roles but activate specific roles when needed rather than always exercising all permissions.
Advanced Access Control Models:
- Rule-Based Access Control: Makes access decisions based on conditions and rules rather than static permissions. Rules might enforce time restrictions, location requirements, or device compliance before granting access. Rule-based control provides dynamic access adapting to context and risk.
- Attribute-Based Access Control (ABAC): Evaluates attributes of users, resources, actions, and environment making granular access decisions based on policies. ABAC enables fine-grained access control reflecting complex business rules, such as allowing document access only to users in specific departments with appropriate clearances during business hours from corporate devices.
- Time-of-Day Restrictions: Limits access to specific time windows reflecting when users legitimately need access. Time restrictions prevent after-hours access by users who only work normal business hours, limiting exposure from compromised credentials outside expected usage periods.
- Least Privilege: Provides minimum permissions necessary for required tasks rather than broad access. Least privilege reduces blast radius from compromised or malicious insiders by limiting what each account can access and do. Regular reviews ensure permissions remain minimal as needs evolve.
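The ABAC rule quoted in the list above (department, clearance, business hours, corporate device), combined with the time-of-day restriction, as an added example that is not code from the original page. The policy is a list of named predicates over subject, resource, action and environment attributes; every predicate must pass, and a denial reports which one failed so it can be logged. The attribute names, clearance ranks, sample users and the 08:00 to 18:00 weekday window are constructed.

```python
"""Attribute-based access decision for document reads.

Constructed example: attribute names, users, document and the business-hours
window are assumptions, not taken from any product.
"""
from datetime import datetime

# Constructed clearance ordering, lowest to highest
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def business_hours(when):
    """Time-of-day restriction: Monday to Friday, 08:00 to 17:59 (constructed window)."""
    return when.weekday() < 5 and 8 <= when.hour < 18


# Each rule is (name, predicate(subject, resource, action, environment)).
# Order matters only for which failure is reported first.
DOCUMENT_POLICY = [
    ("action_is_read",   lambda s, r, a, e: a == "read"),
    ("department_ok",    lambda s, r, a, e: s["department"] in r["allowed_departments"]),
    ("clearance_ok",     lambda s, r, a, e: CLEARANCE_RANK[s["clearance"]]
                                              >= CLEARANCE_RANK[r["classification"]]),
    ("business_hours",   lambda s, r, a, e: business_hours(e["time"])),
    ("corporate_device", lambda s, r, a, e: e["device_managed"] is True),
]


def decide(subject, resource, action, environment, policy=DOCUMENT_POLICY):
    """Return ('permit', None) or ('deny', name_of_first_failed_rule)."""
    for name, check in policy:
        if not check(subject, resource, action, environment):
            return ("deny", name)
    return ("permit", None)


# Constructed sample attributes
ALICE = {"department": "finance", "clearance": "confidential"}
BOB = {"department": "engineering", "clearance": "internal"}
QUARTERLY_REPORT = {"allowed_departments": {"finance", "legal"},
                    "classification": "confidential"}
WORKDAY_MORNING = datetime(2024, 4, 16, 10, 30)   # a Tuesday
SATURDAY_NIGHT = datetime(2024, 4, 20, 22, 0)


if __name__ == "__main__":
    env = {"time": WORKDAY_MORNING, "device_managed": True}
    print(decide(ALICE, QUARTERLY_REPORT, "read", env))
    print(decide(BOB, QUARTERLY_REPORT, "read", env))
    print(decide(ALICE, QUARTERLY_REPORT, "read",
                 {"time": SATURDAY_NIGHT, "device_managed": True}))
```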
Authentication Mechanisms
Multifactor Authentication
Multifactor authentication (MFA) requires multiple verification factors making compromise significantly harder than single-factor passwords alone. Authentication factors include something you know (passwords, PINs), something you have (tokens, smart cards, phones), something you are (biometrics), and somewhere you are (geolocation). True MFA uses factors from different categories: password plus SMS code provides two factors, while password plus security questions provides two instances of "something you know" but isn't true MFA. MFA dramatically reduces credential compromise risks since attackers must obtain multiple factors rather than just passwords.
MFA implementations vary in security and usability. SMS-based codes are convenient but vulnerable to SIM swapping and interception. Authenticator apps like Google Authenticator or Microsoft Authenticator generate time-based codes more securely. Hardware tokens (hard tokens) or software tokens (soft tokens) generate cryptographic codes. Security keys using FIDO standards provide phishing-resistant authentication through cryptographic challenge-response. Biometrics include fingerprints, facial recognition, or iris scans verifying "something you are." Organizations should implement MFA for all remote access, administrative accounts, and access to sensitive systems, selecting implementations balancing security strength against user acceptance and deployment feasibility.
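What the authenticator apps above actually compute, as an added example that is not code from the original page: the time-based one-time password of RFC 6238, built on the HMAC-based HOTP of RFC 4226, with a verifier that accepts one step of clock drift and refuses to accept an already-used step (so a code captured in transit cannot be replayed within its window). The seed is the RFC's published test secret; the drift window and the replay check are assumptions.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), standard library only.

Constructed example. RFC_SEED is the reference test secret from RFC 6238,
so the codes it produces can be checked against the RFC's own table.
"""
import base64
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """HMAC the 8-byte big-endian counter, dynamic-truncate, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """The counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, candidate, now, step=30, digits=6, window=1, last_step=None):
    """Accept the code for the current step or its neighbours (clock drift),
    but never a step at or before the last one already accepted (replay).
    Returns (accepted, step_to_record)."""
    current = int(now) // step
    for offset in range(-window, window + 1):
        step_no = current + offset
        if last_step is not None and step_no <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, step_no, digits), candidate):
            return True, step_no
    return False, last_step


def secret_from_base32(text):
    """Decode the base32 secret found in provisioning URIs (padding tolerated)."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


RFC_SEED = b"12345678901234567890"   # RFC 6238 test secret for SHA-1


if __name__ == "__main__":
    print("current code:", totp(RFC_SEED, time.time()))
```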
Biometric Authentication
Biometric authentication verifies identity through physical characteristics like fingerprints, facial features, iris patterns, or voice characteristics. Biometrics provide convenience (users can't forget biometric factors the way they forget passwords) and security, since biometric characteristics are unique and difficult to steal or replicate. However, biometrics aren't perfect. False acceptance rates (incorrectly authenticating wrong users) and false rejection rates (incorrectly rejecting legitimate users) require tuning balancing security against user experience. Unlike passwords, which can simply be revoked and reissued, biometric data can't be changed if compromised.
Organizations implementing biometrics should store biometric templates rather than raw biometric data, use cryptographic hashing making stored biometrics useless if compromised, implement liveness detection preventing spoofing with photos or recordings, and combine biometrics with other factors rather than using biometrics alone. Biometrics work well for physical access control, mobile device authentication, and high-value transactions requiring strong identity verification. Privacy considerations require careful biometric data handling, transparency about collection and storage, and compliance with regulations governing biometric information. Biometrics should be one component of comprehensive authentication strategies rather than complete solutions.
Password Management
Password Best Practices
Password policies balance security against usability determining requirements users must meet. Length is more important than complexity: longer passwords resist brute force attacks better than shorter complex ones. Modern guidance recommends minimum 12-15 character passwords rather than 8 characters with complexity requirements. Complexity requirements (uppercase, lowercase, numbers, symbols) make passwords harder to remember without significantly improving security against modern attacks, often leading users to predictable patterns like "Password1!". Organizations should emphasize length over complexity, using passphrases of multiple words rather than complex character combinations.
Password reuse across multiple sites creates significant risks: one compromised site exposes credentials to all sites using the same password. Organizations should prohibit reusing previous passwords and check new passwords against databases of known-compromised credentials, rejecting those appearing in breaches. Password expiration forcing periodic changes was traditional practice, but modern guidance questions its value: frequent changes lead to predictable patterns and weaker passwords. Better approaches include monitoring for credential compromise, implementing MFA reducing password importance, and only requiring changes when compromise is suspected. Password age tracking how long passwords have been in use enables targeted resets for old passwords while avoiding forced changes for recent passwords.
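The policy described in the two paragraphs above, as an added example that is not code from the original page: a checker that enforces length instead of character-class complexity, rejects passwords found in a breach corpus, refuses reuse of a user's previous passwords (kept only as salted PBKDF2 hashes), and targets resets by password age rather than forcing everyone to rotate. The breach list, the 12-character minimum, the 365-day age threshold and the sample users are constructed.

```python
"""Password policy checks: length over complexity, breach list, history, age.

Constructed example. BREACHED stands in for a breached-credential corpus and
holds SHA-1 hashes only, as such services do, so no plaintexts sit beside it.
"""
import hashlib
import hmac
import os
from datetime import date

MIN_LENGTH = 12          # length requirement; no character-class rules on purpose
MAX_AGE_DAYS = 365       # constructed: only passwords older than this get a reset


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Constructed breach corpus (three made-up entries)
BREACHED = {sha1_hex(p) for p in ["Password1!", "qwerty123456", "letmein12345"]}


def derive(password, salt):
    """Slow salted hash for the history list; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def remember(password):
    """Produce the (salt, hash) pair kept in a user's password history."""
    salt = os.urandom(16)
    return (salt, derive(password, salt))


def evaluate(candidate, history, breached=BREACHED):
    """Return the list of policy failures; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sha1_hex(candidate) in breached:
        problems.append("appears in breach corpus")
    if any(hmac.compare_digest(stored, derive(candidate, salt)) for salt, stored in history):
        problems.append("reused a previous password")
    return problems


def targeted_resets(last_set, today):
    """Users whose password is older than MAX_AGE_DAYS, in sorted order."""
    return sorted(u for u, d in last_set.items() if (today - d).days > MAX_AGE_DAYS)


# Constructed password-age records
LAST_SET = {"alice": date(2021, 6, 1), "bob": date(2024, 2, 1), "carol": date(2023, 1, 15)}
AS_OF = date(2024, 4, 15)


if __name__ == "__main__":
    hist = [remember("correct horse battery staple")]
    for pw in ["Password1!", "correct horse battery staple", "purple cactus rides the tram"]:
        print(f"{pw!r}: {evaluate(pw, hist) or 'ok'}")
    print("reset needed:", targeted_resets(LAST_SET, AS_OF))
```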
Password Managers
Password managers generate, store, and auto-fill strong unique passwords for every account, solving the impossible task of remembering hundreds of complex passwords. Users remember one strong master password protecting encrypted password vaults. Password managers enable using cryptographically random passwords for every site without memory burden, eliminating password reuse, and facilitating longer more complex passwords. They reduce phishing risks by auto-filling passwords only on legitimate sites rather than phishing lookalikes where users might manually enter credentials.
Organizations should encourage or require password manager adoption, potentially providing enterprise password managers like 1Password, LastPass, or Bitwarden. Enterprise password managers enable secure password sharing for service accounts, provide administrative visibility without exposing passwords, and support emergency access if users are unavailable. Personal password managers are better than no password manager even if not enterprise-controlled. Password managers eliminate most barriers to strong unique passwords for every account significantly improving security posture. Organizations should train users on password manager usage, address concerns about security, and lead by example with IT staff using password managers.
Passwordless Authentication
Passwordless authentication eliminates passwords entirely using alternatives like biometrics, security keys, or certificate-based authentication. Passwordless approaches remove password-related attacks including phishing, credential stuffing, and password reuse. Windows Hello uses biometrics or PINs backed by device TPMs. FIDO2 security keys provide cryptographic authentication without passwords. Certificate-based authentication uses PKI certificates identifying users. Passwordless authentication improves security by eliminating most common attack vectors while improving user experience through faster authentication without password memory burdens.
Transitioning to passwordless requires supporting infrastructure including biometric readers, security key distribution, or PKI deployment. Organizations should pilot passwordless authentication with IT staff before broader deployment, maintain password fallbacks during transition, and carefully handle device loss scenarios where passwordless credentials might be inaccessible. Passwordless works best combined with device trust: the credential proves device possession, and a biometric or PIN proves user presence. While passwordless represents the future of authentication, practical deployment requires careful planning, user training, and staged implementation ensuring business continuity during transition.
Privileged Access Management
Just-in-Time Permissions
Just-in-time (JIT) permissions grant elevated access only when needed for specific durations rather than permanent administrative privileges. Users request elevated access with business justifications, receive approval, and get temporary permissions that automatically expire after defined periods. JIT reduces standing privileges that create security risks when compromised and limits insider threat exposure by restricting when elevated access is available. Administrators work with standard user accounts most of the time, elevating only for specific administrative tasks, then reverting to standard privileges when tasks complete.
JIT implementation requires workflows for requesting and approving access, automated systems granting and revoking permissions, monitoring and logging of privileged access usage, and integration with ticketing systems tracking why access was needed. Organizations should implement JIT for administrative accounts, database access, cloud administration, and any high-privilege access. JIT permissions should be time-bound (2 hours, 8 hours, 24 hours) appropriate for task durations, role-specific granting only permissions needed for specific tasks, and logged comprehensively supporting audit requirements. JIT significantly reduces attack surface by eliminating most standing administrative privileges while maintaining operational capabilities for legitimate administrative needs.
Password Vaulting
Password vaults securely store privileged account credentials like administrative passwords, service account passwords, and application credentials. Instead of sharing passwords through insecure channels or storing them in spreadsheets, passwords are stored encrypted in vaults. Users request access and receive passwords through a secure checkout process, use the credentials for authorized tasks, and the credentials are then automatically rotated after use, preventing ongoing access. Vaulting provides comprehensive audit trails tracking who accessed which credentials when, prevents password sharing and reuse, and enables password rotation without needing to manually update passwords across all usage locations.
Password vault implementations should enforce checkout workflows requiring approval for sensitive credentials, automatically rotate passwords after use or on regular schedules, record session activity showing what administrators did with privileged credentials, integrate with monitoring systems alerting on unusual privileged access, and maintain encrypted credential storage protecting against vault compromise. Organizations should vault administrative accounts, service accounts, API keys, database credentials, and any shared or privileged credentials. Modern privileged access management (PAM) platforms integrate password vaulting with just-in-time permissions, session recording, and automated remediation providing comprehensive privileged access control.
Ephemeral Credentials
Ephemeral credentials are temporary credentials created on-demand and automatically expiring after short durations or specific uses. Unlike permanent credentials that exist indefinitely, ephemeral credentials only exist when actively needed. Cloud platforms generate temporary access tokens valid for hours rather than permanent API keys. Databases create temporary accounts for specific sessions rather than shared accounts. Ephemeral credentials reduce credential theft risks since credentials quickly become useless, eliminate credential management burden since temporary credentials don't require rotation, and improve security through automatic expiration without requiring manual revocation.
Organizations should use ephemeral credentials for cloud resource access through assumed roles or service accounts, temporary database access for development and operations, API authentication using short-lived tokens, and any scenario where permanent credentials aren't necessary. Ephemeral approaches require infrastructure supporting credential generation and validation, applications able to request new credentials when expiring, and monitoring ensuring credential issuance aligns with legitimate needs. While ephemeral credentials improve security, they require more sophisticated credential management than permanent credentials. Organizations should transition from permanent credentials to ephemeral approaches where feasible, particularly for programmatic access and administrative operations.
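The just-in-time elevation workflow and the ephemeral credentials described in the two sections above, as one added example that is not code from the original page: a request with a ticket reference and an approver yields a signed token bound to one role with an expiry capped per role, the resource validates signature, role and time on every use, the grant dies on its own without any revocation step, and every issue and rejection is written to an audit list. The signing key, role names, time limits and ticket ids are constructed; a real deployment would keep the key in a KMS or HSM.

```python
"""Just-in-time elevation issued as a short-lived, HMAC-signed credential.

Constructed example: roles, durations and the in-process signing key are
assumptions. The token format is body.signature, both URL-safe base64.
"""
import base64
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = secrets.token_bytes(32)      # constructed; keep in a KMS/HSM in practice
MAX_TTL = {"db-admin": 2 * 3600, "cloud-admin": 8 * 3600}   # constructed per-role caps
AUDIT_LOG = []


def _sign(body):
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def issue(user, role, justification, ttl_seconds, approved_by, now):
    """Mint an ephemeral grant after approval; the decision is logged in full."""
    if role not in MAX_TTL:
        raise ValueError(f"unknown role {role!r}")
    if not justification or not approved_by:
        raise PermissionError("business justification and approver are required")
    ttl = min(ttl_seconds, MAX_TTL[role])         # never longer than the role allows
    claims = {"sub": user, "role": role, "iat": now, "exp": now + ttl,
              "jti": secrets.token_hex(8)}        # jti: unique id for audit correlation
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    token = body + b"." + base64.urlsafe_b64encode(_sign(body))
    AUDIT_LOG.append({"event": "issue", "ticket": justification,
                      "approver": approved_by, **claims})
    return token.decode()


def check(token, required_role, now):
    """Return the claims if the token is genuine, unexpired and for the role; else None."""
    try:
        body, sig = token.encode().split(b".")
        if not hmac.compare_digest(_sign(body), base64.urlsafe_b64decode(sig)):
            return None                            # forged or tampered
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, json.JSONDecodeError):
        return None                                # malformed token
    if claims["role"] != required_role or not (claims["iat"] <= now < claims["exp"]):
        AUDIT_LOG.append({"event": "reject", "jti": claims["jti"],
                          "wanted": required_role, "at": now})
        return None                                # wrong role, not yet valid, or expired
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue("alice", "db-admin", "INC-1234", 4 * 3600, "bob", t0)
    print("one minute later:", check(tok, "db-admin", t0 + 60) is not None)
    print("three hours later:", check(tok, "db-admin", t0 + 3 * 3600) is not None)
    print(AUDIT_LOG)
```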
Real-World Implementation Scenarios
Scenario 1: Enterprise IAM Modernization
Situation: A corporation needs comprehensive IAM covering provisioning, access controls, MFA, SSO, and privileged access management across on-premises and cloud environments.
Implementation: Integrate HR systems with identity management platforms automating account provisioning and de-provisioning based on employment status. Implement role-based access control defining permissions for common job functions. Deploy attribute-based access control for sensitive data requiring granular decisions based on multiple factors. Implement SSO using SAML federation enabling single authentication for all applications. Deploy MFA requiring second factors for remote access and administrative accounts using authenticator apps and security keys. Implement password policies emphasizing length over complexity and prohibiting known-compromised passwords. Deploy enterprise password manager supporting credential sharing and management. Implement privileged access management with password vaulting for administrative credentials, just-in-time permissions for temporary elevation, and session recording for audit trails. Deploy identity governance conducting regular access reviews and recertification. Integrate identity and access monitoring with SIEM detecting unusual authentication patterns or privilege usage. Result: Comprehensive IAM providing security, user experience, and operational efficiency across hybrid environments.
Scenario 2: Healthcare IAM Compliance
Situation: A hospital system requires IAM meeting HIPAA requirements including access controls, audit logging, and automatic logoff for systems accessing patient health information.
Implementation: Implement role-based access control aligning permissions with job functions and need-to-know for patient information. Deploy mandatory access control for compartmented information requiring strict access policies. Implement strong identity proofing for employees accessing patient data. Deploy MFA for remote access and privileged accounts. Implement time-of-day restrictions limiting access to scheduled shifts. Deploy session timeout automatically logging out inactive users accessing patient data. Implement comprehensive audit logging tracking all access to patient health information. Integrate access monitoring with security operations detecting unusual access patterns suggesting unauthorized viewing. Conduct regular access reviews recertifying user permissions quarterly. Implement emergency access procedures with break-glass accounts for urgent patient care situations followed by mandatory review. Deploy privileged access management protecting administrative credentials. Maintain detailed documentation supporting HIPAA compliance audits. Result: Compliant IAM implementation protecting patient privacy while enabling healthcare delivery.
Scenario 3: Cloud-First IAM Strategy
Situation: A technology startup with cloud-native infrastructure needs scalable IAM supporting rapid growth and diverse SaaS applications.
Implementation: Deploy cloud identity provider as central identity authority. Implement SSO federating authentication to all SaaS applications eliminating separate credentials for each service. Deploy adaptive authentication using risk-based MFA requiring additional factors for unusual access patterns. Implement just-in-time cloud permissions granting temporary elevated access rather than standing administrative privileges. Deploy ephemeral credentials for programmatic cloud access using assumed roles and temporary tokens. Implement passwordless authentication using FIDO2 security keys for employee access. Deploy API authentication using OAuth tokens rather than API keys. Implement automated provisioning integrating with HR systems. Deploy identity governance with regular access reviews. Implement zero trust principles verifying every access request regardless of source. Leverage cloud-native logging and monitoring tracking identity and access activity. Use infrastructure as code managing cloud permissions through version-controlled templates. Result: Modern cloud-native IAM providing security and scalability while enabling rapid organizational growth.
Best Practices for Identity and Access Management
Strategic Approach
- Lifecycle automation: Integrate provisioning and de-provisioning with HR systems ensuring timely and consistent account management throughout employment lifecycle.
- Least privilege: Grant minimum permissions necessary for job functions, regularly reviewing and removing unnecessary access preventing permission creep.
- Zero trust verification: Verify every access request regardless of source location or previous authentication treating nothing as inherently trusted.
- Centralized identity: Implement single identity source of truth providing consistent identity management across all systems rather than disconnected accounts.
- Defense in depth: Layer multiple authentication and authorization controls so individual control failures don't result in complete compromise.
Operational Excellence
- Regular access reviews: Conduct periodic recertification of user permissions ensuring access remains appropriate for current roles and responsibilities.
- Privileged access protection: Implement comprehensive PAM protecting administrative credentials through vaulting, just-in-time access, and session monitoring.
- Strong authentication: Deploy MFA for remote access, privileged accounts, and sensitive systems significantly reducing credential compromise risks.
- Comprehensive monitoring: Track authentication attempts, permission usage, and privilege escalations detecting anomalies suggesting compromise or misuse.
- User training: Educate users about authentication best practices, password security, MFA importance, and recognizing phishing attempting credential theft.
Practice Questions
Sample Security+ Exam Questions:
- Which access control model assigns permissions to job functions rather than individual users?
- What authentication approach requires multiple verification methods from different categories?
- Which protocol exchanges XML-based authentication assertions for enterprise SSO?
- What type of credentials are automatically created on-demand and expire after short durations?
- Which access control principle grants only minimum permissions necessary for required tasks?
Security+ Success Tip: Understanding identity and access management is essential for the Security+ exam and real-world security operations. Focus on learning account lifecycle management, different access control models and when to use each, authentication factors and MFA implementations, password best practices, and privileged access management techniques. Practice analyzing scenarios to determine appropriate IAM approaches for different requirements. This knowledge is fundamental to preventing unauthorized access and maintaining organizational security.
Practice Lab: IAM Implementation
Lab Objective
This hands-on lab is designed for Security+ exam candidates to practice implementing identity and access management. You'll configure account provisioning, implement access controls, deploy MFA, configure SSO, and implement privileged access management.
Lab Setup and Prerequisites
For this lab, you'll need access to directory services, identity management platforms, authentication systems, and privileged access management tools. The lab is designed to be completed in approximately 6-7 hours and provides hands-on experience with comprehensive IAM implementation.
Lab Activities
Activity 1: Account Lifecycle Management
- Provisioning automation: Configure automated account creation based on role templates with approval workflows
- Permission assignment: Implement role-based access control assigning permissions through role membership
- De-provisioning: Configure automated account disabling based on employment status changes with audit logging
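As an added example (not part of the lab materials), the reconciliation job below implements the lifecycle controls of Activity 1 in Python. It treats the HR system as the source of truth, disables still-enabled accounts whose owner is terminated, and flags orphaned accounts (no HR owner) and dormant accounts for review. The record layouts, the 90-day dormancy threshold and the sample HR and directory data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class HRRecord:
    employee_id: str
    status: str                       # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass
class DirectoryAccount:
    username: str
    employee_id: Optional[str]        # None when no HR record owns the account
    enabled: bool
    last_logon: Optional[date]        # None when the account has never logged on


def reconcile(hr: List[HRRecord], accounts: List[DirectoryAccount],
              today: date, dormant_days: int = 90) -> List[Tuple[str, str, str]]:
    """Compare the directory against the HR system of record and return
    (action, username, reason) tuples. Leavers are disabled rather than deleted
    so the audit trail and SID/GUID history survive; orphans and dormant
    accounts are queued for human review instead of being changed blindly."""
    hr_by_id = {r.employee_id: r for r in hr}
    actions: List[Tuple[str, str, str]] = []
    for acct in accounts:
        rec = hr_by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            actions.append(("review_orphan", acct.username, "no HR owner on record"))
            continue
        if rec.status == "terminated":
            if acct.enabled:
                actions.append(("disable", acct.username, f"terminated {rec.termination_date}"))
            continue  # already disabled: nothing to do
        if not acct.enabled:
            continue
        if acct.last_logon is None:
            actions.append(("review_dormant", acct.username, "never logged on"))
        elif (today - acct.last_logon).days > dormant_days:
            actions.append(("review_dormant", acct.username, f"last logon {acct.last_logon}"))
    return actions


# Constructed sample data standing in for an HR export and a directory dump.
SAMPLE_HR = [
    HRRecord("E100", "active"),
    HRRecord("E200", "terminated", date(2024, 3, 1)),
    HRRecord("E300", "active"),
    HRRecord("E400", "active"),
]
SAMPLE_ACCOUNTS = [
    DirectoryAccount("alice", "E100", True, date(2024, 4, 1)),
    DirectoryAccount("bob", "E200", True, date(2024, 2, 28)),     # leaver, still enabled
    DirectoryAccount("dave", "E200", False, date(2024, 2, 20)),   # leaver, already disabled
    DirectoryAccount("svc-backup", None, True, date(2024, 4, 2)),  # nobody in HR owns it
    DirectoryAccount("carol", "E300", True, date(2023, 12, 1)),   # dormant
    DirectoryAccount("erin", "E400", True, None),                 # provisioned, never used
]


def run_sample() -> List[Tuple[str, str, str]]:
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, today=date(2024, 4, 5))


if __name__ == "__main__":
    for action, user, reason in run_sample():
        print(f"{action:15} {user:12} {reason}")
```

In production this logic runs on a schedule against the HR feed and the directory, and the "disable" actions are applied automatically while the "review_*" actions open tickets; the orphan case is where service accounts with no named owner and shared credentials tend to surface.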
Activity 2: Authentication and SSO
- MFA deployment: Implement multifactor authentication using authenticator apps or security keys for sensitive access
- SSO configuration: Deploy single sign-on using SAML or OpenID Connect (the identity layer built on OAuth 2.0; OAuth alone is an authorization protocol) so one authentication covers multiple applications
- Password policies: Configure password requirements emphasizing length and prohibiting known-compromised credentials
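The Python check below is an added example, not part of the lab, of the password policy item: it enforces a minimum length, rejects passwords containing the username, and screens against a breached-password corpus with a k-anonymity style lookup (send a 5-character SHA-1 prefix, compare the suffix locally), the query pattern used by services such as Have I Been Pwned. It deliberately has no composition rules (required symbols or digits), matching the guidance to emphasize length over complexity. The 12-character minimum and the tiny breach corpus are constructed for the example.

```python
import hashlib
from typing import List

MIN_LENGTH = 12   # policy choice for this example; NIST SP 800-63B favors length over composition rules
MAX_LENGTH = 128  # allow long passphrases but bound the input so hashing cost stays predictable

# Constructed stand-in for a breached-password corpus, stored as upper-case SHA-1 hex so the
# lookup mirrors the range query a real service answers (5-char prefix in, suffixes out).
_BREACHED_HASHES = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password123", "letmein", "Summer2024!", "qwerty123456")
}


def range_lookup(prefix: str) -> List[str]:
    """What the remote API would return: every known hash suffix for a 5-hex-char prefix.
    The full password hash never leaves the client."""
    return [h[5:] for h in _BREACHED_HASHES if h.startswith(prefix)]


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def check_password(password: str, username: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    if is_breached(password):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty123456", "alice-is-great-2024", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, "alice") or "OK")
```

When the corpus is a remote service, `range_lookup` becomes the HTTP call, and the rest of the check is unchanged; SHA-1 is appropriate here only because it matches the published corpus format, not because it is a suitable password-storage hash.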
Activity 3: Privileged Access Management
- Password vaulting: Implement secure storage of privileged credentials with checkout and rotation
- JIT permissions: Configure just-in-time elevation granting temporary administrative access with automatic expiration
- Session monitoring: Deploy recording and monitoring of privileged session activity for audit trails
Lab Outcomes and Learning Objectives
Upon completing this lab, you should be able to implement account provisioning and de-provisioning, configure role-based access control, deploy multifactor authentication, implement SSO, configure password policies, and deploy privileged access management. You'll gain practical experience with IAM used in real-world enterprise environments.
Advanced Lab Extensions
For more advanced practice, try implementing attribute-based access control, deploying passwordless authentication, implementing federation with external identity providers, and integrating identity monitoring with security analytics platforms.
Frequently Asked Questions
Q: What is the difference between authentication and authorization?
A: Authentication verifies identity: proving you are who you claim to be through credentials, biometrics, or tokens. Authorization determines what authenticated users can access and do: what resources they can use and what actions they can perform. Authentication answers "who are you?" while authorization answers "what can you do?" These are separate but related; an identity must be authenticated before any authorization decision about access can be made. Authentication might use passwords and MFA to prove identity, while authorization uses permissions, roles, and access control lists to determine resource access. Strong authentication without proper authorization provides identity assurance but doesn't prevent unauthorized access to resources users shouldn't reach. Both are essential for comprehensive security.
Q: How does role-based access control (RBAC) differ from attribute-based access control (ABAC)?
A: RBAC assigns permissions to roles representing job functions, then assigns users to roles, which inherit the associated permissions; it is based on relatively static role assignments. ABAC evaluates attributes of users, resources, actions, and environment, making dynamic access decisions based on policies that consider multiple factors such as user department, security clearance, resource classification, time of day, and location. RBAC provides simplicity and scalability through role-based management while ABAC enables fine-grained, context-aware access decisions. RBAC works well when access requirements align with organizational roles and change infrequently. ABAC works better when access requires complex business rules, varies by context, or needs dynamic decisions reflecting current circumstances. Many organizations use both: RBAC for basic access management and ABAC for sensitive resources requiring granular control.
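The Python example below is added here and is not from the original guide. It puts the two models side by side on the healthcare scenario used earlier on the page: RBAC answers "does one of this user's roles carry this permission?", while ABAC evaluates subject, action, resource and environment attributes through policies combined deny-overrides (any deny wins, otherwise permit only if some policy permitted, otherwise deny by default). The role names, attributes, clearance levels and the two policies are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# ---- RBAC: permissions hang off roles, users hang off roles ------------------------
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "nurse": {"patient_record:read", "vitals:write"},
    "billing": {"invoice:read", "invoice:write"},
    "it_admin": {"account:create", "account:disable"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"nurse"},
    "bob": {"billing"},
    "carol": {"nurse", "it_admin"},
}


def rbac_allows(user: str, permission: str) -> bool:
    """Permit if any role held by the user carries the permission; unknown users get nothing."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# ---- ABAC: policies evaluate subject, action, resource and environment -------------
@dataclass
class Subject:
    name: str
    department: str
    clearance: int            # 0 (none) .. 3 (restricted)


@dataclass
class Resource:
    kind: str
    department: str
    classification: int       # 0 public .. 3 restricted


@dataclass
class Environment:
    hour: int                 # local hour 0-23
    on_site: bool


Decision = Optional[str]      # "permit", "deny", or None when the policy does not apply
Policy = Callable[[Subject, str, Resource, Environment], Decision]


def need_to_know(s: Subject, action: str, r: Resource, env: Environment) -> Decision:
    """Patient records may be read only within the subject's own department and
    only when clearance covers the record's classification."""
    if action == "read" and r.kind == "patient_record":
        ok = s.department == r.department and s.clearance >= r.classification
        return "permit" if ok else "deny"
    return None


def restricted_off_hours(s: Subject, action: str, r: Resource, env: Environment) -> Decision:
    """Restricted material is reachable only on site during 07:00-19:00."""
    if r.classification >= 3 and (not env.on_site or not 7 <= env.hour < 19):
        return "deny"
    return None


POLICIES: List[Policy] = [need_to_know, restricted_off_hours]


def abac_allows(subject: Subject, action: str, resource: Resource,
                env: Environment, policies: List[Policy] = POLICIES) -> bool:
    """Deny-overrides combining algorithm with an implicit default deny."""
    decisions = [p(subject, action, resource, env) for p in policies]
    if "deny" in decisions:
        return False
    return "permit" in decisions
```

The contrast to notice: RBAC gives `alice` read access to every patient record the nurse role covers, wherever and whenever; ABAC can grant the same read in her own department during the day and refuse it for another department's record, for a restricted record above her clearance, or from off site at night, without creating a new role for each case.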
Q: What makes multifactor authentication more secure than passwords alone?
A: MFA requires independent verification factors from different categories (something you know, have, or are), so an attacker must defeat more than one before gaining access. If attackers phish a password, they still need the second factor: a code from an authenticator app or possession of a security key. If they steal a hardware token, they still need the password. Compromising several independent factors takes several separate attacks rather than a single credential theft. MFA therefore blunts the most common attacks: phishing and keyloggers capture passwords but not the possession factor, and credential stuffing replays breached passwords that are useless without it. Microsoft has reported that enabling MFA blocks more than 99.9% of automated account-compromise attacks. MFA is not a complete defense, however: attacker-in-the-middle phishing kits relay one-time codes in real time, push-notification fatigue wears users into approving sign-ins they did not start, and a session cookie stolen after authentication bypasses MFA entirely. Phishing-resistant factors such as FIDO2 security keys defeat the relay attack because the key's signature is bound to the site's origin; stolen sessions still need monitoring and short session lifetimes. MFA should be one layer of a defense-in-depth design rather than the whole solution.
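To make the "code from an authenticator app" factor concrete, the Python below is an added example (not from the original guide) implementing HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, with a verifier that tolerates one step of clock drift and refuses to accept a step at or before the last one already used, so a code that was phished or shoulder-surfed cannot be replayed. The secret is the reference value from the RFCs so the output can be checked against the published test vectors; the replay-tracking convention (the caller stores the accepted step) is an assumption of this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

STEP = 30      # RFC 6238 default time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None, last_step: int = -1,
                window: int = 1, step: int = STEP, digits: int = DIGITS) -> Tuple[bool, int]:
    """Accept a code for the current step or up to `window` steps either side (clock drift),
    never for a step at or before `last_step`. Returns (accepted, step_to_store); the caller
    persists step_to_store per user and passes it back as last_step next time."""
    at = time.time() if at is None else at
    current = int(at // step)
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_step:
            continue  # already consumed: reject replay even if the code is otherwise right
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True, candidate
    return False, last_step


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are provisioned with a Base32 secret (otpauth:// URI); decode it,
    tolerating the spaces and lower case users type when entering it manually."""
    cleaned = b32.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# Reference secret from RFC 4226 / RFC 6238 ("12345678901234567890"), so results can be
# compared with the published test vectors (e.g. T=59 -> 94287082, last six digits 287082).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("current code:", totp(RFC_SECRET))
```

Two details matter in practice: the comparison is constant-time, and the window is small (one step each way is already 90 seconds of validity); widening it to absorb badly drifted clocks makes every relayed code live longer.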
Q: Why is privileged access management important?
A: Privileged accounts have elevated permissions enabling administrative control, configuration changes, and broad data access, making them high-value targets for attackers. Compromised privileged accounts cause maximum damage: attackers can disable security controls, access all data, create backdoor accounts, and hide their activities. PAM protects privileged access through password vaulting that securely stores administrative credentials, just-in-time permissions that grant temporary elevation rather than standing privileges, session monitoring that records what administrators do for audit trails, and automated credential rotation that prevents ongoing access after a checkout. PAM also addresses insider threats by limiting privileged access opportunities, creating accountability through comprehensive logging, and implementing separation of duties so no single administrator can compromise security alone. Organizations lacking PAM face elevated risks from credential theft, insider threats, and inability to audit privileged activities.
Q: What are the benefits of single sign-on?
A: SSO enables one authentication to access multiple applications, eliminating repeated logins. User experience improves through reduced authentication friction and fewer credentials to remember. Security improves because SSO reduces the password fatigue that leads to weak or reused passwords, enables centralized authentication policies and MFA enforcement, provides unified access monitoring that detects anomalies, and simplifies credential management with a single point for credential reset and revocation. Operational efficiency improves through reduced help desk calls for password resets and centralized user management. However, SSO concentrates risk: compromised SSO credentials provide access to all integrated applications, so the identity provider needs the strongest authentication protections in the environment. SSO also requires careful integration ensuring proper implementation across applications. The benefits typically outweigh the drawbacks when SSO is properly implemented with MFA and comprehensive monitoring.
Q: How do organizations implement least privilege?
A: Least privilege grants only the minimum permissions necessary for required job functions rather than broad access. Implementation starts with role-based access control defining permissions for common job functions rather than custom permissions for every user. New accounts receive minimal baseline permissions, with access added as specific needs are demonstrated and approved. Regular access reviews recertify permissions, ensuring they remain appropriate as roles evolve and removing unnecessary access accumulated over time. Organizations should avoid "permission copying", duplicating an existing user's permissions for a new user, since that propagates permission creep. Just-in-time permissions grant temporary elevation rather than permanent administrative privileges. Privileged access monitoring detects unusual permission usage suggesting excessive access. Least privilege requires ongoing attention; permissions naturally accumulate over time and need active management to prevent creep. While perfect least privilege is difficult, continuous improvement reducing excessive permissions significantly improves security posture.