Identity and Access Management: Authentication, Authorization, and Access Control
IAM (Identity and Access Management) is the framework of policies and technologies that ensures the right people have the right access at the right time. It covers authentication, authorization, MFA, SSO, federation, and access control models.
Authentication vs Authorization
Authentication verifies who you are — proving identity through credentials. Authorization determines what you are allowed to do — what resources you can access. They are distinct but related processes.
Authentication factors:
- Something you know — password, PIN, security question
- Something you have — smart card, security token, phone (for OTP)
- Something you are — biometrics (fingerprint, facial recognition, iris scan)
- Somewhere you are — geolocation, IP address
- Something you do — signature dynamics, typing pattern
The exam emphasizes the three main factors (know, have, are) and that MFA requires using at least two different factors.
- Authentication = who you are (identity verification)
- Authorization = what you can access (permissions)
- Three main factors: something you know, have, are
- MFA requires two or more DIFFERENT factors (not two passwords)
Access Control Models
Mandatory Access Control (MAC) — access decisions are made by a central authority based on security labels. Users cannot override permissions. Used in military and government systems. Example: classified vs unclassified labels.
Discretionary Access Control (DAC) — the resource owner decides who can access it. Common in file systems (file owner sets permissions). Windows NTFS permissions are an example of DAC.
Role-Based Access Control (RBAC) — access is based on job roles. Administrators assign roles, and roles have permissions. Users are added to roles. This is the most common model in enterprises.
Attribute-Based Access Control (ABAC) — access decisions use policies that evaluate attributes: user attributes (role, department), resource attributes (classification, owner), and environmental attributes (time, location). ABAC is more flexible and granular than RBAC.
- MAC: central authority, security labels, user can't override (military)
- DAC: resource owner controls access (file systems)
- RBAC: role-based, most common enterprise model
- ABAC: attribute-based, most flexible and granular
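As an added illustration (not part of the original notes), the following Python shows what a MAC, RBAC and ABAC decision each look like in code; the roles, labels, users and the business-hours policy are constructed sample data, not any product's policy format.

```python
from dataclasses import dataclass

# Constructed sample data: roles, their permissions, and role membership.
ROLE_PERMS = {
    "analyst": {"ticket:read"},
    "admin": {"ticket:read", "ticket:write", "user:manage"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}

def rbac_allows(user: str, permission: str) -> bool:
    """RBAC: allowed iff some role the user holds carries the permission (deny by default)."""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMS.get(role, set()) for role in roles)

# MAC: labels are assigned by a central authority; neither user nor owner can change them.
LABELS = ["unclassified", "confidential", "secret", "top-secret"]

def mac_allows_read(subject_label: str, object_label: str) -> bool:
    """MAC 'no read up': a subject may read only objects at or below its own clearance."""
    return LABELS.index(subject_label) >= LABELS.index(object_label)

@dataclass
class Request:
    subject: dict      # user attributes, e.g. department
    resource: dict     # resource attributes, e.g. owning department
    environment: dict  # environmental attributes, e.g. hour of day

def policy_same_dept_business_hours(req: Request) -> bool:
    """ABAC policy: same-department access, but only between 08:00 and 18:00."""
    return (req.subject["department"] == req.resource["department"]
            and 8 <= req.environment["hour"] < 18)

POLICIES = [policy_same_dept_business_hours]

def abac_allows(req: Request) -> bool:
    """ABAC: allowed iff any policy is satisfied; plain RBAC cannot express the time condition."""
    return any(policy(req) for policy in POLICIES)
```

The ABAC policy is the part RBAC cannot express without inventing extra roles, which is the "more granular" claim in the notes made concrete.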
MFA and Authentication Technologies
Multi-Factor Authentication (MFA) requires two or more authentication factors. Common MFA implementations: TOTP (Time-based One-Time Password — Google Authenticator, Authy), SMS codes, push notifications (approve on phone), smart cards (CAC/PIV cards used by government), and biometrics.
For the Security+ exam, understand the difference between TOTP (time-based, changes every 30 seconds) and HOTP (HMAC-based, counter-based, changes after use), and how smart cards use certificates stored on the card for authentication.
Passwordless authentication is an emerging trend using biometrics or possession factors as the primary authentication method, eliminating passwords entirely.
- TOTP: time-based OTP (30-second window) — no network needed after seed
- HOTP: counter-based OTP — changes after each use
- Smart cards: store certificates/keys on embedded chip, require reader
- Biometrics: fingerprint, facial recognition, iris — something you are
- MFA should use different factors (e.g., password + TOTP, not two passwords)
SSO and Federation
Single Sign-On (SSO) allows a user to authenticate once and access multiple applications without re-entering credentials. SSO improves user experience and reduces password fatigue but creates a single point of failure — if the SSO provider is compromised, all applications are accessible.
Federation extends SSO across organizations. For example, using your corporate credentials to log into a partner's application. Federation relies on trust relationships between identity providers (IdP) and service providers (SP).
Key federation protocols:
- SAML (Security Assertion Markup Language) — XML-based, commonly used for web browser SSO, exchanges authentication and authorization data between IdP and SP.
- OAuth 2.0 — authorization framework, allows third-party apps to access resources without sharing passwords (e.g., "Login with Google"). OAuth issues tokens, not credentials.
- OpenID Connect (OIDC) — authentication layer built on OAuth 2.0, adds identity verification.
- SSO: authenticate once, access multiple apps — convenient but single point of failure
- Federation: SSO across organizations — trust between IdP and SP
- SAML: XML-based, enterprise SSO (common in corporate environments)
- OAuth 2.0: authorization framework — grants tokens, not credentials
- OIDC: identity layer on OAuth 2.0 — adds authentication to authorization
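An added example, not part of the original notes, showing what the OIDC "identity layer" adds on top of an OAuth token: the relying party validates the ID token's signature and then its iss, aud, exp and nonce claims before trusting the subject. For a self-contained run it signs with HS256 and a shared key; real IdPs normally publish RSA keys and sign with RS256, and the issuer, client id, user id and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(key: bytes, issuer: str, audience: str, subject: str,
                   nonce: str, now: int, ttl: int = 300) -> str:
    """IdP side (constructed): a JWT carrying the standard OIDC identity claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": subject,
              "nonce": nonce, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_id_token(token: str, key: bytes, expected_iss: str, expected_aud: str,
                      expected_nonce: str, now: int):
    """Relying-party side: pin the algorithm, check the signature, then each claim. Returns (ok, detail)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"          # never let the token choose the algorithm
    expected_sig = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_iss:
        return False, "wrong issuer"
    if claims.get("aud") != expected_aud:       # a token minted for another client is not ours
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("nonce") != expected_nonce:   # binds the token to this login request
        return False, "nonce mismatch"
    return True, claims["sub"]
```

An access token alone would let the client call an API, but only these checks establish who authenticated, which is the distinction the notes draw between OAuth and OIDC.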
LDAP, Kerberos, and PAM
LDAP (Lightweight Directory Access Protocol) — protocol for accessing and maintaining directory services. LDAP stores user accounts, groups, and permissions in a hierarchical structure. Active Directory uses LDAP. LDAP is often used for authentication (bind operation) and authorization (reading attributes).
Kerberos — network authentication protocol using tickets. When a user authenticates, they receive a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC). They then use the TGT to request service tickets for specific resources. Kerberos is the default authentication protocol in Active Directory.
PAM (Privileged Access Management) — manages and monitors privileged accounts (administrator accounts). Includes password vaulting (storing admin passwords in a secure vault), session recording (recording admin sessions for audit), just-in-time access (granting temporary elevated privileges), and credential rotation.
- LDAP: protocol for directory services — stores user/group/permission data
- Kerberos: ticket-based authentication — TGT from KDC, then service tickets
- PAM: manages privileged accounts — password vaulting, session recording, JIT access
- Least privilege: grant minimum permissions needed for the task
Exam Tip
Know the three access control models: MAC (labels), DAC (owner), RBAC (roles). Understand SAML vs OAuth vs OIDC: SAML is XML enterprise SSO, OAuth is authorization (tokens), OIDC adds authentication. Kerberos authenticates with tickets, so passwords are not sent across the network.