Vendor-Neutral IAM Concepts
Understanding core IAM principles is critical for navigating any IAM platform. Below are foundational concepts organized by role, general principles, and protocols:

1. Identity Roles & Responsibilities
| Role | Focus | Key Activities |
|---|---|---|
| IAM Analyst | General access management for users and resources. | Granting/revoking access, troubleshooting logins, managing SSO integrations. |
| PAM Analyst | Securing privileged accounts (e.g., admins, service accounts). | Enforcing just-in-time access, auditing credential vaults, monitoring sessions. |
| CIAM Analyst | Managing customer identities (B2C). | Implementing social logins (OIDC), securing customer data, scaling authentication. |
| IGA Analyst | Governance, compliance, and identity lifecycle oversight. | Access certifications, role mining, policy enforcement (e.g., RBAC/ABAC). |
2. Core IAM Concepts
General Identity Management
| Concept | Purpose & Definition | Examples/Use Cases |
|---|---|---|
| Directory Service | Centralizes user/resource data for authentication and authorization. | Active Directory (on-prem), Okta Universal Directory (cloud), OpenLDAP. |
| Identity Provider (IdP) | Authenticates users and issues tokens for access. | Entra ID, Okta, Keycloak, etc. |
| User Provisioning | Granting/revoking access to applications or systems. | Joining a company, leaving a company, or moving to a new role. |
| Identity Lifecycle Management | Manages accounts from creation (joiner) to deletion (leaver). | Deprovisioning access in 50+ apps when an employee leaves. |
| Access Certifications | Periodic reviews to ensure least privilege. | Quarterly audits of the finance team's access to ERP systems. |
| Workflows | Automates IAM processes (e.g., approvals, provisioning). | Auto-escalating MFA requirements for high-risk logins. |
Security Frameworks
| Concept | Components | Relevance to IAM |
|---|---|---|
| C.I.A. Triad | Confidentiality (privacy), Integrity (untampered data), Availability (uptime). | Ensures information systems protect data, prevent unauthorized changes, and stay reliable. |
| A.A.A. Framework | Authentication (verify identity), Authorization (grant access), Accounting (audit logs). | Basis for all IAM systems. |
| Zero Trust | "Never trust, always verify." | Requires continuous authentication (e.g., Risk-Based Authentication). |
| Least Privilege | Grant minimal access required for a task. | Restricting developers to only the AWS environments they need. |
Access Control Models
| Model | Definition & Approach | Key Use Cases |
|---|---|---|
| RBAC (Role-Based Access Control) | Assigns permissions based on organizational roles (e.g., "Manager," "Developer"). Users inherit access by being assigned to roles. | Healthcare systems restricting access to patient records by role (doctor, nurse, admin). |
| ABAC (Attribute-Based Access Control) | Grants access dynamically using policies that evaluate attributes (user, resource, environment). | Granting access to financial records only if the user's department matches AND clearance level is "High." |
| GBAC (Group-Based Access Control) | Manages permissions through group memberships, often layered with RBAC/ABAC for granularity. | Tech companies providing project-specific access by adding users to Azure AD/Okta groups. |
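The three models above differ in what a decision is computed from: a role set, a group membership that implies roles, or a policy over attributes. The following is an added example, not code from the original page or from any IAM product: a small deny-by-default policy decision point in Python that evaluates the healthcare RBAC case and the financial-records ABAC rule from the table. The roles, groups, subjects, and the MFA environment condition are constructed assumptions for illustration.

```python
"""Added example (not from the original page): a minimal policy decision point
showing how RBAC, GBAC and ABAC decisions are computed. All roles, groups,
subjects and policies below are constructed for illustration."""
from dataclasses import dataclass, field

# RBAC: permissions attached to roles; users inherit them by role assignment.
ROLE_PERMISSIONS = {
    "doctor": {"patient_record:read", "patient_record:write"},
    "nurse":  {"patient_record:read"},
    "admin":  {"user:create", "user:disable"},
}

# GBAC: directory groups layered on top of RBAC; membership implies roles.
GROUP_ROLES = {
    "grp-physicians":     {"doctor"},
    "grp-clinical-staff": {"nurse"},
    "grp-it-helpdesk":    {"admin"},
}


@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)         # directly assigned roles
    groups: set = field(default_factory=set)        # directory group memberships
    attributes: dict = field(default_factory=dict)  # ABAC inputs (department, clearance, ...)


def effective_roles(subject: Subject) -> set:
    """Direct roles plus roles implied by group membership."""
    roles = set(subject.roles)
    for group in subject.groups:
        roles |= GROUP_ROLES.get(group, set())
    return roles


def rbac_allows(subject: Subject, permission: str) -> bool:
    """Deny by default; allow only if some effective role carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in effective_roles(subject))


def finance_records_policy(subject: Subject, resource: dict, env: dict) -> bool:
    """ABAC rule from the table: department must match AND clearance must be High.
    The MFA check on the environment is an assumption added to show the third
    attribute class (environment) that ABAC policies can evaluate."""
    return (resource.get("type") == "financial_record"
            and subject.attributes.get("department") == resource.get("department")
            and subject.attributes.get("clearance") == "High"
            and env.get("mfa_verified") is True)


ABAC_POLICIES = [finance_records_policy]


def abac_allows(subject: Subject, resource: dict, env: dict, policies=ABAC_POLICIES) -> bool:
    """Deny by default; allow if any policy explicitly permits the request."""
    return any(policy(subject, resource, env) for policy in policies)


if __name__ == "__main__":
    nurse = Subject("nina", groups={"grp-clinical-staff"})
    doctor = Subject("dana", groups={"grp-physicians"})
    analyst = Subject("finn", attributes={"department": "finance", "clearance": "High"})
    ledger = {"type": "financial_record", "department": "finance"}
    print(rbac_allows(nurse, "patient_record:write"))             # False
    print(rbac_allows(doctor, "patient_record:write"))            # True
    print(abac_allows(analyst, ledger, {"mfa_verified": True}))   # True
    print(abac_allows(analyst, ledger, {"mfa_verified": False}))  # False
```

Two design points are worth noticing. Both evaluators return False unless something explicitly grants access, so an unknown role, an unknown group, or a missing attribute fails closed. And the GBAC layer never grants permissions directly: a group only maps to roles, which keeps the permission inventory in one place (the role table) for access certifications.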
3. Protocols & Standards
| Protocol | Purpose & Key Features | Real-World Use Cases |
|---|---|---|
| OAuth 2.0 | Grants delegated access to resources (e.g., APIs) without sharing passwords. | Letting a mobile app access a user's Google Drive files. |
| OIDC | Adds an identity layer to OAuth 2.0 for authentication. | "Sign in with Google" on a news website. |
| SAML 2.0 | Enables SSO for workforce apps via XML-based assertions. | Employees logging into Workday through Okta's end-user dashboard. |
| SCIM | Automates user provisioning/deprovisioning across systems. | Creating/deleting Slack accounts automatically when users join/leave a company. |
| LDAP | Queries directory services (e.g., user attributes, groups). | Authenticating users against on-prem Active Directory. |
| Kerberos | Secure ticket-based authentication within Windows domains. Uses symmetric encryption and time-limited tickets (a ticket-granting ticket, then per-service tickets) for resource access. | Access to on-prem file shares after domain login (internal networks only). |
| WebAuthn | Passwordless auth using biometrics/FIDO2 keys. | Employees logging into GitHub with a YubiKey. |
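The User Provisioning and Identity Lifecycle Management rows above (joiner, mover, leaver) and the SCIM row here describe the same process from two angles: the lifecycle decides what should change, and SCIM is the wire format that carries the change to each application. The following is an added example, not code from the original page or from any SCIM library: a reconciliation that compares a constructed HR feed with a constructed snapshot of an application's accounts and emits SCIM 2.0 request bodies for joiners, movers and leavers. The schema URNs are the standard SCIM 2.0 identifiers; the HR records, the application users, and the findings format are assumptions made for illustration.

```python
"""Added example (not from the original page): a joiner/mover/leaver reconciliation
that compares an HR source of truth with a target application's accounts and emits
SCIM 2.0 requests for the differences. HR records and the application snapshot are
constructed sample data; the review-findings format is likewise constructed."""
import json

SCIM_USER  = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed HR feed (authoritative source for who should have access).
HR_RECORDS = [
    {"employee_id": "E100", "email": "alice@example.com", "department": "finance",     "status": "active"},
    {"employee_id": "E101", "email": "bob@example.com",   "department": "sales",       "status": "active"},
    {"employee_id": "E102", "email": "carol@example.com", "department": "engineering", "status": "terminated"},
]

# Constructed snapshot of the application's users, keyed by SCIM externalId.
APP_USERS = {
    "E101": {"id": "app-7", "userName": "bob@example.com",    "department": "marketing",   "active": True},
    "E102": {"id": "app-9", "userName": "carol@example.com",  "department": "engineering", "active": True},
    "E999": {"id": "app-3", "userName": "orphan@example.com", "department": "unknown",     "active": True},
}


def scim_create(rec: dict) -> dict:
    """POST /Users body for a joiner (core schema plus enterprise extension)."""
    return {"method": "POST", "path": "/Users", "body": {
        "schemas": [SCIM_USER, ENTERPRISE],
        "externalId": rec["employee_id"],
        "userName": rec["email"],
        "emails": [{"value": rec["email"], "primary": True}],
        "active": True,
        ENTERPRISE: {"department": rec["department"]},
    }}


def scim_patch(user_id: str, path: str, value) -> dict:
    """PATCH /Users/{id} body with a single replace operation."""
    return {"method": "PATCH", "path": f"/Users/{user_id}", "body": {
        "schemas": [SCIM_PATCH],
        "Operations": [{"op": "replace", "path": path, "value": value}],
    }}


def reconcile(hr_records: list, app_users: dict) -> tuple:
    """Return (scim_operations, review_findings).

    Joiners get a create, movers a department update, leavers a deactivation.
    Accounts with no HR record cannot be reconciled automatically and are
    reported as orphan findings for an access certification instead."""
    operations, findings = [], []
    known = set()
    for rec in hr_records:
        eid = rec["employee_id"]
        known.add(eid)
        current = app_users.get(eid)
        if rec["status"] == "active":
            if current is None:                                    # joiner
                operations.append(scim_create(rec))
                continue
            if not current["active"]:                              # rehire
                operations.append(scim_patch(current["id"], "active", True))
            if current["department"] != rec["department"]:         # mover
                operations.append(scim_patch(current["id"], ENTERPRISE + ":department", rec["department"]))
        elif current is not None and current["active"]:           # leaver
            operations.append(scim_patch(current["id"], "active", False))
    for eid, acct in app_users.items():
        if eid not in known and acct["active"]:                    # orphan account
            findings.append({"externalId": eid, "userName": acct["userName"],
                             "issue": "active account with no HR record"})
    return operations, findings


if __name__ == "__main__":
    ops, issues = reconcile(HR_RECORDS, APP_USERS)
    print(json.dumps(ops, indent=2))
    print(json.dumps(issues, indent=2))
```

Leavers are deactivated (`active: false`) rather than deleted so that audit history and ownership of their data survive; a DELETE can follow after a retention period. The orphan check is what links provisioning to the Access Certifications row: an account the automation cannot explain is exactly what a quarterly review should put in front of a human.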
Legacy/Declining Protocols
| Protocol | Limitations & Modern Alternatives |
|---|---|
| NTLM | Vulnerable to pass-the-hash attacks; replaced by Kerberos. |
| WS-Fed | Less flexible than OIDC/SAML, but still used in AD Federation Services. |
| SPML | XML-heavy and complex; largely replaced by SCIM. |
| XACML | Overly verbose for most use cases; replaced by policy-as-code tools. |