CompTIA Security+: Identity and Access Management
AI-Generated Content
Controlling who gets into your systems and what they can do once inside is the bedrock of information security. A large share of breaches, from stolen credentials to unauthorized data access, trace back to a failure in Identity and Access Management (IAM). For the CompTIA Security+ exam and your career, mastering IAM means moving beyond simple passwords to a framework of authentication, authorization, and accounting that protects resources in an increasingly complex, hybrid world.
The Pillars of IAM: Authentication, Authorization, and Accounting
IAM is built on the foundational AAA framework: Authentication, Authorization, and Accounting. Think of it like entering a secure office building. Authentication is proving your identity at the front desk (e.g., showing an ID badge). Authorization is being granted access to specific rooms, like the finance department but not the R&D lab, based on your job role. Accounting is the logbook at the front desk that records your entry time, the rooms you accessed, and your exit time, providing an audit trail.
In technical terms, authentication verifies a subject's identity (a user, system, or process). Authorization determines what objects (files, databases, applications) the authenticated subject can access and what actions they can perform. Accounting, also called auditing, tracks and logs these activities for security monitoring, forensic analysis, and compliance reporting. A robust IAM strategy seamlessly integrates all three components.
Strengthening the Gate: Authentication Methods and Protocols
The first line of defense is proving "you are who you say you are." The simplest form is single-factor authentication, typically a password (something you know), and on its own it is weak: passwords are guessed, phished, reused, and leaked in breaches. Multi-factor authentication (MFA) requires two or more factors from different categories: something you know (password, PIN), something you have (smart card, hardware security key, authenticator app or phone), and something you are (a biometric such as a fingerprint or retina scan). Two factors from the same category, such as a password plus a PIN, are not MFA; this is a common exam distractor. MFA dramatically reduces the risk of account compromise even if a password is stolen, though not all second factors are equal: SMS codes can be intercepted or phished in real time, whereas FIDO2 security keys are phishing-resistant.
For centralized authentication, several key protocols are used. Lightweight Directory Access Protocol (LDAP) is the protocol for querying and updating a directory service such as Microsoft Active Directory or OpenLDAP; the directory is the "phone book" that stores user accounts, password hashes, group memberships, and other attributes, and LDAP is how clients read it and bind (authenticate) against it. A simple bind sends the password in cleartext, so LDAP should be wrapped in TLS (LDAPS on port 636 or StartTLS on 389). Remote Authentication Dial-In User Service (RADIUS) is a client-server protocol that centralizes authentication, authorization, and accounting for network access and is commonly used for VPNs, Wi-Fi (802.1X), and network device logins. A RADIUS client such as a wireless access point or VPN concentrator forwards the user's credentials to a central RADIUS server for verification. RADIUS runs over UDP and protects only the User-Password attribute, by XORing it with an MD5 keystream derived from a shared secret; everything else travels in the clear, so the client-to-server path should be trusted or tunneled (RadSec over TLS, or IPsec), and the shared secret must be long and random.
Modern applications often rely on federated identity. Security Assertion Markup Language (SAML) is an XML-based standard that enables single sign-on (SSO), allowing a user to log in once and gain access to multiple, separate enterprise applications. In a SAML flow, an Identity Provider (IdP) such as Okta or AD FS authenticates the user and sends a digitally signed SAML assertion to the Service Provider (SP), which grants access without the user re-entering credentials. The SP must verify the assertion's signature, issuer, audience, and validity window; an SP that skips signature validation will accept an assertion anyone can forge.
For web, mobile, and API access, OAuth 2.0 and OpenID Connect (OIDC) are prevalent. OAuth 2.0 is an authorization framework that allows an application to obtain limited access to a user's resources on another service (e.g., using your Google account to grant a photo printing app access to your Google Photos). It's about delegation, not authentication: an access token proves that the user consented to some scopes, not who the user is, and a token issued to one application can be replayed to another. OpenID Connect is a thin identity layer on top of OAuth 2.0 that adds authentication by issuing a signed ID token (a JWT) whose issuer, audience, expiry, nonce, and signature the client must verify before trusting the identity it carries.
Governing Access: Authorization and Access Control Models
Once a user is authenticated, the system must authorize their actions. This is governed by formal access control models. The Discretionary Access Control (DAC) model is owner-centric: the owner of an object decides who gets access. In a file system this is seen as user/group/other permission bits and access control lists (ACLs), where the file's owner can grant read or write access to others. While flexible, DAC can lead to permission sprawl, and malware running as a user inherits everything that user can reach.
The Mandatory Access Control (MAC) model is system-enforced and label-based, used in highly secure environments such as military or government systems. Users and data objects are assigned classification labels (e.g., Top Secret, Secret). A user can only read data if their clearance level dominates (is equal to or higher than) the object's label, and neither the user nor the object's owner has discretion to change these rules. SELinux and AppArmor bring the same idea to Linux, confining processes by policy regardless of what the file owner permits.
The Role-Based Access Control (RBAC) model is the most common in enterprise IT. Access is granted based on the user's organizational role (e.g., "Accountant," "Help Desk Tier 1"). Permissions are assigned to roles, and users are assigned to roles. This simplifies management—when John moves from Sales to HR, you simply remove him from the "Sales" role and add him to the "HR" role, instantly updating all his permissions.
The Attribute-Based Access Control (ABAC) model is a more dynamic and granular approach. Access decisions are made by evaluating a set of policies against attributes of the user, resource, and environment. A policy could state: "A consultant (user attribute) can view (action) financial reports (resource attribute) only if the access attempt originates from the corporate network (environment attribute) and the report is not classified (resource attribute)."
Underpinning all these models is the principle of least privilege, which mandates that users and processes should be granted only the minimum levels of access—or permissions—necessary to perform their legitimate functions. This limits the "blast radius" of a compromised account.
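The policy below is an added example (not code from the original article) that turns the consultant rule above into a small policy engine: a deny rule, the ABAC rule built from subject, action, resource, and environment attributes, and an RBAC rule for comparison, combined deny-overrides with default deny so that least privilege is the baseline rather than an afterthought. The attribute names (`role`, `type`, `classified`, `network`) and the rules themselves are constructed for the illustration.

```python
"""Tiny policy engine: RBAC and ABAC rules with deny-overrides and default deny.
Added example; attribute names and rules are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: dict      # user attributes, e.g. {"role": "consultant"}
    action: str        # "view", "edit", ...
    resource: dict     # e.g. {"type": "financial_report", "classified": False}
    environment: dict  # e.g. {"network": "corporate"}


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Request], bool]
    effect: str = "permit"  # "permit" or "deny"


POLICY = [
    # Deny rules win over any permit (deny-overrides combining).
    Rule("consultants never see classified data",
         lambda r: r.subject["role"] == "consultant" and r.resource["classified"],
         effect="deny"),
    # The article's ABAC rule: subject, action, resource and environment attributes.
    Rule("consultant views financial reports from the corporate network",
         lambda r: r.subject["role"] == "consultant"
         and r.action == "view"
         and r.resource["type"] == "financial_report"
         and r.environment["network"] == "corporate"),
    # A plain RBAC rule: permissions hang off the role alone.
    Rule("accountant role",
         lambda r: r.subject["role"] == "accountant"
         and r.action in {"view", "edit"}
         and r.resource["type"] == "financial_report"),
]


def evaluate(policy: list[Rule], req: Request) -> tuple[str, str]:
    """Return (decision, rule name). Anything not explicitly permitted is denied."""
    permit_by = None
    for rule in policy:
        try:
            applies = bool(rule.condition(req))
        except KeyError:
            applies = False  # a missing attribute never grants access
        if not applies:
            continue
        if rule.effect == "deny":
            return "deny", rule.name
        permit_by = permit_by or rule.name
    if permit_by is None:
        return "deny", "default deny (least privilege)"
    return "permit", permit_by


def consultant_request(network: str, classified: bool = False,
                       action: str = "view") -> Request:
    """Convenience constructor for the scenario in the text."""
    return Request({"role": "consultant"}, action,
                   {"type": "financial_report", "classified": classified},
                   {"network": network})


if __name__ == "__main__":
    for req in (consultant_request("corporate"),
                consultant_request("home-vpn"),
                consultant_request("corporate", classified=True),
                consultant_request("corporate", action="edit")):
        print(req.action, req.environment, req.resource["classified"], "->",
              evaluate(POLICY, req))
```

The `KeyError` branch is deliberate: an ABAC engine that treats an absent attribute as "unknown, so allow" is a common real-world bug, and the safe reading of a missing environment attribute is that the condition was not met.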
Managing the Lifecycle: Account and Privileged Access Management
IAM is not a one-time setup; it's an ongoing lifecycle. Effective account management enforces policies for account creation, periodic permission review, and timely de-provisioning. Supporting controls include time-of-day and location restrictions that block logins outside expected working hours or places, and credential policies covering password length, history, and rotation. Note that current guidance (NIST SP 800-63B) favors long passphrases screened against breached-password lists over mandatory complexity rules and periodic expiration: rotate a password when there is evidence it was compromised, not on a calendar, but expect the exam to still list complexity, history, and expiration as policy options.
The most critical accounts are those with elevated permissions. Privileged Access Management (PAM) is the discipline of securing, monitoring, and controlling these powerful accounts. Best practices include:
- Just-In-Time (JIT) access, where elevated privileges are granted only for a specific task and a limited time window.
- Using privileged access workstations (PAWs), hardened computers used only for sensitive administrative tasks.
- Employing a password vault to manage, rotate, and monitor the use of privileged account credentials, eliminating the use of static admin passwords.
- Mandating multi-factor authentication (MFA) for all privileged account logins without exception.
Finally, two controls close the loop. Account lockout after a set number of failed login attempts slows brute-force and password-spraying attacks, though thresholds need care: an attacker who knows the policy can deliberately lock out legitimate users, so pair lockout with monitoring rather than relying on it alone. Accounting then provides comprehensive logging and auditing: authentication events, privilege use, and resource access must be recorded, protected from tampering (forwarded to a centralized or write-once log store), and reviewed regularly to detect anomalous behavior, such as a user accessing files at an unusual time or from an unfamiliar location.
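As an added example of the review step (not code from the original article), the block below parses a handful of constructed authentication log lines and applies two detections: a sliding-window count of failures per user and source that would justify lockout or alerting, and a check of successful logins against business hours and each user's familiar networks. The log format, every record, and the per-user baseline of known networks are all constructed for the illustration.

```python
"""Review authentication logs for brute-force bursts and anomalous successes.
Added example; the log lines, format and network baseline are constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-06T09:02:11Z auth: user=alice result=success src=10.20.0.15
2024-05-06T09:03:02Z auth: user=bob result=failure src=203.0.113.7
2024-05-06T09:03:09Z auth: user=bob result=failure src=203.0.113.7
2024-05-06T09:03:15Z auth: user=bob result=failure src=203.0.113.7
2024-05-06T09:03:22Z auth: user=bob result=failure src=203.0.113.7
2024-05-06T09:03:30Z auth: user=bob result=failure src=203.0.113.7
2024-05-06T09:03:41Z auth: user=bob result=failure src=203.0.113.7
2024-05-06T09:03:55Z auth: user=bob result=success src=203.0.113.7
2024-05-06T10:14:37Z auth: user=carol result=success src=198.51.100.9
2024-05-06T13:30:00Z auth: user=dave result=failure src=10.20.0.40
2024-05-07T02:15:44Z auth: user=alice result=success src=10.20.0.15
this line is not an auth record and must be skipped
"""

# Constructed baseline: the networks each user normally authenticates from.
KNOWN_NETWORKS = {
    "alice": ["10.20.0.0/16"],
    "bob": ["10.20.0.0/16"],
    "carol": ["10.20.0.0/16"],
    "dave": ["10.20.0.0/16"],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)$")


def parse_log(text: str) -> list[dict]:
    """Turn raw lines into event dicts; unrelated lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_bruteforce(events: list[dict], threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Flag (user, src) pairs with >= threshold failures inside any window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"user": user, "src": src, "failures": best})
    return alerts


def detect_anomalous_logins(events: list[dict], known_networks: dict,
                            business_hours: tuple[int, int] = (8, 18)) -> list[tuple]:
    """Flag successful logins outside business hours or from an unfamiliar network."""
    flagged = []
    for e in events:
        if e["result"] != "success":
            continue
        reasons = []
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            reasons.append("off-hours")
        addr = ipaddress.ip_address(e["src"])
        nets = known_networks.get(e["user"], [])  # unknown user -> nothing is familiar
        if not any(addr in ipaddress.ip_network(n) for n in nets):
            reasons.append("unfamiliar source")
        if reasons:
            flagged.append((e["user"], e["src"], tuple(reasons)))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute-force:", detect_bruteforce(evs))
    for item in detect_anomalous_logins(evs, KNOWN_NETWORKS):
        print("anomalous:", item)
```

Notice that bob's success at 09:03:55 is flagged by the second detection alone; correlating it with the preceding burst of failures from the same address is what turns "unfamiliar source" into a probable credential compromise worth an immediate response.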
Common Pitfalls
- Confusing OAuth with Authentication: A frequent exam trap and real-world error is using OAuth 2.0 alone for authentication. OAuth is for authorization (access delegation). For identity verification, you must layer OpenID Connect on top of it or use a dedicated authentication protocol like SAML.
- Over-Permissioning and Role Bloat: Violating the principle of least privilege is common. This happens by adding users to overly broad roles (like "Administrator") for convenience or failing to clean up old permissions when users change roles. Regularly scheduled access reviews are essential to combat this.
- Neglecting the Full Account Lifecycle: Focusing only on onboarding and forgetting offboarding is a major security gap. Dormant accounts (often called "orphaned" or "zombie" accounts) of former employees are prime targets for attackers. Automated de-provisioning processes must be tied directly to HR systems.
- Poor Management of Service Accounts: Non-human accounts used by applications and systems often have powerful privileges and static passwords that are rarely changed. These are high-value targets. They must be included in the PAM strategy, with their credentials managed by a vault and their activity closely monitored.
Summary
- IAM rests on the AAA framework: Authentication (verify identity), Authorization (grant permissions), and Accounting (log activities).
- Strong authentication requires MFA (two or more factors from different categories: something you know, have, or are) and is supported by protocols such as LDAP (directories), RADIUS (network access), SAML (enterprise SSO), and OAuth/OpenID Connect (delegated authorization and identity for modern apps).
- Access is governed by models: DAC (owner-controlled), MAC (system-enforced labels), RBAC (role-based), and ABAC (dynamic attribute-based), all guided by the principle of least privilege.
- Secure the lifecycle through robust account management policies, and treat Privileged Access Management (PAM) as a critical discipline, using vaults, JIT access, and PAWs to protect high-level accounts.
- Avoid common errors like misusing OAuth, over-permissioning users, leaving dormant accounts active, and failing to secure service accounts.