Feb 27

CISSP Domain 5 - Identity and Access Management

Mindli Team

AI-Generated Content


Identity and Access Management (IAM) is the security discipline that ensures the right individuals have the right access to the right resources at the right times and for the right reasons. It is the cornerstone of every enterprise security program, acting as the primary gatekeeper between users and the critical data, systems, and applications they need. A failure in IAM can lead to catastrophic data breaches, compliance violations, and operational disruption, making its mastery non-negotiable for any security professional.

Core IAM Concepts: The AAA Framework

The foundation of IAM is built upon four interrelated concepts, often called the AAA security model: Identification, Authentication, Authorization, and Accountability.

Identification is the claim of an identity. A user or system asserts who they are by providing a unique identifier, such as a username, user ID, or email address. Identification is only a claim: any number of users can assert the same identifier, so identification on its own is not proof of identity.

Authentication is the verification of that claimed identity. It’s the process of proving you are who you say you are. Authentication answers the question, "Are you genuine?" Common authentication factors fall into three categories: something you know (a password or PIN), something you have (a smart card or token), and something you are (a fingerprint or retina scan). Multi-factor authentication (MFA) requires evidence from two or more of these distinct categories, dramatically increasing security over single-factor methods like a password alone.

Authorization occurs after successful authentication. It determines what an authenticated identity is allowed to do. Authorization defines the permissions—like read, write, execute, delete—granted to a user over specific resources. It enforces policies that answer, "What are you allowed to access?"

Accountability is achieved by linking activities to a specific, authenticated identity. This is primarily done through comprehensive audit trails and logging. If you cannot trace an action back to an individual, you cannot hold them responsible. Accountability is what makes the other three A's meaningful from a security governance perspective.

Authentication Systems and Infrastructure

Robust authentication extends beyond simple passwords. Single sign-on (SSO) is a system that allows a user to authenticate once and gain access to multiple, related but independent software systems without logging in again. This improves user experience and can reduce the risk of password fatigue, but it creates a single point of failure—if the primary SSO credential is compromised, all linked systems are at risk.

To enable both SSO and centralized management, organizations use directory services. A directory service, such as Microsoft Active Directory or an LDAP directory (one queried over the Lightweight Directory Access Protocol), is a database that stores and organizes information about network resources and user identities. It acts as the central phonebook for your digital environment, allowing systems to look up and verify user credentials and attributes.

When access needs to cross organizational boundaries, federated identity comes into play. This uses standards like Security Assertion Markup Language (SAML) or OpenID Connect to allow a user’s identity and authentication credentials from one domain (the identity provider, or IdP) to be trusted by another, separate domain (the service provider, or SP). For example, when you use your Google account to log into a third-party website like Spotify, you are using a form of federated identity.

Access Control Models: The Rulebooks for Authorization

Authorization decisions are governed by formal access control models. These are the rulebooks that systems follow to grant or deny access.

Discretionary Access Control (DAC) is a flexible model where the data owner decides who gets access. In a DAC system, if you create a file, you have the discretion to grant read or write permissions to other users. It’s common in operating systems like Windows and Linux but can lead to permission sprawl if not carefully managed.

Mandatory Access Control (MAC) is a strict, policy-driven model used in highly secure environments like governments and militaries. Access decisions are based on security labels (e.g., Confidential, Secret, Top Secret) assigned to both subjects (users) and objects (data). A user can only access data if their security clearance level dominates the data’s classification label. Users cannot override these rules, even if they own the data.

Role-Based Access Control (RBAC) is a business-aligned model where access rights are assigned to roles, not individuals. Users are then assigned to roles based on their job function. For example, all "Accountants" get access to the financial system, and all "HR Associates" get access to the employee database. This simplifies management, as changing a user’s access is as simple as changing their role assignment.

Attribute-Based Access Control (ABAC) is a dynamic, fine-grained model that uses policies that evaluate attributes of the user, resource, action, and environment. A policy could state: "A consultant (user attribute) can read (action) project files (resource) only if their contract is active (user attribute) and the access request is made during business hours (environment attribute)." ABAC offers great flexibility but is more complex to implement and manage.
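An added example (not from the original notes) that turns the two models above into code: the consultant policy from the ABAC paragraph becomes a grant rule, and the MAC dominance check becomes a mandatory constraint that no grant can override. The level ordering, the 09:00-17:00 business-hours window, the sample date and the attribute names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

# Ordered security levels for the MAC rule (constructed ordering for this example).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass
class Request:
    user: dict      # subject attributes: role, contract_active, clearance
    action: str     # read, write, ...
    resource: dict  # object attributes: type, classification
    env: dict       # environment attributes: time of the request


Rule = Callable[[Request], bool]


def consultant_read_rule(req: Request) -> bool:
    """ABAC grant from the text: a consultant may read project files only while
    their contract is active and during business hours (assumed 09:00-17:00)."""
    return (
        req.user.get("role") == "consultant"
        and req.action == "read"
        and req.resource.get("type") == "project_file"
        and req.user.get("contract_active") is True
        and 9 <= req.env["time"].hour < 17
    )


def clearance_dominates(req: Request) -> bool:
    """MAC constraint: the subject's clearance must be at or above the object's
    classification. A missing clearance or label raises KeyError (fail closed)."""
    return LEVELS[req.user["clearance"]] >= LEVELS[req.resource["classification"]]


def is_allowed(req: Request, grants: list[Rule], constraints: list[Rule]) -> bool:
    """Deny by default: every mandatory constraint must hold AND at least one
    grant rule must match. Owners cannot waive a constraint, as MAC requires."""
    return all(c(req) for c in constraints) and any(g(req) for g in grants)


def decide(user: dict, action: str, resource: dict, when: datetime) -> bool:
    """Evaluate one request against the example policy set."""
    req = Request(user, action, resource, {"time": when})
    return is_allowed(req, [consultant_read_rule], [clearance_dominates])


def at_hour(hour: int) -> datetime:
    """Constructed timestamp on an arbitrary weekday, used to vary the environment."""
    return datetime(2024, 3, 4, hour, 0)
```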

Foundational Security Principles

Two critical principles must be woven into the implementation of any IAM system: least privilege and separation of duties.

The principle of least privilege dictates that a user, process, or system should be granted the minimum levels of access—or permissions—necessary to perform its legitimate functions. An accountant does not need administrative rights to the web server, and a backup service account only needs read access to the files it backs up. This limits the "blast radius" of a compromise, whether it's a malicious insider or a hijacked user account.

Separation of duties (SoD) is the practice of dividing critical tasks and related permissions among multiple users to prevent fraud, error, and abuse. The classic example is in financial systems: the person who requests a payment should not be the same person who authorizes it, and a third person should reconcile the accounts. In IAM, this means ensuring no single individual has end-to-end control over a sensitive process. SoD is often enforced through careful role engineering in RBAC systems.
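An added example, not part of the original notes, of how SoD can be checked mechanically in an RBAC design: the request/approve/reconcile split from the payment example above becomes a list of conflicting permission pairs, and both the role definitions themselves and users' role assignments are tested against it. Role and permission names are constructed for the example.

```python
# Role definitions for a payments process (constructed for this example).
ROLE_PERMISSIONS = {
    "ap_clerk": {"payment.request"},
    "ap_manager": {"payment.approve"},
    "controller": {"ledger.reconcile"},
    "finance_admin": {"payment.request", "payment.approve"},  # badly engineered role
}

# Pairs of permissions that no single identity may hold at the same time.
SOD_CONFLICTS = [
    ("payment.request", "payment.approve"),
    ("payment.approve", "ledger.reconcile"),
    ("payment.request", "ledger.reconcile"),
]


def effective_permissions(roles: list[str]) -> set[str]:
    """Union of the permissions granted by every role a user holds."""
    perms: set[str] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]  # unknown role raises KeyError: fail closed
    return perms


def sod_violations(permissions: set[str]) -> list[tuple[str, str]]:
    """Return every conflicting pair fully contained in the permission set."""
    return [(a, b) for a, b in SOD_CONFLICTS if a in permissions and b in permissions]


def toxic_roles() -> list[str]:
    """Role-engineering check: roles that violate SoD on their own, before
    anyone is even assigned to them."""
    return sorted(r for r, p in ROLE_PERMISSIONS.items() if sod_violations(p))


def audit_assignments(assignments: dict[str, list[str]]) -> dict[str, list[tuple[str, str]]]:
    """Map each user with at least one SoD violation to the conflicts found.
    Run this as part of the periodic access review, not only at provisioning time."""
    report: dict[str, list[tuple[str, str]]] = {}
    for user, roles in assignments.items():
        found = sod_violations(effective_permissions(roles))
        if found:
            report[user] = found
    return report
```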

Common Pitfalls

  1. Confusing Authorization with Accountability: A common exam trap is mixing up these concepts. Remember: Authorization is about permissions (what you can do). Accountability is about traceability (logging what you did). You can have strong authorization controls but still lack accountability if you fail to log and monitor activities.
  2. Over-Privileged Service Accounts: Applying the principle of least privilege to human users is common, but it is often neglected for machine or service accounts. These non-human identities are frequently granted excessive, permanent permissions, making them prime targets for attackers. Implement regular reviews and use just-in-time access where possible.
  3. Weak MFA Implementation: Not all MFA is created equal. Using two factors from the same category (e.g., a password and a security question—both "something you know") is not true MFA. Furthermore, using SMS for one-time codes is vulnerable to SIM-swapping attacks. Prefer stronger authenticator apps or hardware tokens for the "something you have" factor.
  4. Role Proliferation in RBAC: A major failure in RBAC design is creating a new role for every minor permission variation, leading to hundreds of roles that are as hard to manage as individual user permissions. Effective RBAC requires identifying truly distinct job functions within the business, not creating a technical role for every possible access combination.

Summary

  • IAM is governed by the AAA framework: Identification (claiming an identity), Authentication (proving the claim), Authorization (granting permissions), and Accountability (logging actions for audit).
  • Authentication mechanisms evolve from passwords to MFA, supported by infrastructure like Single Sign-On (SSO) for user convenience, directory services for central management, and federated identity for cross-domain trust.
  • Access control models provide the rulebook for authorization decisions: DAC is owner-centric, MAC is label-based and mandatory, RBAC is role-driven for business alignment, and ABAC is dynamic and policy-based on multiple attributes.
  • The principle of least privilege and separation of duties are non-negotiable security principles that must be designed into every IAM system to minimize risk and prevent fraud.
  • Effective IAM requires continuous lifecycle management—from secure provisioning of identities to timely de-provisioning—and rigorous auditing to ensure policies are enforced and principles are upheld.
