Identity and Access Management

Identity and Access Management (IAM) is a critical cybersecurity frameworks which ensures that the right individuals and systems have appropriate access to an organization’s resources. In this post, I will break down IAM’s core concepts, explain its critical components, and provide technical examples of implementation.

What is IAM?

IAM refers to a set of policies, technologies, and processes used to manage digital identities and regulate access to resources. IAM systems ensure that human or machine entities are authenticated, authorized, and continuously monitored while accessing sensitive data or services.

Core Functions of IAM:

• Identity Management: Manages user identities, profiles, and credentials.
• Authentication: Validates the identity of a user or system.
• Authorization: Determines the permissions granted to a user or system based on predefined roles.
• Auditing and Monitoring: Tracks user activity to ensure security compliance.

Core Components of IAM

• User Identity: This includes the information necessary to uniquely identify a user, such as username, email, or unique ID numbers.
• Authentication: The process of proving that the user is who they claim to be. This is done via:
  • Passwords: The most common method of authentication.
  • Passkeys: A passwordless method using cryptographic keys tied to a user’s device. They replace passwords with biometric data (like fingerprint or face ID) or a physical device (phone or security key). Passkeys are stored locally, reducing risks like phishing and credential theft.
  • Multi-Factor Authentication (MFA): Combines multiple forms of authentication, such as a password (something you know) and a mobile code (something you have).
  • Federated Authentication: Uses a trusted third party to authenticate users, such as OAuth or SAML. Example: In AWS IAM, users can log in via a username/password combination and enable MFA using an application like Google Authenticator.
• Authorization: Once authenticated, IAM systems determine what actions a user can perform. This is typically done through Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC).

Example: In AWS IAM, a policy document is written in JSON to define user or role permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example_bucket"
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::example_bucket/*"
    }
  ]
}

In this policy, the user is allowed to list objects in an S3 bucket but denied permission to delete them.

• Provisioning and De-provisioning: When a new user joins or leaves an organization, their access is provisioned or revoked across systems.
• Automated provisioning ensures new hires are granted appropriate permissions based on their role, and automated de-provisioning ensures access is removed as soon as they depart.
  Example: In Microsoft Active Directory, user provisioning can be automated via Group Policy or third-party tools like Okta.
• Access Review and Monitoring: IAM systems continuously log user access and activity for auditing and compliance.

IAM Models: RBAC and ABAC

• Role-Based Access Control (RBAC):
  • Access is granted based on the roles assigned to users.
  • Roles are created based on job functions (e.g., admin, developer, viewer).

Example: In Azure AD, roles are assigned to users as follows:

{
  "roleName": "Admin",
  "assignments": [
    {
      "user": "John",
      "permissions": ["read", "write", "execute"]
    }
  ]
}

• Attribute-Based Access Control (ABAC):
  • Decisions are based on attributes like user department, location, or resource tags.
  • Allows fine-grained, context-aware access control.

Example: In AWS, ABAC can be implemented based on user tags:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::example_bucket",
    "Condition": {
      "StringEquals": {
        "aws:RequestTag/Department": "Finance"
      }
    }
  }
}

This policy allows users in the Finance department to access the S3 bucket.

Authentication Protocols in IAM

• OAuth 2.0:
  • Used to allow third-party applications to access a user’s account without sharing credentials.
  • It provides authorization tokens instead of credentials.

• Example: A user logs in with their Google account to access a third-party application like GitHub. GitHub uses OAuth to authenticate the user with Google without ever receiving the user’s password.
• Security Assertion Markup Language (SAML):
• Provides Single Sign-On (SSO) by allowing identities to be passed between identity providers and service providers.

• Example: An organization uses SAML to enable employees to access multiple cloud applications (like Salesforce or Office 365) with a single login using an internal Active Directory account.
• Kerberos:
• A network authentication protocol using tickets to allow secure authentication between users and services.
• Example: In a Windows environment, users log into their workstation, and a Kerberos ticket is generated and presented to services (like file shares or email) without requiring additional authentication.

IAM Best Practices

Principle of Least Privilege (PoLP): Users should be granted the minimal level of access required to perform their jobs.

Example: In AWS IAM, you can restrict a user to only be able to launch EC2 instances but prevent them from deleting them:

{
  "Effect": "Allow",
  "Action": "ec2:RunInstances",
  "Resource": "*"
},
{
  "Effect": "Deny",
  "Action": "ec2:TerminateInstances",
  "Resource": "*"
}

• Use Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring a second form of identification, such as a mobile device.
  Example: In AWS, users can enable MFA for an extra layer of protection when accessing the console.
• Rotate Keys Regularly: API keys, access tokens, and certificates should be rotated regularly to mitigate potential compromises.
  Example: In AWS, IAM users can have programmatic access to resources via access keys. These keys should be rotated periodically and monitored for usage.
• Continuous Monitoring and Auditing: Regularly monitor access logs to detect unusual patterns.
  Example: In AWS, CloudTrail logs every API call, providing a detailed audit trail for IAM actions. The logs can be integrated with Amazon GuardDuty to alert on suspicious activity.

Implementing IAM in Cloud Environments

Cloud platforms like AWS, Azure, and Google Cloud have built-in IAM services that offer fine-grained access control.

Example in AWS IAM:

AWS IAM allows you to create policies that control access to services such as EC2, S3, and RDS. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example_bucket/*"
    }
  ]
}

In this policy, the user is granted permission to retrieve objects from a specific S3 bucket but nothing else.

Conclusion

Identity and Access Management (IAM) is a cornerstone of secure systems design. From user authentication to role-based access controls, it defines how organizations manage identities and secure resources. By implementing best practices, such as least privilege and MFA, and using the right tools like AWS IAM or Azure AD, you can significantly enhance your security posture.