Identity and Access Management

Identity and Access Management (IAM) is one of the basics of information security.

Concepts related to Authentication

Continuous authentication Monitors user behavior continuously to ensure that the authenticated user remains the same throughout a session.

Risk-based authentication analyzes user behavior and contextual information to determine the level of risk and adjust authentication requirements accordingly.

Zero trust security model may apply authentication dynamically.

Zero Trust Network Access (ZTNA) is an IT security solution that provides secure remote access to an organization’s applications, data, and services based on clearly defined access control policies.

You can read more about zero trust security on this post.

Secrets management includes password management. You can read more about secrets management on this post.

An Identity Provider (IdP) is a third-party that provides identification and authentication services. Though it performs authentication, it may not perform authorization.

Access Control Models

You can read about access control models on this post.

Primary Authentication Factors

Primary authentication factors:

  1. Type 1 – Something you know
  2. Type 2 – Something you have
  3. Type 3 – Something you are

Types of Authentication

Types of authentication:

  • Password-based authentication
  • Multi-factor authentication (MFA)
  • Public Key Infrastructures (PKI)
  • Challenge-response authentication
  • Biometric Authentication
  • Token-based authentication
  • Risk-based authentication
  • Knowledge-based authentication

Multi-factor Authentication (MFA)

Multi-factor Authentication (MFA) or multifactor authentication requires two or more of the above mentioned primary authentication factors.

An example of MFA solution is PIV (Personal Identify Verification).

SMS Authentication

SIM factores are insecure because of SIM swapping and VoIP-based attacks on SMS messages.

Challenge-response Authentication

You can read more about challenge-response authentication on this post.

Biometric Authentication

Biometric authentication is any authentication method that is based on human biometrics.

You can read more about biometric authentication on this post.

Token-based Authentication

Token-based authentication may include Time-based One-Time Passwords (TOTP) and hardware tokens (like smart cards).

Knowledge-based Authentication

Knowledge-based authentication is used by some financial institutions to validate the identity of new users. It uses information from tax and financial records that is unlikely to be available to others, allowing new users to provide details like their last credit car payment, mortgage payment, or other information to validate their identity.

7 Laws of Identity

The 7 laws of identity were published in 2005 by Kim Cameron.

They consisted of:

  • Law 1: User control and consent
  • Law 2: Minimum disclosure for a constrained use
  • Law 3: Justifiable Parties
  • Law 4: Directed Identity
  • Law 5: Pluralism of Operators and Technologies
  • Law 6: Human Integration
  • Law 7: Consistent Experience Across Contexts

You can read them on this external document.

Account Provisioning

Account provisioning or user provisioning refers to the activities related to the creation, modification, disabilitation and deletion of user accounts and their profiles across IT applications.

Just-in-time provisioning (JIT provisioning) creates accounts when they are needed rather than creating them in advance. This is an effective method to limit the number of accounts being maintained and can be useful if user account numbers are part of a licensing agreement.

An standard format for account provisioning data is Service Provisioning Markup Language (SPML). It is an XML-based language designed to allow platforms to generate and respond to provisioning requests.

Directory Services

You can find a list of directory protocols on this post.

Authentication, Authorization and Accounting Protocols

You can find a list of identity and authentication protocols on this post.

Authentication, authorization and accounting (AAA) network protocols on this post.

Network Access Control Methods

Network Access Control Methods:

  • MAC address filtering
  • Port Security
  • Authentication Protocols
  • Internal Network AAA
  • Web-based IAM
  • DHCP snooping
  • NAC
  • Directory Services
  • Identity Federation

MAC Address Filtering

Network devices are allowed or denied access based on their MAC addresses.

It is not very safe as MAC addresses can be spoofed.

Also they are difficult to handle when there are many devices or there are many connection and disconnections.

Port Security

It could either mean physical port security or OSI transport layer port security.

You can read more about this on “CISSP Study Guide 9th Edition”, p. 585.

Authentication Protocols

You can read more about authentication protocols like EAP / IEEE 802.1x, CHAP, PAP on this post.

Internal Network AAA

You can read about protocols for authentication, authorization and accountability (AAA) in an internal network on this post.

The most popular internal network AAA protocols are Kerberos, RADIUS and TATACS+.


Network Access Control (NAC) is a security solution that enforces policy on devices that access networks to increase network visibility and reduce risk. You can read more about it on this post.

Dynamic Host Configuration Protocol (DHCP) Snooping

DHCP snooping verifies the legitimacy of DHCP servers and prevents unauthorized DHCP servers on the network

Nevertheless, it does not provide user-level authentication.

Web-Based IAM

You can read about web-based identity and access management (IAM) protocols on this post.

The most popular protocols are SAML, OAuth and OIDC.

Directory Services

You can read more about directory services on this post.

The most popular protocol is LDAP.

Identity Federation

Identity federation implies sharing identity information.

You can read more about identity federation on this post.

Session Management

Session management is enabled through:

  • Cookies
  • Hidden form fields
  • URL rewriting
  • Session built fraemworks (e.g., Java’s JavaHTTPS)

Secure session ID requisites:

  • Session ID should be impredictible
  • Session ID should be meaningless.
  • Session length should be at least 128 bits
  • Session ID should have at least 64 bits of entropy

Single Sign-On

Single Sign-on (SSO) allows a user to access multiple applications with a single set of credentials.

You can read more about single sign-on on this post.

You might also be interested in…

Leave a Reply

Your email address will not be published. Required fields are marked *