Identity and Access Management (IAM) — MFA, RBAC, and Zero Trust for Beginners

What Is Identity and Access Management and Why Does It Matter?

NIST SP 800-63 (Digital Identity Guidelines) defines identity and access management (IAM) as the framework of policies, processes, and technologies that ensures the right individuals have the appropriate access to resources at the right time. ISO 27001 Annex A.9 establishes IAM as a mandatory control domain, requiring organisations to manage access rights throughout the entire identity lifecycle.

Identity and access management (IAM) controls who can access systems and what they are allowed to do once inside. Every breach report confirms the same pattern — compromised credentials and excessive permissions are the fastest paths attackers exploit. Verizon’s 2024 Data Breach Investigations Report found that stolen credentials were involved in over 40% of breaches.

IAM is not just an IT operations topic. It sits at the intersection of security architecture, compliance, and day-to-day security operations. Whether you are configuring Active Directory in a small business, reviewing AWS IAM policies in a cloud environment, or triaging a suspicious login alert in a SOC, you are doing IAM work.

When I first encountered IAM during my cybersecurity studies, I assumed it was just “passwords and permissions” — something basic that everyone already understood. Then I started building my home lab with Active Directory and realised the difference between authentication and authorisation was far deeper than I expected. Creating a user account proved identity. But deciding which shares, systems, and admin tools that user could reach? That required a completely different way of thinking. IAM went from something I thought was obvious to the concept I now consider the most important in all of cybersecurity.

Quick Answer

What is identity and access management (IAM)? IAM is the framework of policies and technologies that controls who can access systems and what they are allowed to do, as defined by NIST SP 800-63 and ISO 27001 Annex A.9. Why it matters for beginners: IAM is a core domain on the CompTIA Security+ SY0-701 exam (Domain 2.0) and appears in virtually every cybersecurity job description. Key framework: The AAA model — Authentication (who are you?), Authorisation (what can you do?), and Accounting (what did you do?).

What Do Real-World IAM Failures Look Like?

The Verizon 2024 DBIR reports that stolen credentials were involved in over 40% of all data breaches, making IAM failures the single most common initial attack vector. MITRE ATT&CK documents credential-based techniques across multiple tactics, from Initial Access (T1078 — Valid Accounts) to Privilege Escalation.

IAM failures show up in every industry. These scenarios illustrate why getting identity and access right matters more than most technical controls.

Scenario	What went wrong	IAM concept involved
Former employee accesses company data weeks after leaving	No deprovisioning process removed their account	Identity lifecycle management
Receptionist accidentally deletes payroll database	Overly broad permissions — everyone was a local admin	Least privilege / RBAC
Attacker uses stolen password to access email, then pivots to finance systems	No MFA, and single password unlocked everything via SSO	Multi-factor authentication
Contractor accesses sensitive project data outside their scope	No attribute-based restrictions on data sensitivity	ABAC / need-to-know
Admin account compromised via phishing, attacker gains domain-wide control	Privileged account used for daily browsing, no PAM controls	Privileged Access Management
Cloud storage bucket exposed to the internet	Default IAM policy left public access enabled	Cloud IAM misconfiguration

How Does Identity and Access Management Work?

NIST SP 800-63 divides digital identity into three assurance levels — Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL) — providing a structured framework for implementing IAM controls proportionate to risk.

Think of IAM like building security in a large office complex. The front desk checks your ID badge (authentication). The access card system only opens the doors you are authorised to use (authorisation). The security camera logs show which doors you opened and when (accounting). IAM applies this same logic to every digital system.

Certification objective: CompTIA Security+ SY0-701 Domain 2.0 covers identity and access management concepts including authentication, authorisation, directory services, and access control models. CEH v13 includes IAM exploitation techniques.

The AAA Framework

AAA is the foundation of IAM — three distinct functions that work together:

Component	Question it answers	Examples
Authentication	Who are you?	Password, biometric, smart card, FIDO2 key
Authorisation	What are you allowed to do?	File permissions, role assignments, API scopes
Accounting	What did you do?	Audit logs, session recordings, access reports

A common beginner mistake is conflating authentication with authorisation. Logging in proves identity. It does not determine what you can access after login. These are separate decisions made by separate systems.

Key Definition

Multi-factor authentication (MFA) is a security mechanism that requires users to provide two or more verification factors from different categories (knowledge, possession, inherence) to gain access to a resource. NIST SP 800-63B classifies FIDO2/WebAuthn as the highest assurance authenticator because it is phishing-resistant and cryptographically bound to the relying party.

Authentication Factors

Authentication strength comes from combining different factor types:

Factor type	Category	Examples
Something you know	Knowledge	Password, PIN, security question
Something you have	Possession	Hardware token, authenticator app, smart card
Something you are	Inherence	Fingerprint, facial recognition, iris scan
Somewhere you are	Location	IP geolocation, GPS, network segment
Something you do	Behaviour	Typing pattern, mouse movement, usage habits

Multi-factor authentication (MFA) requires two or more factors from different categories. A password plus a TOTP code from an authenticator app is MFA. Two passwords are not — they are both “something you know.”

Access Control Models

Four primary models determine how authorisation decisions are made:

Model	Full name	How access is decided	Best for
DAC	Discretionary Access Control	Resource owner sets permissions	Small teams, file shares
MAC	Mandatory Access Control	System enforces labels (Top Secret, Secret)	Military, classified environments
RBAC	Role-Based Access Control	Permissions assigned to roles, users assigned to roles	Most organisations
ABAC	Attribute-Based Access Control	Policies evaluate attributes (role + time + location + data sensitivity)	Complex, dynamic environments

Step-by-Step Explanation

How Authentication Flows Work

When you log into a modern enterprise system, multiple components interact behind the scenes.

Step 1: Identity claim — The user provides a username or email address, asserting who they claim to be.

Step 2: Credential verification — The identity provider (IdP) checks the credential. For passwords, this means comparing a hash. For FIDO2/WebAuthn, this involves a cryptographic challenge-response with the user’s hardware key.

Step 3: MFA challenge — If MFA is enabled, the system requests a second factor. Common options include:

• TOTP (Time-based One-Time Password) — a six-digit code from an authenticator app like Microsoft Authenticator or Google Authenticator, valid for 30 seconds
• FIDO2/WebAuthn — a cryptographic challenge answered by a hardware security key (YubiKey) or platform authenticator (Windows Hello, Touch ID). Phishing-resistant because the key is bound to the specific site origin
• Push notification — the IdP sends an approval prompt to a registered device
• SMS code — a one-time code sent via text message (weakest MFA option, vulnerable to SIM swapping)

Step 4: Token issuance — On successful authentication, the IdP issues a session token or assertion (SAML, OAuth/OIDC) that grants the user access without re-authenticating for each request.

Step 5: Authorisation enforcement — The application checks the token against its access control policies (RBAC, ABAC) to determine what the user can see and do.

Single Sign-On (SSO)

SSO allows users to authenticate once and access multiple applications without re-entering credentials. The key protocols are:

• SAML 2.0 (Security Assertion Markup Language) — XML-based standard commonly used for enterprise web applications. The IdP sends a signed SAML assertion to the service provider.
• OAuth 2.0 — an authorisation framework that grants third-party applications limited access to user resources. It issues access tokens, not identity assertions.
• OpenID Connect (OIDC) — an identity layer built on top of OAuth 2.0. It adds an ID token that proves who the user is. This is what “Sign in with Google” uses.

The critical distinction: SAML handles both authentication and authorisation in enterprise contexts. OAuth handles authorisation only. OIDC adds authentication on top of OAuth.

Privileged Access Management (PAM)

Privileged accounts — domain admins, root accounts, service accounts, cloud IAM admins — are the highest-value targets for attackers. PAM controls include:

• Just-in-time (JIT) access — admin privileges are granted only when needed and automatically revoked after a time window
• Privileged session recording — all actions taken during elevated sessions are logged and can be replayed
• Password vaulting — privileged credentials are stored in an encrypted vault and checked out for temporary use
• Separation of duties — no single person can both approve and execute a privileged action

Directory Services

Most organisations manage identities through directory services:

• Active Directory (AD) — Microsoft’s on-premises directory service. Stores user accounts, groups, computers, and group policies. Nearly every Windows enterprise environment uses AD.
• Azure AD / Entra ID — Microsoft’s cloud identity service. Integrates with on-premises AD via hybrid configurations.
• LDAP (Lightweight Directory Access Protocol) — the protocol used to query directory services. Many Linux and cross-platform applications authenticate against LDAP.

How Does IAM Fit Into a Security Architecture?

ISO 27001 Annex A.9 positions access control as a cross-cutting concern that integrates with network security, cryptography, and operations security to form a layered defence. NIST SP 800-63 further defines a federated identity architecture where identity providers, relying parties, and credential service providers interact to deliver secure access at scale.

How IAM Components Connect

📊 Visual Explanation

IAM Authentication and Authorisation Flow

From identity claim to authorised access — every request follows this pipeline

Pause

Identity ClaimWho are you?

Username / email

Certificate / badge

AuthenticationProve it

Password / passkey

MFA challenge

IdP verification

Token IssuanceSession created

SAML assertion

OAuth / OIDC token

Session cookie

AuthorisationWhat can you do?

RBAC / ABAC check

Scope validation

Policy enforcement

AccountingWhat did you do?

Audit log entry

Session recording

Compliance report

Idle

RBAC vs ABAC Access Models

📊 Visual Explanation

RBAC vs ABAC

RBAC

Role-based — permissions tied to job roles

• Simple to implement and manage
• Easy to audit — roles map to job titles
• Widely supported in AD, AWS, Azure
• Role explosion in complex organisations
• Cannot handle dynamic conditions (time, location)
• Best for: stable org structures with clear roles

VS

ABAC

Attribute-based — policies evaluate multiple factors

• Fine-grained control based on context
• Handles dynamic conditions (time, location, sensitivity)
• Scales without role explosion
• More complex to design and troubleshoot
• Requires well-defined attribute taxonomy
• Best for: cloud-native, multi-tenant, regulated environments

Verdict: Start with RBAC for most organisations. Add ABAC when you need context-aware decisions that roles alone cannot express.

Use RBAC when…

Enterprise AD, AWS IAM roles, departmental access

Use ABAC when…

Healthcare data access, cloud resource policies, time-restricted admin access

What Does IAM Look Like in Practice?

Example 1: AWS IAM Policy (Least Privilege)

This JSON policy grants read-only access to a single S3 bucket — a textbook example of least privilege:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::company-reports",
        "arn:aws:s3:::company-reports/*"
      ]
    }
  ]
}

Key points: The policy explicitly names the allowed actions (GetObject, ListBucket) and restricts them to a specific resource. It does not use "Action": "*" or "Resource": "*", which would grant excessive permissions.

Example 2: Active Directory Group Policy via PowerShell

Creating a security group and assigning a user in Active Directory:

# Create a new security group for the finance team
New-ADGroup -Name "Finance-ReadOnly" `
  -GroupScope Global `
  -GroupCategory Security `
  -Path "OU=Groups,DC=corp,DC=local" `
  -Description "Read-only access to finance shares"

# Add a user to the group
Add-ADGroupMember -Identity "Finance-ReadOnly" -Members "jsmith"

# Verify group membership
Get-ADGroupMember -Identity "Finance-ReadOnly" | Select-Object Name, SamAccountName

Example 3: Linux PAM Configuration

Linux uses Pluggable Authentication Modules (PAM) to manage authentication. A common configuration enforces MFA via Google Authenticator:

# Install Google Authenticator PAM module
sudo apt install libpam-google-authenticator

# Configure the user's TOTP seed
google-authenticator

# Edit PAM config to require TOTP for SSH
# Add this line to /etc/pam.d/sshd:
auth required pam_google_authenticator.so

# Ensure SSH uses PAM (in /etc/ssh/sshd_config):
# ChallengeResponseAuthentication yes
# UsePAM yes

Example 4: Checking for Excessive Permissions

A quick audit command to find users with Domain Admin privileges in Active Directory:

# List all members of Domain Admins (including nested groups)
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
  Select-Object Name, SamAccountName, ObjectClass |
  Sort-Object Name

If this list contains service accounts, shared accounts, or users who do not need domain-wide admin access, you have found a least-privilege violation that needs remediation.

What Are the Limitations of IAM?

The SANS Institute emphasises that IAM controls are only as strong as their weakest implementation detail — MFA can be defeated by fatigue attacks, RBAC can suffer role explosion, and SSO creates a single point of failure if the identity provider is compromised.

Control	Helps with	Common failure mode	Better approach
MFA	Credential theft	Users approve MFA fatigue attacks (repeated push notifications)	Use phishing-resistant FIDO2 keys; enforce number matching
RBAC	Permission management	Role explosion — hundreds of micro-roles nobody can audit	Combine broad RBAC with ABAC for edge cases
SSO	User experience, fewer passwords	Single point of failure — compromised IdP unlocks everything	Protect IdP with strongest MFA; monitor for anomalous SSO sessions
PAM	Privileged account abuse	JIT access windows set too long; vault passwords never rotated	Enforce short time windows (<4 hours); automate credential rotation
Password policies	Weak credential prevention	Complex password rules lead to predictable patterns (Password1!)	Use passkeys or long passphrases; enforce MFA regardless
Service accounts	Application authentication	Static credentials with admin rights, never rotated	Use managed identities or workload identity federation

Common beginner mistakes

• Giving every user local admin “temporarily” and never revoking it
• Confusing OAuth (authorisation) with OIDC (authentication)
• Assuming MFA eliminates all credential-based attacks
• Not accounting for service accounts and API keys in IAM reviews
• Treating account deprovisioning as an HR problem rather than a security control

What Interview Questions Should You Expect About IAM?

CompTIA Security+ SY0-701 Domain 2.0 dedicates an entire section to identity and access management, making IAM one of the most frequently tested topics on the exam and one of the most commonly asked about in entry-level cybersecurity interviews.

IAM questions test whether you understand identity, access, and the relationship between them — not whether you can recite protocol specifications.

Q: What is the difference between authentication and authorisation?

Strong answer: “Authentication proves who you are — for example, entering a password and a TOTP code. Authorisation determines what you are allowed to do after your identity is confirmed — for example, read-only access to finance reports but no ability to modify them. They are separate decisions made by separate systems.”

Q: Why is MFA important, and what are the strongest MFA methods?

Strong answer: “MFA adds a second factor from a different category, so a stolen password alone is not enough. The strongest methods are phishing-resistant — FIDO2 hardware keys and platform authenticators like Windows Hello. Push notifications are convenient but vulnerable to MFA fatigue attacks. SMS is the weakest because of SIM swapping risks.”

Q: Explain RBAC and when you would use it.

Strong answer: “RBAC assigns permissions to roles rather than individual users. A ‘Finance Analyst’ role gets read access to financial reports. When someone joins or leaves the team, you add or remove their role assignment instead of editing individual permissions. It is simpler to audit because you can review roles rather than thousands of individual user-resource mappings.”

Q: What is Zero Trust and how does it relate to IAM?

Strong answer: “Zero Trust means you do not grant access based on network location. Every request is verified against identity, device health, and context — even if the user is already inside the corporate network. IAM is the engine that makes Zero Trust work: strong authentication, continuous authorisation checks, and least-privilege access at every layer.”

Q: How would you handle a report that a former employee still has access to company systems?

Strong answer: “First, I would immediately disable the account and revoke all active sessions and tokens. Then I would check audit logs to see if the account was accessed after the employee’s departure date. Finally, I would review the offboarding process to identify why deprovisioning did not happen and recommend automation — like connecting HR systems to the identity provider so account disablement triggers automatically on termination.”

How Is IAM Used in Real Security Operations?

MITRE ATT&CK documents over 30 techniques involving credential access and privilege escalation, making IAM-related alerts among the most critical events a SOC analyst will investigate. The Verizon 2024 DBIR confirms that credential-based attacks remain the dominant initial access vector across all industries.

SOC Analyst Context

IAM generates some of the most important alerts a SOC analyst will investigate:

• Impossible travel — a user authenticates from Sydney, then from London 30 minutes later. This indicates credential compromise or VPN misattribution.
• MFA bypass attempts — repeated failed MFA challenges followed by a successful login may indicate MFA fatigue attacks.
• Privilege escalation — a standard user account is suddenly added to the Domain Admins group outside of change management.
• Service account anomalies — a service account that normally authenticates from one server suddenly connects from an unfamiliar IP.
• Stale account usage — an account that has been inactive for 90+ days suddenly becomes active, suggesting credential compromise.

Australian Context

Australia’s regulatory landscape places specific emphasis on IAM controls:

ASD Essential Eight — Two of the eight mitigation strategies directly map to IAM:

• Multi-factor authentication — the ACSC recommends MFA for all users accessing internet-facing services, with phishing-resistant methods (FIDO2) at the highest maturity level
• Restrict administrative privileges — privileged accounts must be separate from standard accounts, time-limited, and not used for email or web browsing

ACSC Information Security Manual (ISM) — Includes detailed IAM controls around:

• Unique identification and authentication of all users
• Separation of privileged and non-privileged accounts
• Regular access reviews (at least every 12 months)
• Automated deprovisioning when staff depart

Privacy Act 1988 — Organisations must take reasonable steps to protect personal information, which includes controlling who can access it. IAM failures that expose personal data can trigger Privacy Act obligations and Australian Information Commissioner investigations.

APRA CPS 234 — Financial institutions regulated by APRA must implement information security controls proportionate to the sensitivity of data, with specific requirements around access management and authentication strength.

Summary and Key Takeaways

• Identity and access management controls who can access systems and what they can do — it is the single most impactful security domain for preventing breaches.
• Authentication proves identity; authorisation grants permissions — never conflate the two.
• MFA is essential but not all MFA is equal — FIDO2/WebAuthn is phishing-resistant; SMS is the weakest option.
• RBAC works for most organisations — add ABAC when you need context-aware access decisions.
• Privileged accounts are the highest-value targets — PAM controls (JIT access, session recording, vaulting) are critical.
• Zero Trust relies on strong IAM — continuous verification replaces implicit trust based on network location.
• Account lifecycle matters — provisioning, access reviews, and deprovisioning failures cause as many breaches as technical exploits.

Related links

• Security Concepts for the foundational principles (CIA triad, AAA, least privilege) that IAM implements
• Career Roadmap to see where IAM skills fit in your learning path
• Threat Landscape to understand how attackers exploit weak IAM
• CompTIA Security+ where IAM is a major exam domain (Domain 2.0)
• Home Lab Setup to practice Active Directory and IAM configurations safely

Frequently Asked Questions

What is identity and access management (IAM)?

IAM is the framework of policies, processes, and technologies that ensures the right people have the right access to the right resources at the right time. It covers authentication (proving identity), authorisation (granting permissions), and accounting (logging activity).

What is the difference between authentication and authorisation?

Authentication verifies who you are — for example, by checking a password and MFA code. Authorisation determines what you are allowed to do after your identity is confirmed, such as read-only access versus full admin rights. They are separate functions handled by different systems.

What is the strongest form of MFA?

FIDO2/WebAuthn using hardware security keys or platform authenticators (like Windows Hello or Touch ID) is the strongest form of MFA because it is phishing-resistant — the cryptographic challenge is bound to the specific website origin, so fake login pages cannot intercept it.

What is RBAC and how does it differ from ABAC?

RBAC (Role-Based Access Control) assigns permissions to roles, and users are assigned to roles. ABAC (Attribute-Based Access Control) evaluates policies based on multiple attributes like user role, time of day, location, and data sensitivity. RBAC is simpler; ABAC handles more complex, dynamic scenarios.

What is Single Sign-On (SSO)?

SSO allows users to authenticate once with an identity provider and then access multiple applications without re-entering credentials. Common protocols include SAML 2.0 for enterprise apps and OpenID Connect (built on OAuth 2.0) for modern web and mobile applications.

What is Privileged Access Management (PAM)?

PAM is a set of controls for securing high-privilege accounts like domain admins and root accounts. It includes just-in-time access (granting admin rights only when needed), password vaulting, session recording, and separation of duties to reduce the risk of privileged account abuse.

What is Zero Trust and how does IAM enable it?

Zero Trust is a security model that requires continuous verification of every access request regardless of network location. IAM enables Zero Trust by providing strong authentication, context-aware authorisation, continuous session evaluation, and least-privilege access enforcement.

What is Active Directory and why is it important for security?

Active Directory (AD) is Microsoft's directory service that stores and manages user accounts, groups, computers, and security policies in Windows enterprise environments. It is important because compromising AD — particularly Domain Admin accounts — gives an attacker control over the entire Windows environment.

How does IAM appear on the CompTIA Security+ exam?

CompTIA Security+ SY0-701 covers IAM extensively in Domain 2.0, including authentication methods, access control models (DAC, MAC, RBAC, ABAC), identity management concepts, SSO protocols, MFA implementations, and account management practices like provisioning and deprovisioning.

What are the Essential Eight IAM requirements for Australian organisations?

The ASD Essential Eight includes two IAM-specific strategies: multi-factor authentication for all users accessing internet-facing services (with FIDO2 at highest maturity), and restricting administrative privileges by separating privileged from standard accounts, time-limiting access, and preventing admin accounts from browsing the web or reading email.

Related sections

Security Concepts

Understand the CIA triad, AAA framework, and least privilege that underpin all IAM decisions.

Explore Risk Management

Learn how to assess and prioritise the risks that IAM controls are designed to mitigate.

Explore Cryptography Basics

Understand the encryption and hashing that protect credentials and secure authentication protocols.

Explore

More resources

NIST SP 800-63 Digital Identity Guidelines

Authoritative guidance on authentication assurance levels, credential management, and identity proofing.

Visit ACSC Essential Eight Maturity Model

Australian baseline mitigation strategies including MFA and restricting administrative privileges.

Visit OWASP Authentication Cheat Sheet

Practical guidance on implementing secure authentication in web applications.

Visit

---

IAM standards, protocols, and best practices evolve. Verify implementation details against current NIST SP 800-63, OWASP guidelines, and vendor documentation for authoritative guidance. Career and salary data sourced from CyberSeek and BLS Occupational Outlook Handbook as of 2025. Individual results vary based on location, experience, market conditions, and effort.