This chapter covers Identity and Access Management (IAM), a critical domain in Security Operations for the SY0-701 exam. IAM ensures that the right individuals access the right resources at the right times for the right reasons. Mapping to Objective 4.6, this chapter will equip you with the knowledge to implement and manage authentication, authorization, and accounting mechanisms, and to understand common threats like credential theft and privilege escalation.
Jump to a section
Think of identity and access management (IAM) as a modern airport security checkpoint. You (the user) arrive at the airport with a ticket (your credentials). The first agent checks your ID (authentication) by scanning your passport and matching your face (biometrics or password). Once verified, the agent issues a boarding pass (access token) that grants you access to specific areas—your gate, but not the cockpit or baggage handling. This boarding pass has an expiration time (session token lifetime) and may have restrictions like "only valid for domestic flights" (attribute-based access control). The airport also has a central system that tracks which gates you've entered (audit logs). If a passenger tries to enter a restricted area, the gate beeps and alerts security (access denied). In this analogy, the airport's identity management system (IdP) stores all passenger profiles, the ticket counter (SSO) allows you to check in once and go to multiple gates, and the security cameras (SIEM) monitor for anomalies like someone tailgating through a door. Just as an airport revokes a lost boarding pass, IAM systems revoke tokens when a user is terminated or a device is compromised.
What is Identity and Access Management?
Identity and Access Management (IAM) is the framework of policies, processes, and technologies that manage digital identities and control access to resources. In the context of SY0-701, IAM is about ensuring that only authorized users, devices, or services can access specific data or systems. The core components are identification (claiming an identity), authentication (proving that identity), authorization (determining what that identity can do), and accounting (logging what was done). These four are often abbreviated as IAAA (Identification, Authentication, Authorization, Accounting).
Authentication Factors
Authentication is based on three factors: something you know (e.g., password, PIN), something you have (e.g., smart card, token, phone), and something you are (e.g., fingerprint, retina scan). SY0-701 emphasizes multi-factor authentication (MFA), which requires two or more factors from different categories. For example, a password (knowledge) plus a one-time code from an authenticator app (possession) is MFA. Two-step verification (e.g., password + email code) is not necessarily MFA if both steps are from the same factor (knowledge). The exam tests your ability to identify true MFA scenarios.
Authorization Models
Once authenticated, a user needs authorization to access resources. Common models include: - Discretionary Access Control (DAC): The owner of the resource decides who can access it. Common in file systems (e.g., Linux file permissions). - Mandatory Access Control (MAC): Access is based on labels and clearances managed by a central authority. Used in military and high-security environments. - Role-Based Access Control (RBAC): Access is based on roles assigned to users. For example, "HR Manager" role has access to employee records. - Attribute-Based Access Control (ABAC): Access decisions are based on attributes (user, resource, environment). For example, "allow access if user is in finance department AND time is during business hours AND resource is the accounting system." ABAC is more flexible and is increasingly used in cloud environments.
Identity Providers and Federation
An Identity Provider (IdP) is a system that creates, maintains, and manages identity information and provides authentication services. Examples include Microsoft Azure AD, Okta, and Google Workspace. Federation allows users from one organization to access resources in another organization using their home credentials. This is achieved through trust relationships and standards like Security Assertion Markup Language (SAML), OAuth 2.0, and OpenID Connect (OIDC). SAML is XML-based and commonly used for enterprise single sign-on (SSO). OAuth 2.0 is a delegation framework for token-based authorization, while OIDC is an authentication layer built on OAuth 2.0.
Single Sign-On (SSO) and Session Management
SSO allows a user to authenticate once and gain access to multiple applications without re-entering credentials. This reduces password fatigue but creates a single point of failure. If an attacker compromises the SSO session token, they can access all linked applications. Session management involves creating, maintaining, and destroying sessions. Session tokens should be random, use secure transmission (HTTPS), and have short lifetimes. The OWASP recommends using HttpOnly and Secure flags for cookies, and implementing session timeout after inactivity.
Privileged Access Management (PAM)
PAM focuses on controlling and monitoring access for privileged users (e.g., administrators, root accounts). These accounts have elevated permissions and are prime targets for attackers. PAM solutions enforce least privilege, rotate passwords periodically, and record sessions for audit. For example, a PAM tool like CyberArk or HashiCorp Vault can provide just-in-time (JIT) access, where a user requests temporary admin rights for a specific task. The exam covers concepts like password vaulting, session recording, and approval workflows.
Access Control Lists (ACLs) and Permissions
ACLs are lists of permissions attached to an object (file, directory, network resource). They specify which subjects (users, groups) have what type of access (read, write, execute). In networking, ACLs filter traffic based on source/destination IP, port, and protocol. For example, a router ACL might allow inbound HTTP traffic (TCP 80) from any source to a web server. SY0-701 expects you to understand the difference between discretionary ACLs (where the owner controls permissions) and system ACLs (used by the OS for auditing).
Account Management Lifecycle
Proper account management includes provisioning, review, and deprovisioning. Provisioning creates accounts with appropriate privileges. Review ensures accounts are still needed and permissions are correct. Deprovisioning disables or deletes accounts when users leave or change roles. Common mistakes include orphaned accounts (accounts for former employees still active) and privilege creep (users accumulating excessive permissions over time). The exam emphasizes the principle of least privilege and the need for regular audits.
Authentication Protocols and Standards
Several protocols are used for authentication in networks: - Kerberos: A ticket-based authentication protocol used in Active Directory. It uses symmetric key cryptography and a trusted third party (Key Distribution Center). Common ports: UDP 88 (Kerberos), UDP 464 (Kerberos password change). - LDAP: Lightweight Directory Access Protocol (port 389 for unencrypted, 636 for LDAPS). Used to query and modify directory services like Active Directory. - RADIUS: Remote Authentication Dial-In User Service (ports 1812/1813 for authentication/accounting, or 1645/1646 legacy). Used for network access control (e.g., VPN, Wi-Fi). - TACACS+: Terminal Access Controller Access-Control System Plus (port 49). Cisco-proprietary, separates authentication, authorization, and accounting. - 802.1X: Port-based network access control. Uses EAP (Extensible Authentication Protocol) over LAN. Common in enterprise Wi-Fi and wired networks.
Threats to IAM
Common threats include: - Credential Stuffing: Using stolen username/password pairs from one breach to try on other sites. Mitigation: MFA, account lockout, rate limiting. - Password Spraying: Trying a few common passwords against many accounts. Mitigation: strong password policies, MFA, monitoring for multiple failed logins. - Pass-the-Hash: Attacker captures a hash and uses it to authenticate without knowing the plaintext password. Mitigation: use Kerberos instead of NTLM, restrict local admin privileges, enable Credential Guard. - Privilege Escalation: Attacker gains higher permissions than intended. Can be vertical (user to admin) or horizontal (user to another user). Mitigation: least privilege, PAM, regular permission audits. - Social Engineering: Phishing, vishing, or pretexting to obtain credentials. Mitigation: user training, MFA, email filtering.
Defense in Depth for IAM
Implement multiple layers: strong password policies, MFA, least privilege, regular audits, session timeouts, and monitoring. Use a SIEM to correlate logs from authentication servers, firewalls, and endpoints. For example, a SIEM alert might trigger on a user logging in from two different geographic locations within an impossible time frame, indicating a possible credential theft.
Configure IdP and User Directory
Begin by setting up an identity provider (IdP) such as Microsoft Azure AD or Okta. Create a user directory with attributes like username, email, department, and role. For on-premises environments, this could be Active Directory with LDAP. Ensure that the directory is synchronized with HR systems for automated provisioning. Logs from this step show user creation events (Event ID 4720 in Windows) and attribute changes.
Define Authentication Policies
Establish password policies (length, complexity, expiration) and MFA requirements. Configure conditional access policies based on user location, device compliance, and risk level. For example, require MFA for all external access. Tools: Group Policy for on-prem AD, Conditional Access in Azure AD. Logs show policy changes (Event ID 4739) and authentication attempts.
Implement Authorization and Access Control
Assign roles or attributes to users based on job function. Create RBAC roles with specific permissions. For ABAC, define policies using attributes. For example, allow access to finance system only if department='Finance' AND time='business hours'. Use ACLs on files and network devices. Test access by attempting to access resources with different user accounts. Logs show permission changes (Event ID 4670) and access attempts (Event ID 4663).
Deploy Privileged Access Management
Identify privileged accounts (domain admins, service accounts). Implement a PAM solution like CyberArk or a simpler approach using Group Managed Service Accounts (gMSA). Configure password rotation and session recording. Require approval workflows for elevation. For example, an admin must request a temporary admin token via a ticketing system. Logs show elevation requests, approvals, and privileged session activity.
Monitor and Audit Access
Enable logging on all authentication servers, domain controllers, and critical systems. Forward logs to a SIEM (e.g., Splunk, ELK). Create alerts for suspicious activities: multiple failed logins (account lockout), logins from unusual locations, or changes to privileged groups. Regularly review access rights and remove orphaned accounts. Perform periodic audits using tools like Microsoft's ADAC or third-party IGA solutions. Logs show user login events (Event ID 4624 for success, 4625 for failure) and group membership changes (Event ID 4728, 4732, 4756).
Scenario 1: SOC Analyst Responding to a Brute Force Attack
A SOC analyst sees a surge in failed logins (Event ID 4625) for multiple user accounts from a single IP address. The SIEM shows 1000 failed attempts in 5 minutes. The analyst checks the account lockout policy (e.g., 10 attempts in 15 minutes). The accounts are locked out, but the attacker continues trying other accounts. The analyst blocks the IP on the firewall and enables MFA for all external logins. The correct response is to identify the source IP, block it, and reset passwords for affected accounts. A common mistake is to assume lockout is sufficient; attackers often use password spraying, which avoids lockout by trying a few passwords on many accounts. The analyst should also check for successful logins from the same IP (Event ID 4624) to see if any accounts were compromised.
Scenario 2: Privilege Escalation via Service Account
An engineer notices that a service account (svc_backup) has been added to the Domain Admins group. The change log shows Event ID 4732 (a member was added to a security-enabled global group) from an admin workstation. The engineer reviews the change request—none exists. The incident response team investigates: the admin's credentials were phished, and the attacker used them to escalate privileges. The correct response is to remove the service account from Domain Admins, reset the admin's password, and audit all changes made by that admin. A common mistake is to only remove the service account without investigating the root cause. The team should also check for other unauthorized group memberships and potential persistence mechanisms.
Scenario 3: MFA Bypass via Session Token Theft
A user reports receiving MFA push notifications for logins they didn't attempt. The SIEM shows successful logins from an IP in a different country. The user's session token was stolen via a man-in-the-middle attack (e.g., using a rogue Wi-Fi). The analyst revokes all active sessions, resets the user's password, and forces MFA re-enrollment. The correct response also includes reviewing the user's recent activity for data exfiltration. A common mistake is to only change the password, leaving the session token valid. The analyst should also check for similar attacks on other users and implement token binding (e.g., using certificate-based authentication).
SY0-701 Objective 4.6 focuses on implementing and managing identity and access management. The exam expects you to:
Differentiate between authentication, authorization, and accounting.
Identify the correct authentication factor (something you know/have/are).
Understand SSO, federation, and their protocols (SAML, OAuth, OIDC).
Explain the principle of least privilege and need-to-know.
Recognize threats like credential stuffing, password spraying, and pass-the-hash.
Understand the purpose of PAM and account lifecycle management.
Common Wrong Answers: 1. "Two-step verification is the same as MFA." Wrong: two-step may use the same factor (e.g., password + security question). MFA requires different factors. 2. "SSO eliminates the need for passwords." Wrong: SSO still requires initial authentication with credentials. 3. "Federation requires users to have separate accounts in each organization." Wrong: federation allows using home credentials across organizations. 4. "Kerberos uses public key cryptography." Wrong: Kerberos uses symmetric key cryptography.
Trick Questions: - A question may describe a scenario where a user logs in with a password and then receives a code on their phone. This is MFA (knowledge + possession) if the code is from an authenticator app (possession) not email (knowledge). - A question may ask about the protocol for federated SSO. SAML is for enterprise SSO, OAuth is for delegated authorization, OIDC is for authentication. - A question about access control models: if the owner sets permissions, it's DAC; if a central authority sets labels, it's MAC; if based on roles, it's RBAC; if based on attributes, it's ABAC.
Decision Rule: On scenario questions, first identify if the issue is authentication (proving identity) or authorization (what they can do). Then determine if the solution involves MFA, SSO, or access control models. Eliminate answers that don't match the factor or model described.
Authentication = proving identity (something you know/have/are). Authorization = determining access rights.
Multi-factor authentication (MFA) requires two or more factors from different categories.
Single Sign-On (SSO) uses a session token to access multiple applications after one authentication.
Federation allows cross-organization authentication using standards like SAML, OAuth, and OIDC.
Role-Based Access Control (RBAC) assigns permissions based on roles; Attribute-Based Access Control (ABAC) uses attributes.
Privileged Access Management (PAM) controls and monitors elevated accounts, often with just-in-time access.
Common authentication protocols: Kerberos (UDP 88), LDAP (389/636), RADIUS (1812/1813), TACACS+ (49).
Account lifecycle includes provisioning, review, and deprovisioning to prevent orphaned accounts.
Credential stuffing, password spraying, and pass-the-hash are common IAM threats.
Least privilege and need-to-know are fundamental principles for access control.
These come up on the exam all the time. Here's how to tell them apart.
SAML (Security Assertion Markup Language)
XML-based markup language
Primarily used for enterprise SSO (web browser SSO)
Defines authentication and authorization assertions
Uses SAML assertions (e.g., authentication statement, attribute statement)
Typically uses HTTP POST or redirect bindings
OAuth 2.0 / OpenID Connect (OIDC)
JSON-based (OAuth uses JWTs, OIDC adds ID token)
OAuth 2.0 is for delegated authorization; OIDC adds authentication layer
OAuth 2.0 uses access tokens; OIDC uses ID tokens for authentication
Commonly used for mobile apps, APIs, and social login
Uses HTTP redirects with query parameters or POST
Mistake
Two-factor authentication and multi-factor authentication are the same thing.
Correct
Two-factor authentication (2FA) is a subset of MFA that uses exactly two factors. MFA can use two or more factors. The key is that the factors must come from different categories (knowledge, possession, inherence). Using two passwords is not MFA.
Mistake
Single sign-on (SSO) means you never have to enter a password again.
Correct
SSO requires an initial authentication (often with a password and MFA). After that, the session token is used to access other applications without re-entering credentials. If the session expires, the user must authenticate again.
Mistake
Federation requires a shared user database between organizations.
Correct
Federation does not require shared databases. It establishes trust relationships (e.g., via SAML metadata exchange) so that one organization's IdP can authenticate users for another organization's service provider.
Mistake
Kerberos is a public key infrastructure (PKI) protocol.
Correct
Kerberos uses symmetric key cryptography (shared secrets) and a trusted third party (KDC). It does not use public/private key pairs. PKI is used in other protocols like SSL/TLS.
Mistake
The principle of least privilege means giving users only the permissions they need for their current task.
Correct
Least privilege means granting the minimum permissions necessary to perform a job function, not just a single task. It is about role-based permissions, not just-in-time. JIT is a technique to implement least privilege but is not the definition.
Authentication verifies who you are (e.g., password, fingerprint). Authorization determines what you are allowed to do (e.g., read a file, access a network). For the exam, remember: authentication comes first, then authorization. A common trick: a system that checks your ID is authenticating; a system that checks your clearance level is authorizing.
Not necessarily. Two-step verification involves two steps, but they may be from the same factor (e.g., password + security question). MFA requires two different factors. For the exam, if a scenario uses password and a code sent via email, that is two-step but not MFA (both are knowledge factors). If it uses password and a code from an authenticator app, that is MFA (knowledge + possession).
RBAC assigns permissions based on roles (e.g., 'Manager' role can approve expenses). ABAC uses attributes (user, resource, environment) to make access decisions (e.g., 'allow if user.department = resource.department AND time during business hours'). ABAC is more flexible and granular. On the exam, ABAC is often used in cloud environments with dynamic policies.
Privileged Access Management (PAM) protects privileged accounts (admin, root) by enforcing least privilege, rotating passwords, recording sessions, and requiring approval for elevation. It mitigates risks like credential theft and insider threats. For the exam, know that PAM often uses just-in-time (JIT) access and password vaulting.
Kerberos uses a Key Distribution Center (KDC) which issues ticket-granting tickets (TGT) after initial authentication. The user then uses the TGT to request service tickets for specific services (e.g., file server). All communication uses symmetric key encryption. Common ports: UDP 88. The exam may test that Kerberos is used in Active Directory and that it prevents pass-the-hash when properly configured.
SAML is an XML-based protocol for exchanging authentication and authorization data between an IdP and a service provider. It is primarily used for enterprise SSO. OAuth 2.0 is a framework for delegated authorization, often used for API access. OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0. On the exam, SAML is for web SSO, OAuth is for API delegation, and OIDC is for authentication in modern apps.
Least privilege means granting users only the permissions necessary to perform their job functions. This reduces the attack surface and limits damage from compromised accounts. On the exam, it is often contrasted with 'need-to-know' (access to specific data). Both are fundamental to IAM.
You've just covered Identity and Access Management — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?