TJS Cybersecurity Hub

Identity & Access Management: Secure the New Perimeter

Identity is the new perimeter. Castle-and-moat security is dead. This guide covers authentication architecture, Zero Trust, FIDO2/Passkeys, Privileged Access Management, Non-Human Identities, and compliance -- sourced from NIST, OWASP, Verizon DBIR, and industry research.

Key figures: 68% of breaches involve a human element · 31% involve stolen credentials · $4.88M average breach cost · 46:1 non-human to human identity ratio
30 min read · Intermediate–Advanced · Prerequisite: Foundations

What Is Identity & Access Management?

Identity and Access Management (IAM) is the discipline of policies, technologies, and processes used to manage and control user identities and their access to organizational resources. IAM determines who can access what, when, how, and under what conditions.

Identity is the new perimeter. The traditional castle-and-moat model -- where a hardened network boundary protected internal resources -- is dead. Cloud adoption, remote workforces, and API-driven architectures have dissolved the network edge. Every access request, whether from a human or a machine, must be verified independently. IAM is the cornerstone of Zero Trust architecture.

Who Needs This

Security Engineers, IAM Architects, DevSecOps Teams, CISOs, GRC Teams, IT Administrators, Cloud Engineers, Security Students, Career Changers

Why This Matters Now

68% of breaches involve a non-malicious human element, and stolen credentials appear in 31% of breaches across the ten years of DBIR data (Verizon DBIR 2024). The FBI IC3 received 193,407 phishing/spoofing complaints in 2024. 14% of incidents involve MFA fatigue attacks. Non-human identities outnumber humans 46:1 -- and in some environments, up to 82:1. 50% of organizations have experienced a breach tied to non-human identities.

Key Concepts

IAM spans authentication (verifying who you are), authorization (enforcing what you can access), identity governance (ensuring compliance and audit readiness), privileged access management (controlling elevated permissions), and identity lifecycle management (provisioning and deprovisioning from hire to departure). This page covers each domain with practitioner-level depth.

The IAM Threat Landscape

Industry research from Verizon DBIR, the FBI, Aembit, and IBM quantifies the scale of identity-based attacks. These numbers represent verified incidents, not theoretical risk.
68% · Breaches involve a human element (2024) · Verizon DBIR 2024
31% · Breaches involve stolen credentials · Verizon DBIR 2024
$4.88M · Average breach cost · IBM Cost of a Data Breach 2024
193K · FBI phishing complaints (2024) · FBI IC3 Report
14% · Incidents involve MFA fatigue attacks · Verizon DBIR 2025
46:1 · Non-human to human identity ratio · Industry research
50% · Organizations had NHI breaches · Aembit NHI Report 2024
$40-70 · Cost per password reset · Industry research

The Five Pillars of IAM

IAM is built on five interdependent disciplines. Each pillar addresses a distinct security function.

P1 · Authentication · Core
Authentication verifies identity -- proving you are who you claim to be. Modern authentication has moved beyond passwords to multi-factor authentication (MFA), FIDO2/Passkeys for phishing-resistant passwordless login, and adaptive risk-based authentication that adjusts requirements based on context.
Key Technologies
MFA: something you know + something you have + something you are. FIDO2/Passkeys: public-key cryptography with the credential bound to the relying party's origin, so a look-alike site cannot use it. Passwordless: removes the shared-secret credential that phishing, credential stuffing, and password spraying depend on.

P2 · Authorization · Core
Authorization enforces access -- determining what an authenticated identity is permitted to do. Modern authorization models include Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and dynamic policy engines that evaluate context in real time.
Key Models
RBAC: access derived from assigned roles. ABAC: access derived from attributes (department, location, device posture). Dynamic policy: real-time evaluation by a policy engine such as OPA, with policy kept as versioned code rather than scattered through application logic.

P3 · Identity Governance & Administration (IGA) · Core
IGA ensures that access rights are appropriate, compliant, and auditable. It encompasses access reviews, certification campaigns, segregation of duties enforcement, and regulatory compliance reporting. IGA answers the question: "Should this person still have this access?"
Key Functions
Access Reviews: periodic validation of entitlements. Compliance: SOX, HIPAA, PCI DSS audit readiness. Audit Trails: complete provenance of who approved what access and when.

P4 · Privileged Access Management (PAM) · Critical
PAM controls and monitors elevated access to critical systems. Privileged accounts are the highest-value targets for attackers because they provide direct access to infrastructure, databases, and security controls. PAM replaces standing privilege with just-in-time (JIT) elevation, leaving only tightly controlled and monitored break-glass accounts with permanent rights.
Key Capabilities
JIT Access: time-bound elevation, revoked automatically. Session Monitoring: record and audit all privileged sessions. Credential Vaulting: secrets stored in hardened vaults and rotated automatically, so the operator never sees the password.

P5 · Identity Lifecycle Management · Core
Identity Lifecycle Management governs the joiner-mover-leaver process -- from initial provisioning at hire, through role changes and transfers, to immediate deprovisioning at departure. Orphaned accounts from incomplete offboarding are a persistent breach vector.
Key Processes
Joiner: identity proofing, credential issuance, role-based provisioning. Mover: dynamic privilege updates on role change, with the old role's entitlements removed. Leaver: immediate revocation, orphaned account elimination.

Key IAM Security Terms

Essential terminology for security practitioners, architects, and executives.
Zero Trust Architecture
A security model that eliminates implicit trust. Every access request is verified regardless of source location or network position. Based on NIST SP 800-207 principles: verify explicitly, use least privilege, assume breach.
FIDO2 / Passkeys
Phishing-resistant authentication using public-key cryptography. The private key never leaves the device. Supports device-bound credentials (YubiKey) and synced passkeys (Apple/Google). Login in 2-3 seconds vs 20-45 seconds for passwords.
MFA Fatigue
An attack where adversaries bombard users with repeated MFA push notifications until the victim approves one out of frustration or confusion. 14% of incidents in the Verizon DBIR 2025 involved MFA fatigue.
Non-Human Identity (NHI)
Any identity that is not a human user: service accounts, API keys, CI/CD tokens, AI agents, and machine identities. NHIs outnumber humans 46:1 and up to 82:1 in some environments.
SSO (Single Sign-On)
A centralized authentication mechanism that allows users to authenticate once and access multiple applications. Reduces credential fatigue and the attack surface created by managing dozens of separate passwords.
RBAC vs ABAC
RBAC assigns access based on predefined roles (Admin, Editor, Viewer). ABAC evaluates attributes (department, location, device posture, time of day) for fine-grained, context-aware access decisions.
Privileged Access Management (PAM)
Controls and monitors elevated access to critical systems. Includes credential vaulting, just-in-time access, session recording, and automatic credential rotation to eliminate standing privileges.
Identity Governance (IGA)
The framework for managing digital identities and access rights across the organization. Covers access reviews, certification campaigns, segregation of duties, and compliance reporting.
Segregation of Duties
A control that prevents any single individual from having conflicting access rights. For example, the person who approves invoices should not also be able to create vendors. Critical for SOX, PCI DSS, and fraud prevention.
NIST SP 800-63
The NIST Digital Identity Guidelines. Volume B defines three Authenticator Assurance Levels: AAL1 (single-factor accepted), AAL2 (two distinct factors), and AAL3 (hardware-based cryptographic authenticator with verifier impersonation resistance). Volume A defines Identity Assurance Levels (IAL1-3) for proofing, and Volume C defines Federation Assurance Levels (FAL1-3). The foundation for federal and enterprise identity standards.

Authentication Methods Compared

Authentication proves identity. The method you choose determines your resistance to phishing, credential theft, and MFA bypass attacks. The four major approaches follow.
FIDO2 / Passkeys: Passwordless Authentication
FIDO Alliance · Phishing-Resistant by Design
FIDO2 uses public-key cryptography to eliminate passwords entirely. The private key never leaves the authenticator, and the credential is scoped to the relying party's origin: a look-alike site cannot obtain an assertion the real site will accept, which is what "phishing-resistant" means here. The server stores only the public key, so a breach of its database yields nothing an attacker can replay. Supports device-bound credentials (YubiKey, Titan Key) and synced passkeys (Apple, Google, Microsoft ecosystems).
How It Works
Public-key crypto. Private key stays on device. Server stores only the public key.
Login Speed
2-3 seconds vs 20-45 seconds for traditional password + MFA
Device-Bound vs Synced
Device-bound (YubiKey): highest assurance, can meet AAL3. Synced (Apple/Google): better UX, cross-device; NIST treats synced passkeys as AAL2.
Security Impact
>99% reduction in phishing. >95% reduction in account takeover.
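Origin binding is what makes FIDO2 phishing-resistant, and the clearest place to see it is the relying party's verification step. The block below is an added example written for this page, not code from the FIDO Alliance or from any WebAuthn library. It builds an assertion the way a browser and authenticator do (clientDataJSON, authenticatorData, an ES256 signature over authenticatorData || SHA-256(clientDataJSON)) and then runs the relying-party checks: ceremony type, challenge, origin, RP ID hash, user-presence and user-verification flags, signature counter, and finally the signature. The P-256 ECDSA routines are a minimal pure-Python implementation so the example runs offline with no dependencies. The RP ID bank.example, the look-alike origin bank-example.com, and the credential record layout are assumptions; the registration (attestation) ceremony is skipped.

```python
# Added example: relying-party verification of a WebAuthn (FIDO2) assertion.
# Written for this page, not from the FIDO Alliance or any WebAuthn library.
# ES256 (ECDSA over P-256) is implemented inline, stdlib-only, so it runs
# offline; production code uses a vetted library, not this demo arithmetic.
import base64, hashlib, hmac, json, secrets, struct

P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def ec_add(p1, p2):
    """Affine point addition on P-256 (a = -3); None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ecdsa_sign(priv, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r, s

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def authenticator_sign(priv, rp_id, origin, challenge, counter):
    """Browser + authenticator side. clientDataJSON records the origin the
    browser really saw; the signature covers authData || SHA-256(clientData)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    flags = 0x05  # bit 0 = user present (UP), bit 2 = user verified (UV)
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
                 + struct.pack(">I", counter))
    sig = ecdsa_sign(priv, auth_data + hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig

def verify_assertion(cred, rp_id, expected_origin, challenge,
                     client_data, auth_data, sig):
    """Relying-party checks. cred = {"pub": (x, y), "counter": int}."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != expected_origin:          # the anti-phishing check
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if auth_data[32] & 0x05 != 0x05:
        return False, "user presence / user verification flags not set"
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter != 0 and counter <= cred["counter"]:  # possible cloned authenticator
        return False, "signature counter did not increase"
    signed = auth_data + hashlib.sha256(client_data).digest()
    if not ecdsa_verify(cred["pub"], signed, sig):
        return False, "bad signature"
    cred["counter"] = counter
    return True, "ok"

def demo():
    """Legitimate login, then an adversary-in-the-middle proxy on a look-alike
    origin (assumed name) relaying the genuine challenge: the signature is
    valid, but the origin the browser signed is not the RP's, so it is refused."""
    priv = secrets.randbelow(N - 1) + 1
    cred = {"pub": ec_mul(priv, G), "counter": 0}
    rp_id, origin = "bank.example", "https://bank.example"
    chal = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    good = verify_assertion(cred, rp_id, origin, chal,
                            *authenticator_sign(priv, rp_id, origin, chal, 1))
    phish = verify_assertion(cred, rp_id, origin, chal,
                             *authenticator_sign(priv, rp_id, "https://bank-example.com", chal, 2))
    return good, phish
```

The second scenario in demo() is an adversary-in-the-middle proxy relaying the genuine challenge. In a real browser the client already refuses, because the credential's RP ID does not match the page origin; the RP-side origin check is the backstop that holds even if a client is tricked, and it is why proxy kits that defeat OTP and push MFA get nothing usable out of a FIDO2 login.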
Multi-Factor Authentication (MFA)
NIST SP 800-63B · AAL1 / AAL2 / AAL3
MFA requires two or more factors: something you know (password), something you have (token/phone), and something you are (biometric). Legacy MFA is vulnerable to SIM swap, adversary-in-the-middle (AiTM), and push bombing (MFA fatigue). NIST SP 800-63B defines three Authenticator Assurance Levels.
AAL1
Single-factor accepted: a password alone satisfies it (two factors are permitted). Lowest assurance.
AAL2
Two distinct factors required, e.g. password plus OTP, push notification, or a software authenticator. Synced passkeys can meet AAL2.
AAL3
Hardware cryptographic authenticator required. Verifier impersonation resistance mandatory.
Known Vulnerabilities
SIM swap, AiTM proxy attacks, push bombing / MFA fatigue (14% of incidents per DBIR 2025).
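Push bombing leaves a recognizable trace in authenticator logs: a burst of prompts to one user, a run of denials, then an approval. The block below is an added example written for this page, not any vendor's detection rule. The log format and the events are constructed; the ten-minute window and the three-prompt threshold are assumptions to tune per environment.

```python
# Added example: detecting MFA push bombing from authenticator logs.
# Written for this page; the log format and events are constructed, not any
# vendor's, and the window / prompt thresholds are assumptions to tune.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: jdoe gets five pushes in under five minutes at 03:11,
# denies four and approves the fifth; asmith is a normal single-prompt login.
SAMPLE_LOG = """\
2024-09-15T03:11:02Z user=jdoe event=push_sent src=203.0.113.7
2024-09-15T03:11:41Z user=jdoe event=push_denied src=203.0.113.7
2024-09-15T03:12:05Z user=jdoe event=push_sent src=203.0.113.7
2024-09-15T03:12:30Z user=jdoe event=push_denied src=203.0.113.7
2024-09-15T03:13:10Z user=jdoe event=push_sent src=203.0.113.7
2024-09-15T03:13:44Z user=jdoe event=push_denied src=203.0.113.7
2024-09-15T03:14:20Z user=jdoe event=push_sent src=203.0.113.7
2024-09-15T03:14:59Z user=jdoe event=push_denied src=203.0.113.7
2024-09-15T03:15:30Z user=jdoe event=push_sent src=203.0.113.7
2024-09-15T03:15:52Z user=jdoe event=push_approved src=203.0.113.7
2024-09-15T09:02:11Z user=asmith event=push_sent src=198.51.100.22
2024-09-15T09:02:19Z user=asmith event=push_approved src=198.51.100.22
"""

def parse_events(text):
    """Yields one dict per line: the key=value fields plus a parsed timestamp."""
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        yield ev

def detect_push_bombing(text, window=timedelta(minutes=10), max_prompts=3):
    """Returns (ts, user, alert, detail) tuples.
    push_flood: more than max_prompts prompts to one user inside `window`.
    approval_after_flood: an approval following two or more denials during a
    flood, i.e. the fatigue pattern behind the Uber and Cisco 2022 intrusions."""
    sent = defaultdict(deque)     # sliding window of push timestamps per user
    denials = defaultdict(int)    # consecutive denials since the last approval
    flooding = set()
    alerts = []
    for ev in parse_events(text):
        user, q = ev["user"], sent[ev["user"]]
        if ev["event"] == "push_sent":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) > max_prompts and user not in flooding:
                flooding.add(user)
                alerts.append((ev["ts"], user, "push_flood",
                               f"{len(q)} prompts within {window} from {ev['src']}"))
            elif len(q) <= max_prompts:
                flooding.discard(user)
        elif ev["event"] == "push_denied":
            denials[user] += 1
        elif ev["event"] == "push_approved":
            if user in flooding and denials[user] >= 2:
                alerts.append((ev["ts"], user, "approval_after_flood",
                               f"approved after {denials[user]} denials from {ev['src']}"))
            denials[user] = 0
    return alerts
```

Both alerts warrant the same response: terminate the user's sessions, reset the authenticator, and compare the source address with the user's history. The preventive control lives in the IdP: number matching on push prompts and an automatic lockout after a small number of denials.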
SSO: SAML & OpenID Connect
Enterprise Federation · Credential Fatigue Reduction
SAML provides XML-based enterprise federation for legacy and on-premises applications. OpenID Connect (OIDC) is built on OAuth 2.0 for modern web and mobile apps. Both reduce credential fatigue and the attack surface by centralizing authentication into a single identity provider.
SAML
XML-based. Enterprise SSO for legacy apps. Assertion-based trust between IdP and SP.
OIDC
JSON/JWT-based. Modern apps. Built on OAuth 2.0. Lightweight, mobile-friendly.
Security Benefits
Fewer passwords to manage. Centralized MFA enforcement. Faster deprovisioning.
Attack Surface
IdP compromise = total access. Requires hardened IdP with phishing-resistant MFA.
Adaptive / Risk-Based Authentication
Context-Aware · Dynamic Step-Up
Adaptive authentication dynamically adjusts requirements based on real-time context: location, device posture, behavioral anomalies, and impossible travel detection. Low-risk sessions proceed with minimal friction. High-risk signals trigger step-up authentication automatically.
Context Signals
Location, device posture, behavioral patterns, impossible travel, time of access.
Step-Up Auth
Elevated authentication required when risk signals spike. Transparent to low-risk users.
Behavioral Analytics
Typing cadence, mouse movement, session patterns. Detects compromised sessions in real time.
Impossible Travel
Flags logins from geographically impossible locations within short timeframes.

Zero Trust Architecture: NIST 800-207

Zero Trust eliminates implicit trust. Every request is verified, every session is validated, every access decision is logged. Items 1-3 are the logical components NIST SP 800-207 defines; items 4-6 are tenets and deployment patterns from the same document that those components implement.

1. Policy Engine (PE)
The decision point of Zero Trust. Its trust algorithm (criteria-based or score-based, in 800-207's terms) weighs identity, device posture, location, behavioral analytics, and threat intelligence feeds for every access request.
The Policy Engine ingests telemetry from multiple sources and produces an access decision for every request: grant, deny, or step up. It evaluates identity claims, device health, network context, and historical behavior, and the decision is logged together with the signals that produced it.

2. Policy Administrator (PA)
Executes the decisions made by the Policy Engine. Generates session-specific tokens, configures access paths, and communicates decisions to enforcement points.
The PA is the control channel between the PE and the enforcement points. It translates policy decisions into actionable configuration -- creating time-bound tokens, establishing the communication path between subject and resource, and tearing the session down when the PE's decision changes.

3. Policy Enforcement Point (PEP)
The gatekeeper at the resource boundary. Enforces allow/deny decisions for every access request. No request bypasses the PEP.
PEPs sit at every resource boundary -- application, database, API, file share. They intercept every request and obtain the decision from the PA, which relays the PE's verdict. If the decision is deny, the PEP blocks the request. There is no implicit access path that bypasses enforcement.

4. Continuous Verification
Real-time telemetry and behavioral analytics validate trust throughout the session -- not just at login. Trust is re-evaluated continuously.
Authentication at login is not enough. Continuous verification monitors session behavior, device posture changes, and network anomalies for the entire session. If a device becomes non-compliant or behavior deviates from baseline, access is revoked or stepped up immediately.

5. Micro-Segmentation
Isolate network zones and resources to limit the blast radius of a compromised identity. Lateral movement is blocked by design.
Micro-segmentation divides the network into isolated zones, each with its own access controls. Even if an attacker compromises one identity, they cannot move laterally to other zones without separate, verified authorization. This limits blast radius and contains breaches.

6. Least Privilege / Just-in-Time (JIT)
Time-bound, elevated access only when needed. Standing privileges are eliminated. Access is automatically revoked after the task window closes.
Least privilege ensures identities receive only the minimum access required for their current task. JIT access takes this further by granting elevated permissions on demand with automatic expiration. No identity retains standing privileged access -- reducing the window of opportunity for attackers.
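The adaptive authentication signals above and the Policy Engine's trust algorithm are the same computation seen from two sides: context signals in, a graded decision out. The block below is an added example written for this page, not code from NIST or from any vendor's policy engine. It scores impossible travel (great-circle distance divided by elapsed time), device posture, and the sensitivity of the resource, and returns allow, step_up or deny together with the reasons that should be logged with the decision. The weights, the thresholds, the 900 km/h plausibility limit, and the login record format are assumptions.

```python
# Added example: the access decision a risk-based authentication layer (or a
# NIST SP 800-207 Policy Engine) makes from context signals. Written for this
# page; the signal weights, thresholds and record format are assumptions.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0        # airliner speed; faster than this is impossible travel
PHISHING_RESISTANT = {"fido2"}   # authenticators that already satisfy a step-up

@dataclass
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    managed_device: bool
    disk_encrypted: bool
    authenticator: str     # "password", "totp", "push", "fido2"
    resource_tier: str     # "low" or "high"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def evaluate(login, previous=None):
    """Score-based trust algorithm. Returns (decision, risk, reasons), where
    decision is "allow", "step_up" (re-authenticate with a phishing-resistant
    factor) or "deny"; the reasons are what gets logged with the decision."""
    risk, reasons = 0, []
    if previous is not None:
        km = haversine_km(previous.lat, previous.lon, login.lat, login.lon)
        hours = max((login.ts - previous.ts).total_seconds() / 3600, 1 / 3600)
        if km / hours > MAX_PLAUSIBLE_KMH:
            risk += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    if not login.managed_device:
        risk += 30
        reasons.append("unmanaged device")
    elif not login.disk_encrypted:
        risk += 20
        reasons.append("device posture: disk not encrypted")
    if login.resource_tier == "high":
        risk += 20
        reasons.append("high-value resource")
        if login.authenticator == "password":
            risk += 30
            reasons.append("single factor to high-value resource")
    if risk >= 70:
        return "deny", risk, reasons
    if risk >= 30 and login.authenticator not in PHISHING_RESISTANT:
        return "step_up", risk, reasons
    return "allow", risk, reasons

def demo():
    """Constructed sequence for one user: a FIDO2 login from Seattle, a password
    login from London 90 minutes later on an unmanaged laptop, then a password
    login back in Seattle to a high-value application."""
    seattle = Login("jdoe", datetime(2024, 9, 15, 9, 0), 47.61, -122.33, True, True, "fido2", "low")
    london = Login("jdoe", datetime(2024, 9, 15, 10, 30), 51.51, -0.13, False, True, "password", "high")
    later = Login("jdoe", datetime(2024, 9, 15, 14, 0), 47.61, -122.33, True, True, "password", "high")
    return [evaluate(seattle), evaluate(london, seattle), evaluate(later, seattle)]
```

In demo(), the London login 90 minutes after a Seattle login is denied outright, while the later password login to a high-value application from the usual location is asked to step up to a phishing-resistant factor. A fresh FIDO2 assertion already satisfies a step-up, so it is not requested again.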

Identity Lifecycle: Joiner-Mover-Leaver

Every identity follows a lifecycle from creation to decommission. Gaps in any phase create orphaned accounts, privilege creep, and breach vectors.

JOINER · Provisioning & Onboarding · Phase 1
The joiner phase covers identity proofing (verifying the person is who they claim to be), credential issuance (passwords, MFA enrollment, certificates), and role-based provisioning (assigning access based on job function). Automated provisioning from HR systems reduces manual errors and ensures day-one productivity.
Key Controls
Identity Proofing: verify identity before issuing credentials. Role-Based Provisioning: assign access based on job function, not individual requests. Credential Issuance: MFA enrollment at onboarding, not optional.

MOVER · Role Changes & Transfers · Phase 2
The mover phase is where privilege creep occurs. When employees change roles, new access is added but old access is rarely removed. Over time, individuals accumulate permissions far beyond their current job function. Dynamic privilege updates and periodic access reviews are essential.
Key Controls
Dynamic Privilege Updates: revoke old access when new roles are assigned. Access Reviews: manager-certified quarterly reviews of all entitlements. SoD Enforcement: prevent conflicting roles from being assigned to the same identity.

LEAVER · Offboarding & Revocation · Critical
The leaver phase requires immediate and complete revocation of all access. Delayed deprovisioning creates "undead identities" -- accounts that belong to former employees but remain active. These are prime targets for credential stuffing and insider threat scenarios.
Key Controls
Immediate Revocation: all access disabled within minutes of the departure trigger, including sessions and tokens already issued. Orphaned Account Elimination: automated scans for accounts without active owners. Undead Identity Prevention: HR-triggered automated deprovisioning workflows.
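The three phases reduce to one reconciliation: the HR feed is the system of record, and any directory account that disagrees with it is a finding. The block below is an added example written for this page, not code from any IGA product. It flags leavers still enabled, accounts with no HR owner, movers who kept their previous role's entitlements, grants outside the role baseline, and the segregation-of-duties conflict described in the glossary above. The HR records, directory export, role baselines and SoD rule are constructed.

```python
# Added example: reconciling an HR feed (system of record) against a directory
# export to surface joiner-mover-leaver failures. Written for this page; the
# records, role baselines and SoD rule are constructed.
from datetime import date

# Constructed HR feed keyed by employee id
HR = {
    "e101": {"status": "active", "role": "ap_clerk"},
    "e102": {"status": "active", "role": "engineer", "previous_role": "dba"},
    "e103": {"status": "terminated", "term_date": date(2024, 9, 1)},
    "e104": {"status": "active", "role": "ap_clerk"},
}
# Constructed directory export; groups are the entitlements
DIRECTORY = [
    {"uid": "arivera", "emp": "e101", "enabled": True, "last_login": date(2024, 9, 10),
     "groups": {"ap-invoice-approve", "vendor-create"}},
    {"uid": "bchen", "emp": "e102", "enabled": True, "last_login": date(2024, 9, 12),
     "groups": {"eng-deploy", "prod-db-admin"}},
    {"uid": "cokafor", "emp": "e103", "enabled": True, "last_login": date(2024, 8, 30),
     "groups": {"finance-ro"}},
    {"uid": "dpatel", "emp": "e104", "enabled": True, "last_login": date(2024, 9, 11),
     "groups": {"ap-invoice-approve"}},
    {"uid": "svc-legacy", "emp": None, "enabled": True, "last_login": date(2024, 1, 4),
     "groups": {"prod-db-admin"}},
]
# Role-based provisioning baseline: what each role should hold
ROLE_BASELINE = {"ap_clerk": {"ap-invoice-approve"}, "engineer": {"eng-deploy"},
                 "dba": {"prod-db-admin"}}
# Toxic combinations (segregation of duties)
SOD_RULES = [({"ap-invoice-approve", "vendor-create"}, "approves invoices and creates vendors")]

def reconcile(hr, directory, today, stale_days=90):
    """Returns (finding, uid, detail) tuples, one per control failure."""
    findings = []
    for acct in directory:
        emp = hr.get(acct["emp"])
        if emp is None:                      # nobody in HR owns this account
            if acct["enabled"]:
                idle = (today - acct["last_login"]).days
                kind = "orphan_stale" if idle > stale_days else "orphan"
                findings.append((kind, acct["uid"], f"no HR owner, last login {idle} days ago"))
            continue
        if emp["status"] == "terminated":    # leaver: should already be disabled
            if acct["enabled"]:
                findings.append(("leaver_enabled", acct["uid"],
                                 f"terminated {emp['term_date']} but still enabled"))
            continue
        extra = acct["groups"] - ROLE_BASELINE.get(emp["role"], set())
        if extra:                            # mover kept old access, or ad-hoc grants
            kind = "mover_creep" if "previous_role" in emp else "excess_entitlement"
            findings.append((kind, acct["uid"], "outside role baseline: " + ", ".join(sorted(extra))))
        for combo, why in SOD_RULES:
            if combo <= acct["groups"]:
                findings.append(("sod_violation", acct["uid"], why))
    return findings

def demo(stale_days=90):
    """Runs the reconciliation on the constructed data as of 2024-09-15."""
    return reconcile(HR, DIRECTORY, date(2024, 9, 15), stale_days)
```

The findings are the work queue for an access review. In practice the leaver_enabled and sod_violation rows are actioned automatically (disable the account, strip one side of the conflict), while the remainder go to the owning manager to certify or revoke.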

Non-Human Identities (NHI): The 46:1 Problem

Non-human identities outnumber humans 46:1 -- and in some environments, up to 82:1. 50% of organizations have experienced a breach tied to NHIs. This is the fastest-growing identity attack surface.
The Hidden Identity Attack Surface

Non-human identities include service accounts, API keys, CI/CD tokens, AI agents, and machine identities. They often have broader access than human users, longer credential lifespans, and weaker governance. The OWASP NHI Top 10 now classifies the most critical risks.

Key risks: Improper offboarding of service accounts, overprivileged machine identities, insecure cloud configuration, hardcoded secrets in code repositories, and AI agents with autonomous access to production systems.

NHI Security Maturity Model

Level 0-1
Unaware / Ad Hoc
No NHI inventory exists. Service accounts are created manually with static credentials. API keys are hardcoded in repositories. No rotation policy. Offboarding does not cover machine identities.
Level 2-3
Emerging / Managed
Basic NHI inventory started. Secret scanning in CI/CD pipelines catches hardcoded credentials. Credential rotation policies exist but are inconsistently applied. Some NHIs have owners assigned.
Level 4-5
Advanced / Optimized
Complete NHI inventory with owners, rotation schedules, and access reviews. Just-in-time credentials for all machine identities. Automated detection of orphaned service accounts. OWASP NHI Top 10 coverage verified.
NHI Types to Govern

Service Accounts: Persistent machine identities accessing databases, APIs, and infrastructure. API Keys: Static tokens for service-to-service authentication. CI/CD Tokens: Pipeline credentials with broad deployment access. AI Agents: Autonomous identities making decisions and accessing production systems without human approval loops.
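Hardcoded secrets are the NHI risk a CI pipeline can catch before merge, and Level 2 of the maturity model above starts there. The block below is an added example written for this page, not any scanner's rule set. It combines a few published credential formats (AWS access key IDs, GitHub tokens, Slack tokens, PEM private-key head
ers) with an entropy heuristic for secret-looking assignments, honours a reviewed `# nosecret` suppression, and returns a non-zero gate status when anything is found. The scanned snippet is constructed; the AWS values are the example keys from AWS documentation, and the entropy threshold of 4.0 bits per character is an assumption.

```python
# Added example: a minimal pre-merge secret scanner of the kind Level 2 of the
# maturity model describes. Written for this page; patterns cover a few
# published credential formats plus an entropy heuristic, and the scanned
# snippet is constructed (the AWS values are the documented example keys).
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# name = "value" / name: "value" with a secret-looking name and a long literal
ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]")

# Constructed file under review
SAMPLE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = os.environ["DB_PASSWORD"]
api_key = "placeholder-value-here-16"
GITHUB_TOKEN = "ghp_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
FIXTURE_KEY = "AKIAAAAAAAAAAAAAAAAA"  # nosecret
"""

def shannon_entropy(s):
    """Bits per character: random 40-char keys score about 4.5+, prose under 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def mask(value):
    """Enough to locate the hit in review output, never the whole secret."""
    return value[:4] + "..." + value[-2:]

def scan(text, entropy_threshold=4.0):
    """Returns (line_no, finding, masked_value) for each hit."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if "# nosecret" in line:          # reviewed, deliberate suppression
            continue
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((no, name, mask(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if any(p.search(value) for p in PATTERNS.values()):
                continue                  # already reported by a specific pattern
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((no, "high_entropy_assignment", mask(value)))
    return findings

def ci_gate(text):
    """Exit status for a pipeline step: non-zero blocks the merge."""
    return 1 if scan(text) else 0
```

A finding blocks the merge, but the remediation is rotation, not deletion: a secret that was ever committed is in the repository history and has to be treated as exposed.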

Notable IAM Breaches

Real-world breaches that demonstrate the consequences of IAM failures. Each case traces back to a specific identity control gap.
Colonial Pipeline
2021 · Credential Compromise
A single breached password from a dark web database of 8 billion credentials gave attackers access to the pipeline's VPN. The account lacked MFA. The resulting ransomware attack shut down fuel distribution across the US East Coast.
Uber
2022 · MFA Fatigue Attack
Using a contractor's credentials obtained from a credential dump, attackers bombarded the contractor with repeated MFA push notifications until one was approved, while messaging the contractor as "IT support" to encourage it. Once on the VPN, the attacker reportedly found PowerShell scripts on a network share containing hardcoded administrator credentials for the company's PAM platform, which opened internal systems including Slack, Google Workspace, and source code repositories.
Cisco
2022 · Voice Phishing + MFA Bypass
Attackers first compromised an employee's personal Google account, where browser password sync exposed Cisco credentials. They then combined voice phishing (vishing) with a stream of MFA push prompts until the employee accepted one, enrolled their own devices for MFA, and moved laterally through internal systems using the compromised identity.
MGM Resorts
2023 · Social Engineering
Attackers impersonating an employee social-engineered the IT help desk into resetting credentials for a privileged account (by the attackers' own account, a 10-minute phone call). That gave them control of MGM's identity provider, leading to widespread system compromise and an estimated $100M+ in damages.

IAM Compliance Requirements

Regulations increasingly mandate strong identity controls. Non-compliance after an identity-based breach compounds financial damage with regulatory fines.
HIPAA
Health Insurance Portability · ePHI Protection
The Security Rule's technical safeguards (45 CFR 164.312) require access controls, person or entity authentication, and audit controls for all systems processing electronic Protected Health Information (ePHI).
  • Unique user identification for all ePHI access
  • Person or entity authentication before access is granted
  • Role-based access aligned with the minimum-necessary standard
  • Audit controls recording activity on systems holding ePHI, protected from alteration
PCI DSS 4.0
Version 4.0 · Payment Card Industry
Mandates MFA for all access into the cardholder data environment (Requirement 8.4.2) and for all non-console administrative access (8.4.1); the MFA system must resist replay and cannot be bypassed (8.5.1). Strict access controls and identity lifecycle management are required.
  • MFA for all access into the CDE, resistant to replay; phishing-resistant authenticators are the strongest way to meet it
  • Unique IDs for all users with system access
  • Strict access controls and least privilege
  • Regular access reviews and prompt deprovisioning
GDPR / CCPA
Data Protection · Privacy Controls
Mandates data consent management, minimization principles, privacy controls, and user rights including access requests and data erasure.
  • Data consent and minimization controls
  • Support for data subject access requests
  • Privacy-preserving identity verification
  • Right to erasure and data portability

IAM & Compliance Controls

How IAM maps to the compliance frameworks your organization is audited against.
PCI DSS v4.0
Requirement 7: Restrict access to cardholder data by business need to know — role-based access, least privilege.
Requirement 8: Identify users and authenticate access -- MFA for all non-console administrative access (8.4.1) and for all access into the CDE (8.4.2), passwords of at least 12 characters (8.3.6), 15-minute idle timeout (8.2.8).
Requirement 8.5.1: MFA systems must resist replay, cannot be bypassed, and require all factors before access is granted.
Requirement 8.6: Application and system accounts with interactive login are strictly managed -- the NHI control set.
SOC 2
CC6.1: Logical and physical access controls — IAM policy, RBAC/ABAC implementation.
CC6.2: User registration and authorization — identity lifecycle (joiner-mover-leaver).
CC6.3: Role-based access and least privilege — authorization model enforcement.
Privileged accounts: there is no separate privileged-access criterion; PAM controls are evidenced under CC6.1 (access control) and CC6.3 (access modification and removal). CC6.8 concerns malicious software, not access.
ISO 27001:2022
A.5.15: Access control policy — defines organizational IAM requirements.
A.5.16: Identity management — identity lifecycle, unique IDs, shared account prohibition.
A.5.17: Authentication information — password policy, MFA, credential management.
A.5.18: Access rights — provisioning, review, revocation. Joiner-mover-leaver process.
NIST SP 800-63
AAL1: Single-factor accepted -- a memorized secret alone meets it.
AAL2: Two distinct factors -- password plus OTP, push, or authenticator app; synced passkeys can meet AAL2.
AAL3: Hardware-based cryptographic authenticator with verifier impersonation resistance -- device-bound FIDO2 security keys qualify, synced passkeys do not. Required for high-assurance applications.
IAL1-3: Identity proofing levels from self-asserted (IAL1) to in-person or supervised remote verification (IAL3).

IAM Certifications

Certifications that validate IAM expertise across identity governance, privileged access, cloud identity, and general security domains.
Identity Management Institute
Certified Identity and Access Manager (CIAM)
IAM-focused, vendor-neutral certification covering identity governance, access management, authentication, and compliance across enterprise environments.
IAM-Focused Vendor-Neutral Governance + Technical
ISC2
CISSP (Certified Information Systems Security Professional)
Broad security certification with dedicated IAM domain coverage. Validates understanding of identity lifecycle, access models, and authentication architecture.
General Security IAM Domain Management-Level
Microsoft
SC-300: Identity and Access Administrator
Microsoft-focused certification for Azure AD / Entra ID administration. Covers conditional access, identity governance, and hybrid identity management.
Microsoft / Azure Entra ID Hands-On
CyberArk
CyberArk Defender / Sentry
PAM-focused, vendor-specific certifications for CyberArk platform administration. Covers credential vaulting, session management, and privileged access workflows.
PAM-Focused Vendor-Specific Technical

IAM Security Articles

Practitioner-written guides covering specific IAM domains in depth. Built from verified sources, not vendor whitepapers.
Zero Trust IAM: From Castle-and-Moat to Identity-Centric Security (Beginner · 12 min read · coming soon)
How identity replaced the network perimeter. NIST 800-207 components, implementation roadmap, and real-world Zero Trust architecture patterns.

FIDO2 and Passkeys: The Complete Enterprise Deployment Guide (Intermediate · 15 min read · coming soon)
Deploying phishing-resistant passwordless authentication. Device-bound vs synced passkeys, migration strategies, and user adoption playbook.

Non-Human Identity Security: The 46:1 Problem (Advanced · 18 min read · coming soon)
Governing service accounts, API keys, CI/CD tokens, and AI agents. NHI inventory strategies, OWASP NHI Top 10 coverage, and maturity model assessment.

NIST SP 800-63-4: What Changed and Why It Matters (Intermediate · 10 min read · coming soon)
Breaking down the latest revision of the Digital Identity Guidelines. New assurance levels, updated authenticator requirements, and migration guidance.

Privileged Access Management: Eliminating Standing Privileges (Advanced · 16 min read · coming soon)
JIT access implementation, credential vaulting architecture, session monitoring, and the path from standing admin access to zero standing privileges.

IAM Compliance Checklist: HIPAA, PCI DSS, GDPR Requirements (Beginner · 8 min read · coming soon)
Mapping compliance frameworks to IAM controls. Checklist-driven guide for organizations managing identity across regulated environments.

Start Securing Your Identity Perimeter

Explore the full IAM ecosystem -- Zero Trust architecture, phishing-resistant authentication, privileged access controls, and non-human identity governance. Practitioner resources, no sales pitch.

Sources: NIST SP 800-207 · NIST SP 800-63-4 · Verizon DBIR 2025 · FIDO Alliance · OWASP NHI Top 10 · CISA Zero Trust Maturity Model · Aembit NHI Report 2024

Continue Your Journey

IAM connects to API security, governance frameworks, and compliance. These pillars complement what you've learned here.
