Module 02 · Lesson 03

Identity is the new perimeter

When employees access resources from anywhere on any device, the one constant is who they are. IAM is the control plane for modern security.

Core Concepts

Authentication · Authorization · Accounting

AuthN
Who are you?
Passwords, MFA, biometrics, certificates. Proving identity.
AuthZ
What can you do?
RBAC, ABAC, policy-based. Granting permissions.
Accounting
What did you do?
Audit logs, session recording. Tracking actions.

Plus Federation (SSO, SAML, OIDC) and Lifecycle (joiner-mover-leaver provisioning).

MFA Spectrum

Not all MFA is equal

Method             | Security  | Weakness
SMS codes          | Low       | SIM swapping, SS7 interception, social engineering of carriers
TOTP apps          | Good      | Phishable: a fake login page collects the six-digit code and relays it to the real site before it expires
Push notifications | Good      | MFA fatigue: the attacker triggers prompts until the user approves one (number matching reduces, but does not remove, this)
FIDO2 / WebAuthn   | Excellent | Phishing-resistant: the credential is scoped to the site's domain (RP ID) and the signed assertion includes the origin the browser actually saw, so a look-alike site can neither obtain nor reuse one. Gold standard.

Google: 85,000+ employees on hardware security keys since early 2017 → zero reported account takeovers from phishing.
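
Worked example (added here, not part of the course slides): the WebAuthn assertion ceremony in Go, cut down to the checks that make it phishing-resistant. The relying party login.example.com, the look-alike host login-example.com and the user names are assumptions; Ed25519 (WebAuthn's EdDSA option) stands in for the more common ES256, and the signature counter is left at zero. The contrast with the TOTP row above is the point: a TOTP code is a bearer value that a fake page can collect and relay, while an assertion is a signature over the RP ID hash plus a browser-supplied origin, so the same relay fails at two independent points.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Relying party (RP) identity; both values are assumptions for this example.
const rpID, expectedOrigin = "login.example.com", "https://login.example.com"

var (
	errNoCredential = errors.New("authenticator: no credential scoped to this RP ID")
	errOrigin       = errors.New("rp: signed origin is not the expected origin")
)

// clientData mirrors clientDataJSON; the browser, not page script, fills in Origin.
type clientData struct{ Type, Challenge, Origin string }

// assertion is what navigator.credentials.get() returns; Signature covers AuthData || SHA-256(ClientDataJSON).
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// authenticator holds one Ed25519 credential, scoped to one RP ID at registration.
type authenticator struct {
	key     ed25519.PrivateKey
	scopeRP string
}

// getAssertion models browser + authenticator. The browser derives derivedRPID
// from the host of pageOrigin, so a look-alike host has no matching credential.
func (a *authenticator) getAssertion(derivedRPID, pageOrigin, challenge string) (*assertion, error) {
	if derivedRPID != a.scopeRP {
		return nil, errNoCredential
	}
	rpHash := sha256.Sum256([]byte(derivedRPID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags (user present) + sign count (left at 0)
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	return &assertion{authData, cd, ed25519.Sign(a.key, signedData(authData, cd))}, nil
}

// signedData is what both sides sign/verify: authData || SHA-256(clientDataJSON).
func signedData(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// relyingParty is the server: it issues one-time challenges and verifies
// assertions against the public key registered for the credential.
type relyingParty struct {
	pub        ed25519.PublicKey
	challenges map[string]bool
}

func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	c := fmt.Sprintf("%x", b)
	rp.challenges[c] = true
	return c
}

func (rp *relyingParty) verify(as *assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !rp.challenges[cd.Challenge] {
		return errors.New("rp: wrong ceremony type, or unknown/already-used challenge")
	}
	if cd.Origin != expectedOrigin { // the phishing-resistance check
		return errOrigin
	}
	if h := sha256.Sum256([]byte(rpID)); len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(h[:]) {
		return errors.New("rp: rpIdHash does not match our RP ID")
	}
	if !ed25519.Verify(rp.pub, signedData(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("rp: signature verification failed")
	}
	delete(rp.challenges, cd.Challenge) // consume it: a captured assertion cannot be replayed
	return nil
}

// login runs one ceremony for a browser on pageOrigin whose derived RP ID is
// derivedRPID: fetch a challenge, have the authenticator sign it, verify.
func login(derivedRPID, pageOrigin string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	auth := &authenticator{key: priv, scopeRP: rpID}
	rp := &relyingParty{pub: pub, challenges: map[string]bool{}}
	as, err := auth.getAssertion(derivedRPID, pageOrigin, rp.newChallenge())
	if err != nil {
		return err
	}
	return rp.verify(as)
}

func main() {
	// 1: legitimate. 2: phished, browser derives RP ID from the look-alike host. 3: right RP ID, wrong origin.
	for _, c := range [][2]string{{rpID, expectedOrigin}, {"login-example.com", "https://login-example.com"}, {rpID, "https://login-example.com"}} {
		fmt.Printf("rpID=%s origin=%s -> %v\n", c[0], c[1], login(c[0], c[1]))
	}
}
```

The three cases in main return, in order, nil, errNoCredential (the browser derives the RP ID from the host it is on, so the key never signs for the look-alike) and errOrigin (even a client that signed for the right RP ID from the wrong origin fails, because the origin is inside the signed data). Consuming the challenge on success also means a captured assertion cannot be replayed.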

Privileged Access

Protecting the keys to the kingdom

JIT Access
Just-in-time: No standing privileges. Request, approve, time-limited. Expires automatically.
Vaulting
Credential vault: CyberArk, HashiCorp Vault. Auto-rotated. Human never knows the password.
Recording
Session recording: Every privileged session recorded. Deters misuse, enables investigation.
Break-glass
Emergency access: for when the normal PAM path is unavailable. Documented, audited, alerted on every use, and used rarely.
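
Worked example (added, not from the course): a minimal JIT broker in Go showing how the PAM pieces above fit together in code. A request creates nothing but a pending record; approval enforces a two-person rule and a TTL cap; the role exists only while the grant is unexpired, so no revoke job is needed; and every request, denial and approval lands in an audit trail. The names (alice, carol, dave), the role prod-db-admin and the 4-hour cap are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Grant is one time-boxed elevation. There are no standing admin roles:
// privilege exists only as an approved, unexpired Grant.
type Grant struct {
	ID        int
	Requester string
	Role      string
	Reason    string
	Approver  string    // empty until approved
	ExpiresAt time.Time // zero until approved
}

// AuditEvent is the accounting record; every request, denial and approval gets one.
type AuditEvent struct {
	At      time.Time
	Actor   string
	Action  string
	GrantID int
}

// PAM is an in-memory stand-in for a privileged-access broker (constructed for the example).
type PAM struct {
	approvers map[string]bool
	maxTTL    time.Duration
	grants    []*Grant
	Audit     []AuditEvent
}

var (
	ErrNotApprover  = errors.New("approver is not in the approver group")
	ErrSelfApproval = errors.New("requester may not approve their own request")
	ErrTTLTooLong   = errors.New("requested duration exceeds the maximum TTL")
	ErrUnknownGrant = errors.New("no such grant")
)

func NewPAM(approvers []string, maxTTL time.Duration) *PAM {
	p := &PAM{approvers: map[string]bool{}, maxTTL: maxTTL}
	for _, a := range approvers {
		p.approvers[a] = true
	}
	return p
}

func (p *PAM) log(now time.Time, actor, action string, id int) {
	p.Audit = append(p.Audit, AuditEvent{now, actor, action, id})
}

// Request opens a pending grant. Nothing is elevated yet.
func (p *PAM) Request(now time.Time, requester, role, reason string) int {
	g := &Grant{ID: len(p.grants) + 1, Requester: requester, Role: role, Reason: reason}
	p.grants = append(p.grants, g)
	p.log(now, requester, "request "+role+": "+reason, g.ID)
	return g.ID
}

// Approve activates a grant for ttl, enforcing the two-person rule and the TTL cap.
func (p *PAM) Approve(now time.Time, approver string, id int, ttl time.Duration) error {
	if id < 1 || id > len(p.grants) {
		return ErrUnknownGrant
	}
	g := p.grants[id-1]
	var err error
	switch {
	case approver == g.Requester: // checked first: an approver still cannot approve themselves
		err = ErrSelfApproval
	case !p.approvers[approver]:
		err = ErrNotApprover
	case ttl > p.maxTTL:
		err = ErrTTLTooLong
	}
	if err != nil {
		p.log(now, approver, "approve denied: "+err.Error(), id)
		return err
	}
	g.Approver, g.ExpiresAt = approver, now.Add(ttl)
	p.log(now, approver, "approve "+g.Role+" until "+g.ExpiresAt.Format(time.RFC3339), id)
	return nil
}

// HasRole is the check a privileged system makes at use time: the role exists
// only while an approved grant is unexpired, so expiry needs no revoke step.
func (p *PAM) HasRole(now time.Time, user, role string) bool {
	for _, g := range p.grants {
		if g.Requester == user && g.Role == role && g.Approver != "" && now.Before(g.ExpiresAt) {
			return true
		}
	}
	return false
}

func main() {
	pam := NewPAM([]string{"alice", "carol", "dave"}, 4*time.Hour) // alice is an approver, but not for her own requests
	t0 := time.Date(2024, 5, 14, 9, 0, 0, 0, time.UTC)
	id := pam.Request(t0, "alice", "prod-db-admin", "restore failed backup")
	fmt.Println("self-approve:", pam.Approve(t0, "alice", id, time.Hour))                   // ErrSelfApproval
	fmt.Println("approve:     ", pam.Approve(t0.Add(2*time.Minute), "carol", id, time.Hour)) // <nil>, expires 10:02
	fmt.Println("09:30 admin: ", pam.HasRole(t0.Add(30*time.Minute), "alice", "prod-db-admin")) // true
	fmt.Println("10:30 admin: ", pam.HasRole(t0.Add(90*time.Minute), "alice", "prod-db-admin")) // false
	for _, e := range pam.Audit {
		fmt.Printf("%s %-6s %s (grant %d)\n", e.At.Format("15:04"), e.Actor, e.Action, e.GrantID)
	}
}
```

The HasRole check is the part to carry into real systems: the consumer asks "is there an unexpired, approved grant right now?" rather than "is this user in the admin group?", which is what makes standing privilege disappear.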

Authorization Models

RBAC vs ABAC

RBAC
Role-Based
Permissions → roles → users. Simple, works for stable orgs. Breaks at scale: "role explosion" when you need 500 roles for edge cases.
ABAC
Attribute-Based
User dept + device health + time + data classification → decision. Flexible but complex. Needed for zero trust, where device state and context, not identity alone, drive the decision.

Start RBAC, add ABAC for high-sensitivity resources. Don't boil the ocean.
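
Worked example (added, not from the course): the "start RBAC, add ABAC for high-sensitivity resources" pattern as a Go policy decision point. RBAC answers the cheap question first (does any role carry the action?); only for confidential data are device health, department ownership and time of day consulted. Roles, departments, resources and the business-hours window are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Subject, Device and Resource carry the attributes the policy reasons about.
// Every name, department and resource below is constructed for the example.
type Subject struct {
	Name  string
	Dept  string
	Roles []string
}

type Device struct{ Compliant bool } // managed, patched, disk encrypted

type Resource struct {
	Name           string
	OwnerDept      string
	Classification string // "public", "internal" or "confidential"
}

type Request struct {
	Subject  Subject
	Device   Device
	Resource Resource
	Action   string
	At       time.Time
}

// rolePermissions is the RBAC layer: permissions -> roles -> users.
var rolePermissions = map[string][]string{
	"analyst": {"report:read"},
	"finance": {"report:read", "ledger:read"},
	"admin":   {"report:read", "ledger:read", "ledger:write"},
}

// rbacAllows answers the coarse question: does any of the subject's roles carry the action?
func rbacAllows(s Subject, action string) bool {
	for _, r := range s.Roles {
		for _, p := range rolePermissions[r] {
			if p == action {
				return true
			}
		}
	}
	return false
}

// abacRule is one attribute condition; Name doubles as the deny reason.
type abacRule struct {
	Name string
	Test func(Request) bool
}

// confidentialRules apply only to confidential data: RBAC stays simple for
// everything else, and attributes are added where the sensitivity warrants it.
var confidentialRules = []abacRule{
	{"device must be compliant", func(r Request) bool { return r.Device.Compliant }},
	{"subject must belong to the owning department", func(r Request) bool { return r.Subject.Dept == r.Resource.OwnerDept }},
	{"access only during business hours (08:00-18:00 UTC)", func(r Request) bool {
		h := r.At.UTC().Hour()
		return h >= 8 && h < 18
	}},
}

// Decide layers the two models: RBAC first (cheap, stable), then ABAC for
// high-sensitivity resources. It returns the decision and the reason to log.
func Decide(r Request) (bool, string) {
	if !rbacAllows(r.Subject, r.Action) {
		return false, "rbac: no role grants " + r.Action
	}
	if r.Resource.Classification != "confidential" {
		return true, "rbac: role grants " + r.Action
	}
	for _, rule := range confidentialRules {
		if !rule.Test(r) {
			return false, "abac: " + rule.Name
		}
	}
	return true, "rbac+abac: all conditions satisfied"
}

func main() {
	alice := Subject{Name: "alice", Dept: "finance", Roles: []string{"finance"}}
	ledger := Resource{Name: "q3-ledger", OwnerDept: "finance", Classification: "confidential"}
	noon := time.Date(2024, 5, 14, 12, 0, 0, 0, time.UTC)
	for _, req := range []Request{
		{alice, Device{true}, ledger, "ledger:read", noon},                      // allow
		{alice, Device{false}, ledger, "ledger:read", noon},                     // RBAC yes, ABAC no: unmanaged device
		{alice, Device{true}, ledger, "ledger:read", noon.Add(14 * time.Hour)}, // 02:00 UTC: outside business hours
		{alice, Device{true}, ledger, "ledger:write", noon},                     // no role grants write
	} {
		ok, why := Decide(req)
		fmt.Printf("%-5v %s %s %s: %s\n", ok, req.Subject.Name, req.Action, req.Resource.Name, why)
	}
}
```

Note what the second case shows: the same role that is sufficient on a compliant laptop is not sufficient from an unmanaged device. Expressing that in pure RBAC would need a separate "finance-on-managed-device-in-hours" role for every such combination, which is the role explosion the slide warns about.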

The Identity Stack

Modern IAM architecture

IdP
Identity Provider: Entra ID, Okta, Google Workspace. Single source of truth.
SSO
Single Sign-On: SAML/OIDC federation. Authenticate once, access all apps.
MFA
Everywhere: Every app, every user. FIDO2 for privileged, TOTP minimum for standard.
PAM
Privileged Access: JIT, vaulting, recording for admin accounts.
IGA
Governance: Access reviews, certification campaigns, separation of duties.
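
Worked example (added, not from the course): the access review IGA runs and the joiner-mover-leaver checks it depends on, as one reconciliation in Go. HR is treated as the source of truth for who works here and in which department; the IdP export is compared against it to surface leavers still enabled, movers who kept old group memberships, joiners with no account, and accounts with no HR owner. The HR feed, IdP accounts and the department-to-group birthright mapping are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Employee is the HR system's view (source of truth for who works here).
type Employee struct {
	ID     string
	Dept   string
	Active bool // false once HR has processed the termination
}

// Account is the IdP's view: an identity and the groups that carry its access.
type Account struct {
	Employee string // HR ID the account maps to; "" for accounts HR knows nothing about
	Enabled  bool
	Groups   []string
}

// deptGroups is the birthright mapping a mover should end up with, and nothing more.
var deptGroups = map[string][]string{
	"finance":     {"all-staff", "finance-ro"},
	"engineering": {"all-staff", "eng-repos"},
	"hr":          {"all-staff", "hris-admins"},
}

// Finding is one lifecycle defect the review should act on.
type Finding struct {
	Kind    string // "leaver", "mover", "joiner" or "orphan"
	Account string
	Detail  string
}

// Reconcile compares HR against the IdP and returns the access that should
// not exist (or should, but does not). Output is sorted for stable review.
func Reconcile(hr []Employee, idp map[string]Account) []Finding {
	byID := map[string]Employee{}
	for _, e := range hr {
		byID[e.ID] = e
	}
	seen := map[string]bool{}
	var out []Finding
	for name, acct := range idp {
		emp, known := byID[acct.Employee]
		switch {
		case !known:
			out = append(out, Finding{"orphan", name, "no HR record: service account or stale identity"})
		case !emp.Active && acct.Enabled:
			out = append(out, Finding{"leaver", name, "HR terminated but account still enabled"})
		case emp.Active:
			seen[emp.ID] = true
			for _, extra := range difference(acct.Groups, deptGroups[emp.Dept]) {
				out = append(out, Finding{"mover", name, "holds " + extra + ", not a birthright of " + emp.Dept})
			}
		}
	}
	for _, e := range hr {
		if e.Active && !seen[e.ID] {
			out = append(out, Finding{"joiner", e.ID, "active in HR but no IdP account"})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Kind+out[i].Account < out[j].Kind+out[j].Account
	})
	return out
}

// difference returns the members of have that are not in want.
func difference(have, want []string) []string {
	ok := map[string]bool{}
	for _, w := range want {
		ok[w] = true
	}
	var d []string
	for _, h := range have {
		if !ok[h] {
			d = append(d, h)
		}
	}
	return d
}

func main() {
	// Constructed sample data: a small HR feed and the matching IdP export.
	hr := []Employee{
		{"e100", "finance", true},
		{"e101", "engineering", true}, // moved from finance last month
		{"e102", "hr", false},         // left last week
		{"e103", "finance", true},     // started today
	}
	idp := map[string]Account{
		"alice":      {"e100", true, []string{"all-staff", "finance-ro"}},
		"bob":        {"e101", true, []string{"all-staff", "eng-repos", "finance-ro"}}, // kept old access
		"carol":      {"e102", true, []string{"all-staff", "hris-admins"}},             // never disabled
		"svc-backup": {"", true, []string{"backup-operators"}},
	}
	for _, f := range Reconcile(hr, idp) {
		fmt.Printf("%-6s %-10s %s\n", f.Kind, f.Account, f.Detail)
	}
}
```

In a real deployment the same comparison runs on every HR event rather than at review time; the review then exists to catch what the automation missed, which is the split between lifecycle automation and IGA.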

Key Takeaway

Identity is the control plane

Remember this

MFA blocks more than 99.9% of automated account-compromise attacks (Microsoft's figure). Deploy it everywhere.

FIDO2/WebAuthn (like other origin-bound, key-based methods such as smart-card certificates) is phishing-resistant. Codes and push approvals, whether SMS, TOTP or app notifications, are phishable to some degree.

Privileged accounts need JIT + vaulting + recording. Standing admin = breach waiting to happen.

The joiner-mover-leaver lifecycle is where access control fails. Automate it.
