Module 13: IAM & Enterprise Security Management

Glossary of Terms

Identity & Access Management (IAM)
A framework of policies and technologies to ensure the right individuals have the right access to the right resources at the right times for the right reasons.

Identity Verification (Identity Proofing)
The process of verifying a user's claimed identity before an account or credential is issued, to establish trust. Methods include document verification, biometrics, and knowledge-based authentication (KBA).

Federation
A system of trust between two parties (organizations or security domains) to authenticate users and authorize their access to resources, enabling concepts like Single Sign-On (SSO).

Single Sign-On (SSO)
An authentication scheme that allows a user to log in with a single set of credentials to multiple independent software systems.

Security Assertion Markup Language (SAML)
An XML-based open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). It is a key protocol for enabling web-based SSO in the enterprise.

OAuth
An open standard for access delegation (authorization, not authentication), commonly used to grant websites or applications scoped access to a user's information on other websites without giving them the user's password. OpenID Connect adds an authentication layer on top of OAuth 2.0.

Lightweight Directory Access Protocol (LDAP)
A vendor-neutral application protocol for accessing and maintaining distributed directory information services over an IP network. Active Directory is a common example of a directory service that speaks LDAP. A simple bind sends the password in clear text, so LDAP should be run over TLS (LDAPS or StartTLS).

Privileged Access Management (PAM)
Solutions that secure, control, and monitor privileged access to an organization's critical assets. Features include password vaulting, session recording, and just-in-time permissions.

Access Control
The selective restriction of access to a place or other resource. Models include MAC, DAC, RBAC, and ABAC.

Principle of Least Privilege
A security concept requiring that a user, process, or service be given only the minimum levels of access, or permissions, needed to perform its job functions.

Data Loss Prevention (DLP)
A set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.

Endpoint Detection and Response (EDR) / Extended Detection and Response (XDR)
Advanced security solutions that provide continuous monitoring and response to advanced threats on endpoints (EDR) and across multiple security layers like network, email, identity, and cloud (XDR).

Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
Network security tools that monitor network or system activities for malicious activity. An IDS only detects and alerts, while an IPS sits inline and can actively block or prevent the detected intrusions.

File Integrity Monitoring (FIM)
A security process that tests and checks operating system, database, and application software files (typically by comparing cryptographic hashes against a known-good baseline) to determine whether or not they have been tampered with or corrupted.

User and Entity Behavior Analytics (UEBA)
A cybersecurity process that analyzes user and device activity data to build a baseline of normal behavior and detect anomalies and potential threats, such as insider threats or compromised accounts.

Identity & Access Management (IAM)

The Core Components of IAM

IAM is built on three fundamental pillars that govern who can access what within a system.

  • Identification: The process of a user claiming an identity. This is typically the username or email address.
  • Authentication: The process of verifying that claimed identity. This is done through authentication factors like passwords (something you know), security keys (something you have), or biometrics (something you are).
  • Authorization: The process of granting the now-authenticated user specific permissions to access resources. This is where access control models and the principle of least privilege come into play.

Federation & Single Sign-On (SSO)

Federation establishes a trust relationship between different organizations or security domains: a user authenticated by one party's identity provider (IdP) can access resources hosted by another party, which never handles the user's password. This is the foundation for Single Sign-On (SSO).

  • Protocols: SAML 2.0 (XML assertions, dominant for enterprise web SSO), OAuth 2.0 (delegated authorization for APIs; on its own it does not authenticate the user), and OpenID Connect (an authentication layer on top of OAuth 2.0 that issues a signed ID token; common in consumer applications and APIs).
  • SSO Pros: Greatly improves user experience, reduces password fatigue, and centralizes access control, logging, and MFA enforcement.
  • SSO Cons: Concentrates risk in the identity provider. If the IdP is unavailable, users lose access to every connected application; if the IdP, or a user's IdP session, is compromised, the attacker inherits access to all of them. The IdP therefore needs strong MFA, tightly controlled administration, and the ability to revoke sessions across all connected applications.
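The service-provider side of an OpenID Connect login, as an added example that is not part of the original module: the IdP issues a signed ID token and the SP checks the signature and every claim before trusting the identity. The checks on issuer, audience, expiry and nonce are what make the federation trust safe; skipping the audience check, for instance, lets a token issued for one application be replayed against another. Assumptions: the token is signed with HS256 and a shared secret so the demo runs on the standard library alone (real IdPs sign with RS256/ES256 and publish the public key in a JWKS document), and the issuer URL, client id and key are made up.

```python
"""Added example (not from the original module): IdP issues an ID token,
SP verifies it.  HS256 with a shared key is an assumption for a runnable demo;
production OIDC uses asymmetric signatures and JWKS.  All identifiers are made up."""
import base64
import hashlib
import hmac
import json
import time

IDP_ISSUER = "https://idp.example.test"     # assumed issuer URL
SP_CLIENT_ID = "payroll-app"                # assumed client_id of this SP
SHARED_KEY = b"demo-only-shared-secret"     # assumed; never hard-code a real key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject, audience, nonce, key=SHARED_KEY, now=None, ttl=300):
    """IdP side: build header.payload.signature (JWS compact serialization)."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = (_b64url(json.dumps(header).encode()) + "." +
                     _b64url(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token, expected_nonce, key=SHARED_KEY, now=None):
    """SP side: accept only a correctly signed token from our IdP, addressed to
    us, not expired, and bound to this login attempt.  Raises ValueError naming
    the failing check; returns the claims on success."""
    now = now if now is not None else time.time()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not get to choose it (alg=none attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if SP_CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


if __name__ == "__main__":
    tok = issue_id_token("alice", SP_CLIENT_ID, nonce="n-123")
    print("verified subject:", verify_id_token(tok, expected_nonce="n-123")["sub"])
```

The nonce is generated by the SP when it redirects the user to the IdP and stored in the user's session; checking it on return ties the token to that browser session so a captured token cannot be replayed into a different login.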

Access Control Models

Different models are used to enforce authorization rules based on security needs.

  • Discretionary Access Control (DAC): The owner of a resource can decide who gets to access it. Common in standard file systems (e.g., Windows, Linux).
  • Mandatory Access Control (MAC): Access is decided by a central authority based on security labels (e.g., Confidential, Secret). Used in high-security environments like military systems. SELinux is an example.
  • Role-Based Access Control (RBAC): Permissions are assigned to roles, and users are assigned to roles. This simplifies administration in large organizations.
  • Attribute-Based Access Control (ABAC): The most dynamic model. Access decisions can be based on a combination of user attributes (role, location), resource attributes (data classification), and environmental attributes (time of day).
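The four models applied to one request, as an added example that is not part of the original module. The same read of a Confidential finance report by three users is decided under DAC, MAC, RBAC and ABAC so the differences are visible: the auditor's role grants her the read under RBAC, but her Internal clearance denies it under MAC and ABAC; the analyst holds an ACL entry, a sufficient clearance and the right role, yet ABAC denies him because he is off the corporate network. The users, resources, roles, labels and rules are constructed sample data chosen for illustration.

```python
"""Added example (not from the original module): one access request evaluated
under DAC, MAC, RBAC and ABAC.  All data and policy rules are constructed."""
from dataclasses import dataclass, field
from datetime import time

# Ordered sensitivity labels used by the MAC and ABAC rules (assumed lattice).
LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2, "Secret": 3}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset      # RBAC
    clearance: str        # MAC label
    department: str       # ABAC subject attribute
    network: str          # ABAC attribute: "corp" or "internet"


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str            # DAC: the owner administers the ACL
    classification: str   # MAC label
    department: str       # ABAC object attribute
    acl: dict = field(default_factory=dict)   # DAC: user -> set of actions


def dac_allows(user, resource, action):
    """DAC: the owner decides.  Owner has full control; everyone else gets
    exactly what the owner wrote into the ACL."""
    if user.name == resource.owner:
        return True
    return action in resource.acl.get(user.name, set())


def mac_allows(user, resource, action):
    """MAC: a central label policy decides, and the owner cannot override it.
    Simple 'no read up' rule: clearance must dominate the classification."""
    return LEVELS[user.clearance] >= LEVELS[resource.classification]


# RBAC: permissions attach to roles, users are assigned roles (assumed roles).
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "finance-editor": {"read", "write"},
    "auditor": {"read"},
}


def rbac_allows(user, resource, action):
    """RBAC: allowed if any of the user's roles carries the action; unknown
    roles contribute nothing (deny by default)."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)


def abac_allows(user, resource, action, env):
    """ABAC: each rule is a predicate over subject, object and environment
    attributes; all must hold (deny by default)."""
    rules = [
        LEVELS[user.clearance] >= LEVELS[resource.classification],
        action != "write" or user.department == resource.department,
        LEVELS[resource.classification] < LEVELS["Confidential"] or user.network == "corp",
        action != "write" or time(8, 0) <= env["now"] < time(18, 0),
    ]
    return all(rules)


def decide(model, user, resource, action, env=None):
    """Dispatch to one model; an unknown model is denied, never allowed."""
    if model == "DAC":
        return dac_allows(user, resource, action)
    if model == "MAC":
        return mac_allows(user, resource, action)
    if model == "RBAC":
        return rbac_allows(user, resource, action)
    if model == "ABAC":
        return abac_allows(user, resource, action, env or {"now": time(0, 0)})
    return False


# Constructed sample data.
REPORT = Resource("q3-forecast.xlsx", owner="alice", classification="Confidential",
                  department="finance", acl={"bob": {"read"}})
ALICE = User("alice", frozenset({"finance-editor"}), "Secret", "finance", "corp")
BOB = User("bob", frozenset({"analyst"}), "Confidential", "marketing", "internet")
CAROL = User("carol", frozenset({"auditor"}), "Internal", "audit", "corp")


def demo():
    """{model: {user: allowed}} for a read of REPORT by each user at 10:30."""
    env = {"now": time(10, 30)}
    users = {u.name: u for u in (ALICE, BOB, CAROL)}
    return {m: {n: decide(m, u, REPORT, "read", env) for n, u in users.items()}
            for m in ("DAC", "MAC", "RBAC", "ABAC")}


if __name__ == "__main__":
    for model, outcome in demo().items():
        print(model, outcome)
```

Note that every function returns False unless a rule says otherwise; least privilege in code means the default branch is a denial, not an allowance.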

Enterprise Security Controls

Operating System Security (Hardening)

Securing the underlying operating system is a fundamental step in protecting an enterprise.

  • Windows Group Policy (GPO): A feature of Windows Active Directory that lets administrators centrally define Group Policy Objects and apply them to users and computers by site, domain, or organizational unit. GPOs are used to enforce password and lockout policies, restrict software installation, configure Windows Defender Firewall rules, and disable legacy protocols; because they run with SYSTEM privileges on every machine they apply to, write access to GPOs is itself a privileged right that must be tightly controlled.
  • SELinux (Security-Enhanced Linux): A Linux kernel security module that adds mandatory access control (MAC) on top of the normal file-permission (DAC) check: a process may touch a file, port, or other object only if the loaded policy explicitly allows it, so anything not allowed is denied and logged. Two caveats: in permissive mode violations are only logged, not blocked, and under the common targeted policy only selected services run in confined domains while other processes run unconfined.

Email & Web Security

Email and web browsing are among the most common initial-access vectors for cyberattacks. Strong filtering and sender authentication are essential.

  • Email Authentication (SPF, DKIM, DMARC): These three DNS-published mechanisms work together to prevent email spoofing and phishing. SPF lets a domain list the servers allowed to send mail for its envelope sender (MAIL FROM) domain; DKIM adds a signature over selected headers and the body, keyed by a public key published under the signing domain, so receivers can verify the message was not altered and that the signing domain vouches for it; DMARC ties both to the From: address the user actually sees by requiring the SPF or DKIM domain to align with it, and tells receiving servers what to do on failure (none, quarantine, or reject) and where to send reports. Without DMARC, an attacker can pass SPF and DKIM for a domain they own while displaying your domain in From:.
  • Web Filtering: Controls and monitors employee web browsing to block access to malicious or inappropriate websites, often using URL scanning, content categorization, and reputation-based filtering.
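DMARC evaluation as a receiving mail server performs it, added here as an example that is not part of the original module. Three constructed messages are run against two constructed DMARC records: a legitimate message, a spoof in which SPF and DKIM both pass for the attacker's own domain, and a message signed by a subdomain that passes under relaxed alignment but fails when the domain owner publishes strict alignment. The organizational-domain logic is a simplification (an assumption) that takes the last two labels instead of consulting the Public Suffix List.

```python
"""Added example (not from the original module): turning SPF and DKIM results
into a DMARC verdict.  Messages and records are constructed; org_domain is a
simplification of the real Public Suffix List lookup."""


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (real code uses the PSL).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match.  Relaxed (anything else): same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(msg: dict, dmarc_record: str) -> dict:
    """msg carries what the receiver already computed: spf_result plus the
    MAIL FROM domain, dkim_result plus the d= domain of the signature, and
    from_domain, the RFC 5322 From: header domain the user sees."""
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1":
        return {"result": "none", "disposition": "none", "reason": "no valid record"}
    spf_ok = (msg["spf_result"] == "pass"
              and aligned(msg["spf_domain"], msg["from_domain"], tags.get("aspf", "r")))
    dkim_ok = (msg["dkim_result"] == "pass"
               and aligned(msg["dkim_domain"], msg["from_domain"], tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none",
                "reason": "aligned " + ("spf" if spf_ok else "dkim")}
    # Neither identifier aligned with From: apply the domain owner's policy.
    return {"result": "fail", "disposition": tags.get("p", "none"),
            "reason": "no aligned identifier"}


# Constructed sample messages.
LEGIT = {"from_domain": "example.com", "spf_result": "pass",
         "spf_domain": "bounce.example.com", "dkim_result": "pass",
         "dkim_domain": "example.com"}
# Attacker owns attacker.net, so SPF and DKIM both PASS for that domain, while
# the visible From: says example.com.  Only DMARC alignment catches this.
SPOOF = {"from_domain": "example.com", "spf_result": "pass",
         "spf_domain": "attacker.net", "dkim_result": "pass",
         "dkim_domain": "attacker.net"}
# Legitimate subdomain signer; SPF failed (e.g. forwarded mail).
SUBDOMAIN = {"from_domain": "example.com", "spf_result": "fail",
             "spf_domain": "bounce.example.com", "dkim_result": "pass",
             "dkim_domain": "mail.example.com"}

RELAXED_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
STRICT_QUARANTINE = "v=DMARC1; p=quarantine; adkim=s; aspf=s"


if __name__ == "__main__":
    for name, m in (("legit", LEGIT), ("spoof", SPOOF), ("subdomain", SUBDOMAIN)):
        print(name, evaluate_dmarc(m, RELAXED_REJECT))
    print("subdomain under strict policy", evaluate_dmarc(SUBDOMAIN, STRICT_QUARANTINE))
```

The SUBDOMAIN case is the usual reason DMARC rollouts start at p=none with reports enabled: forwarding breaks SPF, and any signer or bulk-mail vendor that is not aligned shows up in the aggregate reports before the policy is tightened to quarantine or reject.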

Data and Endpoint Protection

Protecting sensitive data and the devices (endpoints) that access it is critical.

  • Data Loss Prevention (DLP): Tools that discover, classify, monitor, and protect sensitive data at rest, in use, and in transit. For example, a DLP policy might block an email from being sent if it contains credit card numbers.
  • Endpoint Detection and Response (EDR/XDR): EDR focuses on detecting and investigating threats on individual endpoints (laptops, servers). XDR extends this visibility by correlating data from endpoints, networks, email, and cloud environments to provide a more complete picture of an attack.
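The credit-card DLP rule mentioned above, worked through as an added example that is not part of the original module. A regex alone flags any 13 to 19 digit run, which includes order numbers and long reference IDs, so each candidate is validated with the Luhn check digit before the message is blocked; the matched number is masked to its last four digits in the incident record so the DLP system does not itself become a store of card data. The sample email is constructed.

```python
"""Added example (not from the original module): a DLP content rule that blocks
an outbound email carrying a payment card number.  The email is constructed."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to
# other digits or dashes (so phone numbers and dates are not swept in).
CANDIDATE_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return (matched_text, digits) pairs that look like a card number AND
    pass Luhn; everything else is treated as an ordinary number."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append((m.group(), digits))
    return findings


def mask(digits: str) -> str:
    """Keep only the last four digits, the form alerts and logs may carry."""
    return "*" * (len(digits) - 4) + digits[-4:]


def enforce_outbound(message: dict) -> dict:
    """Policy: block if any PAN is present, otherwise allow unchanged.
    The returned message is the redacted view safe for the incident record."""
    findings = find_pans(message["body"])
    if not findings:
        return {"action": "allow", "message": message, "findings": []}
    redacted = message["body"]
    for raw, digits in findings:
        redacted = redacted.replace(raw, mask(digits))
    return {"action": "block",
            "message": {**message, "body": redacted},
            "findings": [mask(d) for _, d in findings]}


# Constructed sample email: one order number (fails Luhn) and one real-looking
# card number (the 4111... Visa test number, which passes Luhn).
SAMPLE = {
    "from": "alice@example.com",
    "to": "vendor@partner.test",
    "body": ("Hi, order 1234567890123 ships Monday. "
             "Card 4111 1111 1111 1111 expires 12/27, call 555-0100 with questions."),
}


if __name__ == "__main__":
    verdict = enforce_outbound(SAMPLE)
    print(verdict["action"], verdict["findings"])
    print(verdict["message"]["body"])
```

Real DLP engines add context scoring (nearby words such as "card" or "CVV"), issuer prefix ranges, and exact-data matching against a hashed list of live account numbers; the Luhn filter is the cheapest step that removes most false positives.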

Fill in the Blank Questions

True/False Questions

Multiple Choice Questions