A comprehensive study guide covering IAM concepts (5 unique subject types, 3 account risk types), updated NIST SP 800-63B password policies, SSO and MFA (5 authentication factors), passwordless authentication and biometric impersonation, certificate management, federation (IdP/SP/provisioning), access control models (DAC/MAC/RBAC/ABAC), IAM auditing and log reviews, conduct and use policies (code of conduct/AUP/privileged user agreement), and permissions auditing.
Identity and Access Management (IAM) is the security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to interact with organisational assets (networks, operating systems, applications). When you log in to a computer, you're participating in the IAM process: presenting credentials (identification), being verified (authentication), and being granted access (authorisation).
NIST Special Publication 800-63B (Digital Identity Guidelines) has deprecated several traditional password policy elements. If you learned from an older Security+ curriculum, some of these will contradict what you previously memorised. These changes will appear on the CySA+ exam.
Single Sign-On (SSO) enables a user to authenticate once and receive authorisation for multiple services. Windows domain login using Kerberos is SSO in action. One strong credential opens everything.
Passwordless authentication removes the knowledge factor (password) entirely. Instead, it relies on ownership factors (what you have) or inherence factors (what you are). Typically backed by public key cryptography with the private key stored on the user's device.
Certificate management is the practice of issuing, updating, and revoking digital certificates. Certificates provide the primary means of assuring the identity of machines and application code — they underpin HTTPS, email signing, code signing, and 802.1X network authentication.
A federation provides shared login capability across multiple systems and enterprises. It allows a company to trust accounts created and managed by a different organisation. When you "Sign in with Google" on a third-party website, you're using federation.
Two key principles underpin all access control: Least Privilege (do everything with the minimum rights needed) and Separation of Duties (no single person can perform a complete sensitive transaction alone — requires dual authorisation). These principles are implemented through four access control models.
IAM auditing detects compromised legitimate accounts, rogue account use, and insider threats. The primary method is log monitoring and review. Audit logs record all file access and authentication events — but they're only useful if someone actually reads them.
Security policies direct employee behaviour. Three specific policies govern how employees interact with systems, data, and their own access privileges. Each targets a different audience.