Why IAM Matters in Cloud
IAM is the new perimeter in cloud security.
Most cloud breaches happen due to misconfigured IAM (too much access or weak authentication).
How IAM Differs in Cloud
| Point | Meaning |
|---|---|
| Spans multiple organizations | Users access many cloud services; trust must extend across orgs. |
| Different IAM models per CSP | AWS IAM ≠ Azure AD ≠ GCP IAM. Adds complexity. |
| Unified cloud consoles exposed to internet | Makes misconfiguration dangerous. |
Result: Identity Federation becomes necessary and privileged access must be tightly controlled.
Key IAM Terms
| Term | Meaning |
|---|---|
| Identity | Who the entity is (attributes). |
| Authentication | Proving the identity (password, OTP, biometric). |
| Authorization | What the identity is allowed to do. |
| Entitlements | Mapping identities to permissions. |
| Role | A set of permissions based on job or function. |
| Entity | User, service, device, app accessing the system. |
| Persona | Categorizing user types to assign roles. |
Access Control Models
| Model | Idea | Good for |
|---|---|---|
| RBAC (Role-Based) | Access based on job roles | Standard enterprise use |
| ABAC (Attribute-Based) | Access depends on attributes (user + device + resource + context) | Dynamic, zero-trust |
| PBAC (Policy-Based) | Access decision defined in machine-readable policies | Large-scale cloud environments |
Exam Trick: PBAC enforces RBAC and ABAC via policies.
Identity Federation & SSO
Allows users to log in once and access multiple services.
| Term | Meaning |
|---|---|
| IdP (Identity Provider) | Authenticates the user (e.g., Azure AD, Okta). |
| Relying Party / Service Provider | Accepts user identity from IdP (e.g., Salesforce). |
| Assertion | The identity information IdP sends to the RP. |
Common Federation Protocols
| Protocol | Use | Notes |
|---|---|---|
| SAML | Enterprise SSO | XML, mainly browser-based web apps |
| OAuth 2.0 | Authorization for APIs | Does not authenticate identity |
| OIDC | Authentication on top of OAuth | Common for modern cloud/mobile apps |
Exam Tip:
- OAuth = Authorization
- OIDC = Authentication
- SAML = Enterprise Web SSO
Identity Architecture Approaches
| Model | Description | Pros | Cons |
|---|---|---|---|
| Hub-and-Spoke | Central broker connects to all services | Strong governance | Needs central IdP setup |
| Free-form | Direct connection from internal directory to cloud | Simple initially | Hard to scale, weak governance |
Authentication (MFA is Mandatory in Cloud)
Types of MFA:
| Type | Strength | Notes |
|---|---|---|
| Hard Token | Strongest | Hardware security key (e.g., YubiKey) |
| Soft Token (TOTP Apps) | Strong | Google Authenticator, Authy |
| SMS OTP | Weak | Vulnerable to SIM swap |
| Biometrics | Medium | Depends on device security |
Passwordless: FIDO / Passkeys → resistant to phishing
BUT: Not recommended for cloud admin accounts.
Authorization & Entitlements in Cloud
- Use least privilege
- Grant just-in-time (JIT) access for admins
- Review roles and privileges regularly
- Use resource tagging to enable ABAC
Privileged Identity & Access Management (PIM & PAM)
| Term | Purpose |
|---|---|
| PIM | Manages who is a privileged user |
| PAM | Controls how they access systems |
Key Features:
- MFA required
- Session recording
- Credential vaulting
- Temporary admin privileges (no permanent admin accounts)
Golden Exam Takeaways
- Identity is the new security boundary in cloud.
- SSO + Federation reduce credential sprawl.
- Always use MFA for cloud access.
- Prefer PBAC + ABAC for cloud scalability.
- Use PIM/PAM to control high-privilege accounts.
- Avoid overly broad IAM policies (e.g., “*:*”).
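To make the last three takeaways concrete (tag-based ABAC, PBAC as the enforcement mechanism, and why a "*:*" policy is dangerous), here is an added example that is not part of the original notes: a small Python policy evaluator that checks an access request against two constructed policies, one over-broad and one least-privilege with a tag-matching condition. The evaluator is a simplified model of policy-based access control (default deny, explicit deny wins, `${...}` variables resolved from the request context); it is not AWS's real evaluation engine, and the bucket name, tag key and policy documents are invented for illustration.

```python
"""Simplified PBAC evaluator: an over-broad policy beside a least-privilege
ABAC policy. Added example, not the page's own material; the evaluation
logic is a simplified model, not any cloud provider's real engine."""
from fnmatch import fnmatchcase

# Constructed: the "*:*" anti-pattern. Every action on every resource is allowed.
BROAD_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ]
}

# Constructed least-privilege policy for one hypothetical bucket:
#  - read-only access to the bucket and its objects (RBAC-style static grant)
#  - writes only when the caller's "team" tag equals the object's "team" tag (ABAC)
SCOPED_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::billing-reports",
                         "arn:aws:s3:::billing-reports/*"],
        },
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::billing-reports/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/team": "${aws:PrincipalTag/team}",
                }
            },
        },
    ]
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _resolve(value, ctx):
    """Resolve a ${key} policy variable from the request context (simplified)."""
    if isinstance(value, str) and value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_holds(condition, ctx):
    """Only StringEquals is modelled; a missing context key never satisfies it."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None or actual != _resolve(expected, ctx):
                return False
    return True


def _statement_matches(stmt, action, resource, ctx):
    """A statement applies when action, resource and condition all match."""
    if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def is_allowed(policy, action, resource, ctx=None):
    """Default deny; an explicit Deny overrides any Allow."""
    ctx = ctx or {}
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def compare_policies():
    """Decisions for the same requests under both policies (for the demo)."""
    obj = "arn:aws:s3:::billing-reports/q3.csv"
    same_team = {"aws:PrincipalTag/team": "finance", "aws:ResourceTag/team": "finance"}
    other_team = {"aws:PrincipalTag/team": "sales", "aws:ResourceTag/team": "finance"}
    requests = {
        "iam:CreateUser on *": ("iam:CreateUser", "*", {}),
        "s3:GetObject on report": ("s3:GetObject", obj, {}),
        "s3:PutObject, same team": ("s3:PutObject", obj, same_team),
        "s3:PutObject, other team": ("s3:PutObject", obj, other_team),
        "s3:DeleteObject on report": ("s3:DeleteObject", obj, same_team),
    }
    return {name: (is_allowed(BROAD_POLICY, *req), is_allowed(SCOPED_POLICY, *req))
            for name, req in requests.items()}


if __name__ == "__main__":
    for name, (broad, scoped) in compare_policies().items():
        print(f"{name:28s} broad={broad!s:5s} scoped={scoped}")
```

Running the block shows the broad policy returning `True` for every request, including an IAM admin action that has nothing to do with the bucket, while the scoped policy allows the read, allows the write only when the principal's and resource's `team` tags agree, and denies everything else by default.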
Flashcards for practice: https://quizlet.com/in/1108708277/ccsk-domain-5-iam-flash-cards/?i=4jehw4&x=1jqt