
Identity & Access Management (IAM) Frameworks

A comprehensive guide to identity and access management frameworks, models, and implementation approaches.


Core IAM Concepts

Identity

A unique representation of a user, device, application, or service within a system.

Authentication

Verifying that an identity is who/what it claims to be.

Authorization

Determining what an authenticated identity is permitted to do.

AAA Framework

  • Authentication: Who are you?
  • Authorization: What can you do?
  • Accounting: What did you do? (audit logging)

IAM Frameworks & Standards

NIST SP 800-63 - Digital Identity Guidelines

Region: United States

Purpose: Federal guidance on digital identity, authentication, and lifecycle management.

Components:

  • SP 800-63A: Enrollment and identity proofing
  • SP 800-63B: Authentication and lifecycle management
  • SP 800-63C: Federation and assertions

Key Concepts:

  • Identity Assurance Levels (IAL): Strength of identity proofing (IAL1-3)
  • Authenticator Assurance Levels (AAL): Authentication strength (AAL1-3)
  • Federation Assurance Levels (FAL): Strength of federated assertion (FAL1-3)

Link: NIST SP 800-63


ISO/IEC 24760 - IT Security and Privacy - A Framework for Identity Management

Region: International

Purpose: International standard defining identity management concepts and principles.

Components:

  • Part 1: Terminology and concepts
  • Part 2: Reference architecture and requirements
  • Part 3: Practice guidance

Link: ISO/IEC 24760


FICAM (Federal Identity, Credential, and Access Management)

Region: United States (Federal)

Purpose: US federal government's IAM architecture framework.

Components:

  • Identity management
  • Credential management
  • Access management
  • Federation
  • Governance

Link: FICAM Architecture


OAuth 2.0 & OpenID Connect (OIDC)

Type: Technical standards for authorization and authentication

OAuth 2.0: Authorization framework for delegated access
OpenID Connect: Authentication layer built on OAuth 2.0

Use Cases:

  • Single Sign-On (SSO)
  • API authorization
  • Third-party application access

Link: OAuth 2.0 | OpenID Connect


SAML 2.0 (Security Assertion Markup Language)

Type: XML-based standard for authentication and authorization

Primary Use: Enterprise SSO and federation

Components:

  • Identity Provider (IdP)
  • Service Provider (SP)
  • SAML assertions

Status: Mature standard, widely adopted in enterprise; increasingly replaced by OIDC for new implementations.

Link: SAML 2.0


Access Control Models

Role-Based Access Control (RBAC)

Description: Access permissions assigned to roles; users assigned to roles.

Structure:

User → Role → Permissions

Example:

  • Role: Finance Manager
  • Permissions: View financial reports, approve invoices, create purchase orders

Advantages:

  • Simple to understand and implement
  • Reduces administrative overhead
  • Aligns with organisational structure

Disadvantages:

  • Role explosion in complex organisations
  • Difficult to handle exceptions
  • Static, doesn't adapt to context

Best For: Organisations with stable, well-defined roles


Attribute-Based Access Control (ABAC)

Description: Access decisions based on attributes of users, resources, actions, and environment.

Structure:

Access = Policy(User Attributes + Resource Attributes + Environment Attributes)

Example Policy:

ALLOW access to financial_data
WHERE user.department = "Finance"
  AND user.clearance >= "Confidential"
  AND resource.classification <= user.clearance
  AND environment.network = "Corporate"
  AND environment.time BETWEEN 09:00 AND 17:00

Attributes Examples:

  • User: Department, job title, clearance level, location
  • Resource: Classification, owner, data type
  • Environment: Time of day, network location, device security posture

Advantages:

  • Highly flexible and granular
  • Handles complex, contextual policies
  • Scales well with fine-grained requirements

Disadvantages:

  • Complex to design and implement
  • Requires robust attribute management
  • Difficult to audit and troubleshoot

Best For: Complex environments requiring dynamic, context-aware access control
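The pseudo-policy above is easy to mis-implement: written as shown, `user.clearance >= "Confidential"` compares strings, which only works by accident of alphabetical order. The following is an added example (not code from the original page) of that policy as a decision function. The clearance lattice, attribute names and request shapes are assumptions; clearance labels are ranked by their position in an explicit ordered list, and every failing condition is reported, which is what makes an ABAC decision auditable.

```python
"""ABAC decision function for the financial_data policy above (added example)."""
from dataclasses import dataclass
from datetime import time

# Assumed ordered lattice, lowest to highest. Comparing the labels as strings
# would rank "Internal" above "Confidential", which is why the list exists.
CLEARANCE_ORDER = ["Public", "Internal", "Confidential", "Secret"]


def rank(label: str) -> int:
    """Position of a clearance/classification label in the lattice.
    Unknown labels raise ValueError: fail closed rather than default-allow."""
    return CLEARANCE_ORDER.index(label)


@dataclass
class AccessRequest:
    user: dict
    resource: dict
    environment: dict


def evaluate_financial_data_policy(req: AccessRequest) -> tuple[str, list[str]]:
    """Return ("ALLOW", []) or ("DENY", [every failed condition]).

    All conditions are evaluated rather than short-circuiting on the first
    failure, so the log entry says exactly why a request was refused.
    """
    u, r, e = req.user, req.resource, req.environment
    failures: list[str] = []
    if r.get("type") != "financial_data":
        failures.append("resource.type != financial_data")
    if u.get("department") != "Finance":
        failures.append("user.department != Finance")
    if rank(u["clearance"]) < rank("Confidential"):
        failures.append("user.clearance < Confidential")
    if rank(r["classification"]) > rank(u["clearance"]):
        failures.append("resource.classification > user.clearance")
    if e.get("network") != "Corporate":
        failures.append("environment.network != Corporate")
    if not time(9, 0) <= e["time"] <= time(17, 0):
        failures.append("environment.time outside 09:00-17:00")
    return ("DENY", failures) if failures else ("ALLOW", [])


# Constructed sample requests (assumed attribute values).
IN_POLICY = AccessRequest(
    user={"department": "Finance", "clearance": "Confidential"},
    resource={"type": "financial_data", "classification": "Confidential"},
    environment={"network": "Corporate", "time": time(10, 30)},
)
OUT_OF_POLICY = AccessRequest(
    user={"department": "Finance", "clearance": "Confidential"},
    resource={"type": "financial_data", "classification": "Secret"},
    environment={"network": "Guest-WiFi", "time": time(18, 5)},
)

if __name__ == "__main__":
    for req in (IN_POLICY, OUT_OF_POLICY):
        decision, why = evaluate_financial_data_policy(req)
        print(decision, why)
```

The second request fails three conditions at once; a real policy decision point should log all three, since "difficult to audit and troubleshoot" is exactly the ABAC weakness listed above.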


Relationship-Based Access Control (ReBAC)

Description: Access decisions based on relationships between entities in a graph.

Example: "User can view documents created by members of their team"

Use Cases: Social networks, collaborative platforms, organisational hierarchies
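The example rule above ("user can view documents created by members of their team") is a walk over a relationship graph rather than a lookup of a role or an attribute. The following is an added example, not code from the original page, of that rule over (object, relation, subject) tuples in the style of Zanzibar-type systems; the tuple format, the team/document model and the nested userset notation ("team:leads#member") are assumptions. Nested usersets are what make group-in-group membership work, and the cycle guard is what stops a mis-configured graph from hanging the check.

```python
"""ReBAC check over relation tuples (added example)."""
from collections import defaultdict


class RelationGraph:
    def __init__(self) -> None:
        self._tuples: dict[tuple[str, str], set[str]] = defaultdict(set)

    def add(self, obj: str, relation: str, subject: str) -> None:
        """Record obj#relation@subject, e.g. doc:q3-budget#creator@user:bob."""
        self._tuples[(obj, relation)].add(subject)

    def subjects(self, obj: str, relation: str) -> set[str]:
        return self._tuples.get((obj, relation), set())

    def objects_with(self, relation: str) -> set[str]:
        return {o for (o, r) in self._tuples if r == relation}

    def members(self, team: str, _seen: frozenset = frozenset()) -> set[str]:
        """Expand team#member, following nested usersets; _seen guards cycles."""
        if team in _seen:
            return set()
        out: set[str] = set()
        for s in self.subjects(team, "member"):
            if s.endswith("#member"):                     # nested userset
                out |= self.members(s[: -len("#member")], _seen | {team})
            else:
                out.add(s)
        return out


def can_view(g: RelationGraph, doc: str, user: str) -> bool:
    """view = creator, or member of a team that contains a creator."""
    creators = g.subjects(doc, "creator")
    if user in creators:
        return True
    for team in g.objects_with("member"):
        team_members = g.members(team)
        if user in team_members and creators & team_members:
            return True
    return False


def build_sample_graph() -> RelationGraph:
    """Constructed sample data: two teams, one nested leads group, two documents."""
    g = RelationGraph()
    g.add("team:finance", "member", "user:bob")
    g.add("team:finance", "member", "user:alice")
    g.add("team:finance", "member", "team:finance-leads#member")   # nested
    g.add("team:finance-leads", "member", "user:dave")
    g.add("team:eng", "member", "user:carol")
    g.add("doc:q3-budget", "creator", "user:bob")
    g.add("doc:ci-pipeline", "creator", "user:carol")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for who in ("user:bob", "user:alice", "user:dave", "user:carol"):
        print(who, "view doc:q3-budget ->", can_view(g, "doc:q3-budget", who))
```

Dave can view the budget although he is never listed on team:finance directly: membership flows through the nested finance-leads userset. Carol, on a different team, cannot.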


Mandatory Access Control (MAC)

Description: System-enforced access control based on security labels; users cannot change permissions.

Use Cases: Military, government classified systems (e.g., "Top Secret", "Secret", "Confidential")


Discretionary Access Control (DAC)

Description: Resource owners can grant or revoke access at their discretion.

Example: File system permissions (owner can change who has read/write access)

Use Cases: General-purpose operating systems, file shares


Identity Lifecycle Management

flowchart TD
    A[Provisioning] --> B[Access Request]
    B --> C[Access Approval]
    C --> D[Account Creation]
    D --> E[Active Use]
    E --> F[Access Review]
    F --> G[Access Modification]
    G --> E
    F --> H[Deprovisioning]
    E --> H
    H --> I[Account Disabled]
    I --> J[Account Deleted]

Provisioning (Joiner)

  • Triggers: New hire, contractor onboarding, role change
  • Activities:
    • Identity creation in directory (e.g., Active Directory, Entra ID)
    • Account provisioning across systems
    • Assignment to groups/roles
    • Credential issuance (password, smart card, token)

Access Request & Approval

  • Self-service requests: User requests access via portal
  • Automated workflows: Manager/data owner approval
  • Segregation of duties (SoD) checks: Prevent conflicting role assignments

Active Use

  • Continuous monitoring: Anomaly detection, privileged access monitoring
  • Session management: Timeout, re-authentication for sensitive actions

Access Review (Recertification)

  • Frequency: Quarterly, semi-annually, annually (risk-based)
  • Process: Managers review and certify user access rights
  • Automated reminders: Escalation for overdue reviews
  • Revocation: Remove unnecessary or inappropriate access

Modification (Mover)

  • Triggers: Promotion, department transfer, role change
  • Activities:
    • Remove old role access
    • Provision new role access
    • SoD re-evaluation

Deprovisioning (Leaver)

  • Triggers: Resignation, termination, end of contract
  • Timing: Immediate for terminations, scheduled for resignations
  • Activities:
    • Disable accounts immediately
    • Transfer data ownership
    • Revoke physical access (badges, keys)
    • Delete accounts after retention period (e.g., 90 days)
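The joiner/mover/leaver steps above come down to one reconciliation: compare the HR system of record with the directory and emit the provisioning actions that make them agree. The following is an added example, not code from the original page; the record shapes, the department-to-role mapping and the 90-day dormancy threshold are assumptions (the page gives 90 days as an example retention period). The function is pure and returns the actions a connector would execute, so the output can be reviewed before anything is changed.

```python
"""HR-to-directory reconciliation for joiner/mover/leaver events (added example)."""
from datetime import date, timedelta

RETENTION_DAYS = 90   # delete disabled leaver accounts after this long
DORMANT_DAYS = 90     # flag enabled accounts with no sign-in for this long

# Assumed role mapping; in practice this comes from the role model / IGA tool.
DEPT_ROLES = {
    "Finance": {"fin-reports-read", "invoice-approve"},
    "Engineering": {"repo-write"},
}


def reconcile(hr: dict, directory: dict, today: date) -> list[tuple]:
    """Diff HR (source of truth) against the directory and return actions.

    hr[emp_id] = {"dept": str, "status": "active" | "terminated"}
    directory[emp_id] = {"dept": str, "enabled": bool,
                         "last_login": date | None, "disabled_on": date | None}
    """
    actions: list[tuple] = []
    for emp, rec in hr.items():
        acct = directory.get(emp)
        if rec["status"] == "active":
            if acct is None:                                        # joiner
                actions.append(("create", emp, sorted(DEPT_ROLES[rec["dept"]])))
            elif acct["dept"] != rec["dept"]:                       # mover
                old, new = DEPT_ROLES[acct["dept"]], DEPT_ROLES[rec["dept"]]
                actions.append(("move", emp, {"remove": sorted(old - new),
                                               "add": sorted(new - old)}))
            elif acct["enabled"] and acct["last_login"] and \
                    (today - acct["last_login"]).days > DORMANT_DAYS:
                actions.append(("flag_dormant", emp, (today - acct["last_login"]).days))
        else:                                                       # leaver
            if acct is None:
                continue
            if acct["enabled"]:
                actions.append(("disable", emp, "leaver"))          # immediate
            elif acct["disabled_on"] and \
                    (today - acct["disabled_on"]).days >= RETENTION_DAYS:
                actions.append(("delete", emp, "retention period elapsed"))
    # Enabled accounts with no HR record at all are orphans: disable, then investigate.
    for emp, acct in directory.items():
        if emp not in hr and acct["enabled"]:
            actions.append(("disable", emp, "no HR record (orphaned)"))
    return actions


def make_account(dept, enabled=True, last_login=None, disabled_on=None) -> dict:
    return {"dept": dept, "enabled": enabled, "last_login": last_login,
            "disabled_on": disabled_on}


# Constructed sample feeds.
TODAY = date(2024, 6, 1)
HR = {
    "E1": {"dept": "Finance", "status": "active"},        # unchanged
    "E2": {"dept": "Engineering", "status": "active"},    # joiner, no account yet
    "E3": {"dept": "Engineering", "status": "active"},    # mover, account still Finance
    "E4": {"dept": "Finance", "status": "terminated"},    # leaver, account still enabled
    "E5": {"dept": "Finance", "status": "terminated"},    # disabled 100 days ago
    "E6": {"dept": "Finance", "status": "active"},        # no sign-in for 120 days
}
DIRECTORY = {
    "E1": make_account("Finance", last_login=TODAY - timedelta(days=3)),
    "E3": make_account("Finance", last_login=TODAY - timedelta(days=1)),
    "E4": make_account("Finance", last_login=TODAY - timedelta(days=2)),
    "E5": make_account("Finance", enabled=False, disabled_on=TODAY - timedelta(days=100)),
    "E6": make_account("Finance", last_login=TODAY - timedelta(days=120)),
    "E7": make_account("Engineering", last_login=TODAY - timedelta(days=5)),  # not in HR
}

if __name__ == "__main__":
    for action in reconcile(HR, DIRECTORY, TODAY):
        print(action)
```

Two details matter for the leaver path: disable is emitted the moment HR says terminated, and delete is only emitted once the account has already been disabled for the retention period, so the two steps cannot be collapsed into one by a stale feed.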

Privileged Access Management (PAM)

Purpose

Control, monitor, and audit access to critical systems and sensitive data by privileged users (administrators, DBAs, etc.).

Core PAM Capabilities

1. Privileged Account Discovery

  • Identify all privileged accounts across systems
  • Detect shadow admin accounts

2. Password Vaulting

  • Centrally store privileged credentials
  • Automatic password rotation
  • Check-out/check-in workflow

3. Session Management

  • Launch sessions through PAM gateway
  • Session recording and playback
  • Real-time session monitoring and termination

4. Just-in-Time (JIT) Access

  • Temporary elevation of privileges
  • Time-bound access grants
  • Automatic de-provisioning

5. Privilege Elevation & Delegation

  • Controlled use of sudo or equivalent
  • Application-level privilege management

PAM Solutions (Examples)

Vendor | Product | Strengths
CyberArk | Privileged Access Security | Enterprise-grade, comprehensive
BeyondTrust | Privilege Management | Strong session management
Delinea (Thycotic/Centrify) | Secret Server, Privilege Manager | Flexible deployment options
HashiCorp | Vault | Cloud-native, developer-friendly (secrets management and dynamic credentials rather than a full PAM suite)
Microsoft | Privileged Identity Management (PIM) | Integrated with Entra ID

Multi-Factor Authentication (MFA)

Authentication Factors

Factor Type | Examples | Vulnerabilities
Something you know | Password, PIN, security question | Phishing, password reuse, brute force
Something you have | Hardware token, smartphone app, smart card | Device theft; SIM swap (SMS); OTP relay through a phishing proxy; push fatigue (unless the factor is origin-bound, as with FIDO2)
Something you are | Fingerprint, facial recognition, iris scan | Biometric spoofing, privacy concerns, cannot be rotated if compromised
Somewhere you are | Geolocation, IP address | VPN, spoofing
Something you do | Behavioural biometrics (typing pattern, gait) | Accuracy, false positives

MFA Maturity Levels

Level | Description | Example
No MFA | Password only | Username + password
Basic MFA | SMS or email OTP | Password + SMS code
Strong MFA | TOTP or push notification | Password + authenticator app (Google, Microsoft)
Phishing-resistant MFA | Hardware token or certificate-based | Password + FIDO2 security key (YubiKey), or passwordless FIDO2

Note: "Strong MFA" is stronger than SMS but not phishing-resistant. An adversary-in-the-middle proxy that relays the login page can forward a TOTP code to the real site inside its validity window, and push prompts can be approved under "MFA fatigue" (number matching reduces the latter). Only the phishing-resistant tier binds the authentication to the origin the user is actually on.

Phishing-Resistant Authentication

  • FIDO2/WebAuthn: Hardware security keys (YubiKey, Titan)
  • Smart cards/PIV: Physical cards with cryptographic certificates
  • Certificate-based authentication: Device or user certificates
  • Passkeys: FIDO2-based passwordless authentication

Recommendation: Migrate to phishing-resistant MFA for privileged users and high-risk roles.
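The difference between the "strong" and "phishing-resistant" tiers is concrete enough to run. The following is an added example, not code from the original page: hotp()/totp() follow RFC 4226 / RFC 6238 and reproduce the RFC test vectors, and a relay attack against them succeeds within the acceptance window. The FIDO2/WebAuthn half is a simplification: a real authenticator signs with a per-credential private key, and here an HMAC keyed with a per-credential secret stands in for that signature so the example needs only the standard library. What the example shows does not depend on that substitution: the browser writes the real page origin into the signed client data, so an assertion obtained on a look-alike domain fails verification at the legitimate relying party. The domain names are made up.

```python
"""Relayable TOTP versus origin-bound assertion (added example)."""
import hashlib
import hmac
import json
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- window steps to tolerate clock skew."""
    return any(hmac.compare_digest(code, hotp(secret, unix_time // 30 + d))
               for d in range(-window, window + 1))


def relay_totp_attack(secret: bytes, victim_types_at: int, attacker_submits_at: int) -> bool:
    """Adversary-in-the-middle: the victim types a valid code into the phishing
    page and the proxy forwards it to the real site a few seconds later."""
    stolen = totp(secret, victim_types_at)
    return verify_totp(secret, stolen, attacker_submits_at)


def sign_assertion(cred_secret: bytes, rp_id: str, challenge: bytes, origin: str) -> dict:
    """What the browser and authenticator produce. `origin` is filled in by the
    browser from the page actually loaded; page script cannot override it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()           # rpIdHash
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()  # stand-in for the signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def verify_assertion(cred_secret: bytes, rp_id: str, expected_origin: str,
                     challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks: type, fresh challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != expected_origin:        # the check a relay cannot pass
        return False
    if assertion["auth_data"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(assertion["sig"], expected)


def relay_assertion_attack(cred_secret: bytes, challenge: bytes) -> bool:
    """Same proxy trick: the real challenge is forwarded to the victim, whose
    browser signs it with the origin it is really on (the phishing domain)."""
    phished = sign_assertion(cred_secret, "bank.example", challenge,
                             "https://bank-login.example")
    return verify_assertion(cred_secret, "bank.example", "https://bank.example",
                            challenge, phished)


RFC_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret

if __name__ == "__main__":
    print("TOTP at t=59:", totp(RFC_SECRET, 59))
    print("TOTP relay accepted:", relay_totp_attack(b"k" * 20, 1_700_000_000, 1_700_000_012))
    print("assertion relay accepted:", relay_assertion_attack(b"c" * 32, b"\x01" * 16))
```

The TOTP relay succeeds even across a step boundary because verifiers accept neighbouring steps for clock skew. The assertion relay fails before any cryptography is checked: the origin string in the client data is wrong.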


Single Sign-On (SSO)

Benefits

  • Improved user experience (one login for multiple systems)
  • Centralized access control
  • Reduced password fatigue and reuse
  • Simplified offboarding

Risks

  • Single point of failure
  • Compromised SSO account = access to all connected systems
  • Requires robust MFA on SSO identity provider

SSO Protocols

  • SAML 2.0: Enterprise federation
  • OpenID Connect (OIDC): Modern web/mobile apps
  • Kerberos: Windows Active Directory environments

SSO Providers (Examples)

  • Entra ID (Azure AD): Microsoft ecosystem, broad app support
  • Okta: SaaS-focused, extensive integrations
  • Ping Identity: Enterprise federation
  • Google Workspace: Google ecosystem
  • Auth0 (Okta): Developer-focused identity platform

Zero Trust & Identity-Centric Security

Zero Trust Principles

  1. Verify explicitly: Always authenticate and authorize
  2. Least privilege access: Grant minimum necessary access
  3. Assume breach: Continuously verify, don't trust network location

Identity as the New Perimeter

In Zero Trust architecture, identity replaces network perimeter as the primary security boundary.

Key Controls:

  • Strong authentication (MFA, phishing-resistant)
  • Continuous verification (risk-based authentication)
  • Conditional access (device health, location, risk signals)
  • Micro-segmentation (limit lateral movement)

Related Framework: NIST SP 800-207 Zero Trust Architecture


Identity Governance & Administration (IGA)

Core IGA Functions

1. Identity Lifecycle Management

  • Automated provisioning/deprovisioning
  • Joiner/Mover/Leaver workflows

2. Access Request & Approval

  • Self-service access requests
  • Approval workflows
  • Emergency access procedures

3. Access Certification (Recertification)

  • Periodic review of user entitlements
  • Manager attestation
  • Automated revocation of unapproved access

4. Segregation of Duties (SoD)

  • Policy definition (conflicting roles/permissions)
  • Detection of violations
  • Remediation workflows

5. Role Management

  • Role definition and lifecycle
  • Role mining (discover implicit roles from existing access)
  • Role optimization (reduce role sprawl)

6. Reporting & Analytics

  • Compliance reporting (who has access to what)
  • Risk analytics (orphaned accounts, excessive permissions)
  • Audit trails
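The role model from the Access Control Models section, the SoD checks mentioned under Access Request & Approval, and the SoD and role-mining functions above fit in one small structure: a preventive check at assignment time, a detective sweep over what is already assigned, and a mining pass that turns identical permission sets into candidate roles. The following is an added example, not code from the original page; the roles, permissions and conflict set are constructed for the purchase-request/approval scenario used elsewhere on this page.

```python
"""RBAC with segregation-of-duties enforcement and role mining (added example)."""
from collections import Counter
from itertools import combinations


class SoDViolation(Exception):
    pass


class RoleModel:
    def __init__(self, roles: dict[str, set[str]], conflicts: set[frozenset[str]]) -> None:
        self.roles = roles                               # role -> permissions
        self.conflicts = conflicts                       # role pairs that must not co-exist
        self.assignments: dict[str, set[str]] = {}       # user -> roles

    def permissions(self, user: str) -> set[str]:
        """User -> Role -> Permissions: the union over the user's roles."""
        return set().union(*(self.roles[r] for r in self.assignments.get(user, set())))

    def assign(self, user: str, role: str) -> None:
        """Preventive control: refuse an assignment that would create a conflict."""
        if role not in self.roles:
            raise KeyError(role)
        for other in self.assignments.get(user, set()):
            if frozenset({other, role}) in self.conflicts:
                raise SoDViolation(f"{user}: {role} conflicts with {other}")
        self.assignments.setdefault(user, set()).add(role)

    def load(self, user: str, roles: set[str]) -> None:
        """Import existing assignments unchecked (e.g. from a legacy directory)."""
        self.assignments[user] = set(roles)

    def violations(self) -> list[tuple[str, frozenset[str]]]:
        """Detective control: conflicts already present in the loaded data."""
        found = []
        for user, held in sorted(self.assignments.items()):
            for pair in combinations(sorted(held), 2):
                if frozenset(pair) in self.conflicts:
                    found.append((user, frozenset(pair)))
        return found


def mine_roles(user_perms: dict[str, set[str]], min_users: int = 2) -> list[tuple[frozenset[str], int]]:
    """Role mining: permission sets held verbatim by >= min_users users are
    candidate roles; what remains is exception access to review one by one."""
    counts = Counter(frozenset(p) for p in user_perms.values())
    return sorted(((perms, n) for perms, n in counts.items() if n >= min_users),
                  key=lambda item: (-item[1], sorted(item[0])))


# Constructed role model.
ROLES = {
    "purchase-requester": {"po:create", "po:read"},
    "purchase-approver": {"po:approve", "po:read"},
    "finance-reader": {"report:read"},
}
CONFLICTS = {frozenset({"purchase-requester", "purchase-approver"})}

if __name__ == "__main__":
    model = RoleModel(ROLES, CONFLICTS)
    model.assign("alice", "purchase-requester")
    try:
        model.assign("alice", "purchase-approver")
    except SoDViolation as exc:
        print("blocked:", exc)
    model.load("bob", {"purchase-requester", "purchase-approver"})   # legacy data
    print("existing violations:", model.violations())
    print("candidate roles:", mine_roles({"u1": {"a", "b"}, "u2": {"a", "b"},
                                          "u3": {"a", "b"}, "u4": {"c"}, "u5": {"c"},
                                          "u6": {"z"}}))
```

Both controls are needed: the assignment check stops new conflicts, but only the sweep finds the ones that arrived through a bulk import or a group nesting nobody reviewed.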

IGA Solutions (Examples)

Vendor | Product | Strengths
SailPoint | IdentityNow, IdentityIQ | Market leader, AI-driven insights
Saviynt | Enterprise Identity Cloud | Cloud-native, converged IGA+PAM
One Identity | Identity Manager | Strong on-premises and hybrid support
Microsoft | Entra ID Governance | Integrated with Microsoft ecosystem
Omada | Identity Cloud | User-friendly, strong role management

Federation & Identity Providers

Federated Identity

Users authenticate once with their home organisation (Identity Provider) and access services at other organisations (Service Providers) without separate credentials.

Use Cases:

  • Academic federation (e.g., UK Access Management Federation, InCommon)
  • B2B collaboration (partner access to systems)
  • SaaS application access

Identity Provider (IdP) vs Service Provider (SP)

  • IdP: Authenticates users and provides identity assertions (e.g., Entra ID, Okta)
  • SP: Relies on IdP for authentication (e.g., Salesforce, AWS Console)

Federation Standards

  • SAML 2.0: Enterprise standard
  • OpenID Connect: Modern alternative
  • WS-Federation: Microsoft-centric environments

Passwordless Authentication

Approaches

  1. Biometrics: Fingerprint, facial recognition (Windows Hello, Touch ID)
  2. FIDO2/WebAuthn: Hardware security keys or platform authenticators
  3. Magic links: Email or SMS link for authentication (low security, avoid for sensitive systems)
  4. Passkeys: FIDO2-based, synced across devices (Apple, Google, Microsoft)

Benefits

  • Eliminates password-related attacks (phishing, credential stuffing)
  • Improved user experience
  • Reduced helpdesk burden (password resets)

Challenges

  • Device dependency (lost/damaged device)
  • Fallback authentication required
  • User education and adoption

Cloud IAM Services

Amazon Web Services (AWS) IAM

  • Users, Groups, Roles: Identities. An AWS role is an assumable identity that issues temporary credentials (for workloads, cross-account and federated access), not an RBAC role in the sense used above
  • Policies: JSON-based permission definitions; an explicit Deny overrides any Allow, and condition keys (tags, MFA presence, source IP) give ABAC-style rules
  • Federation: SAML 2.0, OIDC integration
  • STS: Temporary credentials for federated access
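The evaluation order behind AWS IAM policies (explicit Deny beats Allow, and anything not allowed is an implicit deny) is worth seeing on a concrete document. The following is an added example, not AWS code: a small evaluator for identity-based policies that handles Action/Resource wildcards and the Bool, BoolIfExists and StringEquals condition operators only (no NotAction, NotResource, policy variables or resource policies). The policy and request contexts are constructed and the bucket name is made up. The Deny statement uses the BoolIfExists pattern because a request made with long-term access keys carries no aws:MultiFactorAuthPresent key at all; a plain Bool test would silently not apply to it.

```python
"""Minimal evaluator for AWS-style identity policies (added example)."""
import fnmatch


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM wildcards: * matches any run of characters, ? one character."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(op: str, key: str, expected, context: dict) -> bool:
    actual = context.get(key)
    if op == "BoolIfExists" and actual is None:
        return True                          # missing key satisfies an IfExists test
    if op in ("Bool", "BoolIfExists"):
        return actual is not None and str(actual).lower() == str(expected).lower()
    if op == "StringEquals":
        return actual in _as_list(expected)
    raise NotImplementedError(f"condition operator {op} not modelled here")


def statement_applies(stmt: dict, action: str, resource: str, context: dict) -> bool:
    """A statement applies when action, resource and every condition match."""
    if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
        return False
    for op, tests in stmt.get("Condition", {}).items():
        for key, expected in tests.items():
            if not _condition_holds(op, key, expected, context):
                return False
    return True


def evaluate(policies: list[dict], action: str, resource: str, context: dict) -> str:
    """Deny > Allow > ImplicitDeny, across all attached policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"            # an explicit deny always wins
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed policy: read one bucket; deny all S3 unless the session is MFA-authenticated.
PAYROLL_READ_WITH_MFA = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::payroll-reports", "arn:aws:s3:::payroll-reports/*"]},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::payroll-reports/2024/q1.csv"
    for ctx in ({"aws:MultiFactorAuthPresent": "true"},
                {"aws:MultiFactorAuthPresent": "false"},
                {}):
        print(ctx, "->", evaluate([PAYROLL_READ_WITH_MFA], "s3:GetObject", obj, ctx))
```

The empty context is the case to remember: it is what a static access key produces, and the policy denies it because of IfExists, not in spite of it.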

Microsoft Entra ID (formerly Azure AD)

  • Cloud-native directory: User and device identity
  • Conditional Access: Risk-based access policies
  • Privileged Identity Management (PIM): JIT admin access
  • Hybrid identity: Integration with on-premises AD

Google Cloud Identity & IAM

  • Cloud Identity: User and group management
  • IAM: Resource-level access control
  • BeyondCorp: Zero Trust implementation
  • Workforce Identity Federation: Integrate external IdPs

IAM Best Practices

1. Principle of Least Privilege

Grant users the minimum access necessary to perform their job functions.

2. Separation of Duties (SoD)

Prevent any single user from having conflicting permissions (e.g., request and approve purchases).

3. Regular Access Reviews

Conduct periodic recertification of user access (quarterly/semi-annually/annually).

4. Strong Authentication

  • Enforce MFA for all users
  • Phishing-resistant MFA for privileged accounts
  • Risk-based authentication (adaptive MFA)

5. Automate Provisioning & Deprovisioning

  • Integrate HR systems with IAM
  • Immediate deprovisioning for leavers
  • Automated role assignment for joiners

6. Privileged Access Monitoring

  • Session recording for privileged users
  • Real-time anomaly detection
  • Just-in-time access where possible

7. Password Hygiene (if passwords still used)

  • Minimum 12-16 character length
  • Password managers encouraged
  • Breach monitoring (e.g., Have I Been Pwned)
  • No forced periodic changes (NIST guidance)

8. Audit Logging

  • Log all authentication events
  • Log all access to sensitive data
  • Retain logs per compliance requirements
  • Centralised log management (SIEM)
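Item 7 above (length, breach screening, no forced rotation) is the SP 800-63B position on passwords, and the breach check can be done without sending the password anywhere. The following is an added example, not code from the original page or from Have I Been Pwned: it applies the k-anonymity range scheme that the Pwned Passwords API uses, in which only the first five hex characters of the password's SHA-1 leave the client and the server returns every suffix it knows for that prefix. The range response is constructed inline so the example runs offline; the SHA-1 of "password" is real, the counts are not, and the minimum length follows this page's 12-character recommendation rather than 800-63B's lower floor.

```python
"""SP 800-63B style password acceptance with a k-anonymity breach lookup (added example)."""
import hashlib

MIN_LENGTH = 12

# Constructed stand-in for the HTTPS range endpoint: prefix -> "SUFFIX:COUNT" lines.
_FAKE_RANGE_DB = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",   # suffix of sha1("password")
        "0000000000000000000000000000000000A:7",       # unrelated entry in the same range
    ]),
}


def range_lookup(prefix: str) -> str:
    """Return the server's response for a 5-hex-char SHA-1 prefix (here, the fake DB)."""
    return _FAKE_RANGE_DB.get(prefix, "")


def breach_count(password: str, lookup=range_lookup) -> int:
    """How many times the password appears in the breach corpus (0 = not found).
    The full hash is never transmitted: only `prefix` reaches the lookup."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


def check_password(password: str, username: str = "", lookup=range_lookup) -> list[str]:
    """Reasons the password is unacceptable; an empty list means accept.

    Deliberately absent: uppercase/digit/symbol composition rules and any
    expiry date. 800-63B recommends breach screening and length instead of
    composition rules, and changing passwords only on evidence of compromise.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")           # context-specific word
    hits = breach_count(password, lookup)
    if hits:
        problems.append(f"appears in {hits} known breaches")
    return problems


if __name__ == "__main__":
    for pw, user in (("password", "alice"),
                     ("correct horse battery staple", "alice"),
                     ("alice.smith-2024!!", "alice.smith")):
        print(repr(pw), "->", check_password(pw, user) or "accepted")
```

To use the real service, range_lookup would fetch https://api.pwnedpasswords.com/range/<prefix> over HTTPS and return the body; everything else stays the same, and the password itself still never leaves the host.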

Metrics & KPIs

Metric | Description | Target
MFA Adoption Rate | % of users with MFA enabled | 100%
Privileged Account Coverage | % of privileged accounts managed by PAM | 100%
Deprovisioning Timeliness | Average time to disable account after separation | <24 hours
Orphaned / Dormant Accounts | Accounts with no identified owner, or enabled accounts with no activity in 90+ days | 0
Access Review Completion | % of scheduled reviews completed on time | >95%
SoD Violations | Number of active SoD conflicts | 0
Failed Login Attempts | Rate of failed authentications (potential password spraying or credential stuffing) | Monitor trend
Password Reset Volume | Helpdesk tickets for password resets | Decreasing (with SSO/passwordless)

Industry-Specific Requirements

Financial Services (UK - FCA/PRA)

  • Strong customer authentication (SCA) for payments (PSD2)
  • Segregation of duties for financial controls
  • Privileged access monitoring

Healthcare (HIPAA - US)

  • Unique user identification (164.312(a)(2)(i))
  • Emergency access procedures (164.312(a)(2)(ii))
  • Automatic logoff (164.312(a)(2)(iii))
  • Access audit controls (164.312(b))

Healthcare (NHS - UK)

  • NHS Identity requirements
  • Role-Based Access Control (RBAC) mandatory
  • Smartcard authentication for clinical staff

Government (UK)

  • Government Security Classifications (OFFICIAL, SECRET, TOP SECRET)
  • Baseline Personnel Security Standard (BPSS)
  • Security clearance (SC, DV) for privileged access

Quick Selection Guide

Organisation Profile | Recommended Approach
Small business (<50) | Cloud IdP (Entra ID, Google), SSO for SaaS apps, MFA enforcement
Medium (50-500) | Cloud IdP + IGA lite (access reviews), PAM for critical systems, RBAC model
Large enterprise (500+) | Full IGA platform, comprehensive PAM, ABAC for complex scenarios, federation
Financial services | IGA + PAM mandatory, phishing-resistant MFA, SoD enforcement, regulatory compliance
Healthcare | RBAC aligned with clinical roles, smartcard/MFA, emergency access procedures, HIPAA/NHS compliance
Government/Defence | MAC or RBAC aligned with clearance levels, strong authentication, federation for inter-agency access

Common Pitfalls

  1. Over-reliance on groups: Using groups as substitute for proper RBAC design
  2. Role explosion: Creating too many granular roles instead of using ABAC
  3. Neglecting service accounts: Unmanaged service account credentials
  4. Weak MFA factors: SMS or email OTP as the only MFA option, or a phishable fallback left enabled alongside a phishing-resistant primary
  5. No access review process: Permissions accumulate indefinitely
  6. Delayed deprovisioning: Ex-employees retaining access
  7. Shared credentials: Multiple users sharing privileged accounts
  8. Lack of SoD controls: No prevention of conflicting role assignments