
Identity & Access Management (Part 1 of 2)

This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series introduces the foundations of identity and access management (IAM): the policies, processes, and technology that determine who can access what. The session covers, at a topic level, the identity lifecycle, the three-A framework of authentication, authorization and accountability, zero-trust architecture, privileged access management, and the main access control models.


Frequently Asked Questions

How do authentication, authorization, and accountability connect in IAM?

The flow goes in order: a subject is first identified, then authenticated to prove it is genuine, then authorized to act on an object, and the whole process is tracked for accountability. Authentication proves identity using methods such as passwords, multifactor authentication, token-based, certificate-based, or directory-based approaches. Authorization then decides what the proven user is actually allowed to do based on rules such as separation of duties, least privilege, and need-to-know.

What is zero-trust architecture and how does it relate to IAM?

Zero-trust architecture is built on the principle of never trust, always verify: every request is authenticated and authorized before access is granted, every time and regardless of where it comes from. Access is granted per session and based on least privilege, and the system continuously monitors the security posture of every device. Zero trust pairs naturally with IAM because everything hinges on identity, and it is implemented through network segmentation, fast patching, and strong multifactor authentication.

What is privileged access management and why does it matter?

Privileged access management, or PAM, controls the elevated accounts such as administrator accounts, service accounts, and emergency break-glass accounts that can bypass normal security controls. These accounts are the keys to the kingdom, so PAM shrinks the attack surface by enforcing least privilege, monitoring and logging every privileged session, and granting elevated access only temporarily when needed. Best practices include tracking every privileged account, vaulting credentials, automating the process, and limiting lateral movement.

What are the main access control models an IS auditor should know?

The main models are mandatory access control, which is rigid, set by an administrator, and used in the most sensitive environments; discretionary access control, which lets the data owner decide who gets in; rule-based access control, which applies predefined rules to everyone, as a firewall does; role-based access control, which grants rights based on a person's role and is the common standard; attribute-based access control, which uses traits such as department or location; and policy-based access control, which blends roles with policy statements.
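As an added example that is not part of the episode, the following Python evaluates one access request under four of the models above (mandatory, discretionary, role-based and attribute-based) and records every decision for accountability; the subjects, resources, role table and attribute rule are constructed assumptions, not anything the course defines.

```python
# Added example (not from the episode): the same access request evaluated under
# four of the models above. Subjects, resources and rules are constructed here.
from dataclasses import dataclass, field

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
ROLE_PERMS = {"auditor": {"read"}, "finance-clerk": {"read", "write"}}
AUDIT_LOG = []  # accountability: every decision is recorded, allowed or not

@dataclass
class Subject:
    name: str
    clearance: str                              # MAC label set by an administrator
    roles: set = field(default_factory=set)     # RBAC roles
    attrs: dict = field(default_factory=dict)   # ABAC traits (department, location, mfa)

@dataclass
class Resource:
    name: str
    classification: str                         # MAC label
    owner: str                                  # DAC: the owner decides
    acl: dict = field(default_factory=dict)     # DAC: subject name -> allowed actions
    attrs: dict = field(default_factory=dict)   # ABAC traits

def mac_allows(s, r, action):
    # Mandatory: a read is permitted only if clearance dominates the label ("no read up")
    return action == "read" and LEVELS[s.clearance] >= LEVELS[r.classification]

def dac_allows(s, r, action):
    # Discretionary: the owner always may; everyone else needs an ACL entry the owner granted
    return s.name == r.owner or action in r.acl.get(s.name, set())

def rbac_allows(s, r, action):
    # Role-based: rights attach to the role, so changing jobs changes access
    return any(action in ROLE_PERMS.get(role, set()) for role in s.roles)

def abac_allows(s, r, action):
    # Attribute-based: same department and on the corporate network; writes also need MFA
    same_dept = s.attrs.get("department") == r.attrs.get("department")
    on_site = s.attrs.get("location") == "corporate"
    return same_dept and on_site and (action == "read" or s.attrs.get("mfa") is True)

MODELS = (mac_allows, dac_allows, rbac_allows, abac_allows)

def decide(s, r, action):
    # Authorization verdict per model, plus an accountability record of the request
    verdicts = {m.__name__.split("_")[0]: m(s, r, action) for m in MODELS}
    AUDIT_LOG.append((s.name, r.name, action, verdicts))
    return verdicts
```

Running the same subject against the same resource shows why the models disagree: a clearance that is too low denies under MAC even though the owner's ACL, the auditor role and the department attribute all allow the read.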

📚 Master the ISACA CISA Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA CISA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in Identity & Access Management (Part 1 of 2).