Identity & Access Management
The foundations of controlling identity and access — authn, authz, and MFA.
IAM is the foundation of security: control who can access what. Two distinct steps:
- Authentication (AuthN) — proving identity (password + MFA, certificates, SSO via OAuth2/OIDC/SAML)
- Authorization (AuthZ) — deciding what an authenticated identity may do (RBAC roles, ABAC attribute-based policies)
Best practices: enforce MFA everywhere, centralize identity with SSO, use short-lived credentials and federation instead of static keys, and grant least privilege. Machine identities (service accounts, workload identity) deserve the same rigor as human ones.
A secure access flow:
1. User logs in with password + MFA (AuthN)
2. SSO issues a short-lived token (OIDC)
3. Each request: token validated, RBAC checks the action (AuthZ)
4. Access granted only if a policy explicitly allows it (least privilege)
Machine access:
App assumes a role / uses workload identity → short-lived creds, no static key
- Define authentication and authorization with a concrete example of each.
- Explain why MFA dramatically reduces account-takeover risk.
- Contrast RBAC with ABAC.
- Why prefer federation/short-lived credentials over static API keys?
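The access flow above in code, as an added example that is not from the original page: a short-lived HMAC-signed token stands in for the OIDC token (the signing key, TTL and role table are constructed assumptions), every request validates it first and then consults a default-deny RBAC table.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret (assumption); a real IdP signs tokens with an asymmetric key.
ISSUER_KEY = b"demo-issuer-key-not-for-production"
TOKEN_TTL_SECONDS = 300  # short-lived: a leaked token stops working after five minutes

# RBAC policy: a permission is granted only if a role explicitly lists it (default deny).
ROLE_PERMISSIONS = {
    "viewer": {"reports:read"},
    "admin": {"reports:read", "reports:write", "users:manage"},
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, roles, now=None):
    """Step 2: after AuthN succeeds, the SSO provider mints a short-lived signed token."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "roles": roles, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def validate_token(token, now=None):
    """Step 3 (AuthN part): check signature, then expiry, on every request. None = reject."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # forged or tampered token
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64, or bad JSON
        return None
    if now >= claims.get("exp", 0):
        return None  # expired: the short TTL bounds the exposure window of a leaked token
    return claims

def authorize(claims, permission):
    """Step 3 (AuthZ part) and 4: RBAC check, granted only on an explicit allow."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in claims.get("roles", []))

def handle_request(token, permission, now=None):
    claims = validate_token(token, now)
    if claims is None:
        return False  # AuthN failed: no identity, so no AuthZ decision is even attempted
    return authorize(claims, permission)
```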
Cheat Sheet
| Term | Meaning |
|---|---|
| AuthN | Prove identity |
| AuthZ | Determine permissions |
| MFA | Extra verification factor |
| SSO | Centralized login |
| OAuth2 / OIDC / SAML | Federation protocols |
| RBAC / ABAC | Role / attribute-based access |
| Least privilege | Minimum needed access |
Common Interview Questions
What's the difference between authentication and authorization?
Authentication verifies who you are (login, MFA, certs). Authorization determines what you’re allowed to do once authenticated (roles, policies). AuthN always precedes AuthZ.
Why is MFA so effective?
It requires a second factor beyond a password, so a stolen or phished password alone can’t grant access — blocking the vast majority of account-takeover attacks.
Why use short-lived credentials over static keys?
Short-lived, automatically rotated credentials limit the window of exposure if leaked, whereas static keys persist indefinitely and are a prime target.