Identity and Access Management in Practice: From AAA to MFA

IAM and AAA

Identity and access management (IAM) decides who can do what on systems, and how we track it. At its core are the AAA functions: authentication, authorization, accounting.

AAA Functions

• Authentication: Proving you are who you claim to be.
• Authorization: Deciding what an authenticated user is allowed to do.
• Accounting: Recording what they actually did.

Hybrid Environments

Modern IAM applies AAA across a hybrid environment that mixes cloud, mobile, IoT, OT, and on‑premises resources, all of which must be monitored and secured.

What You Will Do

You will follow a user’s journey from login to authorization, see where MFA fits, connect IAM to account lifecycle processes, and apply least privilege and just‑in‑time access.

Jordan’s Login Journey

Jordan, an employee working from home, opens a browser to access a company portal, which redirects to an identity provider login page.

High-Level Flow

Jordan enters username and password, completes MFA via a mobile app, receives a token, and the web app uses that token to decide what Jordan can access.

AAA in the Journey

Authentication: username, password, MFA. Authorization: roles and policies limiting Jordan to HR dashboards. Accounting: logs of logins and actions.

Exam Mindset

On Security+ questions, map every scenario to AAA: who is proving identity, how access is decided, and what is logged for later review.

What Is Authentication?

Authentication answers the question: “Are you really this user?” It verifies identity but does not yet decide what you can do.

Factor Types

Common factors: something you know (password), have (token or phone), are (biometrics), somewhere you are (location), and something you do (behavior).

Single vs Multi-Factor

Single-factor uses one factor type, like a password only. Multi-factor combines two or more different factor types, such as password plus authenticator app.

Identification vs Authentication

Identification is claiming an identity (typing a username). Authentication is proving that claim (entering a valid password and MFA).

What Makes MFA, MFA?

MFA requires two or more different factor types, such as something you know plus something you have, not just two passwords or two biometrics.

Good MFA Examples

Password + SMS code, PIN + fingerprint, smart card + PIN, or authenticator app push plus device biometric all qualify as multi-factor authentication.

Bad MFA Examples

Password + security question, fingerprint + facial recognition, or two separate passwords do not qualify as MFA because they use the same factor type.

Security+ Angle

For remote access, cloud admin portals, and privileged accounts, enabling MFA is a common correct answer to strengthen authentication.

What Is Authorization?

Authorization answers: “Given this is the user, what are they allowed to do?” It checks permissions, roles, and policies after authentication.

RBAC and ABAC

RBAC groups permissions into roles like HR Analyst. ABAC uses attributes (user, resource, environment) and evaluates policies based on those attributes.

Jordan’s Permissions

Jordan’s token contains claims like role=HR_Analyst. The app uses these to allow HR dashboards but deny system-wide admin features.

Least Privilege

Least privilege is enforced at authorization: users get only the minimum access they need, limiting damage if an account is compromised.

What Is Accounting?

Accounting answers: “What did this user do, when, and from where?” It relies on logs of authentication, authorization decisions, and activity.

IAM Logging

IAM accounting includes login logs, records of allow/deny decisions, and detailed audit trails of actions taken inside applications.

Why It Matters

Logs support anomaly detection, investigations, and compliance. They help prove who did what and when, supporting governance, risk, and compliance.

AAA Recap

Authentication proves identity, authorization decides access, and accounting records activity. Together they form the AAA model in IAM.

Account Lifecycle

IAM manages the full account lifecycle: provisioning new accounts, maintaining and changing access, and deprovisioning when users leave.

Provisioning

Provisioning creates accounts and assigns initial access, often triggered by HR onboarding and automated through IAM workflows.

Maintenance and Change

When roles change, IAM should update group memberships and roles, removing old access to avoid users accumulating excessive permissions.

Deprovisioning

Deprovisioning disables or removes accounts and access when users leave, preventing orphaned accounts that attackers can exploit.

Access Reviews

Access reviews are periodic checks where managers confirm that each user’s permissions are still needed, removing outdated or excessive access.

Just-in-Time Access

JIT access grants elevated permissions only when needed and for a short time, then automatically removes them to reduce attack surface.

Zero Trust Link

These processes support zero trust by limiting access to only what is needed and continuously validating that permissions remain appropriate.

Exam Hint

When scenarios show too many standing admin accounts, look for answers involving JIT access and periodic access reviews, not just stronger passwords.

Hybrid Environment Scenario

A company uses on-prem AD, a cloud IdP, VPN, SaaS HR apps, and an OT network. Jordan, an HR analyst, works remotely and must access several systems.

VPN and SSO

Jordan authenticates to VPN with password plus push MFA, then uses SSO to reach the cloud HR app, receiving a token with HR_Analyst role claims.

Authorization and Logging

The HR app uses Jordan’s role to limit dashboards to HR data, while all activity is logged and sent to the SIEM for accounting and detection.

JIT Access to OT

Jordan occasionally gets time-limited, read-only access to an OT dashboard via JIT elevation, which automatically expires to enforce least privilege.

Remote Access

For remote workers using VPNs, enforce MFA, centralize identity with an IdP, and log all connections for accounting and monitoring.

Cloud Admins

For cloud admin consoles, combine MFA with role-based least privilege and just-in-time elevation for sensitive administrative tasks.

Fixing Excess Access

Address orphaned or overprivileged accounts using automated deprovisioning, periodic access reviews, and well-designed roles.

Using Logs Wisely

When you see suspicious login patterns, rely on IAM logs, SIEM analysis, and conditional access policies to detect and respond.