IAM Fundamentals Flashcards
Test your understanding of the IAM Fundamentals module. Click a card to flip it between question and answer. Use the arrows, keyboard (← →), or swipe on mobile to move through the deck.
What does IAM stand for and what is its core purpose?
Identity and Access Management — ensuring the right people have the right access to the right resources at the right time for the right reasons.
What are the four business drivers for IAM?
1. Security — reducing breach risk. 2. Compliance — meeting regulatory mandates. 3. Operational efficiency — automating provisioning. 4. User experience — enabling SSO and self-service.
What are the three core capability areas of IAM?
Identity Management (creating and storing identities), Access Management (authentication and authorization), and Governance (certification, SOD, auditing).
True or False: IAM is a single software product.
False. IAM is a capability delivered through people, processes, and technology working together.
What are the four types of digital identities?
1. User identity (human). 2. Service identity (API, microservice). 3. Device identity (laptop, server). 4. Workload identity (Kubernetes pod, cloud function).
What is identity proofing?
The process of collecting and verifying evidence about an identity before establishing a trusted digital identity.
What are the three NIST Identity Assurance Levels (IAL)?
IAL1: self-asserted attributes, no proofing required. IAL2: proofing against identity evidence such as a government ID, performed remotely or in person (knowledge-based verification is allowed only in limited cases). IAL3: proofing with the applicant physically present, or under supervised remote proofing, including biometric collection.
What is identity federation?
Federation enables an identity created in one domain to be trusted in another — the foundation of cross-organisational SSO.
What does JML stand for in identity lifecycle management?
Joiner-Mover-Leaver — the framework for managing identities from creation through modification to removal.
What three actions are required immediately when a user leaves an organisation?
1. Account disable (prevent login). 2. Credential revocation (reset the password, invalidate sessions and refresh tokens, revoke API keys and certificates the person held). 3. Access removal (remove group memberships, roles and application entitlements).
What is the most common security finding related to identity lifecycle?
Delayed deprovisioning — accounts remaining active after a user has left the organisation.
What is the foundational integration needed for lifecycle automation?
HR system (HRIS) integration — connecting IAM to the authoritative source for identity events (new hires, terminations, transfers).
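The three lifecycle cards above (leaver actions, delayed deprovisioning, HRIS as the source of truth) describe a check that is easy to automate: compare the directory against the HR feed and flag what disagrees. The script below is an added example, not part of the module or any IAM product; both feeds are constructed inline and their field names are assumptions about an HRIS export and a directory dump rather than any vendor's schema. It flags leavers still enabled past a grace window, movers whose directory attributes lag HR, and accounts with no HR owner.

```python
"""Reconcile directory accounts against the HR system of record (JML check).

Added example, not from the flashcard module or any HRIS/IAM product.
Both feeds are constructed inline and their field names are assumptions
about an HRIS export and a directory dump, not a vendor schema.
"""
from datetime import datetime, timedelta, timezone

# Constructed HRIS feed: the authoritative source for joiner/mover/leaver events.
HRIS = [
    {"employee_id": "E100", "status": "active", "department": "engineering", "terminated_at": None},
    {"employee_id": "E101", "status": "terminated", "department": "finance",
     "terminated_at": "2024-05-01T17:00:00+00:00"},
    {"employee_id": "E102", "status": "terminated", "department": "sales",
     "terminated_at": "2024-05-03T09:00:00+00:00"},
    {"employee_id": "E103", "status": "active", "department": "finance", "terminated_at": None},
]

# Constructed directory export (what LDAP or a cloud directory would return).
ACCOUNTS = [
    {"username": "alice", "employee_id": "E100", "enabled": True, "department": "engineering"},
    {"username": "bob", "employee_id": "E101", "enabled": True, "department": "finance"},       # left days ago
    {"username": "carol", "employee_id": "E102", "enabled": True, "department": "sales"},       # left hours ago
    {"username": "dave", "employee_id": "E103", "enabled": True, "department": "engineering"},  # moved in HR
    {"username": "svc-backup", "employee_id": None, "enabled": True, "department": None},      # no HR owner
]

NOW = datetime(2024, 5, 3, 11, 0, tzinfo=timezone.utc)   # constructed "current time" for the run


def reconcile(hris, accounts, now, grace=timedelta(hours=4)):
    """Return (severity, username, finding) tuples, one per account that disagrees with HR."""
    by_id = {r["employee_id"]: r for r in hris}
    findings = []
    for acct in accounts:
        rec = by_id.get(acct["employee_id"])
        if rec is None:
            # Orphan: nothing in the system of record owns this account.
            findings.append(("medium", acct["username"], "no HRIS record (orphaned account)"))
            continue
        if rec["status"] == "terminated" and acct["enabled"]:
            age = now - datetime.fromisoformat(rec["terminated_at"])
            if age > grace:
                findings.append(("high", acct["username"],
                                 f"still enabled {age.days}d {age.seconds // 3600}h after termination "
                                 "(delayed deprovisioning)"))
            else:
                findings.append(("low", acct["username"],
                                 "terminated, inside the deprovisioning grace window"))
        elif rec["status"] == "active" and acct["department"] != rec["department"]:
            # Mover: HR moved the person but the directory (and so their entitlements) did not follow.
            findings.append(("medium", acct["username"],
                             f"department mismatch: directory={acct['department']} "
                             f"hris={rec['department']} (mover not processed)"))
    return findings


if __name__ == "__main__":
    for severity, user, text in reconcile(HRIS, ACCOUNTS, NOW):
        print(f"[{severity}] {user}: {text}")
```

Run this on a schedule and feed the high findings into the disable step of the leaver process; the orphan findings are the service accounts and shared mailboxes that never get a leaver event because nobody owns them in HR.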
What is the primary difference between a directory service and a relational database?
Directory services are hierarchical (tree structure), read-optimised, and use LDAP. Relational databases are tabular, transaction-oriented, and use SQL.
What does LDAP stand for and what does it define?
Lightweight Directory Access Protocol (RFC 4510 to 4519): defines the data model (entries named by DN in a Directory Information Tree), the query syntax (LDAP search filters, RFC 4515), the protocol operations (Bind, Search, Modify, Add, Delete) and the security mechanisms (SASL bind, StartTLS; LDAPS on port 636 is the widely deployed TLS-wrapped variant).
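The filter syntax named in the LDAP card is where most application-side mistakes happen, so the following added example (not part of the module and not code from any LDAP client or server) implements a minimal RFC 4515 filter parser and evaluator over three constructed directory entries, together with the value-escaping rule from the same RFC. The `lookup_user` function at the end shows the check a practitioner wants: a username taken from a request is escaped before it is spliced into a filter, so a value such as `*` matches nothing instead of every person in the tree.

```python
"""Minimal RFC 4515 LDAP filter parser and evaluator, plus value escaping.

Added example, not from the flashcard module and not any LDAP client or
server code. The directory entries are constructed; a real search would
send the same filter string to a server via a client such as ldap3.
"""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted text so it matches literally instead of acting as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse(filter_str: str):
    """Parse '(&(a=b)(|(c=d)(!(e=f))))' into nested tuples: (op, [children]) or ('=', attr, value)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(filter_str) or filter_str[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = filter_str[pos]
        if op in "&|":
            pos += 1
            kids = []
            while filter_str[pos] == "(":
                kids.append(node())
            expect(")")
            return (op, kids)
        if op == "!":
            pos += 1
            kid = node()
            expect(")")
            return ("!", [kid])
        end = filter_str.index(")", pos)          # escaped ')' is '\29', so this is the real close
        attr, sep, value = filter_str[pos:end].partition("=")
        if not attr or not sep:
            raise ValueError(f"expected attr=value at offset {pos}")
        pos = end + 1
        return ("=", attr.lower(), value)

    tree = node()
    if pos != len(filter_str):
        raise ValueError("trailing data after filter")
    return tree


def _substring_match(parts, value):
    """parts are the literal pieces between unescaped '*' wildcards, e.g. 'cn=admins,*' -> ['cn=admins,', '']."""
    if len(parts) == 1:
        return value == parts[0]
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    idx = len(parts[0])
    for mid in parts[1:-1]:
        found = value.find(mid, idx)
        if found < 0:
            return False
        idx = found + len(mid)
    return idx <= len(value) - len(parts[-1])


def matches(tree, entry) -> bool:
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    values = entry.get(attr, [])
    if pattern == "*":                        # presence filter: (attr=*)
        return bool(values)
    # Only an unescaped '*' is a wildcard; '\2a' unescapes to a literal star after the split.
    parts = [_unescape(p).lower() for p in pattern.split("*")]
    return any(_substring_match(parts, v.lower()) for v in values)   # caseIgnoreMatch-style


# Constructed entries; attribute names are stored lower-cased, values as lists.
DIRECTORY = [
    {"dn": ["uid=alice,ou=people,dc=example,dc=com"], "uid": ["alice"],
     "objectclass": ["person", "inetOrgPerson"], "memberof": ["cn=admins,ou=groups,dc=example,dc=com"]},
    {"dn": ["uid=bob,ou=people,dc=example,dc=com"], "uid": ["bob"],
     "objectclass": ["person", "inetOrgPerson"], "memberof": []},
    {"dn": ["cn=svc-backup,ou=services,dc=example,dc=com"], "cn": ["svc-backup"],
     "objectclass": ["applicationProcess"], "memberof": []},
]


def search(filter_str: str, entries=DIRECTORY):
    tree = parse(filter_str)
    return [e["dn"][0] for e in entries if matches(tree, e)]


def lookup_user(username: str):
    """Build the filter from untrusted input with escaping, so '*' or ')' cannot widen it."""
    return search(f"(&(objectClass=person)(uid={escape_filter_value(username)}))")
```

Compare `search("(&(objectClass=person)(uid=*))")`, which an unescaped username of `*` would produce and which returns every person, with `lookup_user("*")`, which returns nothing because the star became `\2a`.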
Name some cloud directory services.
Microsoft Entra ID (formerly Azure AD), Okta Universal Directory, Google Cloud Identity and Amazon Cognito (the last is a customer-identity user-pool service rather than an enterprise directory).
What is the hub-and-spoke directory integration pattern?
A central identity directory serves as the authentication source for multiple target applications, rather than each application maintaining its own identity store.
What is Just-in-Time (JIT) provisioning?
Accounts are created on first successful authentication (typically from the attributes in the SAML or OIDC assertion), so no pre-provisioning is needed. Ideal for SaaS applications where licensing depends on active users. JIT only creates and updates; it never removes access, so a leaver still needs SCIM or a manual deprovisioning step.
What does SCIM stand for?
System for Cross-domain Identity Management (RFC 7642–7644) — the open RESTful standard for automating identity provisioning.
What HTTP methods does SCIM use for provisioning operations?
POST: create user. GET: read user. PATCH: partial update. PUT: full replace. DELETE: remove user. Deactivation is normally a PATCH that sets active to false rather than a DELETE, and bulk changes go through POST /Bulk.
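To make the SCIM cards concrete, the following added example (not part of the module and not any identity provider's or SaaS vendor's implementation) models a SCIM 2.0 `/Users` endpoint in memory and replays the requests an identity provider sends across a joiner, a mover and a leaver, including the disable-then-delete split from the deprovisioning card. All JSON bodies are constructed; list/filter queries, dotted attribute paths and `/Bulk` are not modelled, and the `active: true` default on create is an assumption.

```python
"""In-memory model of a SCIM 2.0 /Users endpoint (RFC 7643 schema, RFC 7644 protocol).

Added example, not from the flashcard module and not any IdP's or SaaS
provider's implementation. It replays the requests an identity provider
sends over a user's lifecycle; all JSON bodies are constructed. List/
filter queries, dotted attribute paths and /Bulk are not modelled.
"""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimUsers:
    """Service-provider side: users keyed by the server-assigned id."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _error(status, detail):
        return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}

    def handle(self, method, path, body=None):
        """Dispatch one request; returns (http_status, response_body)."""
        if method == "POST" and path == "/Users":
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return self._error(409, "userName already exists (scimType uniqueness)")
            # 'active': True as the default on create is an assumption of this model.
            user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()), "active": True, **body}
            self.users[user["id"]] = user
            return 201, user
        uid = path[len("/Users/"):] if path.startswith("/Users/") else None
        if uid not in self.users:
            return self._error(404, f"Resource {uid} not found")
        if method == "GET":
            return 200, self.users[uid]
        if method == "PUT":                      # full replace: attributes omitted from the body are cleared
            self.users[uid] = {"schemas": [USER_SCHEMA], "id": uid, **body}
            return 200, self.users[uid]
        if method == "PATCH":
            user = self.users[uid]
            for op in body["Operations"]:
                kind = op["op"].lower()
                if kind in ("add", "replace"):
                    user[op["path"]] = op["value"]
                elif kind == "remove":
                    user.pop(op["path"], None)
                else:
                    return self._error(400, "unknown op (scimType invalidValue)")
            return 200, user
        if method == "DELETE":
            del self.users[uid]
            return 204, None
        return self._error(405, "method not allowed")


def provisioning_flow():
    """Joiner -> mover -> leaver as the IdP drives it; returns the observations worth checking."""
    sp, statuses = ScimUsers(), []

    def call(method, path, body=None):
        status, resp = sp.handle(method, path, body)
        statuses.append(status)
        return resp

    joiner = {"userName": "alice@example.com",
              "name": {"givenName": "Alice", "familyName": "Liddell"},
              "title": "Engineer",
              "emails": [{"value": "alice@example.com", "primary": True}]}
    created = call("POST", "/Users", joiner)               # 201 Created
    call("POST", "/Users", joiner)                         # 409: same userName pushed twice
    uid = created["id"]
    call("PATCH", f"/Users/{uid}", {"schemas": [PATCH_SCHEMA], "Operations": [      # mover
        {"op": "replace", "path": "title", "value": "Staff Engineer"}]})
    call("PATCH", f"/Users/{uid}", {"schemas": [PATCH_SCHEMA], "Operations": [      # leaver, step 1: disable
        {"op": "replace", "path": "active", "value": False}]})
    disabled = dict(call("GET", f"/Users/{uid}"))          # still present, login blocked, data retained
    call("DELETE", f"/Users/{uid}")                        # leaver, step 2 after retention: hard delete
    after_delete = call("GET", f"/Users/{uid}")            # 404 from now on
    return {"statuses": statuses, "disabled_user": disabled, "after_delete": after_delete}
```

The two PATCH requests are the whole mover and leaver story for most SaaS integrations: the IdP never sends a DELETE on the day someone leaves, only `active: false`, and the hard delete follows the retention policy.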
What is the difference between account disable and account deletion in deprovisioning?
Disable prevents login but preserves data (reversible). Deletion permanently removes the account (irreversible). Disable should happen immediately; deletion after the retention period.
What are the three main authentication factor types?
Knowledge (something you know), Possession (something you have), Inherence (something you are). True MFA requires factors from at least two different categories.
What percentage of automated attacks does MFA block according to Microsoft?
99.9% of automated account-compromise attacks (Microsoft, 2019). The figure covers password spraying, credential stuffing and similar bulk attacks; push and OTP MFA can still be bypassed by adversary-in-the-middle phishing and MFA fatigue, which is why phishing-resistant methods are preferred for privileged users.
What is MFA fatigue?
An attack (also called push bombing) where the adversary, already holding the password, repeatedly triggers push-notification MFA prompts until the user accepts one, granting the attacker access. Mitigations: number matching in the push prompt, rate limiting and alerting on repeated prompts, and moving to phishing-resistant factors.
What makes FIDO2/WebAuthn phishing-resistant?
FIDO2/WebAuthn uses public-key cryptography: a separate key pair is generated per relying party at registration and the private key never leaves the authenticator. The credential is scoped to the relying party ID, and the browser writes the actual origin into the client data that the authenticator signs, so a lookalike site on another origin cannot obtain a valid assertion and there is no shared secret to steal or replay.
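The origin binding described in the FIDO2 card is enforced on the relying-party side by a handful of checks on the client data and authenticator data. The following is an added example, not part of the module and not code from any WebAuthn library: it builds constructed assertion messages and applies the challenge, origin, rpIdHash and flag checks from the W3C WebAuthn assertion-verification procedure, then shows the same authenticator data being rejected when the client data carries a lookalike origin. The final step of the real procedure, verifying the signature over `authenticatorData || SHA-256(clientDataJSON)` with the public key stored at registration, needs a crypto library and is left to the caller (stated in the code as an assumption).

```python
"""Relying-party checks that make a WebAuthn assertion origin-bound.

Added example, not from the flashcard module or any WebAuthn library. It
performs the clientDataJSON and authenticatorData checks of the WebAuthn
assertion-verification procedure on constructed messages. The signature
check over authenticatorData || SHA-256(clientDataJSON) with the
credential's public key is NOT performed here (assumption: the caller
does it with a crypto library), nor is the signCount comparison.
"""
import base64
import hashlib
import json
import os

RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"   # assumption: the RP's real login origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_authenticator_data(rp_id: str, user_present=True, user_verified=True, counter=1) -> bytes:
    """rpIdHash (32) || flags (1) || signCount (4): the minimal authenticatorData for an assertion."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser builds; the authenticator signs over authData || sha256(this)."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def verify_binding(client_data: bytes, auth_data: bytes, expected_challenge: bytes,
                   rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN, require_uv: bool = True):
    """Return (ok, reason); ok means the assertion is bound to our challenge, origin and RP ID."""
    try:
        c = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if c.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if c.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if c.get("origin") != expected_origin:          # this is the check a phishing origin fails
        return False, f"origin {c.get('origin')!r} is not {expected_origin!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = auth_data[32]
    if not flags & 0x01:
        return False, "user presence (UP) flag not set"
    if require_uv and not flags & 0x04:
        return False, "user verification (UV) flag not set"
    # Remaining steps, left to the caller: verify the signature over
    # auth_data + hashlib.sha256(client_data).digest() with the registered public key,
    # and check that the signCount at auth_data[33:37] increased since last time.
    return True, "bound to challenge, origin and RP ID"


def demo():
    """Genuine assertion, lookalike-origin assertion, and a replay with an old challenge."""
    challenge = os.urandom(32)
    auth = make_authenticator_data(RP_ID)
    genuine = verify_binding(make_client_data(challenge, EXPECTED_ORIGIN), auth, challenge)
    phished = verify_binding(make_client_data(challenge, "https://login.examp1e.com"), auth, challenge)
    replayed = verify_binding(make_client_data(os.urandom(32), EXPECTED_ORIGIN), auth, challenge)
    no_uv = verify_binding(make_client_data(challenge, EXPECTED_ORIGIN),
                           make_authenticator_data(RP_ID, user_verified=False), challenge)
    return genuine, phished, replayed, no_uv
```

In the phishing case the rpIdHash still matches, because the attacker relayed a request for the real RP ID; what fails is the origin the browser recorded, and because that field is under the signature the attacker cannot rewrite it.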
What is the difference between authentication and authorization?
Authentication verifies identity ("Who are you?"). Authorization determines permissions ("What are you allowed to do?").
What are the three core RBAC rules according to NIST?
1. Role assignment — user must be assigned a role. 2. Role authorization — user's active role must be authorised. 3. Permission authorization — permission must be authorised for the active role.
What attributes does ABAC use to make access decisions?
Subject (user) attributes, resource (object) attributes, action attributes, and environmental context (time, network, location, authentication strength).
What is ReBAC and what system popularised it?
Relationship-Based Access Control: models access as relationships between entities in a graph (user is member of group, group is viewer of folder, document has parent folder). Popularised by Google Zanzibar, described in a 2019 paper and used by Google Drive, Calendar, Photos and YouTube.
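The ReBAC card is easier to grasp with the check actually running, so here is an added example (not part of the module and not Google's Zanzibar code) that follows the tuple format and userset-rewrite idea of the Zanzibar paper on a handful of constructed tuples: group membership is resolved recursively through nested groups, editor implies viewer, owner implies editor, and a document inherits relations from its parent folder.

```python
"""Zanzibar-style relationship check over relation tuples.

Added example, not from the flashcard module and not Google's Zanzibar
code; it follows the tuple format object#relation@user and the userset
rewrite idea of the 2019 Zanzibar paper on constructed tuples.
"""

# Tuple format: object#relation@user, where user is a plain id (user:alice)
# or a userset object#relation (group:eng#member) that must be expanded.
TUPLES = {
    "folder:root#owner@user:alice",
    "folder:root#viewer@group:eng#member",
    "doc:readme#parent@folder:root",
    "doc:readme#editor@user:bob",
    "group:eng#member@user:carol",
    "group:eng#member@group:eng-leads#member",
    "group:eng-leads#member@user:dave",
}

# Userset rewrite rules per (namespace, relation):
#   "computed": other relations on the same object that imply this one
#   "tupleset": follow the named relation to a parent object and check that relation there
CONFIG = {
    ("folder", "viewer"): {"computed": ["editor"]},
    ("folder", "editor"): {"computed": ["owner"]},
    ("doc", "owner"): {"tupleset": ("parent", "owner")},
    ("doc", "editor"): {"computed": ["owner"], "tupleset": ("parent", "editor")},
    ("doc", "viewer"): {"computed": ["editor"], "tupleset": ("parent", "viewer")},
}


def _parse(t):
    obj_rel, user = t.split("@", 1)
    obj, rel = obj_rel.split("#", 1)
    return obj, rel, user


def check(obj: str, relation: str, user: str, tuples=TUPLES, config=CONFIG, _seen=None) -> bool:
    """Does `user` hold `relation` on `obj`? Walks direct tuples, usersets and rewrite rules."""
    _seen = set() if _seen is None else _seen
    if (obj, relation) in _seen:           # already explored for this user, or a cycle: stop
        return False
    _seen.add((obj, relation))
    namespace = obj.split(":", 1)[0]

    # 1. Direct tuples, expanding usersets such as group:eng#member recursively.
    for t in tuples:
        o, r, u = _parse(t)
        if (o, r) != (obj, relation):
            continue
        if u == user:
            return True
        if "#" in u:
            sub_obj, sub_rel = u.split("#", 1)
            if check(sub_obj, sub_rel, user, tuples, config, _seen):
                return True

    rewrite = config.get((namespace, relation), {})
    # 2. Computed usersets: e.g. an editor is automatically a viewer.
    for implied_by in rewrite.get("computed", []):
        if check(obj, implied_by, user, tuples, config, _seen):
            return True
    # 3. Tuple-to-userset: e.g. viewer of the parent folder is viewer of the doc.
    if "tupleset" in rewrite:
        via, parent_rel = rewrite["tupleset"]
        for t in tuples:
            o, r, u = _parse(t)
            if (o, r) == (obj, via) and "#" not in u:
                if check(u, parent_rel, user, tuples, config, _seen):
                    return True
    return False


if __name__ == "__main__":
    for who in ("user:alice", "user:bob", "user:carol", "user:dave", "user:eve"):
        print(who, "viewer:", check("doc:readme", "viewer", who), "editor:", check("doc:readme", "editor", who))
```

Carol reaches the document only through folder:root#viewer@group:eng#member, and Dave only through the nested eng-leads group; neither holds a tuple on the document itself, which is the point of the model: access is derived from relationships, not stored per object per user.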
What is access certification?
Periodic review of user entitlements by resource owners and managers to confirm or revoke each user's access.
What is segregation of duties (SoD)?
Ensuring no single person holds enough access to commit fraud or cause significant damage without a second person being involved. Conflicting access combinations (for example, creating a vendor and releasing payments to it) must be defined as rules, detected in existing entitlements, and prevented at assignment time.
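An SoD rule set is just pairs of entitlements that must not coincide, and both the detective check (who violates a rule today) and the preventive check (would this new role assignment create a violation) are set arithmetic over the role-to-entitlement mapping. The block below is an added example, not part of the module and not any governance product's code; the roles, entitlements, rules and users are constructed. It also shows the case that trips up manual reviews: a single role that is toxic on its own.

```python
"""Segregation-of-duties detection and preventive check over role-to-entitlement mappings.

Added example, not from the flashcard module or any IGA product. Roles,
entitlements, SoD rules and user assignments are constructed.
"""

ROLES = {
    "ap_clerk":   {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "treasury":   {"payment.release", "bank.reconcile"},   # toxic on its own, see rule 3
    "auditor":    {"ledger.read"},
}

# Each rule: a set of entitlements one person must never hold together, plus the risk it expresses.
SOD_RULES = [
    ({"vendor.create", "payment.release"}, "create a vendor and pay it"),
    ({"invoice.enter", "invoice.approve"}, "enter and approve the same invoice"),
    ({"payment.release", "bank.reconcile"}, "release payments and reconcile the bank statement"),
]

USERS = {"alice": {"ap_clerk"}, "bob": {"ap_manager"}, "carol": {"treasury"}, "dave": {"auditor"}}


def entitlements(roles):
    """Flatten a user's roles into the effective entitlement set."""
    return set().union(*(ROLES[r] for r in roles)) if roles else set()


def violations(roles):
    """Rules whose entitlement set is fully contained in what these roles grant."""
    ents = entitlements(roles)
    return [risk for pair, risk in SOD_RULES if pair <= ents]


def detect_all(users=USERS):
    """Detective control: current violators, e.g. as input to an access certification campaign."""
    return {user: violations(roles) for user, roles in users.items() if violations(roles)}


def can_assign(user, new_role, users=USERS):
    """Preventive control at request time: (ok, conflicts) for adding new_role to the user."""
    conflicts = violations(users.get(user, set()) | {new_role})
    return (not conflicts, conflicts)


if __name__ == "__main__":
    print("current violators:", detect_all())
    print("alice + ap_manager:", can_assign("alice", "ap_manager"))
    print("dave + ap_clerk:", can_assign("dave", "ap_clerk"))
```

In a real deployment the preventive check runs inside the access-request workflow and turns a conflict into a mandatory compensating control or a rejection, rather than silently granting and catching it at the next certification.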
What compliance frameworks require IAM controls?
Multiple: SOX, GDPR, HIPAA, PCI DSS, ISO 27001 and NIST SP 800-53 all require identity and access management controls, either explicitly (PCI DSS requirements 7 and 8, 800-53 AC and IA families) or through their general "appropriate security measures" clauses (GDPR Article 32).
What are the five levels of the IAM maturity model?
1. Initial (ad-hoc). 2. Defined (documented). 3. Managed (automated). 4. Measured (continuous). 5. Optimized (predictive).
What is the most common IAM architecture pattern in enterprises undergoing cloud migration?
Hybrid IAM: combining on-premises directories (Active Directory) with cloud identity platforms (Microsoft Entra ID, Okta) through synchronisation, with the on-premises directory usually remaining the source for authentication while the cloud platform fronts SaaS applications.
What are the three principles of Zero Trust?
1. Verify explicitly — authenticate and authorize every request. 2. Least privilege — grant minimum access required. 3. Assume breach — segment, monitor, trust nothing by default.
What are the components of a policy-based authorization system?
PEP (Policy Enforcement Point): intercepts requests and enforces the decision. PDP (Policy Decision Point): evaluates policies and returns permit or deny. PIP (Policy Information Point): supplies the attribute data the PDP needs. The terms come from XACML, which also defines a PAP (Policy Administration Point) where policies are authored.
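The PEP/PDP/PIP split and the ABAC and RBAC cards above fit together naturally in code: the PIP answers attribute questions, the PDP evaluates ordered rules over subject, resource, action and environment, and the PEP is the only component that sits in the request path. The following is an added example, not part of the module and not code from XACML, OPA or any policy engine; the attribute stores, rules and requests are constructed, and a real PIP would query the directory, an asset inventory and the network layer instead of dictionaries.

```python
"""Policy-based authorization split into PEP, PDP and PIP (XACML's component names).

Added example, not from the flashcard module and not code from XACML,
OPA or any policy engine. Attribute stores, policies and requests are
constructed; a real PIP would query the directory, CMDB and network.
"""
import ipaddress
from datetime import datetime, timezone

# --- PIP: attribute sources the PDP consults (constructed stores) ---
USERS = {
    "alice": {"department": "finance", "clearance": 3, "roles": {"analyst"}},
    "bob":   {"department": "engineering", "clearance": 2, "roles": {"developer"}},
    "carol": {"department": "audit", "clearance": 3, "roles": {"auditor"}},
}
RESOURCES = {
    "report:q3":     {"owner_dept": "finance", "classification": 3},
    "repo:payments": {"owner_dept": "engineering", "classification": 2},
}
CORP_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: the corporate address range


class PIP:
    def user(self, uid):
        return USERS.get(uid, {})

    def resource(self, rid):
        return RESOURCES.get(rid, {})

    def environment(self, ctx):
        hour = ctx["time"].astimezone(timezone.utc).hour
        return {"on_corp_net": ipaddress.ip_address(ctx["source_ip"]) in CORP_NET,
                "business_hours": 8 <= hour < 18, "mfa": ctx.get("mfa", False)}


# --- PDP rules: (user, resource, action, environment) -> bool; first matching rule wins ---
def deny_classified_after_hours(u, r, a, e):                # environmental condition
    return r.get("classification", 0) >= 3 and not e["business_hours"]

def permit_read_in_own_department(u, r, a, e):              # ABAC: subject vs resource attributes
    return (a == "read" and u.get("department") == r.get("owner_dept")
            and u.get("clearance", 0) >= r.get("classification", 99))

def permit_write_with_mfa_on_corp_net(u, r, a, e):         # ABAC with environment
    return a == "write" and u.get("department") == r.get("owner_dept") and e["mfa"] and e["on_corp_net"]

def permit_auditor_read(u, r, a, e):                       # RBAC-style rule on the role attribute
    return a == "read" and "auditor" in u.get("roles", set())

POLICIES = [("deny", deny_classified_after_hours),          # deny listed first = deny-overrides
            ("permit", permit_read_in_own_department),
            ("permit", permit_write_with_mfa_on_corp_net),
            ("permit", permit_auditor_read)]


class PDP:
    def __init__(self, pip):
        self.pip = pip

    def decide(self, subject, action, resource, ctx):
        u, r, e = self.pip.user(subject), self.pip.resource(resource), self.pip.environment(ctx)
        for effect, rule in POLICIES:
            if rule(u, r, action, e):
                return effect, rule.__name__
        return "deny", "default-deny"                       # nothing matched: closed by default


class PEP:
    """Sits in the request path: asks the PDP, records the decision, enforces it."""
    def __init__(self, pdp):
        self.pdp, self.audit = pdp, []

    def request(self, subject, action, resource, ctx):
        effect, rule = self.pdp.decide(subject, action, resource, ctx)
        self.audit.append((subject, action, resource, effect, rule))
        if effect != "permit":
            raise PermissionError(f"{subject} {action} {resource}: {rule}")
        return f"{subject} may {action} {resource}"


def demo():
    """Run constructed requests through the PEP and collect permit/deny per case."""
    pep = PEP(PDP(PIP()))
    day = {"source_ip": "10.1.2.3", "time": datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc), "mfa": True}
    night = dict(day, time=datetime(2024, 6, 3, 23, 0, tzinfo=timezone.utc))
    cafe = dict(day, source_ip="203.0.113.7")
    cases = {"alice_read_day":   ("alice", "read", "report:q3", day),
             "alice_read_night": ("alice", "read", "report:q3", night),
             "bob_read_report":  ("bob", "read", "report:q3", day),
             "carol_read_report": ("carol", "read", "report:q3", day),
             "bob_write_corp":   ("bob", "write", "repo:payments", day),
             "bob_write_cafe":   ("bob", "write", "repo:payments", cafe)}
    results = {}
    for name, args in cases.items():
        try:
            pep.request(*args)
            results[name] = "permit"
        except PermissionError:
            results[name] = "deny"
    return results
```

The PEP's audit list is what a detection team wants from an authorization layer: every deny with the rule that produced it, so a burst of `default-deny` entries for one subject is visible without reading application logs.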
When should an organisation choose centralized vs. decentralized IAM?
Centralized for small-medium, single-jurisdiction, organic-growth organisations. Decentralized for large, multi-region enterprises with acquisition history and diverse regulatory requirements.
Tip
Review any cards you got wrong by navigating to the corresponding module page for a deeper explanation.