IAM (Identity and Access Management) - Deep Technical Breakdown
IAM is the most critical control in cloud and SaaS security.
80-90% of cloud breaches start with IAM misconfiguration.
What Is IAM?
IAM controls who can access your systems, what they can access, what actions they can perform, and under what conditions.
IAM = Authentication + Authorization + Policy Enforcement
The 4 Core Components of IAM
1) Identity (Who are you?)
- Human user (developer, HR manager)
- Service account (microservice)
- Application
- VM/container workload
- API client
Each identity must be unique and traceable.
2) Authentication (Prove who you are)
- Password
- MFA (OTP/authenticator app)
- SSH keys
- OAuth2
- JWT
- Certificates
- Biometrics
Best practice: enforce MFA for all privileged accounts.
3) Authorization (What can you do?)
After authentication, the system evaluates roles, permissions, and policies.
- HR Manager -> Approve leave
- Employee -> View own leave
- DevOps -> Deploy to staging only
4) Policy Engine (How rules are enforced)
Allow:
Action: read
Resource: /crm/tenant/123/*
Condition: user.tenantId == 123
IAM in Cloud (Azure/AWS/GCP)
IAM governs who can create VMs, delete databases, read storage, deploy code, and change network/firewall rules.
| Concept | Meaning |
| --- | --- |
| User | Human identity |
| Group | Collection of users |
| Role | Set of permissions |
| Policy | Rules that define access |
| Service Account | Non-human identity |
Least Privilege (Most Important)
Grant only minimum permissions needed.
- Bad: developer has full admin in production.
- Good: developer can deploy to staging, but cannot access prod DB or delete resources.
Access Control Models
1) RBAC (Role-Based Access Control)
User -> Role -> Permissions (simple and widely adopted).
- ROLE_ADMIN
- ROLE_MANAGER
- ROLE_EMPLOYEE
2) ABAC (Attribute-Based Access Control)
Uses attributes from user/resource/context.
Allow if:
user.department == resource.department
AND time between 9am-6pm
3) PBAC (Policy-Based Access Control)
Cloud-heavy model: policy defines action, resource, and condition.
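The policy engine rule above, the ABAC rule, and the RBAC roles can all be expressed in one small default-deny evaluator. The following is an added example, not code from the page or from any cloud provider; the names Policy, AccessRequest, evaluate() and the sample policies are this example's own constructs, chosen to mirror the page's rules (read on /crm/tenant/123/* when user.tenantId == 123; same department between 9am and 6pm; ROLE_MANAGER approves leave).

```typescript
// Added example: a minimal default-deny policy engine that evaluates the
// page's RBAC, ABAC and PBAC rules. Policy, AccessRequest, evaluate() and the
// sample policies are this example's own constructs, not any vendor's API.
type Attributes = Record<string, string | number>;

interface AccessRequest {
  user: Attributes;          // identity claims, e.g. { role: "ROLE_EMPLOYEE", tenantId: 123, department: "HR" }
  action: string;            // e.g. "read", "approve_leave", "delete"
  resource: string;          // e.g. "/crm/tenant/123/contacts/7"
  resourceAttrs: Attributes; // attributes of the target, used by ABAC conditions
  hour: number;              // hour of day (0-23) of the request, for time-window conditions
}

interface Policy {
  effect: "Allow" | "Deny";
  action: string;                                // exact action name or "*"
  resource: string;                              // exact path or prefix ending in "*"
  roles?: string[];                              // RBAC: policy applies only to these roles
  condition?: (req: AccessRequest) => boolean;   // ABAC/PBAC: attribute and context check
}

function matchResource(pattern: string, resource: string): boolean {
  if (pattern === "*") return true;
  if (pattern.endsWith("*")) return resource.startsWith(pattern.slice(0, -1));
  return pattern === resource;
}

// Default deny: allowed only if at least one Allow matches and no Deny matches.
// An explicit Deny always wins, which is how the major cloud IAMs resolve conflicts.
function evaluate(policies: Policy[], req: AccessRequest): boolean {
  let allowed = false;
  for (const p of policies) {
    if (p.roles && !p.roles.includes(String(req.user.role))) continue;
    if (p.action !== "*" && p.action !== req.action) continue;
    if (!matchResource(p.resource, req.resource)) continue;
    if (p.condition && !p.condition(req)) continue;
    if (p.effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

const policies: Policy[] = [
  // PBAC rule from the page: read under /crm/tenant/123/ only when user.tenantId == 123
  { effect: "Allow", action: "read", resource: "/crm/tenant/123/*",
    condition: (r) => r.user.tenantId === 123 },
  // ABAC rule from the page: same department AND between 9am and 6pm
  { effect: "Allow", action: "read", resource: "/docs/*",
    condition: (r) => r.user.department === r.resourceAttrs.department && r.hour >= 9 && r.hour < 18 },
  // RBAC rules: only a manager approves leave; admins may do anything...
  { effect: "Allow", action: "approve_leave", resource: "/leave/*", roles: ["ROLE_MANAGER"] },
  { effect: "Allow", action: "*", resource: "*", roles: ["ROLE_ADMIN"] },
  // ...except that nothing under /prod/ is deleted through this engine (Deny wins)
  { effect: "Deny", action: "delete", resource: "/prod/*" },
];

function makeRequest(user: Attributes, action: string, resource: string,
                     resourceAttrs: Attributes = {}, hour = 10): AccessRequest {
  return { user, action, resource, resourceAttrs, hour };
}

// Quick demonstration with constructed identities
const employee: Attributes = { id: "u1", role: "ROLE_EMPLOYEE", tenantId: 123, department: "HR" };
console.log(evaluate(policies, makeRequest(employee, "read", "/crm/tenant/123/contacts")));                     // true
console.log(evaluate(policies, makeRequest({ ...employee, tenantId: 456 }, "read", "/crm/tenant/123/contacts"))); // false
```

The order of the policies does not matter for the outcome: a matching Deny returns false immediately, and an Allow only flips the default from deny to allow. The wildcard admin policy is included to show why the page's checklist warns against it: without the explicit Deny, that single role could delete anything in production.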
Common IAM Vulnerabilities
- Over-permissioned accounts
- Hardcoded credentials in code or .env files
- No MFA on admin accounts
- Long-lived API keys (keys that are years old and still active)
- No separation of duties (dev writes/approves/deploys/manages billing)
IAM in Microservices Architecture
For NestJS microservices, Keycloak auth, and SaaS multi-tenancy:
Application-Level IAM
Flow: User -> Login -> Keycloak -> JWT.
JWT should include userId, role, tenantId. Backend must verify signature, expiry, and issuer.
Authorization in SaaS
Always enforce tenant filter at query level:
WHERE tenant_id = currentTenant
Never trust tenant from frontend body/query/URL. Derive from token claims.
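The token checks (signature, expiry, issuer) and the tenant filter derived from claims can be put together in one backend helper. What follows is an added example, not Keycloak's or NestJS's code. It uses HS256 with a shared secret so that it runs offline; Keycloak normally issues RS256 tokens, where the same three checks run against the realm's public key. The names Claims, verifyJwt(), tenantScopedLeaveQuery(), the secret and the issuer URL are constructed for the example.

```typescript
import * as crypto from "crypto";

// Added example (not Keycloak's or NestJS's code): verify a JWT's signature,
// expiry and issuer, then derive the tenant filter from the verified claims.
interface Claims {
  sub: string;       // userId
  role: string;
  tenantId: number;
  iss: string;       // issuer URL of the identity provider
  exp: number;       // expiry, seconds since the epoch
}

const b64url = (data: Buffer | string): string =>
  (typeof data === "string" ? Buffer.from(data, "utf8") : data).toString("base64url");

function hmac(secret: string, signingInput: string): Buffer {
  return crypto.createHmac("sha256", secret).update(signingInput).digest();
}

// Issuing helper so the example runs offline; in production only the IdP signs.
function signJwt(claims: Claims, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  return `${header}.${payload}.${b64url(hmac(secret, `${header}.${payload}`))}`;
}

// The backend's three checks from the page: signature, expiry, issuer.
// Throws on any failure so a caller cannot accidentally proceed with bad claims.
function verifyJwt(token: string, secret: string, expectedIssuer: string, nowSec: number): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [header = "", payload = "", sig = ""] = parts;
  // Pin the algorithm: the token header must never choose how it is verified
  const hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8")) as { alg?: string };
  if (hdr.alg !== "HS256") throw new Error("unexpected alg");
  // 1) signature, compared in constant time
  const expected = hmac(secret, `${header}.${payload}`);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as Partial<Claims>;
  // 2) expiry
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("token expired");
  // 3) issuer
  if (claims.iss !== expectedIssuer) throw new Error("untrusted issuer");
  if (typeof claims.sub !== "string" || typeof claims.role !== "string" || typeof claims.tenantId !== "number")
    throw new Error("missing required claims");
  return claims as Claims;
}

// The tenant filter comes from the verified token, never from body/query/URL.
// A client-supplied tenant is only compared, so a mismatch can be logged as a possible cross-tenant probe.
function tenantScopedLeaveQuery(claims: Claims, clientSuppliedTenant?: number): { sql: string; params: (string | number)[] } {
  if (clientSuppliedTenant !== undefined && clientSuppliedTenant !== claims.tenantId) {
    console.warn(`tenant mismatch user=${claims.sub} token=${claims.tenantId} request=${clientSuppliedTenant}`);
  }
  let sql = "SELECT * FROM leave_requests WHERE tenant_id = $1";
  const params: (string | number)[] = [claims.tenantId];
  if (claims.role === "ROLE_EMPLOYEE") {   // employees see only their own leave
    sql += " AND employee_id = $2";
    params.push(claims.sub);
  }
  return { sql, params };
}

// Constructed demo values (not real secrets or issuers)
const SECRET = "example-shared-secret";
const ISSUER = "https://keycloak.example/realms/saas";
const NOW = 1_700_000_000;
const demoToken = signJwt({ sub: "u-42", role: "ROLE_EMPLOYEE", tenantId: 123, iss: ISSUER, exp: NOW + 3600 }, SECRET);
console.log(tenantScopedLeaveQuery(verifyJwt(demoToken, SECRET, ISSUER, NOW), 999).params); // [ 123, 'u-42' ]
```

The demo call passes 999 as the tenant the client claimed; the query is still built with 123 from the token, and the mismatch is only logged. In a NestJS service the verified Claims object is what a guard would attach to the request, and every repository method would take its tenant from there.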
Service-to-Service IAM
- Do not share one master credential.
- Do not use user credentials for service auth.
- Use service identity + scoped tokens + managed identity.
Example: order service can read order DB, but cannot access payroll DB.
Cloud IAM Governance Best Practices
- Separate dev, staging, prod subscriptions/accounts
- Use groups (DevOps, Security, Finance) and assign roles to groups
- Avoid direct permissions on individuals
Conditional Access (Advanced)
- Allow only office IP
- Allow only specific country/region
- Require compliant device
- Require MFA
Secrets Management
Secrets are part of IAM.
- Never store secrets in code or container images.
- Use Key Vault/Secret Manager with rotation and strict access policies.
Privilege Escalation (Major Risk)
Attack path: compromised low-privilege account -> escalation -> admin compromise.
- Misconfigured role inheritance
- IAM role chaining
- Excessive permissions
Audit permissions regularly to prevent escalation paths.
IAM Security Checklist (Production-Ready)
Identity
- MFA enforced
- No shared accounts
- Disable unused accounts
- Rotate keys
Authorization
- Least privilege
- Role-based access
- No wildcard policies (*)
Service Accounts
- Scoped access
- Short-lived tokens
- Separate identity per service
Governance
- Audit logs enabled
- Quarterly permission reviews
- Separation of duties
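The "audit permissions regularly" advice and the checklist items above (MFA enforced, unused accounts, key rotation, no wildcard policies, separation of duties) can be turned into a repeatable check. The following is an added example, not code from the page or from any cloud provider; the Identity and Finding shapes, auditIdentities() and the inventory are constructed for the example, and a real run would fill Identity[] from the provider's IAM listing APIs.

```typescript
// Added example: a permission audit over a constructed identity inventory.
// The Identity/Finding shapes and auditIdentities() are this example's own;
// a real run would populate Identity[] from the cloud provider's IAM listing APIs.
interface AccessKey { id: string; ageDays: number; active: boolean }
interface Statement { effect: "Allow" | "Deny"; actions: string[]; resources: string[] }
interface Identity {
  name: string;
  kind: "user" | "service";
  mfaEnabled: boolean;
  roles: string[];
  statements: Statement[];
  keys: AccessKey[];
  lastLoginDaysAgo: number | null;   // null = never logged in / not applicable
}
interface Finding { identity: string; check: string; detail: string }

const MAX_KEY_AGE_DAYS = 90;       // "rotate keys"
const UNUSED_ACCOUNT_DAYS = 60;    // "disable unused accounts"
const CONFLICTING_DUTIES = ["deploy", "approve", "billing"]; // should not sit on one identity

function auditIdentities(inventory: Identity[]): Finding[] {
  const findings: Finding[] = [];
  for (const id of inventory) {
    const allows = id.statements.filter((s) => s.effect === "Allow");
    // No wildcard policies (*): Allow * on * is an escalation path by itself
    const hasWildcard = allows.some((s) => s.actions.includes("*") && s.resources.includes("*"));
    if (hasWildcard) findings.push({ identity: id.name, check: "wildcard-policy", detail: "Allow * on *" });
    // MFA enforced on privileged human accounts
    const privileged = hasWildcard || id.roles.includes("ROLE_ADMIN");
    if (id.kind === "user" && privileged && !id.mfaEnabled)
      findings.push({ identity: id.name, check: "no-mfa-privileged", detail: `roles=${id.roles.join(",")}` });
    // Long-lived keys
    for (const k of id.keys)
      if (k.active && k.ageDays > MAX_KEY_AGE_DAYS)
        findings.push({ identity: id.name, check: "stale-key", detail: `${k.id} is ${k.ageDays} days old` });
    // Unused accounts
    if (id.kind === "user" && id.lastLoginDaysAgo !== null && id.lastLoginDaysAgo > UNUSED_ACCOUNT_DAYS)
      findings.push({ identity: id.name, check: "unused-account", detail: `last login ${id.lastLoginDaysAgo} days ago` });
    // Separation of duties: explicitly granted conflicting duties (wildcards are already reported above)
    const duties = CONFLICTING_DUTIES.filter((d) => allows.some((s) => s.actions.includes(d)));
    if (duties.length >= 2)
      findings.push({ identity: id.name, check: "separation-of-duties", detail: `holds ${duties.join("+")}` });
  }
  return findings;
}

// Constructed inventory for the demo
const inventory: Identity[] = [
  { name: "alice", kind: "user", mfaEnabled: false, roles: ["ROLE_ADMIN"],
    statements: [{ effect: "Allow", actions: ["*"], resources: ["*"] }],
    keys: [{ id: "AK-ALICE-1", ageDays: 400, active: true }], lastLoginDaysAgo: 2 },
  { name: "bob", kind: "user", mfaEnabled: true, roles: ["ROLE_DEVELOPER"],
    statements: [{ effect: "Allow", actions: ["deploy", "approve", "billing"], resources: ["/staging/*", "/billing/*"] }],
    keys: [], lastLoginDaysAgo: 100 },
  { name: "order-service", kind: "service", mfaEnabled: false, roles: [],
    statements: [{ effect: "Allow", actions: ["read"], resources: ["/db/orders/*"] }],
    keys: [{ id: "AK-ORDER-1", ageDays: 30, active: true }], lastLoginDaysAgo: null },
];

for (const f of auditIdentities(inventory)) console.log(`${f.identity}: ${f.check} (${f.detail})`);
```

On the constructed inventory the scoped order-service identity produces no findings, while the wildcard admin and the developer who can deploy, approve and manage billing each produce several. Running something like this on a schedule (the page suggests quarterly reviews) turns the checklist into evidence rather than intent.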
Workshop Narrative
"If an attacker gets one admin credential, your entire cloud is gone."
Show how one over-permissioned IAM role can delete DB, create admin users, and disable logging.
A single IAM failure can turn into a total compromise.
The Big Insight
- Network security protects entry.
- Application security protects logic.
- Cloud security protects infrastructure.
- IAM protects everything.
IAM is the control plane of security.