Since I could not find a good enough definition of security – most definitions contain only synonyms and dumb verbs that are simply chasing their own tail – I want to offer you a different way to perceive and consider security.
Since my education is in engineering, I want to address the perception of security from a more mathematical, scientific point of view. In this perspective, I want to bring two pillars that basically quantify the perception of security for systems and beings (yes, I know beings are intelligent systems and that the heart is an extremely well-engineered pump. That’s my personal lens for seeing and perceiving the world; you may well have a different one):
Predictability refers to the degree to which the outcome of a variable or a system can be anticipated based on prior information or patterns. It is often measured or inferred by the consistency and reliability of relationships between variables in a dataset or model. High predictability indicates a clear, regular pattern or strong statistical relationships, while low predictability suggests randomness or weak associations.
Trust can be understood as confidence (or reliability) in the sense of consistent predictability of an entity, system, or relationship based on its past behaviors or patterns. When something or someone demonstrates a high level of predictability—where outcomes align consistently with expectations—it fosters trust. Conversely, a lack of predictable patterns or behavior can diminish trust, as it introduces uncertainty and undermines confidence in anticipated outcomes. For instance, in interpersonal relationships, trust grows when individuals reliably act in ways that match their commitments or values. Similarly, in technology or systems, users trust a system when its performance and results consistently meet expectations over time.
Hence, security, when understood through the concepts of predictability and trust, can be defined as the state in which predictable patterns and reliable behaviors create confidence in the protection of assets, systems, or relationships from harm or risk. Security emerges when trust is established in consistent measures, controls, and mechanisms designed to safeguard against uncertainties, threats, or vulnerabilities.
In essence, security relies on predictability to foster trust—when systems, individuals, or structures reliably behave in ways that prevent breaches, uphold integrity, and ensure stability, we perceive them as secure. For example, in cybersecurity, the security of a system depends on the predictable and trustworthy functioning of firewalls, encryption, and access controls to protect sensitive data. Similarly, personal security is tied to the predictability of safe environments and trustworthy individuals.
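To show that the predictability pillar really can be quantified, here is an added Python example (it is not part of the original text) that scores a system's observed outcomes with Shannon entropy: a score of 1.0 means the outcome is always the same, 0.0 means it is uniformly random. The two services and their outcome sequences are constructed sample data, and the choice of entropy as the measure is my assumption, not the text's.

```python
import math
from collections import Counter


def empirical_distribution(events):
    """Relative frequency of each observed outcome."""
    counts = Counter(events)
    total = len(events)
    return {outcome: n / total for outcome, n in counts.items()}


def shannon_entropy_bits(dist):
    """Shannon entropy (in bits) of a probability distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def predictability(events, outcome_space=None):
    """Score in [0, 1]: 1.0 = the outcome is always the same, 0.0 = uniformly random.

    outcome_space is the number of outcomes that are possible in principle; when it is
    omitted, the number of outcomes actually observed is used instead.
    """
    if not events:
        raise ValueError("need at least one observation")
    dist = empirical_distribution(events)
    k = outcome_space if outcome_space is not None else len(dist)
    if k < 2:
        return 1.0  # only one possible outcome: perfectly predictable
    return 1.0 - shannon_entropy_bits(dist) / math.log2(k)


# Constructed sample data: per-request outcomes of two hypothetical services.
# Both can produce any of three outcomes: ok, error, timeout.
STEADY_SERVICE = ["ok"] * 7 + ["error"]
ERRATIC_SERVICE = ["ok", "error", "timeout", "ok", "error", "timeout", "ok", "error"]


def compare_services():
    """Predictability of each service, with the full three-outcome space taken into account."""
    return {
        "steady": round(predictability(STEADY_SERVICE, outcome_space=3), 3),
        "erratic": round(predictability(ERRATIC_SERVICE, outcome_space=3), 3),
    }


if __name__ == "__main__":
    print(compare_services())
```

The steady service scores about 0.66 and the erratic one about 0.01: by the definition above, the first earns trust and the second does not. Note the role of `outcome_space`: a service that has only ever returned `ok` looks perfectly predictable, but that is a statement about the sample, not a guarantee about the system.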
What does cybersecurity mean?
Well, at its core, Identity and Access Management is all about defining and managing the roles and access privileges of individual network users, and the circumstances under which users are granted (or denied) those privileges. It’s a framework that encompasses policies, processes, and technologies to manage digital identities and control user access.
Please do not assume that when I say user, I am referring to humans. Later in this course, we will get to the definition of the user. But for now, you need to assume that the user is an entity (of any sort) interested in accessing a protected resource (of any sort).
Because the concept of user includes humans, and also ties humans to technological premises, this domain obviously belongs to cybersecurity, since it handles:
- Interaction between humans and technology
- Security of users and technology in their interactions
But to better understand what cybersecurity is actually about, let’s have an overview of the matter. I really like how the International Information System Security Certification Consortium (ISC2) – a nonprofit organization specialized in training and certifications in the cybersecurity area – structures and explains what cybersecurity is.
But before going to the structure proposed by ISC2, let’s first have a look at the workflow of cybersecurity:

This workflow needs to be perceived through the verbs it contains:
- Observe: This initial step involves monitoring systems (such as applications or networks) to detect any unusual activity or potential threats. It requires a vigilant eye and sophisticated tools to capture and log relevant data.
- Assess: Once observations are made, it’s crucial to analyze the gathered data to understand the nature and severity of the detected issues. This assessment helps in determining the immediate steps required to address any vulnerabilities.
- Learn: Continuous learning from observations and assessments is vital. It involves staying updated with the latest cybersecurity threats, trends, and best practices to ensure a robust defense mechanism.
- Validate: After learning, the next step is to validate the findings through testing and simulations. This helps in confirming the presence of vulnerabilities and understanding their potential impact.
- Identify Risks: With validated data, it’s time to identify and catalog all potential risks. This step involves recognizing the various threats that can affect the organization and prioritizing them based on their severity and likelihood.
- Mitigate Risks: Once risks are identified, the focus shifts to mitigating them. This involves implementing measures such as patches, updates, and security protocols to reduce the impact of identified risks.
- Improve Processes and Tools: Cybersecurity is an ever-evolving field, and continuous improvement is key. This step involves refining existing processes and upgrading tools to enhance the overall security posture.
- Evaluate Efficiency: Regular evaluation of the implemented measures is essential to ensure they are effective. This involves reviewing the efficiency of processes and tools in place and making necessary adjustments.
- Adapt: Cyber threats are dynamic and so must be the defense mechanisms. Adapting to new threats and changing environments is crucial for maintaining a robust cybersecurity strategy.
- Govern: Effective governance ensures that all cybersecurity measures align with the organization’s policies and regulatory requirements. It involves setting clear guidelines and ensuring compliance across the organization.
- Rule: The final step in the lifecycle is to establish and enforce rules that govern the cybersecurity framework. This includes creating policies, procedures, and standards that ensure consistent and effective cybersecurity practices.
Now, let’s delve into the structure proposed by ISC2:

I intentionally chose a different representation of the domains, suggesting that some of the pillars are built on top of others, because there are common requirements and prerequisites between the security pillars.
Any decent security project will require addressing ALL security pillars. Obviously, each will have a different importance/weight in the landscape, and some will carry more weight at a specific stage of your project’s lifecycle, but you will still have to look at all of them.
Now, let’s have a look at each of the security pillars to better understand what they do and how they correlate.
Security and Risk Management
The Security and Risk Management domain is the backbone of information security. Though it is not fully focused on the tech stack of security, it gives important reasoning and a definition of what security is, and of what the expected security posture of an organization is based on its defined goals and objectives.
But the greatest added value of the domain is that it offers a way to understand, quantify and balance risks. This helps to embed security into the culture of the organization.
This is crucial for an organization, since these risks concern its very existence, on every level, depth and domain it operates in: legal, financial, branding capital, social and moral compass, vision etc.
Last but not least, Security and Risk Management brings a minimum standard into the ethics and professionalism of any enterprise, upholding ethical standards to ensure trust and integrity at any organizational level.
Let’s have a short overview of what Security and Risk Management encompasses, according to (ISC)2:
CIA Principle
At the foundation of information security lies the CIA Triad: Confidentiality, Integrity, and Availability:
- Confidentiality: Think of this as a secret whisper between trusted friends. It’s about ensuring that sensitive information is accessible only to those you intended to share the secret with, and no one else (only to people with authorized access). Techniques like encryption and access controls are the gatekeepers here, keeping prying eyes at bay.
- Integrity: Imagine you put a letter in an envelope (yes, we did that in the past); you wouldn’t want anyone to smudge or alter it without permission. Integrity ensures that data remains unaltered and accurate unless changed in a controlled manner. Checksums, hashes, and audit trails are the tools that help maintain this trustworthiness.
- Availability: This is like having a dependable friend who’s always there when you need them. Availability ensures that information and resources are accessible to authorized users whenever required. It involves maintaining hardware, updating systems, and safeguarding against disruptions like DDoS attacks or natural disasters.
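The Integrity bullet names checksums, hashes and audit trails as the tools that keep the “letter” unaltered. The following Python example is added here to show them at work; it is not code from the original text. It demonstrates three things a practitioner should know: a plain hash catches accidental or careless alteration but not an adversary who can rewrite the stored hash too; a keyed HMAC fixes that, because a forged tag needs the key; and a hash-chained audit trail makes a rewritten log entry visible, even if the attacker re-hashes that entry. The letter, the key and the log events are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, expected_hex: str) -> bool:
    """Unkeyed integrity check: detects accidental corruption, but not an attacker
    who can modify the data AND the stored digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def make_tag(key: bytes, data: bytes) -> str:
    """Keyed integrity tag (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def tag_matches(key: bytes, data: bytes, tag_hex: str) -> bool:
    # compare_digest avoids leaking the comparison result through timing
    return hmac.compare_digest(make_tag(key, data), tag_hex)


GENESIS = "0" * 64  # fixed "previous hash" for the first audit entry


def append_entry(chain: list, event: dict) -> dict:
    """Append an audit entry whose hash covers the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    entry = {"prev": prev, "event": body, "hash": sha256_hex((prev + body).encode())}
    chain.append(entry)
    return entry


def chain_is_intact(chain: list) -> bool:
    """Re-derive every hash and every back-link; any edit breaks at least one."""
    prev = GENESIS
    for entry in chain:
        if entry["prev"] != prev:
            return False
        if sha256_hex((entry["prev"] + entry["event"]).encode()) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def demo() -> dict:
    """Run the three scenarios; every value in the result should be True."""
    letter = b"Meet me at noon."      # constructed sample message
    tampered = b"Meet me at nine."    # the smudged letter
    results = {}

    # 1. Plain hash: catches the edit, but is fooled if the digest is rewritten too
    digest = sha256_hex(letter)
    results["checksum_catches_edit"] = not checksum_matches(tampered, digest)
    results["checksum_fooled_when_digest_rewritten"] = checksum_matches(tampered, sha256_hex(tampered))

    # 2. HMAC: without the key, neither the edit nor a forged tag passes
    key = secrets.token_bytes(32)
    tag = make_tag(key, letter)
    results["hmac_catches_edit"] = not tag_matches(key, tampered, tag)
    forged = make_tag(secrets.token_bytes(32), tampered)  # attacker guesses a key
    results["hmac_rejects_forged_tag"] = not tag_matches(key, tampered, forged)

    # 3. Hash-chained audit trail: rewriting history is detectable
    chain = []
    append_entry(chain, {"who": "alice", "action": "login"})
    append_entry(chain, {"who": "alice", "action": "read", "obj": "payroll.xlsx"})
    results["chain_intact"] = chain_is_intact(chain)
    chain[0]["event"] = chain[0]["event"].replace("alice", "bob")
    results["chain_detects_rewrite"] = not chain_is_intact(chain)
    chain[0]["hash"] = sha256_hex((chain[0]["prev"] + chain[0]["event"]).encode())
    results["chain_detects_rewrite_even_if_rehashed"] = not chain_is_intact(chain)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The practical lesson: a hash stored next to the data only guards against accidents; to guard against a deliberate edit, the verifier needs something the editor does not have (a key, or a copy of the chain head kept elsewhere).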
Security Governance Principles
Security governance is the compass that directs an organization’s security efforts:
- Establishes a framework: It starts with setting up a structured framework aligned with organizational objectives. This includes policies, procedures, and standards that guide the organization’s security posture.
- Instates accountability and responsibility: Clear roles and responsibilities ensure everyone knows their part in maintaining security. It’s about creating a culture where security is everyone’s nature/role.
- Requires strategic alignment: Security initiatives should support and enhance the organization’s goals. This ensures resources are effectively utilized, and security measures add real value.
- Implies continuous monitoring and improvement: Regular audits, assessments, and reviews help organizations stay ahead of emerging threats and adapt to changing landscapes.
Compliance Requirements
Navigating the maze of laws and regulations is crucial.
- Understanding Obligations: Organizations must be aware of the various legal requirements that apply to their operations, such as data protection laws, industry-specific regulations, and international standards.
- Implementing Controls: Compliance isn’t just about ticking boxes; it’s about integrating necessary controls into daily operations to adhere to these obligations.
- Reporting and Documentation: Keeping detailed records is essential. It demonstrates compliance efforts to regulators and can be vital in incident investigations.
Legal and Regulatory Issues Relating to Information Security
The legal landscape can be a minefield without proper guidance.
- Data Protection Laws: Regulations like the General Data Protection Regulation (GDPR) in Europe set strict rules on how personal data is handled, emphasizing user consent and data rights.
- Intellectual Property Rights: Respecting copyrights, trademarks, and patents is essential to avoid legal disputes and maintain ethical standards.
- Cybercrime Legislation: Laws addressing hacking, unauthorized access, and other cyber offenses help protect organizations but also impose obligations to report breaches and cooperate with authorities.
- Cross-Border Considerations: Operating globally introduces complexities, as laws vary between countries. Understanding these differences is key to maintaining compliance internationally.
IT Policies and Procedures
Policies and procedures are the playbook for an organization’s security efforts:
- Policy Development: Crafting clear, concise policies that reflect the organization’s objectives and comply with legal requirements is fundamental.
- Procedures and Guidelines: These provide step-by-step instructions for implementing policies, ensuring consistency and effectiveness in security practices.
- Training and Awareness: Educating employees about policies and procedures fosters a security-conscious culture and reduces human error risks.
- Regular Review and Updates: As the threat landscape evolves, so should the policies and procedures. Continuous improvement keeps the organization resilient.
Risk-Based Management Concepts
Risk management is like navigating a ship through stormy seas; it requires vigilance and adaptability.
- Risk Identification: Recognizing potential threats that could negatively impact assets. This includes everything from cyberattacks to natural disasters.
- Risk Analysis and Evaluation: Assessing the likelihood and impact of identified risks helps prioritize response efforts. It involves both qualitative and quantitative methods.
- Risk Mitigation Strategies: Determining how to address risks, whether by avoiding, transferring, mitigating, or accepting them. Implementing controls and safeguards is a central part of this process.
- Continuous Monitoring: Risks aren’t static! Ongoing monitoring ensures new threats are identified promptly, and responses remain effective.
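The four bullets above describe one procedure: identify, analyse (qualitatively and quantitatively), choose a treatment, keep monitoring. The Python example below is added to walk through that procedure end to end on a small constructed risk register; it is not code from the original text. The 1–5 likelihood/impact scales and the band thresholds are assumptions you would replace with your organization’s own matrix, and the quantitative part uses the standard single loss expectancy (SLE), annualized rate of occurrence (ARO) and annualized loss expectancy (ALE = SLE × ARO) formulas, which the text does not spell out. All asset values, rates and control costs are invented for illustration.

```python
from dataclasses import dataclass

# --- Qualitative analysis (assumed 1..5 scales; adapt to your own risk matrix) ---
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def qualitative_score(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def qualitative_band(score: int) -> str:
    """Map a likelihood x impact score onto a triage band (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


# --- Quantitative analysis ---
@dataclass
class Risk:
    name: str
    asset_value: float      # monetary value of the asset at stake
    exposure_factor: float  # fraction of that value lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (expected events per year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


def safeguard_value(risk: Risk, residual_ef: float, residual_aro: float, annual_cost: float) -> float:
    """Net annual benefit of a control: ALE before, minus ALE after, minus the control's cost."""
    ale_after = risk.asset_value * residual_ef * residual_aro
    return risk.ale() - ale_after - annual_cost


def treatment(risk: Risk, best_safeguard_value: float, acceptance_threshold: float) -> str:
    """Pick a response: mitigate if a control pays for itself, accept if the expected
    loss is below the organization's appetite, otherwise transfer (insure) or avoid."""
    if best_safeguard_value > 0:
        return "mitigate"
    if risk.ale() <= acceptance_threshold:
        return "accept"
    return "transfer or avoid"


def prioritize(risks: list) -> list:
    """Highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed register: (risk, candidate control as residual EF, residual ARO, annual cost)
REGISTER = [
    (Risk("ransomware on file server", 500_000, 0.6, 0.5), (0.1, 0.25, 40_000)),
    (Risk("laptop theft", 3_000, 1.0, 2.0), (0.3, 2.0, 1_000)),
    (Risk("datacenter flood", 2_000_000, 0.5, 0.02), (0.5, 0.002, 50_000)),
    (Risk("coffee spill on shared printer", 800, 1.0, 0.5), (0.0, 0.0, 500)),
]
ACCEPTANCE_THRESHOLD = 10_000  # assumed risk appetite: accept anything below this ALE


def worked_register() -> dict:
    """Return {risk name: (ALE, safeguard value, chosen treatment)} in priority order."""
    decisions = {}
    controls = {r.name: c for r, c in REGISTER}
    for risk in prioritize([r for r, _ in REGISTER]):
        value = safeguard_value(risk, *controls[risk.name])
        decisions[risk.name] = (risk.ale(), value, treatment(risk, value, ACCEPTANCE_THRESHOLD))
    return decisions


if __name__ == "__main__":
    for name, (ale, value, decision) in worked_register().items():
        print(f"{name:32s} ALE={ale:>10,.0f} control value={value:>10,.0f} -> {decision}")
```

Two things the numbers make visible that the prose cannot: the control for the flood scenario costs more per year than the loss it prevents, so buying insurance (transfer) beats building it, and the printer risk is simply accepted because no control is worth its price at that loss level. The fourth bullet, continuous monitoring, is what re-runs this register when an ARO or asset value changes.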
Security Architecture and Engineering
This domain includes assessing and mitigating vulnerabilities, applying cryptographic solutions, and ensuring physical security measures. The goal is to create resilient systems that can withstand and recover from security threats, ensuring the confidentiality, integrity, and availability of data and services. It emphasizes a comprehensive approach to integrating security into all aspects of system development and operation.
- Engineering Processes Using Secure Design Principles: This involves incorporating security considerations into every phase of the system development lifecycle. Secure design principles include practices like least privilege, defense in depth, and fail-safe defaults to ensure that systems are resilient against attacks and can maintain security even when components fail.
- Fundamental Concepts of Security Models: Security models provide frameworks for implementing and managing security policies. These models, such as Bell-LaPadula, Biba, and Clark-Wilson, help define how data should be accessed, modified, and protected, ensuring consistency and reliability in enforcing security policies.
- Security Capabilities of Information Systems: This refers to the built-in security features and functionalities of information systems, such as access controls, encryption, and auditing capabilities. These capabilities are essential for protecting data integrity, confidentiality, and availability, and ensuring that systems can effectively respond to security incidents.
- Assessing and Mitigating Vulnerabilities in Systems: This involves identifying, evaluating, and addressing weaknesses in systems that could be exploited by attackers. Vulnerability assessments, penetration testing, and patch management are key activities in this process, aimed at reducing the risk of security breaches.
- Cryptography: Cryptography is the practice of using mathematical techniques to secure information. It includes methods like encryption, hashing, and digital signatures to protect data from unauthorized access and ensure its integrity and authenticity during transmission and storage.
- Physical Security: Physical security focuses on protecting the physical assets and environments that house information systems. This includes measures such as access controls, surveillance, and environmental controls to safeguard against physical threats like theft, vandalism, and natural disasters.
Communications and Network Security
The Communications and Network Security domain in CISSP focuses on the design, implementation, and management of secure networks. It covers topics such as network architecture, secure network components, and communication channels. The domain emphasizes protecting data as it travels across networks, ensuring confidentiality, integrity, and availability. It also includes securing network infrastructure, implementing security protocols, and mitigating risks associated with network communication. The goal is to maintain a robust and secure network environment that supports the organization’s operations while protecting against internal and external threats.
- Network Architecture: This involves designing and implementing the overall structure of a network. It encompasses the layout of physical and logical components, including devices, connections, and protocols. A well-designed network architecture ensures efficient data flow, scalability, and robust security measures to protect against threats.
- Network Components: These are the individual elements that make up a network, such as routers, switches, firewalls, and servers. Each component plays a specific role in managing data traffic, enforcing security policies, and maintaining the overall functionality and performance of the network.
- Communication Channels: These are the pathways through which data is transmitted within a network. They include wired and wireless connections, as well as various communication protocols. Ensuring the security and reliability of communication channels is crucial for protecting data integrity and preventing unauthorized access.
Asset Security
The Asset Security domain in CISSP focuses on the identification, classification, and protection of organizational assets. It covers topics such as information ownership, data classification, privacy protection, retention periods, and secure data handling. The domain emphasizes the importance of understanding the value of assets, implementing proper security controls, and ensuring compliance with relevant laws and regulations. It also covers data lifecycle management, from creation and storage to disposal, ensuring that assets remain protected throughout their existence. The goal is to maintain the confidentiality, integrity, and availability of valuable information assets within an organization.
Here are brief descriptions of each item within the Asset Security Domain of CISSP, as described by ISC2:
- Classification and Ownership of Information Assets: This involves identifying and assigning a level of sensitivity to assets, and designating responsibility for their protection to appropriate owners. Proper classification helps prioritize security efforts and ensures that data receives appropriate protection based on its value and sensitivity.
- Privacy: This encompasses safeguarding personal information and ensuring compliance with privacy regulations. It involves implementing measures to protect individual privacy rights, such as data minimization, consent management, and access controls.
- Retention Policies: These policies dictate how long data should be kept and the processes for securely disposing of it when it is no longer needed. Proper retention policies help manage data storage costs, reduce risks associated with data breaches, and ensure compliance with legal and regulatory requirements.
- Security Controls: These are the technical, administrative, and physical safeguards put in place to protect information assets. They include measures such as encryption, access controls, and monitoring systems designed to prevent, detect, and respond to security incidents.
- Handling Requirements: These requirements specify how data should be managed and protected throughout its lifecycle, from creation and use to storage and disposal. This includes guidelines for data access, transfer, and destruction to ensure consistent security practices and compliance with policies.
Security Assessment and Testing
The Security Assessment and Testing domain in CISSP focuses on evaluating the effectiveness of an organization’s security controls. It involves conducting various types of assessments, such as vulnerability assessments, penetration testing, and security audits, to identify weaknesses and ensure compliance with security policies. The domain also covers the development and implementation of testing strategies, security metrics, and continuous monitoring techniques. The goal is to maintain a robust security posture by identifying and mitigating risks, validating the effectiveness of security measures, and ensuring that security controls operate as intended throughout the system lifecycle.
- Designing and Validating Assessment and Test Strategies: This involves creating comprehensive plans for security assessments and tests to ensure they effectively evaluate security controls. Validation ensures that the strategies are aligned with organizational objectives and compliance requirements.
- Security Control Testing: This involves evaluating the effectiveness of security controls through techniques such as vulnerability assessments, penetration testing, and other testing methods. The goal is to identify weaknesses and ensure controls are functioning as intended.
- Collecting Security Data: This includes gathering and analyzing data from various sources such as logs, network traffic, and security tools. The data collection process helps in identifying security incidents, trends, and areas needing improvement.
- Test IO: This refers to testing input/output processes to ensure they are secure and free from vulnerabilities. It involves validating that data being processed, stored, and transmitted is adequately protected against unauthorized access and manipulation.
- Security Audits: These are systematic evaluations of an organization’s security policies, procedures, and controls. Security audits help ensure compliance with regulatory requirements and internal policies and identify areas for improvement to enhance the overall security posture.
Security Operations
The Security Operations domain in CISSP focuses on the implementation and management of security practices to protect an organization’s information assets. It covers incident response, disaster recovery, and business continuity planning. This domain includes managing and monitoring security operations, enforcing access controls, and ensuring compliance with policies and procedures. It also involves the use of security tools and technologies to detect and respond to security incidents. The goal is to maintain confidentiality, integrity, and availability of information while minimizing the impact of security threats and incidents on the organization’s operations.
- Investigations / Forensics: This involves systematic collection, analysis, and preservation of digital evidence to investigate security incidents and support legal actions. It includes identifying the source of breaches, understanding the impact, and ensuring the integrity of evidence.
- Logging and Monitoring: This involves capturing and analyzing log data from various systems and applications to detect and respond to security incidents. Continuous monitoring helps in identifying suspicious activities, ensuring compliance, and maintaining the security posture.
- Resource Provisioning: This includes the processes and technologies used to allocate and manage IT resources, such as hardware, software, and network components. Proper provisioning ensures that resources are available, secure, and efficiently utilized.
- Security Foundations: This refers to the basic principles and practices that form the foundation of an organization’s security posture. It includes risk management, security policies, access controls, and training programs to build a secure environment.
- Resource Protection: This involves implementing measures to safeguard organizational resources from threats. It includes physical security, access controls, and environmental controls to ensure confidentiality, integrity, and availability of critical assets.
- Incident Management: This involves the processes and procedures used to detect, respond to, and recover from security incidents. Effective incident management minimizes the impact of incidents and helps restore normal operations quickly.
- Disaster Recovery: This refers to the strategies and plans in place to recover IT systems and data after a catastrophic event. It includes backup and restoration procedures, alternate site arrangements, and testing to ensure business continuity.
- Business Continuity: This involves planning and preparation to ensure that an organization can continue to operate in the event of a disruption. It includes identifying critical functions, developing continuity plans, and conducting regular drills and exercises.
- Policy Enforcement: This involves the implementation and enforcement of security policies and procedures to ensure compliance. It includes monitoring adherence to policies, conducting audits, and taking corrective actions to address non-compliance.
Software Development Security
The Software Development Security domain focuses on integrating security practices throughout the software development lifecycle. It covers secure coding principles, application security, and threat modeling. This domain emphasizes the importance of building security into software from the design phase to deployment and maintenance. It includes topics such as secure software design, testing, and vulnerability management. The goal is to prevent security flaws, ensure that software is resilient against attacks, and protect data integrity and confidentiality. By embedding security into development processes, organizations can create robust applications that minimize risks and protect against exploitation.
- Security in Software Development Lifecycle: This involves integrating security practices at every stage of the software development lifecycle (SDLC). From initial planning and design to coding, testing, deployment, and maintenance, security considerations are incorporated to ensure that vulnerabilities are identified and mitigated early.
- Security Controls in Development Environments: This includes implementing safeguards within development environments to protect code and resources. It involves access controls, secure configurations, and monitoring to prevent unauthorized changes and ensure the integrity of the development process.
- Assessment of Software Security: This involves evaluating the security of software through various methods such as code reviews, security testing, and vulnerability assessments. The goal is to identify and address security flaws before software is deployed, ensuring it is resilient against attacks.
- Secure Coding Guidelines and Code of Conduct (Coding Standards): These are best practices and standards that guide developers in writing secure code. They include recommendations for avoiding common vulnerabilities, adhering to coding conventions, and maintaining code quality. A code of conduct ensures ethical and secure coding practices are followed consistently.
Identity and Access Management
The Identity and Access Management (IAM) domain focuses on managing and controlling user identities and access to resources. It covers the principles of authentication, authorization, and accountability. IAM ensures that the right individuals have appropriate access to resources and that unauthorized access is prevented. This domain includes user provisioning, access review, and the implementation of multifactor authentication. It also addresses identity lifecycle management and the enforcement of access policies. The goal is to protect sensitive information by ensuring that access is granted based on the principle of least privilege and is regularly monitored and audited.
- Physical and Logical Access to Assets: This involves controlling and managing access to both physical and digital resources. Physical access pertains to securing facilities and hardware, while logical access focuses on protecting data and systems through network security measures.
- Authentication and Authorization: Authentication is the process of verifying a user’s identity, while authorization determines the level of access granted to that user. These mechanisms ensure that only authorized individuals can access specific resources.
- Identity Processes and Workflows: This includes the procedures for managing user identities throughout their lifecycle, such as onboarding, role changes, and offboarding. Effective identity workflows ensure that access rights are assigned and revoked appropriately.
- Identity and Access Provisioning: This involves creating, managing, and deleting user accounts and access rights. Provisioning ensures that users have the necessary access to perform their duties while minimizing security risks.
- Identity Federation: This refers to the sharing of identity information across multiple systems or organizations. It allows users to access resources in different domains using a single set of credentials, facilitating seamless and secure interactions.
- Privileged Identity: This pertains to managing identities with elevated access rights, such as administrators and super-users. Proper management of privileged identities is crucial to prevent misuse and ensure accountability.
- Privileged Access: This involves controlling and monitoring access to sensitive systems and data by users with elevated privileges. It includes implementing strict access controls, auditing activities, and employing least privilege principles to minimize security risks.
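Since this course is about IAM, here is an added Python example (not code from the original text) that ties the bullets above together in one small, runnable access-control path: authentication (salted PBKDF2 password verification with a constant-time comparison), authorization by role with deny-by-default so that least privilege holds, a multifactor requirement for privileged actions, and an audit entry for every decision. The users, passwords, roles, grants and the PBKDF2 round count are constructed values and design assumptions, not anything prescribed by the text or by ISC2.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumption: tune the work factor to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, roles: tuple) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "roles": roles}


# Constructed identity store: hypothetical users, not from any real system.
USERS = {
    "alice": make_user("analyst-pass-1", ("analyst",)),
    "bob": make_user("admin-pass-2", ("analyst", "admin")),
}

# Role -> set of (action, resource) grants. Anything not listed is denied:
# this is how least privilege is enforced rather than just declared.
ROLE_GRANTS = {
    "analyst": {("read", "reports")},
    "admin": {("read", "reports"), ("write", "reports"), ("manage", "users")},
}

# Actions treated as privileged; they additionally require MFA on the session.
PRIVILEGED_ACTIONS = {"write", "manage"}


@dataclass
class Session:
    user: str
    roles: tuple
    mfa_verified: bool


def authenticate(username: str, password: str, mfa_verified: bool = False):
    """Return a Session on success, None otherwise. Never reveals whether the user exists."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so timing does not
        # distinguish "no such user" from "wrong password".
        hash_password(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(hash_password(password, record["salt"]), record["hash"]):
        return None
    return Session(username, record["roles"], mfa_verified)


def authorize(session, action: str, resource: str, audit: list) -> bool:
    """Deny by default; allow only on an explicit role grant, and only with MFA
    for privileged actions. Every decision is appended to the audit trail."""
    decision, reason = "deny", "no matching grant"
    if session is not None:
        granted = any((action, resource) in ROLE_GRANTS.get(r, set()) for r in session.roles)
        if granted and action in PRIVILEGED_ACTIONS and not session.mfa_verified:
            reason = "privileged action requires MFA"
        elif granted:
            decision, reason = "allow", "role grant"
    audit.append({
        "user": session.user if session else None,
        "action": action, "resource": resource,
        "decision": decision, "reason": reason,
    })
    return decision == "allow"


if __name__ == "__main__":
    trail = []
    s = authenticate("alice", "analyst-pass-1")
    print("alice read reports:", authorize(s, "read", "reports", trail))
    print("alice write reports:", authorize(s, "write", "reports", trail))
    b = authenticate("bob", "admin-pass-2", mfa_verified=True)
    print("bob manage users (MFA):", authorize(b, "manage", "users", trail))
    for entry in trail:
        print(entry)
```

Notice that authentication and authorization are separate functions with separate failure modes: a valid session for bob still gets `deny` on `manage users` until MFA is verified, and that denial lands in the audit trail with its reason, which is exactly what the privileged-access bullet asks for.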