Module 35: Identification, Authentication, and Authorization
The CCSP exam treats identity as the new perimeter. In cloud, where traditional network boundaries dissolve, identity and access management is the primary control plane.
Identity Is the New Perimeter
In traditional IT, the network perimeter defined trust: inside the firewall was trusted, outside was not. Cloud erodes that model, because users, workloads and administrators all sit outside any single network boundary.
Now, identity determines trust. The exam tests whether you understand this shift:
- Every API call to the cloud is authenticated and authorized
- Network location no longer implies trust level
- A compromised identity can do more damage than a compromised network segment
- The cloud management plane is accessed entirely through authenticated APIs
If the exam presents a scenario where a privileged cloud account is compromised, the blast radius is typically the ENTIRE environment that account can reach, not just one server, because the attacker now holds credentials for the management plane itself. This is why IAM is the highest-priority control in cloud.
Authentication Factors in Cloud
The exam expects you to know the three authentication factors and how they apply to cloud:
- Something you know — passwords, PINs (weakest factor)
- Something you have — hardware tokens, mobile authenticator apps, smart cards
- Something you are — biometrics (fingerprint, facial recognition)
Multi-factor authentication (MFA) combines two or more factors. The exam consistently positions MFA as a critical control for cloud access, especially for:
- Root/admin account access
- Cloud management console login
- Programmatic API access for privileged operations (for example, requiring an MFA-backed session before a privileged role can be assumed)
- Break-glass emergency access accounts
Exam trap: Two passwords are NOT multi-factor; they are both “something you know.” The same applies to a password plus a security question. MFA requires factors from different categories.
Federation and Single Sign-On
Cloud environments heavily rely on federated identity. The exam tests these concepts:
- SAML 2.0 — XML-based standard for exchanging signed authentication and authorization assertions between an identity provider (IdP) and a service provider (SP)
- OAuth 2.0 — authorization framework (not authentication) that issues access tokens so a client can call an API on a user's behalf
- OpenID Connect (OIDC) — identity layer built on top of OAuth 2.0; adds a signed ID token (a JWT) that tells the client who authenticated, when, and at which IdP
- Identity Provider (IdP) — the authoritative source of identity (AD FS or Microsoft Entra ID in front of Active Directory, Okta, Auth0)
The exam distinction that matters: SAML is for web-based SSO. OAuth is for delegated API authorization. OIDC adds authentication to OAuth. If the question asks about granting a mobile app access to cloud resources on behalf of a user, the answer is OAuth/OIDC, not SAML. A related trap: an OAuth access token proves the bearer was authorized for a scope, not who the user is, so treating an access token as proof of login is wrong; the ID token is the authentication artifact.
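The ID-token-versus-access-token distinction is easiest to see in the relying party's validation logic. The following is an added example and not code from the exam guide: it mints tokens locally and validates them the way an OIDC client must (signature, then issuer, audience, expiry and nonce). To stay offline it uses HS256 with a constructed shared secret; production IdPs normally sign with RS256 and publish keys via JWKS, but the claim checks are identical. The issuer URL, client id and API audience are constructed.

```python
# Added example (not from the exam guide): relying-party validation of an OIDC ID
# token, and why an OAuth access token fails the same checks.
import base64
import hashlib
import hmac
import json
from typing import Optional

ISSUER = "https://idp.example"          # constructed IdP issuer URL
CLIENT_ID = "mobile-app"                # constructed OAuth/OIDC client id
API_AUDIENCE = "https://api.example"    # constructed resource server audience
NOW = 1_700_000_000                     # fixed "current" Unix time for the demo


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Stand-in for the IdP: JWS compact serialization signed with HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: int) -> dict:
    """Return the claims if this is a valid ID token for our client, else raise ValueError.
    Signature is checked before any claim is trusted (OIDC Core 3.1.3.7 order)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # allow-list the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:               # an access token minted for the API fails here
        raise ValueError("token not issued to this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences without matching azp")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:             # binds the token to this login attempt
        raise ValueError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise ValueError("no subject")
    return claims


def why_rejected(token: str, key: bytes, issuer: str, client_id: str,
                 nonce: str, now: int) -> Optional[str]:
    """None if the token validates, otherwise the rejection reason."""
    try:
        validate_id_token(token, key, issuer, client_id, nonce, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = b"constructed-client-secret"
    id_token = mint_token({"iss": ISSUER, "sub": "user-1", "aud": CLIENT_ID,
                           "iat": NOW, "exp": NOW + 300, "nonce": "n1"}, key)
    access_token = mint_token({"iss": ISSUER, "sub": "user-1", "aud": API_AUDIENCE,
                               "scope": "storage.read", "iat": NOW, "exp": NOW + 3600}, key)
    print(why_rejected(id_token, key, ISSUER, CLIENT_ID, "n1", NOW))       # None
    print(why_rejected(access_token, key, ISSUER, CLIENT_ID, "n1", NOW))   # token not issued to this client
```

The access token is a perfectly good token for the API; it is rejected as a login proof only because its audience is the resource server, not the client. That audience check is what keeps a token stolen from one context from being replayed as authentication in another.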
Authorization Models
The exam tests several authorization approaches in cloud context:
- RBAC (Role-Based Access Control) — permissions assigned to roles, users assigned to roles. Most common in cloud
- ABAC (Attribute-Based Access Control) — permissions based on attributes (department, location, time of day, resource tags)
- Policy-based access control — JSON/YAML policy documents stating which principal may perform which actions on which resources under which conditions; this is how most cloud providers actually implement both RBAC and ABAC, and an explicit deny in such a policy overrides any allow
- Just-in-time (JIT) access — temporary elevation of privileges for a defined period
RBAC is the baseline. ABAC adds context. JIT adds time limits. The exam rewards candidates who layer these approaches rather than relying on a single model.
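The layering in the sentence above, and the JIT elevation recommended under Privileged Access Management below, as one runnable policy evaluator. This is an added example, not code from the exam guide or any provider's SDK: roles map to policy statements (RBAC), some statements carry tag conditions (ABAC), role bindings can be time-boxed (JIT), and an explicit Deny always wins. The statement shape follows the JSON policy style cloud IAM uses, but the action names, resource ids, tags and principals are constructed for the demo.

```python
# Added example (not from the exam guide): RBAC + ABAC + JIT in one evaluator,
# with deny-by-default and explicit-deny-wins semantics.
import fnmatch
from datetime import datetime, timedelta, timezone

T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)   # demo clock


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


ROLE_POLICIES = {
    "Developer": [
        {"Effect": "Allow", "Action": ["storage:GetObject", "storage:ListBucket"],
         "Resource": "bucket:app-logs/*"},
    ],
    "ProdOperator": [
        # ABAC: only instances tagged env=prod whose team tag equals the caller's team attribute
        {"Effect": "Allow", "Action": ["compute:RebootInstance"], "Resource": "instance:*",
         "Condition": {"ResourceTagEquals": {"env": "prod"}, "TagMatchesPrincipal": "team"}},
    ],
    "Admin": [{"Effect": "Allow", "Action": ["*"], "Resource": "*"}],
}

# Organisation-wide guardrails evaluated for every principal; a Deny here beats Admin.
ORG_GUARDRAILS = [
    {"Effect": "Deny", "Action": ["storage:DeleteBucket"], "Resource": "bucket:audit-*"},
]


def effective_roles(principal: dict, now: datetime) -> set:
    """Standing roles plus any JIT grants whose window contains `now`."""
    roles = set(principal.get("roles", []))
    for grant in principal.get("jit_grants", []):
        if grant["not_before"] <= now < grant["expires"]:
            roles.add(grant["role"])
    return roles


def condition_matches(cond: dict, principal: dict, resource: dict) -> bool:
    tags = resource.get("tags", {})
    for key, value in cond.get("ResourceTagEquals", {}).items():
        if tags.get(key) != value:
            return False
    tag = cond.get("TagMatchesPrincipal")
    if tag and tags.get(tag) != principal.get("attributes", {}).get(tag):
        return False
    return True


def statement_matches(stmt: dict, principal: dict, action: str, resource: dict) -> bool:
    return (any(fnmatch.fnmatchcase(action, pattern) for pattern in stmt["Action"])
            and fnmatch.fnmatchcase(resource["id"], stmt["Resource"])
            and condition_matches(stmt.get("Condition", {}), principal, resource))


def is_allowed(principal: dict, action: str, resource: dict, now: datetime) -> bool:
    """Deny by default; any matching Deny overrides; otherwise a matching Allow is required."""
    statements = list(ORG_GUARDRAILS)
    for role in effective_roles(principal, now):
        statements.extend(ROLE_POLICIES.get(role, []))
    matching = [s for s in statements if statement_matches(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False
    return any(s["Effect"] == "Allow" for s in matching)


# Constructed principals and resources: a developer with a one-hour JIT grant, and a standing admin.
DEVELOPER = {
    "roles": ["Developer"],
    "attributes": {"team": "payments"},
    "jit_grants": [{"role": "ProdOperator", "not_before": T0, "expires": at(60)}],
}
ADMIN = {"roles": ["Admin"]}
PROD_PAYMENTS_VM = {"id": "instance:i-0a1", "tags": {"env": "prod", "team": "payments"}}
PROD_SEARCH_VM = {"id": "instance:i-0b2", "tags": {"env": "prod", "team": "search"}}


if __name__ == "__main__":
    print(is_allowed(DEVELOPER, "compute:RebootInstance", PROD_PAYMENTS_VM, at(30)))   # True: JIT + ABAC
    print(is_allowed(DEVELOPER, "compute:RebootInstance", PROD_PAYMENTS_VM, at(120)))  # False: JIT expired
    print(is_allowed(DEVELOPER, "compute:RebootInstance", PROD_SEARCH_VM, at(30)))     # False: wrong team
    print(is_allowed(ADMIN, "storage:DeleteBucket", {"id": "bucket:audit-2025"}, T0))  # False: guardrail
```

Note that the JIT grant does not change the policy at all; it only changes which roles are in effect at a given instant, which is why the same request succeeds at 30 minutes and fails at 120.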
Privileged Access Management
Cloud environments have powerful administrative accounts that require special protection:
- Root accounts should have MFA (hardware-backed where possible), no long-lived API keys, and should almost never be used for daily operations
- Service accounts (machine identities) need the same least-privilege treatment as human accounts
- API keys and access credentials must be rotated regularly and, where the platform supports it, replaced by short-lived credentials issued at runtime (role assumption, workload identity) so there is nothing long-lived to leak
- Break-glass accounts provide emergency access but must be heavily audited
The exam may present a scenario where a developer has permanent administrative access. The correct answer involves implementing JIT access or role elevation with time-limited sessions — not permanent standing privileges.
Zero Trust and Continuous Authentication
The exam increasingly tests zero trust principles applied to cloud IAM:
- Never trust, always verify — even for internal traffic
- Continuous authentication re-evaluates trust throughout a session
- Conditional access policies enforce context-aware decisions (device health, location, risk score)
- Micro-segmentation at the identity level (per-workload identities with narrowly scoped permissions) limits blast radius
If a scenario describes a user accessing cloud resources from an unusual location at an unusual time, the correct answer involves conditional access or step-up authentication (prompting for an additional factor before granting access), not blocking the user outright.
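The conditional access decision described above, as an added example that is not part of the exam guide: sign-in context is turned into allow, step_up or block, with unusual location or time producing a step-up rather than a block, and block reserved for hard signals. It also includes the impossible-travel check that compares a sign-in against the previous one. The baseline, device-compliance flag, risk score and thresholds are constructed for the demo; in a real deployment they come from the IdP and the device-management system.

```python
# Added example (not from the exam guide): a conditional access decision function
# with continuous re-evaluation and an impossible-travel check.
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass
class SignIn:
    user: str
    at: datetime
    country: str
    lat: float
    lon: float
    device_compliant: bool
    risk_score: int          # 0-100 from an upstream risk engine (constructed signal)


@dataclass
class Baseline:
    usual_countries: set
    usual_hours_utc: range   # hours of day the user normally signs in
    last_sign_in: Optional[SignIn] = None


BLOCK_RISK = 90              # at or above: treat as credential compromise (constructed threshold)
MAX_TRAVEL_KMH = 900.0       # faster than a commercial flight is physically impossible


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(prev: SignIn, cur: SignIn, max_kmh: float = MAX_TRAVEL_KMH) -> bool:
    hours = (cur.at - prev.at).total_seconds() / 3600
    if hours <= 0:
        return False
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours > max_kmh


def decide(sign_in: SignIn, baseline: Baseline) -> Tuple[str, List[str]]:
    """Hard signals block; soft anomalies step up; a normal, compliant sign-in is allowed."""
    if sign_in.risk_score >= BLOCK_RISK:
        return "block", ["risk score at credential-compromise level"]
    if baseline.last_sign_in and impossible_travel(baseline.last_sign_in, sign_in):
        return "block", ["impossible travel since previous sign-in"]
    reasons = []
    if not sign_in.device_compliant:
        reasons.append("device not compliant")
    if sign_in.country not in baseline.usual_countries:
        reasons.append("unusual country")
    if sign_in.at.hour not in baseline.usual_hours_utc:
        reasons.append("unusual hour")
    if reasons:
        return "step_up", reasons            # ask for another factor; do not block outright
    return "allow", []


def reevaluate(baseline: Baseline, new_sign_in: SignIn) -> Tuple[str, List[str]]:
    """Continuous evaluation: rerun the decision on fresh context and, unless blocked, record it."""
    decision = decide(new_sign_in, baseline)
    if decision[0] != "block":
        baseline.last_sign_in = new_sign_in
    return decision


# Constructed baseline: a UK-based user who normally signs in 07:00-19:59 UTC.
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)
BERLIN = (52.5200, 13.4050)
MONDAY = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)


def demo_baseline() -> Baseline:
    return Baseline({"GB"}, range(7, 20), SignIn("alice", MONDAY, "GB", *LONDON, True, 5))


if __name__ == "__main__":
    b = demo_baseline()
    print(decide(SignIn("alice", MONDAY.replace(hour=10), "GB", *LONDON, True, 10), b))     # allow
    print(decide(SignIn("alice", MONDAY.replace(hour=23), "DE", *BERLIN, True, 30), b))     # step_up
    print(decide(SignIn("alice", MONDAY.replace(hour=10), "US", *NEW_YORK, True, 10), b))   # block
```

The ordering inside decide is the policy: hard evidence of compromise (risk score, physically impossible travel) short-circuits to block, while merely unusual context collects reasons and asks for proof rather than refusing service. Because reevaluate reruns the same function whenever new context arrives, a session that was allowed at 09:00 can still be stepped up or blocked later in the day.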