Chapter Three · The Control Plane

Identity and Access Management

Identity is the control plane for everything Meridian owns. This chapter builds the authentication, tokens, authorization, single sign-on, and secret storage that decide who can reach api.meridian.example and the customer database — and every topic is a place the intruder in Chapter 5 will probe first.

6 topics

Most serious breaches are failures of identity, not of cryptography. The password was reused, the MFA was phishable, the token was forged, the authorization check was missing, the cloud key was over-privileged. Identity is where an attacker spends the least effort for the most reward, which is why it is the control plane the rest of Meridian's security hangs from.

Six topics build that control plane: proving who you are with factors and MFA, staying logged in with sessions and tokens, delegating access with OAuth and OpenID Connect, deciding what you may do with RBAC and ABAC, unifying it all with single sign-on, and keeping the secrets that make it work out of code. The recurring principle is least privilege — grant exactly what is needed, verify every request, and assume any credential can be stolen.

Identity, end to end — the questions each topic answers
1
Who are you?
Factors · MFA
2
Stay logged in
Sessions · JWT · OAuth
3
What may you do?
RBAC · ABAC
4
Unify and protect
SSO · secrets management

Topics in This Chapter