Identity and access management (IAM) allows the “right users” to access the “right technology” (applications, databases, networks, etc.) at the “right time.” But what’s the best way for interviewees to prove to hiring managers that they are the “right fit” for these openings?
A broad spectrum of jobs is available in IAM at organizations of all types, including enterprises, small to medium-sized businesses, and third-party service providers. Titles frequently listed on job boards include IAM system architect, IAM system engineer, IAM access control specialist, IAM administrator and IAM consultant.
Depending on the company and the position, some IAM jobs are more customer-facing than others. Some may focus more on soft skills, such as collaboration and communication, while other positions are more engineering-oriented and focus more on hard skills.
In the IAM field, as with other security disciplines, filling jobs with professionals with the right mix of skills isn’t easy, explained Lance Peterman, president of IDPro, a professional development organization. So, organizations looking to fill IAM positions “have to get creative with respect to hiring,” he said. For a new graduate or someone switching fields, “we often look at job candidates’ willingness and ability to quickly pick up concepts, particularly technical concepts.”
Interview questions for entry-level IAM jobs often touch on security fundamentals, safeguards and controls as well as the basics of identity protection, access management, cloud computing and cryptography. Desirable skills for entry-level candidates or career-changers include experience with identity directories, databases, authentication and authorization models and scripting. If the IAM job is focused on cybersecurity, interview questions may relate to the trade-offs between security and productivity.
Knowing the vocabulary of IAM is also helpful for recent graduates and career-changers. They might read up on the major components of IAM — including the provisioning and deprovisioning of identities, securing and authentication of user identities, and authorization to access resources or perform specific actions. Other terminology worth brushing up on includes privileged identity management, authorization and access control, federation, role-based access control (RBAC) and state transfer. Related terms might include load balancer (for cloud-oriented questions) or spot instances (for interviews related to infrastructure.
Be prepared for open-ended questions. There is often more than one correct answer. Plus, these questions invite follow-up.
1. What can you tell me about yourself?
Whether you’re a recent graduate, a career-changer or a seasoned IAM professional, most interviewers will ask you some form of this question. This open-ended question gives interviewers a chance to try to peel back the onion to learn more about your skills and experience — and get a sense if you can be a fit for their organization.
2. Why is IAM important?
You might explain that as security threats rise and user privacy preferences become more difficult to control, IAM is becoming more essential to organizations of all sizes and in all industries. IAM is crucial at a time when passwords can be hacked in minutes, corporate data breaches occur frequently, and criminals have infiltrated many organizations and government agencies. Only one set of credentials needs to be hacked for a bad actor to infiltrate an enterprise network.
Being enthusiastic and understanding why IAM is such an important element of information security (infosec) are essential. Be prepared for basic and more complex questions that look at your experience, technical and non-technical skills, and the kind of person you are. Here are some examples.
3. Do you have experience implementing IAM solutions and products such as single sign-on (SSO), two-factor authentication (2FA) and multifactor authentication (MFA)?
A Computer Weekly/TechTarget IT Priorities study conducted pre-Coronavirus found that IAM would be increasingly important during 2020, with multifactor authentication the most popular identity-related security initiative planned by the surveyed buyers, cited by 48%. Access management, which 34% planned to deploy, and single sign-on, which was of interest to 30%, were also significant initiatives.
The study also showed that privileged identity management or privileged account management — other important words in the IAM lexicon — is becoming mainstream.
4. Which users have you worked with? Have you managed customer identity in addition to employee and other internal staff identities?
The users IAM professionals deal with vary depending on the company and the job, from customers and privileged accounts to service accounts, internal employees, business partners and more.
5. What is your experience with identity directory services such as Active Directory?
Most IAM projects involve working with Active Directory or other types of repositories that comply with Lightweight Directory Access Protocol (LDAP). According to a blog posting by Avatier, LDAP skills are needed throughout an IAM project for data conversions, QA testing, directory consolidation and other tasks. “Being able to write scripts that push and pull data between databases and the target LDAP directory provides a great deal of power that can be leveraged to accelerate project work,” the Avatier blog states.
6. What is your experience with IAM in the cloud?
The cloud platform that a company uses would likely be included in the job description, IDPro’s Peterman explained. Among entry-level professionals and career changers, “employers are looking for some exposure to the cloud,” he noted. “If you have experience using one type of cloud, you can probably learn another,” he said.
Entry-level candidates and career changers might be asked the following:
- How much experience do you have promoting code in the cloud?
- What technologies and tools have you worked with?
- What are some of the pluses and minus you have encountered with these tools and cloud providers?
- What is your experience with virtual machines?
- What is your experience with containers?
Interviewees at a higher technical experience level might be asked for details about specific cloud platform. For example, interviewees familiar with Amazon Web Service (AWS) IAM might be asked about its key features, how it works, its key benefits, its permissions and its policies. Be familiar with Amazon’s best practices such as AWS Multi-Factor Authentication (MFA), which is designed to provide an additional layer of protection on top of the username and password.
According to online tutorial site GoLinuxCloud, key points about AWS IAM include the following:
- A new user in IAM does not have any permission.
- AWS IAM assigns an Access Key and a Secret Access Key to a new user.
- An Access Key cannot be used to log in to AWS Console.
- We use Access Key to access AWS via an API or command-line interface.
- IAM is a universal application. It is common across all the regions in AWS.
7. What are your favorite IAM tools and solutions?
According to web infrastructure and security company Cloudflare, IAM may be a single product or a mix of processes, software, cloud services and hardware that give administrators visibility and control over the organizational data that individual users can access.
Some security experts consider cryptography a separate field from IAM. However, some IAM professionals may have to address cryptography issues or work with those who do. So, depending on the job, the interview may include some cryptography questions.
8. What is cryptography?
Kaspersky Lab defines cryptography as “the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents.” Cryptography refers to secure information and communication techniques derived from mathematical concepts and a set of rule-based calculations called algorithms, to convert plaintext into ciphertext (a process called encryption), then back again (known as decryption).
9. What is the goal of cryptography?
Cryptography helps keep information confidential; if a transmission or storage medium has been compromised, any encrypted information is practically useless to unauthorized persons without the keys for decryption. Second, by using hashing algorithms and message digests, cryptography helps ensure the integrity (or accuracy) of information. In addition, through digital signatures, digital certificates or a public key infrastructure (PKI), cryptography can be used for authentication (and non-repudiation) services.
10. Why is cryptography important?
Cryptography can prevent hackers from stealing data. Data needs to be secured because the leaking of sensitive information can put businesses, government institutions, financial institutions and individuals at risk.
11. What is the most interesting/rewarding project or initiative in which you’ve been involved?
This question gives interviewees a chance to discuss projects that used skills useful to the position for which they are applying. Interviewees might discuss what made the project interesting to them, how they worked with others, and what they learned. More experienced candidates might talk about the project’s management and technical complexities. New graduates can discuss key elements of projects they worked on at universities, training programs and internships.
On the flip side, a posting on Glassdoor noted that one company asked a candidate for an IAM team lead: “What kinds of projects would you shy away from?” Be careful with this one. Be positive, and don’t say anything bad about your former employer.
Follow-ons to the question about interesting and rewarding projects might be:
What is your ideal next step? What type of projects or initiatives would you like to work on? What skills would you like to add?
12. Are you a team player? Discuss how you have engaged with other departments, such as legal and compliance. How do you manage the internal relationships?
Collaboration and communication skills are crucial. Being a team player is important whether you’re a recent grad, a career-changer or a seasoned IAM professional. Even those in the early stages of building their resumes should be able to address this question. “Many new graduates come from [IT-related programs] that generally have team-based projects,” said Darren Yamaki, director of identity and access management at the University of Southern California.
13. What role have you played in ensuring compliance with government relations?
This question might be worded differently for new graduates or career changers, who may not have been directly involved in compliance; the question for newcomers might be “why is compliance important in IAM?” Experienced IAM professionals are more likely to have had a direct role in compliance and interviewers will ask about how it applied to their jobs.
Compliance is important because U.S., worldwide and industry-specific data security and privacy laws contain specific IAM mandates. For example, HIPAA’s Security and Privacy Rules define access control measures for health information. Depending on their business, organizations might have to comply with regulations such as the Family Educational Rights and Privacy Act, GDPR, the Gramm-Leach-Bliley Act, PCI DSS and the Sarbanes-Oxley Act.
A related term is identity governance. A blog posting by Secret Double Octopus defines identity governance as a subcategory of IAM that “emerged from the needs of organizations to comply with new regulatory requirements such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). IG provides organizations with better visibility to identities and access privileges, and better controls to detect and prevent inappropriate access.”
14. What is the biggest challenge you have faced? What is the biggest mistake you have made?
A variation on this question is “what is the hardest part of your job?”. It’s important to discuss obstacles, how you handled them, what you learned from them and what you might do differently next time.
15. How are changes in technology, from AI to IoT, affecting your job?
More senior employees might be asked about how AI, automation and the internet of things are changing the way they work and what IAM challenges these technologies are posing, USC’s Yamaki suggested. He added that new graduates might be asked how they stay on top of developments in the field — for example, what journals or websites do they read.
In addition to the above questions, Henry Bagdasarian, founder and chief identity officer of the Identity Management Institute, a cybersecurity training and certification group, offers the following IAM interview questions.
- Do you have experience managing third-party service providers?
- Have you been involved in the vendor selection process?
- Have you performed access re-certification? What tools have you used, or what is your strategy?
- Have you supported internal and external audits?
- How do you manage client requests for information? What is the most efficient method to support RFI?
- Do you have experience with IAM product design?
- Have you developed IAM policies and procedures?
- Have you been involved in IAM request for proposal projects?
Don’t forget to come up with questions of your own and anticipate follow-up questions. Before the interview, do some research on the company and the IAM field.
Most of these questions can be modified based on the interviewees’ experience and the nature of the job. IAM career expects recommend tailoring questions based on the specific interview and your background.
Remember, the interviewer’s goal is to see how you think, whether through your answers to questions or through role-playing or other problem-solving task. Examples on Glassdoor include the following:
16. How do you get a computer’s IP address?
An interviewee at WellCare answered the question about obtaining a computer’s IP address. One answer that Glassdoor provided: “Go to Start–cmd –systeminfo or Start–Powershell–systeminfo”.
17. How do you give a user access to a server using Active Directory? How do you disable a user in Active Directory?
WellCare posed these two questions to IAM interviewees, according to Glassdoor. To grant a user access, browse the server in Active Directory and find out associated Access groups in the Server properties. Then add the user to the desired group, which grants access to that server, according to Microsoft’s documentation website. To disable a user in Active Directory, find the user in the correct organizational unit (OU) and then right click and select “Disable Account”; the user account will now be disabled and you will see a down pointing arrow next to the account name, according to Netwrix Blog.
Be prepared as much as possible but be yourself. Job candidates, particularly new graduates or career-changers should focus on their strengths and ways to get up to speed on skills they need to learn. “In IT, in general, often job posts will aim for the stars but settle for the moon,” Peterman said.