DEV Community: Njuguna Wilfred

Understanding IAM (Identity and Access Management) in Cybersecurity

Njuguna Wilfred — Tue, 29 Jul 2025 12:16:10 +0000

As applications scale and digital infrastructure becomes more complex, controlling who can access what becomes critical. That’s where Identity and Access Management (IAM) steps in: it's the cornerstone of modern cybersecurity and governance. In this blog post, we’ll dive into what IAM is, why it matters, and how it works in practice for developers and security professionals.

What Is IAM?

IAM (Identity and Access Management) refers to the policies, processes, and technologies used to manage digital identities and control access to resources within an organization.

In simple terms, IAM ensures that:

The right individuals (or systems)
Have the right access
To the right resources
At the right time
For the right reasons

Why IAM Matters in Cybersecurity

Cybersecurity is about protecting confidentiality, integrity, and availability (CIA) of systems. IAM plays a direct role in all three:

Confidentiality: Ensures unauthorized users can't access sensitive data.
Integrity: Prevents unauthorized changes by restricting edit permissions.
Availability: Minimizes risks of service disruption via role-based access controls.

IAM is your first line of defense against insider threats, data breaches, privilege escalation, and lateral movement by attackers.

Core Components of IAM

IAM is more than just "logging in." It consists of several interrelated building blocks:

1. Identity Management

This involves creating, managing, and deleting user identities. Examples include:

Employee accounts in Microsoft Entra ID (formerly Azure AD)
Customer profiles in an e-commerce system
Machine identities like API tokens or IoT devices

2. Authentication

Authentication answers the question: “Are you who you claim to be?”
Common methods:

Passwords (not recommended as the sole method)
Multi-Factor Authentication (MFA)
Biometrics (Face ID, fingerprints)
OAuth tokens or SSO (Single Sign-On)

3. Authorization

Once authenticated, the system determines what you can access.
Authorization models include:

Role-Based Access Control (RBAC) – access based on roles like "admin" or "viewer"
Attribute-Based Access Control (ABAC) – access based on attributes like department or time of day
Policy-Based Access Control (PBAC) – dynamic rules using policies (used in AWS IAM and GCP IAM)

4. Access Governance

This focuses on:

Reviewing who has access to what
Detecting excessive or unused privileges
Conducting periodic access audits
Enforcing segregation of duties (SoD)

5. Privileged Access Management (PAM)

PAM handles users with elevated privileges (admins, root users, DBAs), by:

Vaulting credentials
Rotating secrets
Session monitoring
Just-In-Time (JIT) access

How IAM Works in Practice

Let’s walk through a typical flow in an enterprise environment:
1. User Onboarding
- HR system sends a trigger to IAM platform.
- IAM provisions an identity with appropriate roles.
- MFA is enforced.
2. Authentication
- User logs in via SSO.
- System verifies identity using password + push notification.
3. Authorization
- User attempts to access a resource (e.g., an internal Git repository).
- IAM checks policies (e.g., only devs in the Engineering group can access).
- Access granted or denied.
4. Audit & Monitoring
- All access events are logged.
- IAM dashboard flags anomalies (e.g., after-hours logins from a new location).
5. Offboarding
- User leaves company.
- IAM revokes all access and deactivates accounts automatically.

I recently discovered an excellent platform called Forage that offers realistic job simulations across various industries. It's a great way to practice real-world scenarios, build on existing skills, and gain hands-on experience in a risk-free environment.

Some Of The Challenges Experienced by Developers While Working With React.

Njuguna Wilfred — Wed, 11 Jun 2025 06:54:55 +0000

React is a framework in Javascript, and on the most crucial aspects it has is State Management, Server-side rendering(SSR) and Hook Pitfalls.

-State Management

Let's start from the basics, what is State?
State can be defined as an object that houses data which changes over time in an application. In other words, state is a dynamic data storage that provides a mechanism for components to manage, keep track of changing data, and trigger re-rendering when it is updated.

State management is like the brain of your app. It remembers everything the app needs to know at any moment — such as what you've typed in a form, whether you're signed in, or what screen you're looking at. When something changes (like you click a button), state management updates that memory and tells the app to show the right thing. Without it, your app wouldn't know what to do next, and the user experience would be messy.

Most Popular Types of State Management

Local State Management
It involves managing the state within a component or a small group of components. It’s suitable for simple applications where state changes are minimal and contained.

  //using useState
  const [count, setCount] = useState(0); // Initial value = 0
  //can adjust the setcount to be setCount(count + 1)[increament by 1]

  //using shared state(parent to child)
  function Parent() {
     const [theme, setTheme] = useState("dark");
    // Pass attributes to children
    return <Child theme={theme} setTheme={setTheme} />;
  }

_Global State Management _
As applications scale in complexity, managing state locally within individual components becomes inefficient and error-prone.

Global state management solves this by establishing a centralized data store that serves as a single source of truth. Any component in the application can directly access or update this shared state, eliminating the need to pass data through multiple layers of components.

This approach ensures consistency across the UI, reduces prop-drilling complexity, and simplifies state synchronization in large applications.
```
     // Step 1: Create Context
const ThemeContext = createContext();

    // Step 2: Wrap app in a Provider (stores state)
function App() {
const [theme, setTheme] = useState("dark");
return (
<ThemeContext.Provider value={{ theme, setTheme }}>
  <Header />
  <Page />
</ThemeContext.Provider>
);
}

   // Step 3: Use state in any child with useContext()
function Header() {
const { theme, setTheme } = useContext(ThemeContext);
return <button onClick={() => setTheme("light")}>Light Mode</button>;
}
```
Server-side State Management
Server-side state storage maintains critical application data on remote servers rather than in the user's browser.
This approach is indispensable when state persistence is required across user sessions—like remembering login credentials or shopping carts between visits—or when state needs to be shared among multiple users simultaneously, such as in collaborative editing tools or live dashboards.
```
  //Example uses Zustand
  import create from 'zustand';

  // Centralized store
  const useCartStore = create((set) => ({
items: [],
  addItem: (item) => set(state => ({ items: [...state.items, item] })),
}));

 // Use anywhere
  function CartButton() {
     const addItem = useCartStore(state => state.addItem);
     return <button onClick={() => addItem("Shoes")}>Add to Cart</button>;
  }
```

- Hooks Pitfalls.

Stale state in closure When you use state inside asynchronous code (like setTimeout or promises), it captures the state value at the moment the function was created, not the latest value. This happens because closures "lock in" old state. For example, if you update a counter rapidly, a setTimeout(() => console.log(count), 1000) might log an outdated value. To resolve this use functional updates setCount(prev => prev + 1) or store the latest state in a useRef to bypass closure capture.
Dependency Array Traps useEffect, useMemo, useCallback rely on dependency arrays to know when to re-run. Forget a dependency (like forgetting fetchData in useEffect(fetchData, [])), and your code uses stale data. Also add too many (like including an object that changes every render), and it triggers infinite loops. To resolve this let ESLint's react-hooks/exhaustive-deps rule guide you. For objects, memoize them with useMemo first.
useEffect Overuse & Side Effects
Using useEffect for everything (like data fetching, subscriptions, or DOM updates) can lead to race conditions if async operations complete out-of-order.
Worse, forgetting cleanup (e.g., not removing event listeners) causes memory leaks.
To fix this cancel pending requests with AbortController, and always return a cleanup function:
```
    useEffect(() => {
       const timer = setTimeout(doSomething, 1000);
       return () => clearTimeout(timer); // Cleanup!
    }, []);
```
Breaking Hooks' Golden Rules
Hooks must run in the same order every render. If you call them conditionally (if (loading) useEffect(...)), inside loops, or after early returns, React loses track of state, leading to cryptic errors.
To fix this always call hooks at the top level of your component.
Ignoring Custom Hook Isolation
Each call to a custom hook (e.g., useAuth()) creates separate state.
If two components use useAuth(), they won’t share data unless you designed it that way.
To fix this lift shared state into context or a global store.

Server-Side Rendering

Server-Side Rendering(SSR) is the aspect of rendering React apps to complete HTML on your server.
This sends ready-to-display pages to browsers which helps solve the problem of "black screens" on the client-side rendering.

Its important since it delivers pre-rendered HTML for instant page loads (critical for SEO + user retention).

This is the workflow of how it operates:
- Server fetches data + renders React → HTML
- Browser displays HTML immediately
- React "hydrates" HTML to make it interactive

One of the major hydration trap is server/client HTML mismatch causes errors. The fix is to delay browser-only logic with useEffect and typeof window checks.

Conclusion

Mastering React requires more than just writing components—it demands a deep understanding of its three core pillars: state management, hooks, and server-side rendering (SSR).
State serves as the central nervous system of your app, with local state useState handling UI interactions, global state tools like Context or Zustand managing shared data, and server state libraries like React Query ensuring data persistence across client-server boundaries.
The golden rule? "Lift state until it hurts, then go global." Hooks, while powerful, come with sharp edges—avoiding stale closures and properly managing dependencies with techniques like functional updates and useMemo is essential. Always use useEffect responsibly with cleanup logic, and remember: hooks must run at the top level, no exceptions.
SSR, meanwhile, offers fast, SEO-friendly page loads but requires care to avoid hydration mismatches—frameworks like Next.js and Remix streamline this process, especially when combining SSR for public pages with client-side rendering for private content.
In the end, React gives you freedom, but that freedom comes with responsibility. Start simple, evolve your architecture thoughtfully, and respect each pillar’s nuances. By doing so, you’ll turn React’s complexity into a superpower—building resilient, high-performance applications that both users and search engines love.

Understanding APIs: A Technical Overview with Examples

Njuguna Wilfred — Tue, 27 May 2025 19:03:56 +0000

Introduction to APIs

An API (Application Programming Interface) is a contract between software applications that defines how they can interact. APIs specify the methods and data structures that developers can use to request and exchange information between systems.

Importance of APIs

APIs play a crucial role in software development by enabling modular, scalable, and efficient interactions between different applications. Key benefits include:

Interoperability: Different applications, regardless of programming language, can communicate using APIs.
Efficiency: Reduces development time by leveraging existing services instead of building functionalities from scratch.
Security: Restricts access to specific functionalities, protecting sensitive operations and data.
Scalability: Enables microservices and cloud-native architectures by decoupling services.

Types of APIs

APIs can be categorized based on their usage and communication style:

Web APIs – Facilitate communication over the web using HTTP protocols. Examples: REST, SOAP, GraphQL, WebSockets, and gRPC.
Library APIs – Allow interaction with predefined functions within a programming language or framework. Example: Python’s NumPy API.
Operating System APIs – Enable applications to interact with the OS for resource management. Example: Windows API, POSIX API.
Database APIs – Provide access to databases using queries. Example: JDBC (Java Database Connectivity), MySQL API.

Web API Protocols and Architectural Styles

REST API (Representational State Transfer)
- Uses standard HTTP methods: GET, POST, PUT, DELETE.
- Stateless and scalable.
- Returns data in lightweight formats like JSON or XML.
- Real world examples include Twitter and GitHub.
- Example: Use Case -> Book Library Management Endpoints: GET /books → Get all books POST /books → Add a new book GET /books/{id} → Get a single book by ID
```
       //Request//
 POST /books HTTP/1.1
 Content-Type: application/json

 {
   "title": "The API Handbook",
   "author": "Jane Doe"
 }

 //Response//
  {
    "id": 123,
    "title": "The API Handbook",
    "author": "Jane Doe"
  }
```
SOAP API (Simple Object Access Protocol)
- Uses XML-based messaging and follows strict standards.
- Supports stateful operations with built-in security features.
- More complex but widely used in enterprise and financial applications.
- Real world application is in the banking systems.

Example: Use Case -> Weather Service

    //Request//
    POST /WeatherService HTTP/1.1
    Content-Type: text/xml

    <soap:Envelope>
     <soap:Body>
       <GetWeather>
         <City>London</City>
       </GetWeather>
     </soap:Body>
    </soap:Envelope>

    //Response//
    <soap:Envelope>
      <soap:Body>
        <GetWeatherResponse>
          <Temperature>22°C</Temperature>
          <Condition>Sunny</Condition>
        </GetWeatherResponse>
       </soap:Body>
    </soap:Envelope>

GraphQL API

Developed by Facebook as an alternative to REST.
Allows clients to specify exactly what data they need.
Uses a single endpoint instead of multiple REST endpoints.
Ideal for applications with complex data relationships (e.g., social media platforms).
Example: Use Case -> Social Media Profile

  //Query//
  query {
    user(id: "456") {
       name
       email
       posts(limit: 2) {
         title
       }
    }
  }

  //Response//
  {
    "data": {
      "user": {
        "name": "Alice",
        "email": "alice@gmail.com.com",
        "posts": [
           { "title": "GraphQL 101" },
           { "title": "API Trends" }
         ]
       }
     }
   }

Web Sockets API

Provides full-duplex communication between client and server.
Unlike REST, it maintains an open connection for real-time updates.
Commonly used for chat applications, live notifications, and online gaming.
Example: Use Case -> Live Chat App

     //Handshake//
     GET /chat HTTP/1.1
     Upgrade: websocket
     Connection: Upgrade

     //Client message//
     {
       "user": "Bob",
       "message": "Hello!"
     }

     //Server broadcast//
     {
      "user": "Bob",
      "message": "Hello!"
     }

gRPC API (Google Remote Procedure Call)

Uses Protocol Buffers (protobuf) instead of JSON/XML for efficiency.
Faster and ideal for micro-services.
Supports bi-directional streaming.
Real world application includes Kubernetes.
Example:Use Case -> Employee Directory

   //protobuf file(.proto File)//
   service EmployeeService {
   rpc GetEmployee (EmployeeRequest) returns (EmployeeResponse);
    }

   message EmployeeRequest { string id = 1; }
   message EmployeeResponse {
   string name = 1;
   string role = 2;
     }

   //Client call//
   # Client code (simplified)
   response = stub.GetEmployee(EmployeeRequest(id="789"))
   print(response.name)  # Output: "Charlie"

Conclusion

APIs are the foundation of modern software applications, enabling seamless data exchange and integration across platforms. Understanding API protocols and their implementation helps developers build scalable, efficient, and secure applications. Whether using REST, GraphQL, WebSockets, or gRPC, choosing the right API type is crucial for optimizing performance and usability.