
Module 7: Identity and Access Management

Lesson 1: Understanding Identity and Access Management


All users must be identified, authenticated, and authorized before being granted access to any asset on an information system, and their actions must be recorded so that they remain accountable
Identification is the act of claiming an identity (asserting who the subject is) when attempting access
Identities should be unique, nondescriptive, and issued and controlled by a trusted authority
Unique identities tie system logs and data to a specific individual; nondescriptive identifiers (not "admin" or "dba", for example) do not reveal the user's role to an attacker
Authentication verifies the user is who they claim to be
o Authentication occurs after the user or the system has been identified
o 1:1 (verification) authentication compares the presented credential against the single stored credential of the claimed identity
o 1:Many (1:N, identification) compares the presented credential against all stored credentials to find who the subject is (common in biometrics)
o Single-Factor Authentication (SFA) uses a single authentication factor
o Multi-Factor Authentication (MFA) requires at least two of the three authentication factors from different categories (two passwords are still single-factor)
Type 1 authentication is something you know
Type 2 authentication is something you have
Type 3 authentication is something you are or do
“Type 4” authentication is somewhere you are
Authorization is the set of permissions and restrictions applied to an identified and authenticated user
Authorization is implemented as rules or configuration that permit or restrict a user's access to specific objects
Accountability ensures authenticated users can be held responsible for their actions
User actions should be logged, with the logs protected from tampering, to keep users accountable

© Copyright 2018 Cyberactive Security, LLC. All Rights Reserved. CISSP is a registered trademark of (ISC)2, Inc.

Lesson 2: Managing System and User Accounts


Accounts are the means by which a subject identifies and authenticates itself to a system
System accounts are used by the information system for system level services
User accounts are used by a human subject for access to system resources
An organizational policy must define the specific steps and approvals required before an account may be created
The account creation process must include a registration form and proof of the applicant's identity
Before a device is authorized on the network, its user must already hold an active user or guest account
Account management systems automate:
o User account creation
o Modification
o Termination tasks
Provisioning is the review of subject information followed by the initial creation and activation of the user account
Account review is the periodic review of system and user accounts
Account revocation is disabling or terminating a system or user account
Passwords must be tightly managed and controlled, and changed often; note that current NIST SP 800-63B guidance favors changing a password on evidence of compromise rather than on a fixed schedule
o Password synchronization keeps one password consistent across multiple systems, reducing the number of passwords a user needs to remember
o Self-service password management allows a user to reset or change their password
o Assisted password resets require system administrators to help change or reset a user’s password
Warning banners are an initial message or statement presented to a user before access is granted, typically stating that use is monitored and restricted to authorized persons
Screensaver locks hide the screen contents after a set idle period and require re-authentication to resume
Session timeouts terminate a user session after a period of inactivity so that an unattended session cannot be reused by someone else
Account lockouts disable an account after a set number of failed login attempts, slowing password-guessing attacks (an attacker can also abuse lockout to deny service to known usernames, so pair it with throttling and alerting)
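Worked example added to these notes (not from the original course material): a toy authentication service that enforces account lockout after repeated failures, terminates idle sessions, and keeps an audit trail for accountability. The policy thresholds, account names and class/function names are illustrative assumptions, not recommendations for any particular system.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Illustrative policy values for the demo, not recommendations for any particular system.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
IDLE_TIMEOUT_SECONDS = 10 * 60


@dataclass
class Account:
    name: str
    secret: str            # plaintext only to keep the demo short; store a salted hash in practice
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    last_activity: float


class AuthService:
    """Toy service showing lockout, idle timeout and an audit trail. Time is injected
    as a parameter so the behaviour can be tested without waiting."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}
        self.audit: List[Tuple[float, str, str]] = []   # (time, user, event)

    def add_account(self, name: str, secret: str) -> None:
        self.accounts[name] = Account(name, secret)

    def login(self, name: str, secret: str, now: float) -> Optional[str]:
        """Return a session token on success, None otherwise."""
        acct = self.accounts.get(name)
        if acct is None:
            self.audit.append((now, name, "unknown account"))
            return None
        if now < acct.locked_until:
            # Rejected without counting: further guesses must not extend the lockout window
            self.audit.append((now, name, "rejected: account locked"))
            return None
        if not hmac.compare_digest(secret, acct.secret):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
                self.audit.append((now, name, "locked out after repeated failures"))
            else:
                self.audit.append((now, name, "bad credential"))
            return None
        acct.failed_attempts = 0
        token = f"sess-{len(self.audit)}"     # unique within this demo; use secrets.token_urlsafe in practice
        self.sessions[token] = Session(name, now)
        self.audit.append((now, name, "login ok"))
        return token

    def touch(self, token: str, now: float) -> bool:
        """Called on every request: terminate the session once it has been idle too long."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if now - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            self.audit.append((now, sess.user, "session terminated: idle timeout"))
            return False
        sess.last_activity = now
        return True
```

The audit list is what makes the accountability requirement from Lesson 1 concrete: every decision, including the rejected ones, is recorded against a user and a time.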


Lesson 3: Implementing Identity and Access Mechanisms


Identity and access mechanisms identify and authenticate a subject, then grant access based on its authorizations
Identity management (IdM) covers a broad range of activities, technologies, and functions
o Users must be uniquely identified so that actions can be tied to them; authentication then proves they are who they claim to be
o Users can be identified and authenticated using username/password pairs, badges, smart cards, or tokens
Centralized authentication uses a single point within the information system to provide IAM for all components
Decentralized authentication uses multiple independent mechanisms throughout the information system to provide IAM
Directories store information on an organization’s network and its users
X.500 is a standard for directory services
Directory services manage user identification, authentication, authorization, and access control functions
LDAP is the most common directory services protocol
o LDAP (Lightweight Directory Access Protocol) lets subjects query and modify X.500-style directories over TCP/IP
Single Sign-On (SSO) allows a user to authenticate once and then reach multiple systems without re-authenticating
Kerberos is a single sign-on authentication system based on symmetric keys and a trusted third party
o Key Distribution Center (KDC) hosts the AS and the TGS and stores every principal's secret key
o Kerberos Authentication Server (AS) authenticates the subject's account and issues the TGT
o The AS reply is encrypted with the subject's secret key (derived from the password); the TGT itself is encrypted with the KDC's own key, so the subject can present it but cannot read or alter it
o Ticket-Granting Service (TGS) receives the TGT and issues a service ticket (not another TGT) for access to the requested object
o SESAME and KryptoKnight were alternatives to Kerberos that never saw wide adoption
AAA (authentication, authorization, and accounting) refers to a collection of protocols that provide centralized authentication for network IAM
RADIUS, TACACS (superseded by TACACS+), and Diameter are AAA protocols
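Worked example added to these notes (not from the original course material): the AS and TGS exchanges described above as a runnable simulation in which the client, the KDC and the service each hold only their own keys. The sealing primitive, the principal names and the function names are assumptions made for the example; this is not the Kerberos wire format or any real implementation.

```python
import hashlib
import hmac
import json
import secrets


# Toy authenticated encryption built from SHA-256 and HMAC so the example runs on the
# standard library alone. Real Kerberos uses AES-based enctypes; do not reuse this construction.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for i in range(length // 32 + 1):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key: bytes, msg: dict) -> bytes:
    pt = json.dumps(msg).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Hosts the AS and the TGS and stores every principal's long-term secret key."""

    def __init__(self) -> None:
        self.keys = {"krbtgt": secrets.token_bytes(32)}   # the TGS key, used to seal TGTs

    def add_user(self, name: str, password: str) -> None:
        self.keys[name] = hashlib.sha256(password.encode()).digest()   # toy string-to-key

    def add_service(self, name: str) -> bytes:
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]          # the service keeps its own copy (its keytab)

    def as_exchange(self, client: str, now: int) -> bytes:
        """AS-REQ/AS-REP: the AS issues the TGT. Only the holder of the client's key can open the reply."""
        session_key = secrets.token_bytes(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": session_key.hex(), "exp": now + 8 * 3600})
        return seal(self.keys[client], {"sk": session_key.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex: str, authenticator: bytes, service: str, now: int) -> bytes:
        """TGS-REQ/TGS-REP: the TGS opens the TGT with its own key, checks the authenticator,
        and issues a service ticket sealed with the service's key (not another TGT)."""
        tgt = unseal(self.keys["krbtgt"], bytes.fromhex(tgt_hex))
        if now > tgt["exp"]:
            raise PermissionError("TGT expired")
        session_key = bytes.fromhex(tgt["sk"])
        auth = unseal(session_key, authenticator)      # proves the client knows the session key
        if auth["client"] != tgt["client"] or abs(now - auth["ts"]) > 300:
            raise PermissionError("bad authenticator")
        svc_session_key = secrets.token_bytes(32)
        ticket = seal(self.keys[service], {"client": tgt["client"], "sk": svc_session_key.hex(), "exp": now + 3600})
        return seal(session_key, {"sk": svc_session_key.hex(), "ticket": ticket.hex()})


def client_get_service_ticket(kdc: KDC, user: str, password: str, service: str, now: int):
    """Client side of both exchanges. A wrong password cannot open the AS reply (ValueError)."""
    user_key = hashlib.sha256(password.encode()).digest()
    as_rep = unseal(user_key, kdc.as_exchange(user, now))
    session_key = bytes.fromhex(as_rep["sk"])
    authenticator = seal(session_key, {"client": user, "ts": now})
    tgs_rep = unseal(session_key, kdc.tgs_exchange(as_rep["tgt"], authenticator, service, now))
    svc_session_key = bytes.fromhex(tgs_rep["sk"])
    return tgs_rep["ticket"], seal(svc_session_key, {"client": user, "ts": now})


def service_accepts(service_key: bytes, ticket_hex: str, authenticator: bytes, now: int) -> bool:
    """AP-REQ: the service never contacts the KDC; a ticket it can open with its own key is the proof."""
    ticket = unseal(service_key, bytes.fromhex(ticket_hex))
    auth = unseal(bytes.fromhex(ticket["sk"]), authenticator)
    return auth["client"] == ticket["client"] and now <= ticket["exp"] and abs(now - auth["ts"]) <= 300
```

Two practitioner points fall out of the simulation. The AS reply is sealed only with a key derived from the user's password, so anyone who can request it can test passwords offline; real deployments require pre-authentication, where the AS does not reply until the client proves knowledge of the key. And every ticket ultimately rests on the secrecy of the krbtgt key: whoever holds it can mint a TGT for any principal.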


Lesson 4: Integrating Identity and Access Mechanisms


On-premise IAM mechanisms are installed locally on organizational components
Off-premise IAM mechanisms are hosted by a vendor or service provider outside the organization's direct control
Off-premise IAM suits organizations that lack the infrastructure or personnel to run IAM, disaster recovery, and single sign-on themselves
On-premise IAM components must be connected to the off-premise IAM mechanisms to sync information
Third-party identity providers (IdPs) offer a consistent and dependable process for managing IAM
An off-premise IdP is an efficient way to implement single sign-on and is effectively a requirement for cloud environments
The main way to integrate the on-premise and off-premise IAM mechanisms is by federating them
Federated identities link user profile information held at multiple organizations or locations so that one authentication is trusted across them
o SAML and XACML are XML-based standards used in federated IAM
- SAML (Security Assertion Markup Language) carries authentication and attribute assertions from an identity provider to multiple services and applications
- XACML (eXtensible Access Control Markup Language) is a policy language that lets web services and applications express and evaluate access control rules
Web portals are frequently used to support federated IAM
Web portals are made up of multiple portlets that feed information from other systems through pluggable user interfaces
Administrators must ensure that only the right users have access to the right portlets


Lesson 5: Biometric Authentication


Biometric technologies enable information systems to authenticate users through their unique physiological or behavioral characteristics
Biometric data includes both:
o Physiological / physical attributes
- Unique attributes based on the shape or physical features of the body
- Includes things like fingerprints, palm prints, and facial features
- Iris scans are generally regarded as the most accurate of the common biometric systems

o Behavioral attributes
- Unique attributes based on a subject's speech or movement patterns
- Includes signature dynamics, keystroke dynamics, and speech patterns
Drawbacks to biometrics include limited accuracy, changes in user attributes over time (injury, aging), and error rates
Biometric Errors:
o Type I errors are false rejections (a legitimate user is denied access)
o Type II errors are false acceptances (an impostor is granted access), the more serious error for security
The Crossover Error Rate (CER) is the point at which the false rejection rate equals the false acceptance rate, stated as a percentage; a lower CER means a more accurate system
Biometrics privacy concerns are intrusiveness, collecting more data than necessary, and protecting stored data
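Worked example added to these notes (not from the original course material): computing the false acceptance rate, the false rejection rate and the CER from a set of match scores, and showing how moving the decision threshold trades one error type for the other. The score lists are constructed for the example, not measured from any real system.

```python
from typing import List, Tuple

# Constructed match scores (0 = no match, 1 = perfect match). In a real evaluation these come
# from comparing enrolled templates with live samples; ten of each keeps the arithmetic visible.
GENUINE_SCORES = [0.91, 0.87, 0.95, 0.78, 0.83, 0.89, 0.70, 0.93, 0.85, 0.66]
IMPOSTOR_SCORES = [0.31, 0.45, 0.52, 0.60, 0.72, 0.38, 0.49, 0.67, 0.55, 0.41]


def error_rates(threshold: float, genuine: List[float] = GENUINE_SCORES,
                impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """A sample is accepted when score >= threshold.
    FAR (Type II) = impostors accepted / impostors; FRR (Type I) = genuine users rejected / genuine."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine: List[float] = GENUINE_SCORES,
                         impostor: List[float] = IMPOSTOR_SCORES,
                         steps: int = 1000) -> Tuple[float, float]:
    """Sweep the threshold and return (threshold, CER) at the point where FAR and FRR are closest."""
    best_gap, best_t, best_cer = None, 0.0, 0.0
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_cer = gap, t, (far + frr) / 2
    return best_t, best_cer


def tradeoff(thresholds: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) rows: raising the threshold lowers FAR at the cost of a higher FRR,
    which is the tuning decision a high-security site makes differently from a convenience one."""
    return [(t,) + error_rates(t) for t in thresholds]
```

A system tuned for a data center door would sit to the right of the crossover (low FAR, more false rejections, guards to handle them); a phone unlock sits to the left.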

Lesson 6: Understanding Access Control Models


Access is what gives a subject direct contact with (the ability to use) information system assets
Access controls ensure only trusted subjects are granted authorized access
Access involves permissions (granted on objects), rights (actions a subject is authorized to take), and privileges (the combination of both)


Access controls enforce the security control layers (administrative, technical, physical)
Access control models are the framework that controls interaction between a subject and an object
Access control models: Discretionary (owner controlled) and non-Discretionary (pre-determined rules enforced by the system)
DAC allows object owners to control access to their objects directly
An access control matrix is a table of subjects (rows) and objects (columns) whose cells hold the actions each subject may perform on each object
Capability tables are the row view: the access rights one subject holds over a set of objects
ACLs are the column view: which subjects can access one object and at what authorization level
DAC models are weaker than non-DAC models because any owner can pass access on, so they are prone to configuration errors and to attacks in which malware running as a user inherits all of that user's permissions
Non-DAC uses a common set of access rules, set centrally, for all subjects wanting to access objects
Both models require a good balance between security and functionality
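Worked example added to these notes (not from the original course material): an access control matrix with its ACL (column) and capability (row) views, owner-controlled grants and revocations, and a demonstration of the information-flow weakness of DAC referred to above. All subject and object names are illustrative.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

OWNER_RIGHTS = {"read", "write", "own"}


class AccessMatrix:
    """Access control matrix: rows are subjects, columns are objects, cells hold permitted actions.
    Discretionary: only an object's owner may change that object's column."""

    def __init__(self) -> None:
        self._cells: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
        self.owner: Dict[str, str] = {}

    def create(self, owner: str, obj: str) -> None:
        self.owner[obj] = owner
        self._cells[(owner, obj)] |= OWNER_RIGHTS

    def _require_owner(self, subject: str, obj: str) -> None:
        if self.owner.get(obj) != subject:
            raise PermissionError(f"{subject} does not own {obj}")

    def grant(self, granter: str, subject: str, obj: str, action: str) -> None:
        self._require_owner(granter, obj)
        self._cells[(subject, obj)].add(action)

    def revoke(self, granter: str, subject: str, obj: str, action: str) -> None:
        self._require_owner(granter, obj)
        self._cells[(subject, obj)].discard(action)

    def check(self, subject: str, obj: str, action: str) -> bool:
        return action in self._cells.get((subject, obj), set())

    def acl(self, obj: str) -> Dict[str, List[str]]:
        """Column view: the ACL attached to one object."""
        return {s: sorted(a) for (s, o), a in self._cells.items() if o == obj and a}

    def capability_list(self, subject: str) -> Dict[str, List[str]]:
        """Row view: the capabilities held by one subject."""
        return {o: sorted(a) for (s, o), a in self._cells.items() if s == subject and a}


def dac_leak_demo() -> bool:
    """Why DAC is weaker: a subject with read access can copy the data into an object he owns and
    share that copy, silently defeating the owner's decision not to grant a third party access.
    Malware running as that subject can do the same; MAC labels exist to stop this flow."""
    m = AccessMatrix()
    m.create("alice", "payroll.xlsx")
    m.grant("alice", "bob", "payroll.xlsx", "read")        # alice shares with bob only
    carol_before = m.check("carol", "payroll.xlsx", "read")  # False: alice never granted carol anything
    if m.check("bob", "payroll.xlsx", "read"):
        m.create("bob", "copy_of_payroll.xlsx")           # bob copies the contents into his own file...
        m.grant("bob", "carol", "copy_of_payroll.xlsx", "read")   # ...and is free to share the copy
    return (not carol_before) and m.check("carol", "copy_of_payroll.xlsx", "read")
```

The matrix itself is rarely stored as a table in practice: operating systems keep it column by column as ACLs on files, while capability-based designs keep it row by row as unforgeable tokens held by each subject.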
Mandatory Access Controls (MAC)
o Applies mandatory rules within the operating system to enforce access
o Depends on label security to enforce rules for security domains
Rule-BAC applies a set of simple or complex rules (time of day, source address, and so on) to every interaction with an object
Rule-BAC is most common in MAC models
Role-BAC applies controls based on a subject's role rather than on the individual identity
o RBAC reduces authorization (privilege) creep and simplifies enforcing need-to-know and least privilege
o RBAC comprises core RBAC (users assigned to roles, roles mapped to permissions per the security policy) and hierarchical RBAC (senior roles inherit the permissions of junior roles)
ABAC is policy based and combines attributes of the subject, object, action, and environment to grant or deny access
TBAC controls subject-object interaction based on the duties or tasks currently being performed
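Worked example added to these notes (not from the original course material) covering the non-discretionary models above together: MAC label dominance with compartments, hierarchical RBAC with inherited permissions, and an ABAC rule set combined deny-overrides, the combining rule XACML (Lesson 4) is best known for. The levels, roles, attributes and rules are illustrative assumptions.

```python
from typing import Callable, Dict, List, Set, Tuple

# --- MAC: labels are assigned by the system, never by object owners ----------------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
Label = Tuple[str, Set[str]]   # (sensitivity level, compartments such as {"FIN"})


def mac_dominates(subject_clearance: Label, object_label: Label) -> bool:
    """Subject may touch the object only if its level dominates the object's level AND it
    holds every compartment of the object (need-to-know). No read up, no missing compartment."""
    s_level, s_comps = subject_clearance
    o_level, o_comps = object_label
    return LEVELS[s_level] >= LEVELS[o_level] and set(o_comps) <= set(s_comps)


# --- Hierarchical RBAC: senior roles inherit junior roles' permissions --------------------
ROLE_PARENTS = {"clerk": [], "auditor": [], "manager": ["clerk"], "cfo": ["manager", "auditor"]}
ROLE_PERMS = {
    "clerk": {("invoice", "create")},
    "manager": {("invoice", "approve")},
    "auditor": {("ledger", "read")},
    "cfo": {("ledger", "close")},
}


def effective_roles(role: str) -> Set[str]:
    """Walk the hierarchy so a cfo also holds manager, clerk and auditor permissions."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_PARENTS.get(r, []))
    return seen


def rbac_allows(roles: List[str], resource_type: str, action: str) -> bool:
    return any((resource_type, action) in ROLE_PERMS.get(r, set())
               for role in roles for r in effective_roles(role))


# --- ABAC: rules over subject, resource, action and environment attributes ----------------
Rule = Tuple[str, Callable[[Dict, Dict, str, Dict], bool]]   # (effect, predicate)
ABAC_POLICY: List[Rule] = [
    # separation of duties: nobody approves an invoice they submitted themselves
    ("deny", lambda s, r, a, e: a == "approve" and r.get("submitted_by") == s["id"]),
    # environment attribute: unmanaged devices get nothing
    ("deny", lambda s, r, a, e: not e.get("device_managed", False)),
    ("permit", lambda s, r, a, e: s["department"] == r["department"]),
]


def abac_decide(subject: Dict, resource: Dict, action: str, env: Dict) -> str:
    """Deny-overrides combining: any matching deny wins, then any permit, else not applicable."""
    effects = {effect for effect, pred in ABAC_POLICY if pred(subject, resource, action, env)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "not_applicable"


def authorize(subject: Dict, resource: Dict, action: str, env: Dict) -> bool:
    """Layered non-discretionary decision: the MAC label check, the RBAC permission and the
    ABAC policy must all permit; the owner of the resource has no say at any layer."""
    return (mac_dominates(subject["clearance"], resource["label"])
            and rbac_allows(subject["roles"], resource["type"], action)
            and abac_decide(subject, resource, action, env) == "permit")
```

Note what each layer catches in the test cases: the label check stops a correctly-roled manager who lacks the compartment, the role check stops a clerk who is in the right department on a managed device, and the ABAC deny rule stops a manager approving their own invoice even though every other check passes.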

