Identity and Access Management comprises 13% of the CISSP exam. Domain 5
helps security professionals understand how they can control the way assets are
accessed. Securing access control and management is needed to comply with
the requirements of Confidentiality, Integrity, and Availability.
Having control over who has access to systems and information and the
authorization mechanisms implemented in an organization is one of the most
critical pillars of cybersecurity—for obvious reasons!
CISSP Domain 5: Identity and Access Management (IAM) addresses the following
subdomains:
Access control
Facilities
Systems/Devices
Information
Personnel
Applications
The above point to the use of the Reference Monitor Concept (RMC), where
some type of rules-based decision-making tool is placed between subjects and
objects to mediate access. All activity is logged and monitored for the sake of
accountability and assurance. Any implementation of the RMC is known as a
security kernel.
Logical access modes
Access control is more granular than simply allowing subjects to access
objects. Access control rules let the access control mechanism be far more
precise: specific rules define which subjects can access which objects and
exactly what those subjects can do with those objects.
Access should be based on the use of concepts like need to know and least
privilege.
Administration approaches
Centralized: the approach taken by most organizations; one central system
controls access to remote systems. Drawback: the central administrative point
represents a single point of failure and a potential target of attack.
Decentralized: control is granted to the people closest to the resource, in a
peer-to-peer relationship. Drawback: lack of standardization, overlapping
rights, and security holes may exist.
Hybrid: access control utilizes both approaches (centralized and
decentralized).
Authentication
There are three factors that can be used to verify a user's identity regarding
authentication.
Authentication by knowledge
Authentication by ownership
  Asynchronous
  Synchronous
Authentication by characteristics
In addition, the Crossover Error Rate (CER) represents the intersection between
Type 1 (false reject) and Type 2 (false acceptance) errors, and it measures the
accuracy of a biometric system.
Factors to consider when evaluating biometric systems:
Processing speed
User acceptance
Protection of biometric data
Accuracy
The crossover error rate is a useful metric for biometric systems because it's a
way to measure the system's overall accuracy. A number closer to zero means
the system is more accurate.
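To make the crossover concrete, here is an added example (not from the original page) that locates the CER from sampled FRR/FAR values at increasing matcher thresholds; the two matcher curves and the linear interpolation between samples are constructed assumptions.

```python
"""Locate the Crossover Error Rate (CER) of a biometric system from sampled
error rates. Added example with constructed data, not from the original page."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ErrorSample:
    threshold: float  # matcher decision threshold (higher = stricter match)
    frr: float        # Type 1 error: false reject rate at this threshold
    far: float        # Type 2 error: false acceptance rate at this threshold


def crossover_error_rate(samples):
    """Return (threshold, cer) at the point where FRR and FAR intersect.

    Samples must be ordered by increasing threshold: FRR rises and FAR falls as
    the threshold tightens. The crossing is located by linear interpolation
    between the two adjacent samples where FAR - FRR changes sign.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    for lo, hi in zip(samples, samples[1:]):
        d_lo, d_hi = lo.far - lo.frr, hi.far - hi.frr
        if d_lo == 0:                      # exact crossing on a sample point
            return lo.threshold, lo.far
        if d_lo * d_hi < 0:                # sign change: crossing lies between
            frac = d_lo / (d_lo - d_hi)
            threshold = lo.threshold + frac * (hi.threshold - lo.threshold)
            return threshold, lo.far + frac * (hi.far - lo.far)
    last = samples[-1]
    if last.far == last.frr:
        return last.threshold, last.far
    raise ValueError("FAR and FRR do not cross within the sampled range")


# Constructed error curves for two hypothetical fingerprint matchers; a lower
# CER means the more accurate system (matcher A here).
MATCHER_A = [ErrorSample(1, 0.01, 0.40), ErrorSample(2, 0.04, 0.20),
             ErrorSample(3, 0.12, 0.08), ErrorSample(4, 0.20, 0.04),
             ErrorSample(5, 0.35, 0.01)]
MATCHER_B = [ErrorSample(1, 0.02, 0.50), ErrorSample(2, 0.10, 0.30),
             ErrorSample(3, 0.25, 0.25), ErrorSample(4, 0.45, 0.10)]

if __name__ == "__main__":
    for name, curve in (("A", MATCHER_A), ("B", MATCHER_B)):
        t, cer = crossover_error_rate(curve)
        print(f"matcher {name}: CER {cer:.3f} at threshold {t:.2f}")
```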
Biometric templates
If someone's password is exposed, they can just change their password and
memorize the new password. However, if their biometric data is exposed, they
can't just grow a new finger or eyeball.
Factors of authentication
Factors of authentication refer to the three types of authentication:
authentication by knowledge, authentication by ownership, and
authentication by characteristic.
Single-factor authentication refers to any of the three types of authentication
used.
Multifactor Authentication (MFA) refers to two (or more) of the three types of
authentication being used.
Kerberos
One of the major SSO authentication protocols is known as Kerberos. Drawing
from the myth, Kerberos protects access to resources and provides three
primary functionalities:
Accounting
Authentication
Auditing
SESAME
Secure European System for Applications in a Multi-Vendor Environment, better
known as SESAME, is an improved version of Kerberos. Like Kerberos, SESAME
is a protocol for enabling single sign-on.
Also, one of the big advantages of SESAME over Kerberos is that it supports
symmetric and asymmetric cryptography, so it naturally solves the problem of
key distribution.
CAPTCHA
Expect to be tested on: Understand what CAPTCHA is and why it is most often
used.
Session management
Session hijacking
Through simple carelessness or sophisticated technical means, somebody other
than a legitimate user could gain access to a session and use it for malicious
purposes.
AAL levels rank from AAL1 (least robust) to AAL3 (most robust).
AAL1 (some assurance): single-factor authentication; secure authentication
protocol.
AAL2 (high confidence): multifactor authentication; secure authentication
protocol; approved cryptographic techniques.
OpenID and OAuth are open-standard federated access protocols that provide
authentication via OpenID and authorization via OAuth.
1. First, the user (principal) must authenticate via the identity provider.
2. The identity provider will authenticate the user through the process of
identification and authentication, at which point the user will be issued
a SAML assertion ticket.
3. Once the SAML assertion ticket is provided to the user, the user will
pass it on to the service provider.
Components of an IAM solution:
Provisioning
Administration
Single Sign-on (SSO)
Multifactor authentication (MFA)
Directory Services
On-premise and in the Cloud
Identity and Access Management (IAM) solutions can use any of these three
models: on-premise, cloud, and hybrid.
Role-Based Access Control (RBAC): access to resources is based on user roles
(e.g., firewall administrator or accounts payable clerk).
Attribute-Based Access Control (ABAC): access to resources is based on user
attributes (e.g., OS, browser version, IP address).
Mandatory Access Control (MAC): the system determines access rules based on
labels.
Discretionary Access Control (DAC) means an asset owner determines who can
access the asset; access is given at the discretion of the owner. In other words, it
means somebody determines who can access an asset. That somebody is the
owner.
Within the realm of discretionary access control, three primary types of DAC
exist:
1. Rule-Based Access Control: Access to an object by a given subject is based upon one or
more rules determined by the owner.
2. Role-Based Access Control (RBAC): Access to an object by a given subject is based upon
the role or job function and related authorizations needed to perform duties.
3. Attribute-Based Access Control: Access to an object by a subject is much more
granularly controlled and based upon attributes, such as job function, type of device
being used to access the object, time of day, classification of the asset, and so on.
Mandatory Access Control is rarely seen in use and is typically found only in
government organizations, where confidentiality is often of primary importance.
It requires every asset in an organization to have a classification and every
user to be assigned a clearance level, and it determines access based upon the
clearance level of the subject and the classification, or sensitivity, of the
object.
The system itself makes access control decisions based upon the classification
of the objects being accessed and the clearance of the subject requesting
access. In a MAC environment, every single object should be classified with a
specific classification label, e.g., public, secret, top secret, and so on.
Correspondingly, all users should have a security clearance that aligns with the
classification system used for objects. Within this framework, access will then be
granted or denied accordingly.
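As an added example that is not part of the original page, the following code makes one read request against the same object under the DAC, RBAC and MAC models described above, showing that under MAC the system's label check overrides both the owner's wishes and the subject's role; the payroll object, users, roles and the MAC read-down/write-up rule are constructed assumptions.

```python
"""Access decisions under the DAC, RBAC and MAC models described above.
Added example, not from the original page; the labels, roles, users and the
payroll object are constructed."""

# MAC: ordered classification labels, lowest sensitivity first (from the page).
LABELS = ["public", "secret", "top secret"]


def mac_allows(clearance, classification, action):
    """System-enforced label check. Assumption of this example: a subject may
    read objects at or below its clearance and write only at or above it, so
    information never flows down to a lower classification."""
    c, o = LABELS.index(clearance), LABELS.index(classification)
    return c >= o if action == "read" else c <= o


def dac_allows(obj, subject, action):
    """Owner-discretionary check: the owner always has access; anyone else only
    if the owner placed them on the object's ACL for that action."""
    return subject == obj["owner"] or action in obj["acl"].get(subject, ())


def rbac_allows(obj, subject, action, roles, role_perms):
    """Role check: rights follow the job function, not the individual."""
    return any((action, obj["name"]) in role_perms.get(r, ())
               for r in roles.get(subject, ()))


def decide(model, obj, subject, action, clearance, roles, role_perms):
    """Decide one request under the named model; under MAC labels alone rule."""
    if model == "MAC":
        return mac_allows(clearance[subject], obj["label"], action)
    if model == "DAC":
        return dac_allows(obj, subject, action)
    if model == "RBAC":
        return rbac_allows(obj, subject, action, roles, role_perms)
    raise ValueError(f"unknown model {model}")


# Constructed scenario: a payroll file owned by dana, classified "secret".
PAYROLL = {"name": "payroll.xlsx", "owner": "dana", "label": "secret",
           "acl": {"lee": ("read",)}}          # dana chose to share with lee
CLEARANCE = {"dana": "secret", "lee": "secret", "sam": "public"}
ROLES = {"sam": ("accounts payable clerk",)}
ROLE_PERMS = {"accounts payable clerk": {("read", "payroll.xlsx")}}

if __name__ == "__main__":
    for model, who in [(m, w) for m in ("DAC", "RBAC", "MAC") for w in CLEARANCE]:
        print(model, who, "read ->", decide(model, PAYROLL, who, "read", CLEARANCE, ROLES, ROLE_PERMS))
```

Sam's role grants the read under RBAC, but his "public" clearance makes the system deny it under MAC regardless of role or owner.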
Non-discretionary Access Control means that somebody other than the asset
owner determines who gets access. It should be avoided, if possible. Although
this isn't a security best practice, it's an existing working practice in many
companies, where the decision typically falls to someone in the IT department.
Vendor access
Vendor identity and access provisioning for systems and data should be
considered with the same or more care than employee identity and access
provisioning. It might also include a security review component that includes a
deeper review of the vendor or inspection of a vendor's facilities, systems, and
other relationships.
The identity life cycle comprises three parts: provisioning, review, and
revocation.
Privilege escalation
In addition to more frequent reviews of privileged accounts, a recommended
security practice is for system administrators (users with admin, root, and similar
privileges) to only use their privileged accounts when strictly necessary.
Privileged users should utilize two accounts. They should use a standard user
account for regular business purposes, such as checking email, participating in
meetings, and so on, and they should use a separate account with elevated
privileges only when performing administrative tasks that require a higher level
of access.
Authentication systems
Authentication systems are used to prove or verify an identity or system
assertion. Popular authentication systems include:
On the other hand, OpenID Connect (OIDC) is an identity layer built on top of the
OAuth 2.0 framework. It allows third-party applications to verify the identity of
the end user and obtain basic user profile information. While OAuth 2.0 is about
resource access and sharing, OIDC is about user authentication.