4.0 Identity and Access Management Flashcards
Standards, best practices, and guidelines for effective security risk management. Some frameworks are general in nature, while others are specific to industry or technology types.
cybersecurity frameworks (CSF)
Develops computer security standards used by US federal agencies and publishes cybersecurity best practice guides and research.
National Institute of Standards and Technology (NIST)
A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.
security controls
An analysis that measures the difference between the current and desired states in order to help assess the scope of work included in a project.
Gap analysis
The process by which a user account (and its credentials) is issued to the correct person. Sometimes referred to as enrollment.
Identification
A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.
identity and access management (IAM)
A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.
authentication, authorization, and accounting (AAA)
In zero trust architecture, functions that define policy and determine access decisions.
control plane
Security settings that control access to objects including file system items and network resources.
permissions
An access control model where each resource is protected by an access control list (ACL) managed by the resource’s owner (or owners).
Discretionary access control (DAC)
An access control model where resources are protected by inflexible, system-defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).
Mandatory access control (MAC)
An access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.
Role-based access control (RBAC)
A collection of user accounts. Groups simplify assigning file permissions and user rights: when many individuals need the same level of access, the access is granted once to a group containing all the relevant users rather than to each user separately.
group account
An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
Attribute-based access control (ABAC)
A nondiscretionary access control technique that is based on a set of operational rules or restrictions (such as time of day or source network) to enforce a least privilege permissions policy.
Rule-based access control
A basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.
Least privilege
The process of deploying an account, host, or application to a target production environment. This involves proving the identity or integrity of the resource, and issuing it with credentials and access permissions.
Provisioning
The process of removing an account, host, or application from the production environment. This requires revoking any privileged access that had been assigned to the object.
Deprovisioning
The value assigned to an account by Windows and that is used by the operating system to identify that account.
security identifier (SID)
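The binary SID layout (revision, sub-authority count, 6-byte identifier authority, then little-endian 32-bit sub-authorities) is what Active Directory stores in the objectSid attribute, and the last sub-authority of a domain SID is the relative identifier (RID) that names the account. The following parser is an added example, not code from the page; the sample domain SID is constructed, and the RID names are the well-known values Microsoft documents (500 Administrator, 512 Domain Admins, and so on).

```python
import struct

# Well-known relative identifiers (RIDs) Microsoft reserves in every domain.
# The prefix S-1-5-21-<three sub-authorities> is unique to each domain.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}

def sid_from_bytes(blob: bytes) -> str:
    """Decode the binary SID layout (as stored in the LDAP objectSid attribute) to S-R-I-S... form.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier authority (6 bytes,
    big-endian), then `count` 32-bit sub-authorities in little-endian order."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-R-I-S... string back to the binary layout, rejecting out-of-range fields."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 2 ** 48 or any(s >= 2 ** 32 for s in subs):
        raise ValueError("SID field out of range")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def classify(sid: str) -> str:
    """Name the account when the SID is a domain SID with a well-known RID, or the built-in
    local Administrators alias; otherwise report the RID or say it is not an account SID."""
    parts = sid.split("-")
    if sid == "S-1-5-32-544":
        return "BUILTIN\\Administrators"
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        rid = int(parts[-1])
        return WELL_KNOWN_RIDS.get(rid, "domain RID %d" % rid)
    return "not a domain account SID"

# Constructed example: raw objectSid bytes for the local Administrators alias S-1-5-32-544.
BUILTIN_ADMINS_BLOB = bytes.fromhex("01020000000000052000000020020000")
```

A renamed "Administrator" account still carries RID 500, which is why reviews of privileged access key on the RID rather than on the display name.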
On a Windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on.
group policy objects (GPOs)
The identification or estimation of the physical location of an object, such as a radar source, mobile phone, or Internet-connected computing device.
geolocation
Policies or configuration settings that limit a user's access to resources to specified hours and days, such as permitting logon only during the user's working hours.
time-of-day restrictions policy
Authentication token generated by a cryptoprocessor on a dedicated hardware device. As the underlying secret never leaves the device (only the derived code or signature is transmitted), this implements an ownership factor within a multi-factor authentication scheme.
Hard authentication token
A security device similar to a credit card that can store authentication information, such as a user’s private key, on an embedded cryptoprocessor.
Smart cards
Portable HSM with a computer interface, such as USB or NFC, used for multi-factor authentication.
Security key
OTP sent to a registered number or email account or generated by an authenticator app as a means of two-step verification when authenticating account access.
Soft authentication token
Multi-factor authentication scheme that uses ownership and biometric factors, but not knowledge factors.
Passwordless
A challenge-response authentication protocol created by Microsoft for use in its products.
NT LAN Manager (NTLM) authentication
Capability of an authenticator or other cryptographic module to prove that it is a root of trust and can provide reliable reporting to prove that a device or computer is a trustworthy platform.
Attestation
A framework for implementing authentication providers in Linux.
Pluggable authentication module (PAM)
A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.
Directory service
Protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
Lightweight Directory Access Protocol (LDAP)
A collection of attributes that define a unique identifier for any given resource within an X.500-like directory.
Distinguished name (DN)
Authentication technology that enables a user to authenticate once and receive authorizations for multiple services.
Single sign-on (SSO)
A single sign-on authentication and authorization service that is based on a time-sensitive, ticket-granting system.
Kerberos
A component of Kerberos that authenticates users and issues tickets (tokens).
Key distribution center (KDC)
In Kerberos, the token issued by the KDC's authentication service after initial logon. The client presents it to the ticket-granting service to obtain service tickets for authorized application servers, so the password is not re-entered for each service.
Ticket Granting Ticket (TGT)
A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.
Federation
In a federated network, the service that holds the user account and performs authentication.
Identity provider (IdP)
An XML-based data format used to exchange authentication and authorization information, typically as signed assertions passed from an identity provider to a service provider via the client's browser.
Security Assertion Markup Language (SAML)
An XML-based web services protocol that is used to exchange messages.
Simple Object Access Protocol (SOAP)
A standardized, stateless architectural style used by web applications for communication and integration.
Representational State Transfer (REST)
A standard for delegated authorization in federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider. OAuth itself issues access tokens rather than authenticating the user; OpenID Connect adds an authentication (ID token) layer on top of it.
Open Authorization (OAuth)
A lightweight data interchange format that represents data as attribute-value pairs and ordered lists in a structure that is easy for both humans and machines to read and consume; widely used for REST API payloads, tokens, and configuration files.
JavaScript Object Notation (JSON)
An authentication mechanism that allows a user to perform a biometric scan to operate an entry or access system. Physical characteristics stored as a digital data template can be used to authenticate a user. Typical features used include facial pattern, iris, retina, fingerprint pattern, and signature recognition.
Biometric authentication
A biometric assessment metric that measures the proportion of valid subjects who are wrongly denied access (a type I error).
False Rejection Rate (FRR)
A biometric assessment metric that measures the proportion of unauthorized users who are mistakenly allowed access (a type II error).
False Acceptance Rate (FAR)
A biometric evaluation factor expressing the point at which FAR and FRR are equal (also called the equal error rate), with a low value indicating better performance. Raising the matching threshold lowers FAR but raises FRR, and vice versa.
Crossover Error Rate (CER)
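FAR, FRR, and CER are all functions of the matching threshold, so evaluating a biometric system means sweeping the threshold over genuine and impostor match scores. The following is an added example, not code from the page; the two score lists are constructed for illustration (a real evaluation uses thousands of comparisons), and the CER is taken as the first threshold at which FAR and FRR are closest.

```python
from typing import Sequence, Tuple

# Constructed matcher scores (0-100, higher = stronger match) for illustration only.
GENUINE_SCORES = [92, 88, 85, 80, 77, 74, 70, 66, 60, 55]    # enrolled user vs their own samples
IMPOSTOR_SCORES = [20, 30, 35, 40, 45, 52, 58, 62, 68, 72]   # enrolled user vs other people

def far(impostor: Sequence[int], threshold: int) -> float:
    """False acceptance rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)

def frr(genuine: Sequence[int], threshold: int) -> float:
    """False rejection rate: fraction of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)

def crossover_error_rate(genuine: Sequence[int], impostor: Sequence[int],
                         lo: int = 0, hi: int = 100) -> Tuple[int, float]:
    """Sweep every integer threshold and return the first threshold at which FAR and FRR are
    closest, together with the error rate there (their mean). A lower CER means the genuine
    and impostor score populations overlap less, i.e. a more accurate system."""
    best = None
    for t in range(lo, hi + 1):
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]

def tradeoff_table(genuine: Sequence[int], impostor: Sequence[int], thresholds: Sequence[int]):
    """FAR/FRR at chosen thresholds, showing that tightening the threshold trades FAR for FRR."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]
```

With these scores the CER is 20% at a threshold of 63; moving the threshold to 80 drives FAR to zero at the cost of rejecting 60% of genuine attempts, which is the trade-off an access-control deployment has to choose deliberately.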
Granting a user on the computer system the right to use a resource.
Authorization
A collection of access control entries (ACEs) that determines which users or groups are allowed or denied access to an object and the privileges given to those users.
Access control list (ACL)
Access rights are cumulative, giving the user the combined permissions from the user account and every group it belongs to, less any denied permissions.
Effective permissions
Override Allow permissions of the same precedence. On Windows, explicit (non-inherited) entries are evaluated before inherited ones, so an explicit Deny beats an explicit Allow, but an explicit Allow set on an object beats a Deny inherited from its parent.
Deny permissions
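The effective-permissions and Deny cards above can be checked mechanically by walking an ACL in canonical order. The following model is an added example, not code from the page or from Windows; it uses the Windows canonical ordering (explicit Deny, explicit Allow, inherited Deny, inherited Allow) on a constructed share-folder ACL with the made-up groups Staff and Contractors.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set

@dataclass(frozen=True)
class ACE:
    trustee: str              # user or group the entry applies to
    allow: bool               # True = Allow ACE, False = Deny ACE
    rights: FrozenSet[str]    # e.g. {"read", "write"}
    inherited: bool = False   # False = set explicitly on this object, True = inherited from a parent

@dataclass
class Principal:
    name: str
    groups: Set[str] = field(default_factory=set)

    def matches(self, trustee: str) -> bool:
        return trustee == self.name or trustee in self.groups or trustee == "Everyone"

def canonical(acl: List[ACE]) -> List[ACE]:
    """Windows canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))

def effective_permissions(acl: List[ACE], who: Principal) -> FrozenSet[str]:
    """Accumulate rights from every applicable ACE in canonical order. Because explicit ACEs are
    processed before inherited ones, an explicit Deny beats any Allow on the same object, while
    an explicit Allow beats an inherited Deny (the caveat to "Deny always wins")."""
    granted: Set[str] = set()
    denied: Set[str] = set()
    for ace in canonical(acl):
        if not who.matches(ace.trustee):
            continue
        if ace.allow:
            granted |= ace.rights - denied   # a right already denied cannot be re-granted later
        else:
            denied |= ace.rights - granted   # a right already granted (higher precedence) stays
    return frozenset(granted)

def access_check(acl: List[ACE], who: Principal, requested: Set[str]) -> bool:
    """Grant only if every requested right is in the effective set."""
    return set(requested) <= effective_permissions(acl, who)

# Constructed example ACL on a share folder (hypothetical groups Staff and Contractors).
SHARE_ACL = [
    ACE("Everyone", True, frozenset({"read", "execute"}), inherited=True),
    ACE("Everyone", False, frozenset({"delete"}), inherited=True),
    ACE("Staff", True, frozenset({"read", "write"})),
    ACE("Contractors", False, frozenset({"write"})),
    ACE("alice", True, frozenset({"delete"})),
]
```

For a user in both Staff and Contractors the explicit Deny on write wins over the Staff Allow, yet the explicit Allow of delete on the folder beats the inherited Deny; a member of Staff only keeps write and loses delete.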
A domain is an administratively defined collection of network resources that share a common directory database and security policies. The domain is the basic administrative unit of an Active Directory structure.
Domain
A tree is a group of related domains that share the same contiguous DNS namespace.
Tree
A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS namespaces.
Forest
An organizational unit is similar to a folder. It subdivides and organizes network resources within a domain.
Organizational unit (OU)
Each resource within Active Directory is identified as an object.
Object
A domain controller is a server that holds a copy of the Active Directory database and authenticates domain logons. Writable domain controllers accept changes, which replicate to the others; a read-only domain controller (RODC) holds a copy that cannot be written to locally.
Domain controller
Replication is the process of copying changes made to the Active Directory database on one domain controller to the other domain controllers, so that every copy converges.
Replication
Member servers are servers in the domain that do not have the Active Directory database.
Member servers
A policy is a set of configuration settings applied to users or computers.
Policy
The process of accessing a smart card’s chip surface directly to observe, manipulate, and interfere with the circuit.
Microprobing
The wireless, non-contact use of radio frequency waves to transfer data.
Radio frequency identification (RFID)
AAA protocol used to manage remote and wireless authentication infrastructures.
Remote Authentication Dial-in User Service (RADIUS)
A network security protocol that provides centralized authentication, authorization, and accounting (AAA) services for users attempting to access network resources. Unlike RADIUS (UDP; only the User-Password attribute is obfuscated), TACACS+ runs over TCP port 49, encrypts the entire packet body, and separates authentication from authorization, which allows per-command authorization on network devices.
Terminal Access Controller Access-Control System Plus (TACACS+)
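The RADIUS weakness referred to above is concrete: RFC 2865 section 5.2 hides only the User-Password attribute, by XORing each 16-byte block with MD5(shared secret || previous block), seeded with the Request Authenticator. The following is an added example, not code from the page or from any RADIUS implementation; the shared secret, password, and authenticator are constructed (a real NAS uses 16 random authenticator bytes). The last function shows why a captured Access-Request lets an attacker test shared-secret guesses offline, which is the argument for TACACS+ or for wrapping RADIUS in TLS/IPsec.

```python
import hashlib
from typing import Iterable, Optional

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad with nulls to a multiple of 16 bytes, then XOR
    each block with MD5(secret || previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128 or len(request_authenticator) != 16:
        raise ValueError("password must be 1-128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        out += block
        prev = block
    return out

def reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does with its copy of the shared secret."""
    if not hidden or len(hidden) % 16 or len(request_authenticator) != 16:
        raise ValueError("malformed hidden password")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def guess_shared_secret(hidden: bytes, request_authenticator: bytes,
                        candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on the shared secret from one captured Access-Request: a correct
    guess decrypts to a printable, null-padded password, a wrong one to pseudo-random bytes.
    Nothing else in the packet (username, NAS address, accounting data) is protected at all."""
    for cand in candidates:
        pw = reveal_password(hidden, cand, request_authenticator)
        if pw and all(32 <= ch < 127 for ch in pw):
            return cand
    return None

# Constructed sample values; a real NAS generates the authenticator from a CSPRNG.
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_SECRET = b"s3cret"
SAMPLE_PASSWORD = b"Passw0rd!"
```

The hiding is reversible by anyone holding the shared secret and gives no integrity protection, so a weak or shared-across-devices RADIUS secret exposes every user password that crosses the link; TACACS+ encrypts the whole body and RADIUS over TLS (RadSec) protects the transport.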