4.6 Given a scenario, implement and maintain identity and access management Flashcards

1
Q

Identity and Access Management (IAM)

A
  • Four Main IAM Processes:
    • Identification:
      • User says who they are (e.g., with a username or email).
    • Authentication:
      • Confirms identity with passwords, biometrics, or multi-factor authentication (MFA).
    • Authorization:
      • Decides what users are allowed to do or access, often using role-based access control (RBAC).
    • Accounting (Auditing):
      • Tracks activities like logins, actions, and changes to find problems and ensure rules are followed.
  • Key IAM Concepts:
    • Provisioning and Deprovisioning
    • Identity Proofing: Checks who someone is before creating their account, using details or documents.
    • Interoperability: Makes sure different systems work together using standards like SAML or OpenID Connect.
    • Attestation: Regularly checks that user accounts and access rights are correct and up-to-date.
2
Q

SSO Protocols

A
  • LDAP: Effective for directory services but limited in SSO across external applications. Provides both authentication and authorization.
  • SAML: Ideal for SSO in multinational corporations; enables single credential use across multiple cloud-based applications. Uses XML and web.
    • Facilitates secure integration between identity provider and external service providers
    • Provides a seamless user experience across diverse applications
  • OAuth (Open Authorization)
    • Purpose: Token-based access for third-party apps without sharing passwords.
    • Function: Uses JWT (JSON Web Tokens) to securely transfer data.
    • Use Case: Popular in RESTful APIs for sharing user data with external services (e.g., Google Login).
    • Security: Authorization server provides tokens; app gets limited access based on user consent.
    • Key Point: Primarily used for auTHOrization, not authentication.
  • Kerberos: Strong for internal network authentication but lacks versatility for cloud-based SSO
  • Key Differences:
    • LDAP: Centralized storage for both authentication and authorization (internal networks).
    • SAML: Authentication for SSO to web-based applications. Used in enterprises.
    • OAuth: Authorization through tokens (external services, limited access). E.g. OAuth pop-up authorizing the Doodle app access to Google Calendar
3
Q

Federation

A
  • What it is: Links identities across multiple organizations.
  • How it works:
    • Users log in once with their organization’s credentials and access external services (e.g., partner or supplier apps).
    • Trust relationship between different organizations allows shared authentication.
  • Use Case: Accessing services across different companies (e.g., a supplier portal). This is in contrast with SSO within a single organization, which covers internal systems such as email, HR, and CRM.
4
Q

Privileged Access Management (PAM)

A
  • PAM: Controls and monitors privileged access, preventing misuse
    • Ensures least privilege for tasks, reducing breach risks
  • Components of PAM
    • JIT Permissions: Temporary admin access only for tasks, revoked after
    • Password Vaulting: Secure password storage with MFA and audit trail
    • Temporal Accounts: Short-term access, auto-disabled after use
    • Could be used w/o knowing password
5
Q

Access Control Models

A
  • MAC (Mandatory Access Control): Typically used in environments with a high level of data security. Uses matching security labels on users and objects to grant or block access. Also see SELinux (Security-Enhanced Linux).
  • DAC (Discretionary Access Control): Owners set access (e.g., File owner grants access to colleagues). Microsoft NTFS uses it.
  • RBAC (Role-Based Access Control): Permissions by roles (e.g., Managers access reports, not HR data)
  • Rule-Based Access Control (also abbreviated RBAC): Uses approved rules (e.g., ACLs) that trigger on events to adjust permissions. E.g., you can configure a database rule that changes Bart's permissions when the system recognizes that Marge is absent.
  • ABAC (Attribute-Based Access Control): Access by attributes (e.g., user allowed only during office hours, or based on geo-location data). Uses attributes defined in policies to grant access to resources. It's commonly used in software-defined networks (SDNs).