Domain 5 Flashcards
1
Q
Access Control The basics
A
- IEC 2700:2016 is a useful starting point for access control
2
Q
IAM Administration Choice
A
- Management of information related to physical and logical control is accomplished in three ways:
- Centralized - one function is responsible for configuring access control so users can access data and perform relevant activities
  - advantages include strict access control, every account can be centrally monitored, and closing all of a user's access can be accomplished easily
- Decentralized - access to information is controlled by the owners or creators of the file
- Hybrid
3
Q
Access Control As a System
A
- built using 3 categories of security controls
- administrative controls - the human-facing policies, directives, procedures, training and education programs, standards, and compliance requirements
- physical access control system - the simplest example would be a door that can be locked and unlocked
- a smart card used with a physical entryway controller provides an example of combining physical and logical controls; many logical access controls are built into the operating system or are designed as features of application platforms or major utilities such as database management systems
4
Q
Credential Management Systems
A
- A credential is the binding between an authenticator and an identifier (user, service, or system)
- can be part of a public key infrastructure and used to issue two-factor authentication identities
- credential examples
  - smart cards
  - public/private key infrastructure
  - digital certificates
- FICAM was established in 2009; it provided the federal government with a framework for identity management
- has a five-step enrollment process
  - sponsorship
  - enrollment
  - credential production
  - issuance
  - credential lifecycle management - see NIST Digital Identity Guidelines 800-63
5
Q
Authentication
A
- Authentication is the real-time decision that a system-issued identity claiming to have access rights to that system can be verified to be a valid system-issued identity
- not to be confused with identity proofing
6
Q
Session Management
A
- Sessions are created, managed, and supported at layer five (the session layer) of the OSI model
- In most cases they will be based on X.509 certificates
- OWASP (Open Web Application Security Project) #2 is Broken Authentication and Session Management
- session management is the process of tracking and securing multiple requests to any service coming from the same subject
- Session IDs are long random values, which makes them infeasible to guess, and they are used only once (hence the term nonce)
7
Q
Identity and access management implementation
A
- The hardest part is implementing the policy created
- the first step is to understand the needs, challenges, and desires of the organization
8
Q
ISO Identity Model
A
- ISO/IEC FDIS 24760-1 is the standard that’s being developed for identity management
- will include references to terminology, architecture, and requirements
9
Q
Federated identity management
A
- users are allowed to log in to one or more systems based on authenticating against one of the systems participating in the federation
  - think of businesses that use social media platforms like LinkedIn and Twitter but have different business models, corporate goals, and missions
- uses two different widely accepted standards
  - SAML
  - OAuth - implementation frameworks such as OpenID Connect are based on one of these architectures
- they consist of three components
- the client or principal
- the service provider or resource provider
- identity provider