Domain 5: Identity and Access Management Flashcards
Identity and Access Management
Focus on harmonizing the provisioning of users and managing their access across multiple systems with different native access control systems
Identity Management
Controls the life cycle of all accounts in a system
Verifies someone is who they say they are
Access Management
Controls the assignment of rights/privileges to those accounts
Verifies someone has the right accesses to do what is requested
Identity Proofing
Precedes creation of a user account
Not the same as authentication
Requires the prospective employee to prove their identity to the employer
Provisioning/Deprovisioning Identities
Traditionally different cloud vendors used non-standard provisioning APIs
Enterprises had to develop and maintain proprietary connectors to integrate with multiple SaaS providers
Alternatively, provisioning can be made easier, e.g. via the cloud
Type 1 Authentication
Something you know
Type 2 Authentication
Something you have
Type 3 Authentication
Something you are
Multifactor
A combination of the three types of authentication
Mutual Authentication
Both parties authenticate to each other
Token
A one-time-use passcode from a device that synchronizes with the authentication server, or that is time-based
Physiological traits for Authentication
Fingerprint, hand geometry, iris, retina
Behavior based traits for authentication
Voice, gait, signature, keyboard cadence
Type I Error
False Rejection: a legitimate user is barred from access. Caused by the system demanding too much identifying information
Type II Error
False Acceptance: an impostor is allowed access. A security threat, caused by a system that does not require enough identifying information
CER Crossover Error Rate
The point where the Type I and Type II error rates intersect on a graph. The goal is a low CER
Biometrics concerns
User acceptance; intrusiveness (retina scans can reveal health information); time for enrollment and verification; cost/benefit; biometrics cannot be revoked
Single Sign-on (SSO)
Allows a user to provide credentials to an authentication server and receive access to interconnected or disparate systems
Kerberos
Network authentication protocol developed by MIT's Project Athena. It aims to provide secure authentication in an insecure network environment
Kerberos password Transmission
Does not transmit password over the network
Kerberos Authentication Server (AS)
Authenticates the user and issues a Ticket Granting Ticket (TGT)
Kerberos Ticket Granting Service (TGS)
After receiving the TGT from the user, the TGS issues a service ticket allowing that particular user to access a particular service