Domain 5 Identity and Access Management (IAM) Flashcards

1
Q

Control of Physical Access to Assets

A

Physical access control represents the tangible layer of security, focusing on measures that restrict unauthorized access to an organization’s facilities, equipment, and resources.

2
Q

Information:

A

Ensuring secure storage and handling of sensitive documents is paramount. Hospitals might use locked cabinets to store patient records, employing shredding protocols for no longer needed documents.

3
Q

Systems:

A

Access to computers and servers can be restricted through locked rooms, cabinets, or cages. Data centers might employ biometric scanners, limiting entry solely to authorized personnel.

4
Q

Devices:

A

Security measures for portable devices like laptops and mobile phones are essential. Corporations might use cable locks for laptops in shared spaces or store them in locked cabinets when not in use.

5
Q

Facilities:

A

Implementing access control systems, such as card readers or security personnel, is vital. Research laboratories might utilize retina scanners, ensuring only authorized scientists can enter sensitive areas.

6
Q

Control of Logical Access to Assets

A

Logical access control, in contrast, focuses on the virtual realm, securing digital assets by managing user access and permissions within IT systems.

7
Q

Information:

A

Implementing access controls on databases and file systems is vital. Banks might limit access to customer financial data based on employee roles, ensuring that only authorized staff can view sensitive information.

8
Q

Systems:

A

Employing security controls like firewalls and intrusion detection systems is essential. Ecommerce companies might deploy advanced firewalls, preventing unauthorized access to internal networks.

9
Q

Devices:

A

Enforcing device security policies such as password protection and encryption is crucial. Government agencies might uphold strict encryption standards on mobile devices to protect classified information.

10
Q

Applications:

A

Managing user access within applications ensures role-appropriate access. Universities might configure student information systems so that professors can access only the grades and attendance records relevant to their courses.

11
Q

Understanding Access Control Models

A

Access control models are the architectural blueprints for managing and securing access to an organization’s resources. These models articulate the principles and mechanisms that define how permissions are granted, ensuring that users can only access the data and resources necessary for their job functions.

12
Q

Discretionary Access Controls (DAC)

A

Discretionary access controls empower resource owners to determine who has access to their resources and to what extent. In the DAC model, users can grant or revoke permissions for other users at their discretion.

Example: In a shared file system within a collaborative research project, a lead scientist with the necessary permissions can grant read or write access to specific files or folders to other team members, tailoring access based on individual responsibilities.

13
Q

Mandatory Access Controls (MAC)

A

Mandatory access controls enforce access based on predefined security policies and classification levels. The MAC model is rigid, allowing access only to those with the appropriate security clearance and a need to know.

Example: In a government agency handling classified information, a user with “Secret” clearance can access only “Secret” or lower documents. Access to “Top Secret” documents is restricted, maintaining the integrity of sensitive information.

14
Q

Nondiscretionary Access Control (Role-Based Access Control or RBAC)

A

Nondiscretionary access control assigns permissions based on users’ roles within an organization rather than their identities. The RBAC model grants access based on job responsibilities and functions.

Example: In a hospital’s patient management system, nurses are granted access to patient medical records, while administrative staff members are granted access to billing information. Each role has specific permissions, aligning access with job functions.

15
Q

Rule-Based Access Controls

A

Rule-based access controls enforce access permissions based on predefined rules or conditions, such as time of day, location, or network conditions.

Example: A financial institution might implement a rule-based access control policy that allows traders to access certain internal trading platforms only during market hours or from secure trading floors.

16
Q

Content-Dependent and Context-Dependent Access Controls

A

Content-dependent access controls grant or deny access based on the content of the resource being accessed, whereas context-dependent access controls consider the context in which the access request is made.

Example: A content-dependent policy in a law firm might restrict access to legal documents based on their confidentiality level. A context-dependent policy might grant access to specific resources only when a lawyer is connected to the firm’s secure network using a firm-issued device.

The landscape of access control models is diverse and nuanced, reflecting the complexity of modern organizational structures and technological environments. Understanding these models is more than a theoretical exercise; it is a practical necessity for securing an organization’s resources.

17
Q

Identity Management (IdM) Implementation

A

Identity Management involves creating, maintaining, and validating unique user identities across an organization. IdM implementation is the bedrock of access control, ensuring that users are accurately identified and authenticated.

Example: In a multinational corporation, IdM might include a centralized directory service that manages employee identities, roles, and permissions, ensuring consistency and security across global operations.

18
Q

Single-factor authentication

A

Single-factor authentication relies on one method, such as a password or PIN. While simple, it can be vulnerable to attacks.

19
Q

Multifactor authentication

A

Multifactor authentication combines two or more factors (e.g., something you know, something you have, and something you are) to provide a higher level of security. These factors are typically categorized into

20
Q

Something you know (knowledge-based factors):

A

These are pieces of information that the user must know to authenticate, such as passwords, PINs, or answers to security questions.

21
Q

Something you have (possession-based factors):

A

These are physical devices or objects the user must have to authenticate, such as a security token, smart card, or mobile phone with an authentication app.

22
Q

Something you are (inherence-based factors):

A

These are biometric characteristics unique to the individual, such as fingerprints, facial recognition, or voice patterns.

23
Q

Somewhere you are (location-based factors):

A

This newer category includes the user’s location as a factor, such as a specific geographical location verified through GPS.

24
Q

Something you do (behavior-based factors):

A

This includes the unique ways in which a person interacts with a system, such as typing rhythm or mouse movement patterns.

25
Q

Accountability

A

Accountability in information security is the mechanism that ensures users are held responsible for their actions within a system.

26
Q

Audit trails:

A

Audit trails are chronological records of user activities, providing evidence of system usage and helping trace unauthorized activities back to the responsible individual.

Example: In a healthcare system, audit trails might record who accessed patient records, when, and what changes were made, ensuring compliance with privacy regulations.

27
Q

Monitoring:

A

Continuous monitoring of user activities is essential for detecting potential security breaches, anomalies, and policy violations.

Example: An ecommerce platform might employ real-time monitoring to detect and alert on unusual purchasing patterns that potentially indicate fraudulent activity.

28
Q

Access controls:

A

Enforcing strict access controls, such as the principle of least privilege, ensures that users have the minimum necessary access to perform their job functions.

Example: In a manufacturing company, access controls might restrict engineers to the design files relevant to their projects, while managers have broader access to project management tools.

29
Q

Federated Identity Management (FIM):

A

FIM allows users to use the same identity across different organizations or services. It’s commonly used in collaborations between businesses.

30
Q

Credential Management Systems:

A

These systems manage user credentials securely, often in conjunction with MFA.

31
Q

Single Sign-On (SSO):

A

SSO enables users to log in once and gain access to multiple related systems without reauthenticating.

32
Q

Just-in-Time (JIT) provisioning:

A

JIT provisioning creates user accounts on the fly when needed, often used in cloud environments to enhance efficiency.

33
Q

Session Management

A

Session management is a multifaceted process that ensures a secure and continuous user experience within a system. It involves the creation of unique session identifiers, secure maintenance of session information, and proper termination to prevent unauthorized access.

Example: In an online healthcare portal, session management ensures patients can securely access their medical records, schedule appointments, and communicate with healthcare providers without interruption.

34
Q

Creation:

A

A unique session identifier is generated when users log in, allowing the system to track their activities and preferences.

35
Q

Maintenance:

A

The system must securely maintain session information, such as session cookies and tokens, to ensure that the user’s interaction remains seamless and secure.

36
Q

Termination:

A

The session must be properly terminated upon logout or timeout, and any session data must be invalidated to prevent unauthorized access.

37
Q

Registration:

A

Users must provide personal information, such as name, email address, and phone number, to create an account.

38
Q

Proofing:

A

The system verifies the user’s identity by validating the provided information, often through multi-step verification processes.

39
Q

Establishment:

A

Once verified, a unique identifier and authentication credentials are assigned, forming the basis of the user’s digital identity within the system.

40
Q

Storage:

A

Credentials are stored in encrypted formats, often in secure hardware or virtual vaults, to prevent unauthorized access.

41
Q

Management:

A

Regular updates, deactivation of obsolete credentials, and immediate revocation are managed systematically in case of suspected compromise.

42
Q

Single Sign-On (SSO) Deployment Options

A

Single Sign-On (SSO) is a user-friendly authentication process that allows users to access multiple systems with a single set of credentials.

Example: A multinational corporation may use a hybrid SSO solution to enable employees to access local intranet resources and global collaboration platforms with a single login.

43
Q

On-premise:

A

Managed within the organization’s local data center, allowing complete control but requiring significant investment in infrastructure and maintenance.

44
Q

Cloud:

A

Leveraging third-party cloud services, reducing maintenance overhead and providing scalability.

45
Q

Hybrid:

A

Combining on-premise and cloud-based solutions, offering flexibility and a tailored approach to different systems or applications.

46
Q

Federated Identity with a Third-Party Service

A

Federated Identity Management (FIM) extends the principles of SSO across organizational boundaries.

Example: Universities in a research consortium may use Federated Identity to allow researchers to access shared research databases and collaboration tools across institutions.

47
Q

On-premise:

A

Complete control over the Federated Identity infrastructure, suitable for organizations with strict security requirements.

48
Q

Cloud:

A

Reduced maintenance overhead and scalability, suitable for organizations primarily using cloud-based services.

49
Q

Hybrid:

A

A combination of both, providing flexibility and a tailored approach.

50
Q

Just-in-Time (JIT) Provisioning

A

JIT provisioning is an agile approach to account management.

Example: A cloud-based project management tool might use JIT provisioning to create and manage user accounts for external contractors, granting them access only to relevant projects.

51
Q

On-demand creation:

A

User accounts are created as needed rather than in advance, improving efficiency.

52
Q

Dynamic permissions:

A

Permissions are assigned dynamically based on predefined rules, such as user roles or group memberships, ensuring that users have the appropriate level of access.

53
Q

Managing the Identity and Access Provisioning Life Cycle

A

Managing the identity and access provisioning life cycle is critical to an organization’s security posture. This process includes account access review, provisioning and deprovisioning, role definition, and privilege escalation. Like SSO and Federated Identity Management, the identity and access provisioning life cycle can be managed using on-premise, cloud, or hybrid approaches.

54
Q

On-premise:

A

On-premise identity and access provisioning involves deploying and managing the infrastructure in the organization’s local data center. This approach gives the organization complete control over its infrastructure and processes.

Example: An organization may implement on-premise identity and access management solutions, such as Microsoft Active Directory, to manage the provisioning life cycle, including user access review, role definition, and privilege escalation within its local network.

55
Q

Cloud:

A

Cloud-based identity and access provisioning leverages third-party cloud services to host and manage the infrastructure. This approach offers advantages such as reduced maintenance overhead, scalability, and access to resources from anywhere with an Internet connection.

Example: An organization may use cloud-based identity and access management services, such as Okta or AWS Identity and Access Management (IAM), to manage the provisioning life cycle for its cloud-based resources.

56
Q

Hybrid:

A

A hybrid approach combines on-premise and cloud-based solutions, allowing organizations to choose the most appropriate solution for each system or application. This approach is useful for organizations with a mix of on-premise and cloud-based resources and those transitioning from on-premise to cloud-based infrastructure.

Example: An organization may use an on-premise solution like Microsoft Active Directory to manage the provisioning life cycle for local resources while integrating with a cloud-based identity and access management service like Azure Active Directory to manage cloud-based resources.

57
Q

Account access review:

A

Reviewing user, system, and service accounts ensures only authorized users can access resources. This process includes verifying that accounts are still active, permissions are set correctly, and no unauthorized access has been granted. Depending on an organization’s infrastructure, an account access review can be managed through on-premise, cloud, or hybrid tools.

58
Q

Provisioning and deprovisioning:

A

Provisioning involves granting access rights to new users, systems, or services, while deprovisioning involves removing access rights when no longer needed (e.g., during off-boarding or transfers). Proper provisioning and deprovisioning help maintain a secure environment by ensuring access rights are only granted to authorized users. On-premise, cloud, and hybrid solutions can be used to manage these processes.

59
Q

Role definition:

A

Defining roles within an organization helps streamline the provisioning process by assigning predefined permissions to users based on their job responsibilities. Role definition can be managed through on-premise, cloud, or hybrid identity and access management tools, depending on the organization’s infrastructure.

60
Q

Privilege escalation:

A

Privilege escalation involves temporarily granting elevated permissions to users or services to perform specific tasks. This process should be carefully managed to minimize security risks associated with unauthorized access or misuse of elevated privileges. On-premise, cloud, and hybrid solutions can be used to manage privilege escalation, such as managed service accounts or using sudo in a Linux environment.

61
Q

OpenID Connect (OIDC)/Open Authorization (OAuth)

A

OIDC is an identity layer built on top of the OAuth 2.0 protocol: OAuth 2.0 lets users authorize applications to access resources on their behalf, and OIDC adds user authentication on top of that authorization flow. OIDC and OAuth are often used in cloud and hybrid environments to provide secure authentication and authorization for web and mobile applications.

62
Q

Security Assertion Markup Language (SAML):

A

SAML is an XML-based standard for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP) and a service provider (SP). SAML is commonly used in cloud and hybrid environments for Single Sign-On (SSO) and Federated Identity Management (FIM) implementations.

63
Q

Kerberos:

A

Kerberos is a network authentication protocol that uses secret-key cryptography to securely authenticate users and services within a local network. Kerberos is typically implemented in on-premise environments, often as part of Microsoft Active Directory infrastructure, to provide secure authentication for internal resources.

64
Q

Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+):

A

RADIUS and TACACS+ are authentication, authorization, and accounting (AAA) protocols commonly used for controlling access to network devices and services. RADIUS is often used in on-premise and hybrid environments for remote access solutions like VPNs. In contrast, TACACS+ is typically used for managing access to network devices like routers and switches.