Domain 5: Identity and Access Management Flashcards

1
Q

Access Control System

A

Means to ensure that access to assets is authorized and restricted based on business and security requirements related to logical and physical systems.

2
Q

Access Control Tokens

A

The system decides whether access is granted or denied based on the validity of the token at the point where it is read, taking into account time, date, day, holiday, or any other condition used for controlling validation.

3
Q

Accounting

A

An access control process that records information about all attempts by all identities to access any resources of the system. See also authentication, authorization.

4
Q

Authentication

A

Access control process that validates the identity being claimed by a user or entity is known to the system by comparing one or more factors of identification. Factors typically include something the user is, something they have, and something they know (such as a fingerprint, hardware security token, or answers to challenge questions). Single-factor authentication (SFA) authenticates with only one of these; multi-factor authentication (MFA) uses two or more.

5
Q

Authorization

A

The process of defining the specific resources a user needs and determining the type of access to those resources the user may have.

6
Q

Crossover Error Rate (CER)

A

This is the point at which the false acceptance (or Type 2) error rate equals the false rejection (Type 1) error rate, for a given sensor used in a given system and context. This is only the optimal point of operation if the potential impacts of both types of errors are equivalent.

7
Q

Data Custodian, Custodian

A

The individual who manages permissions and access on a day-to-day basis based on instructions from the data owner. Responsible for protecting an asset that has value while it is in the custodian’s possession.

8
Q

Data Owner / Data Controller

A

The individual or entity who is responsible to classify, categorize, and permit access to the data. The data owner is most familiar with the data’s importance to the organization.

9
Q

Discretionary Access Control (DAC)

A

Access control in which the system owner decides who gets access.

10
Q

False Acceptance Rate (FAR or Type 2)

A

Incorrectly authenticating a claimed identity as legitimate and recognized and granting access on that basis.

11
Q

False Rejection Rate (FRR or Type 1)

A

Incorrectly denying authentication to a legitimate identity and thus denying it access.

12
Q

Identity Proofing

A

The process of collecting and verifying information about a person in order to prove that the person who has requested an account, credential, or other special privilege is indeed who they claim to be. It also establishes a reliable, electronically trustworthy relationship between the individual and that credential for purposes of electronic authentication.

13
Q

Identity-as-a-Service (IDaaS)

A

Cloud-based services that broker IAM functions to target systems on customers’ premises or in the cloud, or both.

14
Q

Logical Access Control System

A

Automated systems that authorize or deny access to and use of an information system and its assets to an individual user, based on verification that the identity presented matches that which was previously approved.

15
Q

Mandatory Access Controls (MAC)

A

Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.

16
Q

Multi-Factor Authentication (MFA)

A

Ensures that a user is who they claim to be. The more factors used to determine a person’s identity, the greater the trust of authenticity.

17
Q

Open Authorization (OAuth)

A

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

18
Q

Privilege Creep

A

The unnecessary accumulation of access privileges by a user, typically due to failing to remove privileges when they are no longer needed.

19
Q

Self-Service Identity Management

A

Elements of the identity management life cycle and provisioning process, which the end user (the identity in question) can initiate or perform with little or no interaction or assistance from administrators. Examples include password resets, postal address updates, or changes to challenge questions and answers.

20
Q

Single-Factor Authentication (SFA)

A

Involves using only one of the three available factors to carry out the requested authentication.

21
Q

context-aware authentication

A

An authentication system that evaluates the origin and context of a user’s attempt to access a system. It can include multiple elements such as the location of the user, time of day, type of connection, and endpoint device. Aka context-based authentication. See attribute-based access control (ABAC).

22
Q

asynchronous dynamic password token

A

A token device that generates one-time passwords after the user enters a PIN in the token device. The PIN is provided by a server as a challenge, and the user enters the one-time password created by the token as the response.

23
Q

synchronous dynamic password token

A

Token used in a token device that generates passwords at fixed time intervals. Time interval tokens require that the clock of the authentication server and the token device be synchronized. The generated password is entered by the subject along with a PIN, passphrase, or password.

24
Q

centralized access control

A

A form of access control in which authorization verification is performed by a single entity within a system. See decentralized access control and distributed access control.

25
Q

decentralized access control

A

System of access control in which authorization verification is performed by various entities located throughout a system. See centralized access control.

26
Q

Active Directory

A

The replacement for NT Directory Service (NTDS) that is included with Windows 2000. Because it’s an X.500-based directory service, it’s similar to Novell’s Directory Services (NDS), which is also called eDirectory.

27
Q

directory service

A

A centralized database of resources available to the network, much like a telephone directory for network services and assets. Users, clients, and processes consult the directory service to learn where a desired system or resource resides.

28
Q

cloud-based federation

A

A single sign-on solution that uses a third-party service to share federated identities.

29
Q

federated identity management (FIM)

A

A single sign-on–based identity solution.

30
Q

just-in-time (JIT) provisioning

A

A federated identity solution that automatically creates the relationship between two entities so that new users can access resources. A JIT solution creates the connection without any administrator intervention.

31
Q

on-premises federated identity management system

A

A single sign-on solution hosted fully on site.

32
Q

Service Provisioning Markup Language (SPML)

A

A markup language used with federated identity management systems to exchange user information for federated identity single sign-on purposes. It is derived from the Standard Generalized Markup Language (SGML), the Extensible Markup Language (XML), and the Generalized Markup Language (GML).

33
Q

hybrid federation

A

An identity management (IdM) or single sign-on solution consisting of elements that are hosted partially on premises and partially in the cloud.

34
Q

credential management

A

The concept of storing a collection of logon credentials in a central secure location. Aka credential manager, password locker, and password vault.

35
Q

credential management system

A

A solution that provides a storage space for users to keep their credentials when single sign-on (SSO) isn’t available. Users can store credentials for websites and network resources that require a different set of credentials. The management system secures the credentials with encryption to prevent unauthorized access.

36
Q

scripted access

A

A method to automate the logon process with a script that provides the logon credentials to a system. It is considered a form of single sign-on.

37
Q

identity and access provisioning lifecycle

A

The creation, management, and deletion of accounts. Provisioning refers to granting accounts with appropriate privileges when they are created and during the lifetime of the account.

38
Q

identity as a service, identity and access as a service (IDaaS)

A

A third-party service that provides identity and access management. IDaaS effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based software-as-a-service (SaaS) applications.

39
Q

account revocation

A

The act of deprovisioning an account by deleting it.

40
Q

excessive privilege(s)

A

More access, privilege, or permission than a user’s assigned work tasks dictate. If a user account is discovered to have excessive privilege, the additional and unnecessary benefits should be immediately curtailed.

41
Q

privilege creep

A

The undesired accumulation of user privileges as a user gains more privileges when changing jobs, while privileges that are no longer needed are not revoked. It violates the principle of least privilege. See also creeping privilege(s).

42
Q

privileges

A

A combination of rights and permissions. Rights refer to actions a user can perform on a system, such as changing the system time. Permissions refer to the level of access a user is granted to data, such as read, write, modify, and delete.

43
Q

constrained interface

A

An access control used in applications that restricts what users can do or see based on their assigned privileges. Subjects with restricted privileges have limited access. Aka restricted interface.

44
Q

content-dependent access control

A

A form of access control that restricts access to data based on the contents or payload of an object.

45
Q

context-dependent access control

A

A form of access control based on the context or surroundings of an object.

46
Q

attribute-based access control (ABAC), attribute based access control

A

A mechanism of assigning access and privileges to resources through a scheme of attributes or characteristics. The attributes can be related to the user, the object, the system, the application, the network, the service, time of day, or even other subjective environmental concerns. See also discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC, RoBAC, or role-BAC), and rule-based access control (RuBAC, Rule-BAC).

47
Q

Mandatory Access Control (MAC)

A

An access control mechanism that uses classification-based security labels to regulate subject access to objects. Implementations include using a hierarchical MAC environment, a compartmentalized MAC environment, and a hybrid MAC environment.

48
Q

role-based access control (RBAC, RoBAC, Role-BAC)

A

A type of nondiscretionary access control wherein the levels of security closely follow the personnel structure of an organization. RBAC employs job function roles to regulate subject access to objects. The role the person plays in the organization (accountant, salesperson, and so on) corresponds to the level of security access they have to data. See also discretionary access control (DAC), mandatory access control (MAC), attribute-based access control (ABAC), and rule-based access control (RuBAC, Rule-BAC).

49
Q

Security Assertion Markup Language (SAML)

A

An XML-based open standard convention for communicating authentication and authorization details between security domains, systems, services, and devices, often over web protocols. SAML is often used to provide a web-based single sign-on (SSO) solution.

50
Q

Kerberos

A

A ticket-based authentication mechanism that employs a trusted third party to provide identification and authentication. Typically used in private LANs as an SSO solution.

51
Q

Remote Authentication Dial-in User Service (RADIUS)

A

A service used to centralize the authentication of remote access connections. This includes legacy dial-up connections, wireless, and broadband connections via the internet.