Domain 5: Identity and Access Management Flashcards

1
Q

Access Control System

A

Means to ensure that access to assets is authorized and restricted based on business and security requirements related to logical and physical systems.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Access Control Tokens

A

The system decides if access is to be granted or denied based on the validity of the token for the point where it is read based on time, date, day, holiday, or other condition used for controlling validation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Accounting

A

An access control process that records information about all attempts by all identities to access any resources of the system. See also authentication, authorization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Authentication

A

Access control process that validates the identity being claimed by a user or entity is known to the system by comparing one or more factors of identification. Factors typically include something the user is, something they have, and something they know (such as a fingerprint, hardware security token, or answers to challenge questions). Single-factor authentication (SFA) authenticates with only one of these; multi-factor authentication (MFA) uses two or more.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Authorization

A

The process of defining the specific resources a user needs and determining the type of access to those resources the user may have.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Crossover Error Rate (CER)

A

This is the point at which the false acceptance (or Type 2) error rate equals the false rejection (Type 1) error rate, for a given sensor used in a given system and context. This is only the optimal point of operation if the potential impacts of both types of errors are equivalent.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Data Custodian, Custodian

A

The individual who manages permissions and access on a day-to- day basis based on instructions from the data owner. Responsible for protecting an asset that has value, while in the custodian’s possession.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Data Owner/ Data Controller

A

The individual or entity who is responsible to classify, categorize, and permit access to the data. The data owner is most familiar with the data’s importance to the organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Discretionary Access Control (DAC)

A

Access control in which the system owner decides who gets access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

False Acceptance Rate (FAR or Type 2)

A

Incorrectly authenticating a claimed identity as legitimate and recognized and granting access on that basis.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

False Rejection Rate (FRR or Type 1)

A

Incorrectly denying authentication to a legitimate identity and thus denying it access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Identity Proofing

A

The process of collecting and verifying information about a person for the purpose of proving that a person who has requested an account, credential, or other special privilege is indeed who they claim to be and establishing a reliable relationship that can be trusted electronically between the individual and said credential for purposes of electronic authentication.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Identity as-a-Service (IDaaS)

A

Cloud-based services that broker IAM functions to target systems on customers’ premises or in the cloud, or both.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Logical Access Control System

A

Automated systems that authorize or deny access to and use of an information system and its assets to an individual user, based on verification that the identity presented matches that which was previously approved.

Technical controls for protection, Only people that can auth are good.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Mandatory Access Controls (MAC)

A

Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.

An access control mechanism that uses classification-based
security labels to regulate subject access to objects. Implementations include using a hierarchical
MAC environment, a compartmentalized MAC environment, and a hybrid MAC environment

Use of classification labels ‘ Top Secret’

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Multi-Factor Authentication (MFA)

A

Ensures that a user is who they claim to be. The more factors used to determine a person’s identity, the greater the trust of authenticity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Open Authorization (OAuth)

A

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Privilege Creep

A

The unnecessary accumulation of access privileges by a user, typically due to failing to remove privileges when they are no longer needed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Self-Service Identity Management

A

Elements of the identity management life cycle and provisioning process, which the end user (the identity in question) can initiate or perform with little or no interaction or assistance from administrators. Examples include password resets, postal address updates, or changes to challenge questions and answers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Single-Factor Authentication (SFA)

A

Involves the use of simply one of the three available factors solely to carry out the authentication process being requested.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

context-aware authentication

A

An authentication system that evaluates the origin and
context of a user’s attempt to access a system. It can include multiple elements such as the
location of the user, time of day, type of connection, and endpoint device. Aka context-based
authentication. See attribute-based access control (ABAC)

22
Q

asynchronous dynamic password token

A

A token device that generates onetime passwords after the user enters a PIN in the token device. The PIN is provided by a server as a
challenge, and the user enters the onetime password created by the token as the response.

23
Q

synchronous dynamic password token

A

Token used in a token device that generates passwords at fixed time intervals. Time interval tokens require that the clock of the authentication server and the token device be synchronized. The generated password is entered by the
subject along with a PIN, passphrase, or password.

24
Q

centralized access control

A

A form of access control in which authorization verification is
performed by a single entity within a system. See decentralized access control and distributed
access control.

25
Q

decentralized access control

A

System of access control in which authorization verification
is performed by various entities located throughout a system. See centralized access control.

26
Q

Active Directory

A

The replacement for NT Directory Service (NTDS) that is included
with Windows 2000. Because it’s an X.500-based directory service, it’s similar to Novell’s
Directory Services (NDS), which is also called eDirectory

27
Q

directory service

A

A centralized database of resources available to the network, much like a
telephone directory for network services and assets. Users, clients, and processes consult the
directory service to learn where a desired system or resource resides.

28
Q

cloud-based federation

A

A single sign-on solution that uses a third-party service to share
federated identities.

29
Q

federated identity management (FIM)

A

A single sign-on–based identity solution.

30
Q

just-in-time (JIT) provisioning

A

A federated identity solution that automatically creates the
relationship between two entities so that new users can access resources. A JIT solution creates the connection without any administrator intervention.

31
Q

on-premises federated identity management system

A

A single sign-on solution hosted
fully on site.

32
Q

Service Provisioning Markup Language (SPML)

A

A markup language used with federated
identity management systems to exchange user information for federated identity single
sign-on purposes. It is derived from the Standard Generalized Markup Language (SGML),
the Extensible Markup Language (XML), and the Generalized Markup Language (GML).

33
Q

hybrid federation

A

An identity management (IdM) or single sign-on solution consisting of
elements that are hosted partially on premises and partially in the cloud.

34
Q

credential management

A

The concept of storing a collection of logon credentials in a
central secure location. Aka credential manager, password locker, and password vault.

35
Q

credential management system

A

A solution that provides a storage space for users to keep
their credentials when single sign-on (SSO) isn’t available. Users can store credentials for
websites and network resources that require a different set of credentials. The management
system secures the credentials with encryption to prevent unauthorized access.

36
Q

scripted access

A

A method to automate the logon process with a script that provides the
logon credentials to a system. It is considered a form of single sign-on.

37
Q

identity and access provisioning lifecycle

A

The creation, management, and deletion of
accounts. Provisioning refers to granting accounts with appropriate privileges when they are
created and during the lifetime of the account.

38
Q

identity as a service, identity and access as a service (IDaaS)

A

A third-party service
that provides identity and access management. IDaaS effectively provides SSO for the cloud
and is especially useful when internal clients access cloud-based software-as-a-service (SaaS)
applications

39
Q

account revocation

A

The act of deprovisioning an account by deleting it

40
Q

excessive privilege(s)

A

More access, privilege, or permission than a user’s assigned work
tasks dictate. If a user account is discovered to have excessive privilege, the additional and
unnecessary benefits should be immediately curtailed.

41
Q

privilege creep

A

The undesired addition of user privileges as a user gains more privileges
when changing jobs, but unneeded privileges are not renewed. It violates the principle of user
privilege. See also creeping privilege(s).

42
Q

privileges

A

A combination of rights and permissions. Rights refer to actions a user can perform on a system, such as changing the system time. Permissions refer to the level of access a
user is granted to data such as read, write, modify, and delete

43
Q

constrained interface

A

An access control used in applications that restrict what users can
do or see based on their assigned privileges. Subjects with restricted privileges have limited
access. Aka restricted interface.

44
Q

content-dependent access control

A

A form of access control that restricts access to data
based on the contents or payload of an object.

45
Q

context-dependent access control

A

A form of access control based on the context or surroundings of an object.

46
Q

attribute-based access control (ABAC), attribute based access control

A

A mechanism
of assigning access and privileges to resources through a scheme of attributes or characteristics. The attributes can be related to the user, the object, the system, the application, the
network, the service, time of day, or even other subjective environmental concerns. See also
discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC, RoBAC, or role-BAC), and rule-based access control (RuBAC, Rule-BAC).

47
Q

Mandatory Access Control (MAC)

A

An access control mechanism that uses classification-based
security labels to regulate subject access to objects. Implementations include using a hierarchical
MAC environment, a compartmentalized MAC environment, and a hybrid MAC environment.

48
Q

role-based access control (RBAC, RoBAC, Role-BAC)

A

A type of nondiscretionary access
control wherein the levels of security closely follow the personnel structure of an organization. RBAC employs job function roles to regulate subject access to objects. The role the
person plays in the organization (accountant, salesperson, and so on) corresponds to the level
of security access they have to data. See also discretionary access control (DAC), mandatory
access control (MAC), attribute-based access control (ABAC), and rule-based access control
(RuBAC, Rule-BAC).

49
Q

Security Assertion Markup Language (SAML)

A

An XML-based open standard convention
for communication authentication and authorization details between security domains, systems, services, and devices, often over web protocols. SAML is often used to provide a webbased single sign-on (SSO) solution.

50
Q

Kerberos

A

A ticket-based authentication mechanism that employs a trusted third party to
provide identification and authentication. Typically used in private LANs as an SSO solution.

51
Q

Remote Authentication Dial-in User Service (RADIUS)

A

A service used to centralize
the authentication of remote access connections. This includes legacy dial-up connections,
wireless, and broadband connections via the internet.

52
Q
A