Domain 5: Identity and Access Management Flashcards
Access Control System
Means to ensure that access to assets is authorized and restricted based on business and security requirements related to logical and physical systems.
Access Control Tokens
The system decides if access is to be granted or denied based on the validity of the token for the point where it is read based on time, date, day, holiday, or other condition used for controlling validation.
Accounting
An access control process that records information about all attempts by all identities to access any resources of the system. See also authentication, authorization.
Authentication
Access control process that validates the identity being claimed by a user or entity is known to the system by comparing one or more factors of identification. Factors typically include something the user is, something they have, and something they know (such as a fingerprint, hardware security token, or answers to challenge questions). Single-factor authentication (SFA) authenticates with only one of these; multi-factor authentication (MFA) uses two or more.
Authorization
The process of defining the specific resources a user needs and determining the type of access to those resources the user may have.
Crossover Error Rate (CER)
This is the point at which the false acceptance (or Type 2) error rate equals the false rejection (Type 1) error rate, for a given sensor used in a given system and context. This is only the optimal point of operation if the potential impacts of both types of errors are equivalent.
Data Custodian, Custodian
The individual who manages permissions and access on a day-to- day basis based on instructions from the data owner. Responsible for protecting an asset that has value, while in the custodian’s possession.
Data Owner/ Data Controller
The individual or entity who is responsible to classify, categorize, and permit access to the data. The data owner is most familiar with the data’s importance to the organization.
Discretionary Access Control (DAC)
Access control in which the system owner decides who gets access.
False Acceptance Rate (FAR or Type 2)
Incorrectly authenticating a claimed identity as legitimate and recognized and granting access on that basis.
False Rejection Rate (FRR or Type 1)
Incorrectly denying authentication to a legitimate identity and thus denying it access.
Identity Proofing
The process of collecting and verifying information about a person for the purpose of proving that a person who has requested an account, credential, or other special privilege is indeed who they claim to be and establishing a reliable relationship that can be trusted electronically between the individual and said credential for purposes of electronic authentication.
Identity as-a-Service (IDaaS)
Cloud-based services that broker IAM functions to target systems on customers’ premises or in the cloud, or both.
Logical Access Control System
Automated systems that authorize or deny access to and use of an information system and its assets to an individual user, based on verification that the identity presented matches that which was previously approved.
Technical controls for protection, Only people that can auth are good.
Mandatory Access Controls (MAC)
Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.
An access control mechanism that uses classification-based
security labels to regulate subject access to objects. Implementations include using a hierarchical
MAC environment, a compartmentalized MAC environment, and a hybrid MAC environment
Use of classification labels ‘ Top Secret’
Multi-Factor Authentication (MFA)
Ensures that a user is who they claim to be. The more factors used to determine a person’s identity, the greater the trust of authenticity.
Open Authorization (OAuth)
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
Privilege Creep
The unnecessary accumulation of access privileges by a user, typically due to failing to remove privileges when they are no longer needed.
Self-Service Identity Management
Elements of the identity management life cycle and provisioning process, which the end user (the identity in question) can initiate or perform with little or no interaction or assistance from administrators. Examples include password resets, postal address updates, or changes to challenge questions and answers.
Single-Factor Authentication (SFA)
Involves the use of simply one of the three available factors solely to carry out the authentication process being requested.