Domain 5 - Identity and Access Management Flashcards

1
Q

What are the components of Access Control?

A

Access Controls control how users and systems interact with other systems and resources.

Components include:

  • Subject: an active entity that requests access to an object or the data within an object. Can be a user, program, or process.
  • Object: a passive entity that contains information, e.g. a computer program, directory, or field contained in a table.
  • Users' permissions and rights may be based on their identity, clearance, and/or group membership.
2
Q

What is the difference between identification, authentication, authorisation, and accountability (IAAA)?

A

Logical access controls are technical tools used for identification and AAA, and can be embedded within the OS and applications.

  • Identification: the method by which a subject (user, program, or process) claims to have a specific identity (e.g. username, account number, email).
  • Authentication: the system verifies the identity of the subject, e.g. by password, PIN, token, or anatomical attribute.
  • Authorisation: an access control matrix or security labels are used to verify that a subject may access the requested resource and perform the actions it is attempting.
  • Accountability is ensured when the subject is uniquely identified and the subject's actions are recorded.
3
Q

What are the components of Identification and authentication?

A
  • Authentication can be based on something a person knows, something a person has, or something a person is.
  • Strong authentication (MFA) combines two or all three of these methods.
  • Creating or issuing secure identities should include three key aspects:
    • Uniqueness: every user must be unique for accountability.
    • Nondescriptive: neither piece of the credential set should indicate the purpose.
    • Issuance: the ID is provided by another authority as a means of proving identity, e.g. ID cards.
  • Mutual authentication is when two communicating entities must authenticate to each other.
  • Computers and devices can be identified, authenticated, monitored and controlled based upon their hardware or IP address. NAC technology authenticates systems before they are allowed to access the network.
4
Q

What is Identity management?

A
  • Includes user account management, access control, credential management, SSO, and managing rights and permissions.
  • The traditional identity management process has been manual, using directory services with permissions, access control lists (ACLs), and profiles.
  • Directories contain information pertaining to the company's network resources and users. They use a hierarchical database format based on the X.500 standard, and LDAP allows subjects and applications to interact with the directory.
  • Objects within a directory are managed by a directory service, which allows an admin to configure and manage how identification, authentication, authorisation, and access control take place.
  • In a Windows environment, when logging into a domain controller (DC), Active Directory is the directory service which organises the network resources and carries out user access control functionality.
  • Directory services use namespaces, which are a way of identifying and naming the objects they will manage. The directory service assigns a distinguished name (DN) to each object; the DN represents a collection of attributes about a specific object and is stored in the directory as an entry. Thus the directory service manages the entries and data in the directory and also enforces the configured security policy.
  • Directories are the main component of an IDM solution, and are the centralised location for all the information it needs. A lot of the information stored in an IDM directory is scattered throughout the enterprise. Identity management products create meta- or virtual directories which gather the necessary information from multiple sources and store it in one central directory. A meta-directory physically holds the identity data in its directory, whereas a virtual directory does not and instead points to where the actual data resides.
5
Q

What is Web access management (WAM)?

A

WAM software controls what users can access when using a web browser to interact with web-based enterprise assets.

  • User sends in credentials to web server
  • Web server requests the WAM platform to authenticate the user against the LDAP directory and retrieve authorisations from the policy database.
  • User requests to access a resource (object)
  • Web server verifies that object access is authorised and allows access

WAM is the main gateway between users and the corporate web based resources.

WAM also provides an SSO capability so that once a user is authenticated at a website, she can access different web-based applications and resources without having to log in multiple times. It must keep track of the user's authentication state and context as the user moves from resource to resource. Cookies are generated by the server and sent to the client, with the authentication status and authorisation levels defined in them. The server will periodically check this to ensure the session hasn't been hijacked.

6
Q

What are credential management systems?

A

Deals with creating user accounts on all systems, assigning and modifying the account details and privileges, and decommissioning accounts.

  • Registration: when a new user needs an account, someone needs to vouch for the identity, i.e. proofing of identity carried out by HR.
  • Profile update:
  • Password managers:
  • Password Synchronisation:
  • Self-Service password reset:
  • Assisted password reset:
  • Legacy single sign on: