Domain 5.0 Chapter 13 Flashcards

Managing Identity and Authentication

1
Q
  1. Control physical and logical access to assets
    Note that assets can be tangible or intangible.
    1.1 Information
    1.2 Systems
    1.3 Devices
    1.4 Facilities
    1.5 Applications
A
2
Q

1.
1.1 Information An organization’s information includes all of its data. Data is stored in simple files on servers, computers, and smaller devices. It can also be stored in databases within a server farm. Logical access controls attempt to prevent unauthorized access to the information.
1.2 Systems An organization’s systems include any IT systems that provide one or more services. For example, a simple file server that stores user files is a system. Additionally, a web server working with a database server to provide an ecommerce service is a system. Permissions assigned to user and system accounts control system access.
1.3 Devices Devices refer to any computing system, including routers, switches, servers, desktop computers, portable laptop computers, tablets, smartphones, and external devices such as printers. Organizations have increasingly adopted policies allowing employees to connect their personally owned devices (such as smartphones or tablets) to an organization’s network. Although the employees may own the devices, organizational data stored on the devices is still an asset of the organization.
1.4 Facilities An organization’s facilities include any physical location that it owns or rents. This could be individual rooms, entire buildings, or whole complexes of several buildings. Physical security controls help protect facilities.
1.5 Applications Applications frequently provide access to an organization’s data. Controlling access to applications provides an additional layer of control for the organization’s data. Permissions are an easy way to restrict logical access to applications and can be assigned to specific users or groups.

A

1.1 Information An organization’s information includes all of its data. Data is stored in simple files on servers, computers, and smaller devices. It can also be stored in databases within a server farm. Logical access controls attempt to prevent unauthorized access to the information.
1.2 Systems An organization’s systems include any IT systems that provide one or more services. For example, a simple file server that stores user files is a system. Additionally, a web server working with a database server to provide an ecommerce service is a system. Permissions assigned to user and system accounts control system access.
1.3 Devices Devices refer to any computing system, including routers, switches, servers, desktop computers, portable laptop computers, tablets, smartphones, and external devices such as printers. Organizations have increasingly adopted policies allowing employees to connect their personally owned devices (such as smartphones or tablets) to an organization’s network. Although the employees may own the devices, organizational data stored on the devices is still an asset of the organization.
1.4 Facilities An organization’s facilities include any physical location that it owns or rents. This could be individual rooms, entire buildings, or whole complexes of several buildings. Physical security controls help protect facilities.
1.5 Applications Applications frequently provide access to an organization’s data. Controlling access to applications provides an additional layer of control over the organization’s data. Permissions are an easy way to restrict logical access to applications and can be assigned to specific users or groups.

3
Q
  1. Controlling Physical and Logical Access
    A physical security control is one you can touch, such as perimeter security controls (fences, gates, guards, and turnstiles) and environmental controls such as heating, ventilation, and air-conditioning (HVAC) systems and fire suppression.

Logical access controls are the technical controls used to protect access to information, systems, devices, and applications. They include authentication, authorization, and permissions. Combined, they help prevent unauthorized access to data and configuration settings on systems and other devices.

A

A physical security control is one you can touch, such as perimeter security controls (fences, gates, guards, and turnstiles) and environmental controls such as heating, ventilation, and air-conditioning (HVAC) systems and fire suppression.

Logical access controls are the technical controls used to protect access to information, systems, devices, and applications. They include authentication, authorization, and permissions. Combined, they help prevent unauthorized access to data and configuration settings on systems and other devices.

4
Q
  1. The CIA Triad and Access Controls
    One of the primary reasons an organization implements access control mechanisms is to prevent losses. There are three categories of IT loss: loss of confidentiality, integrity, and availability (CIA).
    The following list identifies them in the context of access control:

Confidentiality Access controls help ensure that only authorized subjects can access objects. When unauthorized entities can access systems or data, it results in a loss of confidentiality.
Integrity Integrity ensures that data or system configurations are not modified without authorization, or if unauthorized changes occur, security controls detect the changes. If unauthorized or unwanted changes to objects occur, it results in a loss of integrity.
Availability Authorized requests for objects must be granted to subjects within a reasonable amount of time. In other words, systems and data should be available to users and other subjects when they are needed. If the systems are not operational or the data is not accessible, it results in a loss of availability.

A

The CIA Triad and Access Controls
The following list identifies them in the context of access control:
- Confidentiality Access controls help ensure that only authorized subjects can access objects. When unauthorized entities can access systems or data, it results in a loss of confidentiality.
- Integrity Integrity ensures that data or system configurations are not modified without authorization, or if unauthorized changes occur, security controls detect the changes. If unauthorized or unwanted changes to objects occur, it results in a loss of integrity.
- Availability Authorized requests for objects must be granted to subjects within a reasonable amount of time. In other words, systems and data should be available to users and other subjects when they are needed. If the systems are not operational or the data is not accessible, it results in a loss of availability.

5
Q
  1. Managing Identification and Authentication
    Identification is the process of a subject claiming, or professing, an identity.
    Providing an identity might entail typing a username, swiping a smartcard, speaking a phrase, or positioning your face, hand, or finger in front of a camera or in proximity of a scanning device.

Authentication verifies the subject’s identity by comparing one or more factors against a database of valid identities, such as user accounts.

Identification and authentication occur together as a single two-step process.
While identification and authentication methods authenticate people, they also authenticate devices and services.

Subject A subject is an active entity that accesses a passive object to receive information from, or data about, an object. Subjects can be users, programs, processes, services, computers, or anything else that can access a resource. When authorized, subjects can modify objects.
Object An object is a passive entity that provides information to active subjects. Examples of objects are files, databases, computers, programs, processes, services, printers, and storage media.

A
  1. Managing Identification and Authentication
6
Q
  1. Registration, Proofing, and Establishment of Identity

Acceptable documentation for in-person identity proofing includes using physical documents such as a passport, driver’s license, birth certificate, and more.

Online organizations often use knowledge-based authentication (KBA) for identity proofing of someone new, such as a new customer. For example, if you create an online savings account, the bank will ask you a series of multiple-choice or fill-in-the-blank questions that only you should know. (What is your driver’s license number?). The organization queries independent and authoritative sources, such as credit bureaus or government agencies, before creating these questions.

Some organizations use a cognitive password (also known as security questions) when a known user is trying to change a password. (What is the name of your first pet?). Later, the system uses these questions for authentication. If the user answers all the questions correctly, the system authenticates the user. Cognitive passwords often assist with password management using self-service password reset systems or assisted password reset systems.

A
7
Q
  2. Authorization and Accountability
    Two additional security elements in an access control system are authorization and accountability:

Authorization Subjects are granted access to objects based on proven identities. For example, administrators grant users access to files based on the user’s proven identity.
Accountability Users and other subjects can be held accountable for their actions when auditing is implemented. Auditing tracks subjects and records when they access objects, creating an audit trail in one or more audit logs. For example, auditing can record when a user reads, modifies, or deletes a file. Auditing provides accountability.

A
8
Q

2.3 Authentication Factors
There are three primary authentication factors:

2.3.1 Something You Know The something you know factor of authentication includes memorized secrets such as a password, personal identification number (PIN), or passphrase. Older documents refer to this as a Type 1 authentication factor.

2.3.2 Something You Have The something you have factor of authentication includes physical devices that a user possesses and can help them provide authentication. Examples include a smartcard, hardware token, memory card, or Universal Serial Bus (USB) drive. Older documents refer to this as a Type 2 authentication factor.

2.3.3 Something You Are The something you are factor of authentication uses physical characteristics of a person and is based on biometrics. Examples in the something you are category include fingerprints, face scans, retina patterns, iris patterns, and palm scans. Older documents refer to this as a Type 3 authentication factor.

A

There are three primary authentication factors:
- Something You Know The something you know factor of authentication includes memorized secrets such as a password, personal identification number (PIN), or passphrase. Older documents refer to this as a Type 1 authentication factor.
- Something You Have The something you have factor of authentication includes physical devices that a user possesses and that can help them provide authentication. Examples include a smartcard, hardware token, memory card, or Universal Serial Bus (USB) drive. Older documents refer to this as a Type 2 authentication factor.
- Something You Are The something you are factor of authentication uses physical characteristics of a person and is based on biometrics. Examples in the something you are category include fingerprints, face scans, retina patterns, iris patterns, and palm scans. Older documents refer to this as a Type 3 authentication factor.
9
Q

2.4 Single/multi-factor authentication
Single-factor authentication uses only one authentication factor. Multifactor authentication uses two or more authentication factors.

These types are progressively stronger when implemented correctly, with something you know being the weakest and something you are being the strongest. In other words, passwords are the weakest form of authentication, and a fingerprint is stronger than a password.

In addition to the three primary authentication factors, attributes are sometimes used for additional authentication. These include the following:

2.3.4 Somewhere You Are The somewhere you are factor identifies a subject’s location based on a specific computer, a geographic location identified by an Internet Protocol (IP) address, or a phone number identified by Caller ID. Controlling access by physical location forces a subject to be present somewhere. Geolocation technologies can identify a user’s location based on the IP address, and some authentication systems use geolocation.

2.3.4 Context-Aware Authentication Many mobile device management (MDM) systems use context-aware authentication to identify mobile device users. It can identify multiple attributes such as the user’s location, the time of day, and the mobile device. Organizations frequently allow users to access a network with a mobile device, and MDM systems can detect details on the device when a user attempts to log on. If the user meets all the requirements (location, time, and type of device in this example), it allows the user to log on using the other methods, such as with a username and password.

A

These types are progressively stronger when implemented correctly, with something you know being the weakest and something you are being the strongest. In other words, passwords are the weakest form of authentication, and a fingerprint is stronger than a password.

In addition to the three primary authentication factors, attributes are sometimes used for additional authentication. These include the following:

Somewhere You Are The somewhere you are factor identifies a subject’s location based on a specific computer, a geographic location identified by an IP address, or a phone number identified by Caller ID. Controlling access by physical location forces a subject to be present somewhere. Geolocation technologies can identify a user’s location based on the IP address, and some authentication systems use geolocation.

Context-Aware Authentication Many mobile device management (MDM) systems use context-aware authentication to identify mobile device users. It can identify multiple attributes such as the user’s location, the time of day, and the mobile device. Organizations frequently allow users to access a network with a mobile device, and MDM systems can detect details on the device when a user attempts to log on. If the user meets all the requirements (location, time, and type of device in this example), it allows the user to log on using the other methods, such as with a username and password.

10
Q

2.3.1 Something You Know
The most common authentication technique is the password.
A static password stays the same for a length of time, such as 60 days, but static passwords are the weakest form of authentication.
One way of strengthening a password is by using a passphrase.

The following list includes some common password policy settings:

Maximum Age This setting requires users to change their password periodically, such as every 45 days. Some documents refer to this as password expiration.

Password Complexity Password complexity refers to how many character types it includes. Complex passwords use three or four character types.

Password Length The length is the number of characters in the password, such as at least eight characters long.

Minimum Age This setting prevents users from changing their password again until a certain time has passed.

Password History A password history remembers a certain number of previous passwords and prevents users from reusing passwords.

Several authoritative sources of password policy:
- NIST SP 800-63B, “Digital Identity Guidelines: Authentication and Lifecycle Management”
- Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1

A
11
Q

2.3.1.1 NIST SP 800-63B, “Digital Identity Guidelines: Authentication and Lifecycle Management”
The following list summarizes the changes recommended by NIST:

Passwords must be hashed. Passwords should never be stored or transmitted in cleartext.
Passwords should not expire. Users should not be required to change their passwords regularly, such as every 30 days. Users often changed a single character when forced to change their password. For example, they would change Password1 to Password2. Although this complies with the requirement to change the password, it doesn’t add to security. Attackers use the same methods when guessing passwords.
Users should not be required to use special characters. Requiring users to include special characters often challenged users’ memory, and they wrote these passwords down. Further, NIST analyzed breached password databases and discovered that special characters in passwords didn’t provide the desired benefits.
Users should be able to copy and paste passwords. Password managers allow users to create and store complex passwords. Users enter one password into the password manager to access stored passwords. They can then copy passwords from the password manager and paste passwords into the password text box. When copy and paste is restricted, users must retype the password and typically default to easier passwords.
Users should be able to use all characters. Password storage mechanisms have commonly rejected spaces and some special characters. By allowing spaces, users can create longer passwords that are easier to remember. Systems sometimes reject special characters to prevent attacks (such as a SQL injection attack), but properly hashing the password masks these characters.
Password length should be at least eight characters and as many as 64 characters. A longer length allows users to create passphrases that are meaningful to them.
Password systems should screen passwords. Before accepting a password, password systems should check them against a list of commonly used passwords, such as 123456 or password.

A
12
Q

2.3.1.2 PCI DSS Password Requirements
The PCI DSS (version 3.2.1) has the following requirements, which differ from NIST SP 800-63B:

Passwords expire at least every 90 days.
Passwords must be at least seven characters long.

A
13
Q

2.3.2 Something You Have
Smartcards and hardware tokens are both examples of the Type 2, or something you have, factor of authentication. They are rarely used by themselves but are commonly combined with another authentication factor, providing multifactor authentication.

Smartcards
A smartcard is a credit card–sized ID or badge and has an integrated circuit chip embedded in it. Smartcards contain information about the authorized user that is used for identification and/or authentication purposes. Most current smartcards include a microprocessor and one or more certificates. The certificates are used for asymmetric cryptography such as encrypting data or digitally signing emails.
Users insert the card into a smartcard reader when authenticating.
Tokens
A token device, or hardware token, is a password-generating device that users can carry with them. Tokens are typically combined with another authentication mechanism. For example, users might enter a username and password (in the something you know factor of authentication) and then enter the number displayed in the token (in the something you have factor of authentication). This provides multifactor authentication.

Hardware token devices use dynamic one-time passwords, making them more secure than static passwords. These are typically six- or eight-digit PINs.

Time-Based One-Time Passwords Time-based one-time passwords (TOTPs) are generated by devices and applications that are synchronized with an authentication server. They generate a new OTP periodically, such as every 60 seconds. This requires the authenticator and the server to have accurate and synchronized clocks. For this reason, TOTP approaches are also known as synchronous authenticators.

Hash-Based One-Time Passwords HMAC-based one-time passwords (HOTP) do not use a clock. Instead, the hardware authenticator generates OTPs based on an algorithm and an incrementing counter. When using an incrementing counter, the user clicks a button, causing the authenticator to create a dynamic one-time password that stays the same until it is used for authentication. For this reason, HOTP approaches are also known as asynchronous authenticators.

A
14
Q

2.3.3 Something You Are
Another common authentication and identification technique is the use of biometrics. Biometric factors fall into the Type 3 (something you are) category.
Fingerprints Fingerprints are the visible patterns on the fingers and thumbs of people. Fingerprints have loops, whorls, ridges, and bifurcations (also called minutiae), and fingerprint readers match the minutiae to data within a database.
Face Scans Face scans use the geometric patterns of faces for detection and recognition.
Retina Scans Retina scans focus on the pattern of blood vessels at the back of the eye.
Iris Scans Focusing on the colored area around the pupil, iris scans are the second-most accurate form of biometric authentication.
Palm Scans Palm scanners scan the palm of the hand for identification.
Voice Pattern Recognition This type of biometric authentication relies on the characteristics of a person’s speaking voice, known as a voiceprint.

Biometric Registration. For a biometric device to work as an identification or authentication mechanism, enrollment (or registration) must occur. During enrollment, a subject’s biometric factor is sampled and stored in the device’s database. This stored sample of a biometric factor is the reference profile (also known as a reference template).
The throughput rate is the amount of time the system requires to scan a subject and approve or deny access.

A
15
Q

2.3.3 Something You Are
Biometric Factor Error Ratings
False Rejection Rate A false rejection occurs when an authentication system does not authenticate a valid user. This is sometimes called a false negative authentication. The ratio of false rejections to valid authentications is known as the false rejection rate (FRR). False rejection is sometimes called a Type I error.

False Acceptance Rate A false acceptance occurs when an authentication system authenticates someone incorrectly. This is also known as a false positive authentication. The ratio of false positives to valid authentications is the false acceptance rate (FAR). False acceptance is sometimes called a Type II error.

Most biometric devices have a sensitivity adjustment. When a biometric device is too sensitive, false rejections (false negatives) are more common. When a biometric device is not sensitive enough, false acceptance (false positives) are more common.

The overall quality of biometric devices is measured with the crossover error rate (CER), also known as the equal error rate (EER). The point where the FRR and FAR percentages are equal is the CER, and the CER is used as a standard assessment value to compare the accuracy of different biometric devices. Devices with lower CERs are more accurate than devices with higher CERs.

A
16
Q

2.4 Multifactor Authentication (MFA)
Multifactor authentication (MFA) is any authentication using two or more factors. Two-factor authentication (2FA) requires two different proofs of identity to provide authentication. In contrast, any authentication method using only a single factor is single-factor authentication.
Multifactor authentication must use multiple types or factors, such as the something you know factor and the something you have factor. In contrast, requiring users to enter a password and a PIN is not multifactor authentication because both methods are from a single authentication factor (something you know).

A
17
Q

2.4.1 Two-Factor Authentication with Authenticator Apps
Smartphones and tablets support authenticator apps, such as the Microsoft Authenticator or Google Authenticator. These provide a simple way to implement 2FA without a hardware token.
Let’s say you configure Google Authenticator on your smartphone and then configure a website to use Google Authenticator. Later, after you enter your username and password to log into your account, the site prompts you to enter a verification code. You open Google Authenticator on your smartphone and see a six-digit PIN displayed. After entering the six-digit PIN, you have access.

  • HOTP. The hash message authentication code (HMAC) includes a hash function used by the HMAC-based One-Time Password (HOTP) standard to create one-time passwords. It typically creates HOTP values of six to eight digits.
  • TOTP. The Time-based One-Time Password standard is similar to HOTP. However, it uses a timestamp and remains valid for a certain time frame, such as 30 seconds.
A

Let’s say you configure Google Authenticator on your smartphone and then configure a website to use Google Authenticator. Later, after you enter your username and password to log into your account, the site prompts you to enter a verification code. You open Google Authenticator on your smartphone and see a six-digit PIN displayed. After entering the six-digit PIN, you have access.

18
Q

2.4.2 Passwordless Authentication
Passwordless authentication allows users to log into systems without entering a password (or any other memorized secret). As an example, many smartphones and tablets support biometric authentication.
Once you get past the logon screen, many internal applications use the same authentication methods to access sensitive data.
The Fast Identity Online (FIDO) Alliance is an open industry association with a stated mission of reducing the over-reliance on passwords. Some of the problems they’ve identified with passwords are:

Users have as many as 90 online accounts.
Up to 51 percent of passwords are reused.
Passwords are the root cause of over 80 percent of data breaches.
Users abandon one-third of online purchases due to forgotten passwords.
FIDO has created several recommended frameworks and protocol standards. The FIDO2 project (now known as Web Authentication or WebAuthn) began in 2014 and has gone through multiple revisions. In 2019, the World Wide Web Consortium (W3C) released it as a W3C recommendation.

A
19
Q

2.4.3 Device Authentication
One method is device fingerprinting. Users can register their devices with the organization and associate them with their user accounts. During registration, a device authentication system captures the characteristics of the device. This is often accomplished by having the user access a web page with the device. The registration system then identifies the device using attributes such as the operating system and version, web browser, browser fonts, browser plug-ins, time zone, data storage, screen resolution, cookie settings, and HTTP headers.
Organizations typically use third-party tools, such as the SecureAuth Identity Provider (IdP), for device authentication.

As mentioned previously, many MDM systems use context-aware authentication methods to identify devices. They typically work with network access control (NAC) systems to check the device’s health and grant or restrict access based on requirements configured within the NAC system.

802.1X is another method used for device authentication. It can be used for port-based authentication on some routers and switches. Additionally, it is often used with wireless systems, forcing users to log on with an account before being granted access to a network. Many MDM and NAC solutions implement 802.1X solutions to control user access from mobile devices.

A
20
Q

2.4.4 Service Authentication
Many services also require authentication, and they typically use a username and password. A service account is simply a user account that an administrator created for a service or application instead of a person.

Because a service account has a high level of privileges, administrators configure it with a strong, complex password that is changed more often than the passwords of regular users. However, administrators need to change these passwords manually. The longer a password remains the same, the more likely it is to be compromised. Another option is to configure the account to be noninteractive, which prevents a user from logging onto the account using traditional logon methods.

Services can be configured to use certificate-based authentication. Certificates are issued to the device running the service and presented by the service when accessing resources. Web-based services often use application programming interface (API) methods to exchange information between systems. These API methods are different depending on the web-based service. As an example, Google and Facebook provide web-based services that web developers use, but they use different implementations.

A
21
Q

2.4.5 Mutual Authentication
There are many occasions when mutual authentication is needed. As an example, when a client accesses a server, both the client and the server provide authentication. This prevents a client from revealing information to a rogue server. Mutual authentication methods commonly use digital certificates.

For example, when employees are connecting to a company network while working from home, they typically connect to a virtual private network (VPN) server. Both the server and the client present digital certificates to the other endpoint, providing two-way authentication. If this mutual authentication fails, the two endpoints don’t start a communication session.

A
22
Q

2.5 Implementing Identity Management
Identity management (IdM) implementation techniques generally fall into two categories:

Centralized access control implies that a single entity within a system performs all authorization verification.
Decentralized access control (also known as distributed access control) implies that various entities located throughout a system perform authorization verification.

A small team or individual can manage centralized access control. Administrative overhead is lower because all changes are made in a single location, and a single change affects the entire system. However, a vulnerability is that centralized access control potentially creates a single point of failure.
Decentralized access control often requires several teams or multiple individuals. Administrative overhead is higher because changes must be implemented across numerous locations. Maintaining consistency across a system becomes more difficult as the number of access control points increases. Changes made to any individual access control point need to be repeated at every access point.

A
23
Q

2.5.1 Single Sign-On
Single sign-on (SSO) is a centralized access control technique that allows a subject to be authenticated once on a system and access multiple resources without authenticating again.
The primary disadvantage of SSO is that once an account is compromised, an attacker gains access to every resource that account is authorized for. That single credential therefore deserves strong protection, such as multifactor authentication.

A
24
Q

2.5.2 LDAP and Centralized Access Control
Within a single organization, a centralized access control system is often used for SSO. For example, a directory service is a centralized database that includes information about subjects and objects, including authentication data. Many directory services are based on the Lightweight Directory Access Protocol (LDAP). For example, the Microsoft Active Directory Domain Services (AD DS) is LDAP based.
Multiple domains and trusts are commonly used in access control systems. A security domain is a collection of subjects and objects that share a common security policy, and individual domains can operate separately from other domains. Trusts are established between the domains to create a security bridge and allow users from one domain to access another domain’s resources. Trusts can be one-way only, or they can be two-way.
A public key infrastructure (PKI) also uses LDAP: certificate authorities (CAs) commonly publish certificates and certificate revocation lists (CRLs) in an LDAP directory, and clients query the directory when they need to locate or check a certificate. LDAP-based directory services and other centralized access control systems can be used to support SSO capabilities.

A
25
Q

2.5.3 SSO and Federated Identities
Cloud-based applications commonly use federated identity management (FIM) systems, which are a form of SSO.

Identity management is the management of user identities and their credentials. A federated identity links a user’s identity in one system with multiple identity management systems.

FIM extends this beyond a single organization. Multiple organizations can join a federation or group, where they agree to share identity information. Users in each organization can log on once in their own organization, and their credentials are matched with a federated identity. They can then use this federated identity to access resources in any other organization within the group.

A challenge with multiple companies communicating in a federation is agreeing on a common language. The common standards used to implement federated identity management systems are Security Assertion Markup Language (SAML), OAuth, and OpenID Connect (OIDC); OIDC is an identity layer built on top of OAuth 2.0.

Federated identity management systems can be hosted on-premises, in the cloud, or in a combination of the two as a hybrid system.
- Cloud-Based Federation. A cloud-based federation typically uses a third-party service to share federated identities. A common method is to match the user’s internal login ID with a federated identity. Users log on within the organization using their normal login ID.
- On-premises federated identity management system. By creating an on-premises federated identity management system, both companies can share authentication data. This system allows users to continue to log on normally, but they will also have access to the other company’s network resources.
- A hybrid federation is a combination of a cloud-based solution and an on-premises solution.

- Just-in-Time. Some federated identity solutions support just-in-time (JIT) provisioning. These solutions automatically create the relationship between the two entities so that new users can access resources.
A JIT solution creates the account without any administrator intervention. With JIT provisioning, employees log on normally to their employer’s network. The first time an employee accesses a partner’s site (for example, a third-party benefits provider), the JIT system exchanges data with the employer’s identity provider and creates the employee’s account on the partner site.
JIT systems commonly use SAML to exchange the required data. SAML gives entities a lot of flexibility to exchange a wide assortment of data.
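The federation and JIT provisioning flow described above, as an added example that is not part of the original flashcard. The benefits provider acts as the service provider; the issuer URLs, role mapping and the simplified SAML-style assertions are all constructed for the demo, and the code assumes the SAML library has already verified each assertion's signature, audience and validity window before it gets here.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed federation configuration for a benefits provider acting as the
# service provider (SP): which identity providers (IdPs) it trusts, and how each
# IdP's group names map onto local roles.
TRUSTED_ISSUERS = {"https://idp.employer.example", "https://idp.partner.example"}
ROLE_MAP = {
    "https://idp.employer.example": {"employees": "benefits-user", "hr-staff": "benefits-admin"},
    "https://idp.partner.example": {"staff": "benefits-user"},
}

# Constructed, already signature-checked SAML-style assertions (a real SP must
# verify the IdP's signature, audience and validity window before this code runs).
FIRST_LOGIN = {
    "issuer": "https://idp.employer.example",
    "subject": "jdoe",
    "attributes": {"email": "jdoe@employer.example", "groups": ["employees", "hr-staff"]},
}
LATER_LOGIN = {  # same person a month later, after leaving the HR team
    "issuer": "https://idp.employer.example",
    "subject": "jdoe",
    "attributes": {"email": "jdoe@employer.example", "groups": ["employees"]},
}
ROGUE_LOGIN = {  # same subject name, but asserted by an IdP outside the federation
    "issuer": "https://idp.attacker.example",
    "subject": "jdoe",
    "attributes": {"email": "jdoe@employer.example", "groups": ["hr-staff"]},
}


@dataclass
class LocalAccount:
    federated_id: str
    email: str
    roles: set[str] = field(default_factory=set)


class ServiceProvider:
    def __init__(self) -> None:
        self.accounts: dict[str, LocalAccount] = {}

    def handle_assertion(self, assertion: dict) -> LocalAccount:
        """Map a federated identity to a local account, creating it on first use (JIT)."""
        issuer = assertion["issuer"]
        if issuer not in TRUSTED_ISSUERS:
            raise PermissionError(f"assertion from untrusted issuer {issuer}")
        # The federated identity is (issuer, subject): 'jdoe' at two different
        # IdPs must never collapse into one local account.
        fed_id = f"{issuer}#{assertion['subject']}"
        groups = assertion["attributes"].get("groups", [])
        roles = {ROLE_MAP[issuer][g] for g in groups if g in ROLE_MAP[issuer]}
        account = self.accounts.get(fed_id)
        if account is None:
            # First visit: provision the account without an administrator.
            account = LocalAccount(fed_id, assertion["attributes"]["email"], roles)
            self.accounts[fed_id] = account
        else:
            # Later visits: resync roles so local privilege follows the IdP's view.
            account.roles = roles
        return account


def is_accepted(sp: ServiceProvider, assertion: dict) -> bool:
    """True if the SP accepts the assertion, False if it rejects the issuer."""
    try:
        sp.handle_assertion(assertion)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    sp = ServiceProvider()
    print(sp.handle_assertion(FIRST_LOGIN))   # account created with two roles
    print(sp.handle_assertion(LATER_LOGIN))   # same account, admin role dropped
    print(is_accepted(sp, ROGUE_LOGIN))       # False
```

Two details matter in practice: the local account is keyed on issuer plus subject, not on the bare username, and roles are re-derived from every assertion so that a role removed at the employer's IdP is removed at the partner on the next login rather than lingering.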

A
26
Q

2.5.4 Credential Management Systems
Credential management systems provide storage space for usernames and passwords. As an example, many web browsers can remember usernames and passwords for any site that a user has visited.
Some federated identity management solutions use the Credential Management API. This allows different web applications to implement SSO solutions using a federated identity provider. As an example, if you have a Google or Facebook account, you can use one of them to sign in to Zoom.
Identity as a service, or identity and access as a service (IDaaS), is a third-party service that provides identity and access management. IDaaS effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based software as a service (SaaS) applications.

A
27
Q

2.5.4 Credential Manager Apps
Windows includes the Credential Manager applet in the Control Panel. It encrypts credentials and stores them; when the user returns to the website or opens the application, the credentials are retrieved from Credential Manager.

Third-party password managers such as KeePass (a freeware tool) and Enpass store credentials in an encrypted database that users unlock with a master password. Once the database is unlocked, users can copy a password and paste it into a website form.

A
28
Q

2.5.4 Scripted Access
Scripted access or logon scripts establish communication links by providing an automated process to transmit login credentials at the start of a login session. Scripted access can often simulate SSO even though the environment still requires a unique authentication process to connect to each server or resource. Scripts can implement SSO in environments where true SSO technologies are not available. Scripts and batch files should be stored in a protected area because they usually contain access credentials in cleartext.
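An added example, not part of the original flashcard, of the check that follows from the last sentence: a small audit that flags logon scripts with cleartext credentials or permissions loose enough that other users on the host can read them. The two sample scripts, the share and account names and the credential patterns are constructed for the demo; the "good" script assumes the credential was stored beforehand with cmdkey so nothing secret lives in the file.

```python
import os
import re
import stat
import tempfile

# Patterns that usually mean a credential is embedded in a logon script.
CREDENTIAL_PATTERNS = [
    re.compile(r"/user:\S+\s+\S+", re.IGNORECASE),               # net use ... /user:DOM\acct <password>
    re.compile(r"\b(password|passwd|pwd)\s*[=:]\s*\S+", re.IGNORECASE),
]

# Constructed sample scripts. BAD_SCRIPT embeds credentials; GOOD_SCRIPT relies on a
# credential previously stored with cmdkey, so nothing secret lives in the file.
BAD_SCRIPT = r"""@echo off
net use Z: \\fs01\share /user:CORP\backup_svc Hunter2!
set PASSWORD=Hunter2!
"""
GOOD_SCRIPT = r"""@echo off
REM the CORP\backup_svc credential for fs01 was stored once with cmdkey /add:fs01 ...
net use Z: \\fs01\share
"""


def audit_script(path: str) -> list:
    """Return findings for one script: loose file permissions and embedded credentials."""
    findings = []
    if os.stat(path).st_mode & stat.S_IROTH:
        findings.append("world-readable")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            if any(p.search(line) for p in CREDENTIAL_PATTERNS):
                findings.append(f"line {lineno}: possible cleartext credential")
    return findings


def demo() -> tuple:
    """Write both samples to a temp dir with typical permissions and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "logon_bad.cmd")
        good = os.path.join(tmp, "logon_good.cmd")
        for path, body, mode in ((bad, BAD_SCRIPT, 0o644), (good, GOOD_SCRIPT, 0o600)):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)   # 0o644 leaves the file readable by everyone on the host
        return audit_script(bad), audit_script(good)


if __name__ == "__main__":
    bad_findings, good_findings = demo()
    print("logon_bad.cmd: ", bad_findings)
    print("logon_good.cmd:", good_findings)
```

Run it over a real logon-script share to get a list of files to move into a protected location or to rewrite against a credential store; the regexes are deliberately simple and will need tuning for other scripting languages.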

A
29
Q

2.5.5 Session Management
When you’re using any type of authentication system, it’s important to use session management methods to prevent unauthorized access. This applies both to local sessions on computers such as desktop PCs and to online sessions with an application.

  • Desktop PCs and laptops include screen savers. These change the display when the computer isn’t in use by displaying random patterns or different pictures or simply blanking the screen. Screen savers have a configurable timeout in minutes, commonly set between 10 and 20 minutes; configured to require a password on resume, the screen saver also locks the session.
  • Secure online sessions, such as online banking, also terminate after a period of inactivity. If the user closes a browser tab without logging off, the session may remain valid on the server, leaving the user’s account exposed to anyone who later gains access to the browser. Developers commonly use web development frameworks to implement session management. The framework creates a session identifier or token at the beginning of the session, and the client sends this identifier with every HTTP request throughout the session. Forcing Transport Layer Security (TLS) for the whole session ensures the identifier is never transmitted in cleartext. These frameworks also provide methods to expire sessions.
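An added example, not part of the original flashcard or of any particular framework, of the server-side session store the second bullet describes: an unguessable identifier, an idle timeout and an absolute timeout, rotation of the identifier after login, and server-side invalidation on logout. The class name, timeout defaults and the injectable clock are assumptions made for the demo.

```python
from __future__ import annotations

import secrets
import time


class SessionManager:
    """Server-side session store with idle and absolute timeouts."""

    def __init__(self, idle_timeout: float = 15 * 60, absolute_timeout: float = 8 * 3600,
                 clock=time.time) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._sessions: dict[str, dict] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)          # 256 random bits: not guessable
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid: str):
        """Return the session's user, or None (and drop the session) if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self.idle_timeout or now - s["created"] > self.absolute_timeout:
            del self._sessions[sid]          # expired: remove it so it cannot be revived
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, sid: str):
        """Issue a fresh identifier after login or a privilege change (defeats session fixation)."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)     # server-side invalidation, not just a cleared cookie

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        # Secure: sent only over TLS; HttpOnly: hidden from page scripts;
        # SameSite: not attached to most cross-site requests.
        return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    mgr = SessionManager(idle_timeout=60)
    sid = mgr.create("alice")
    print(mgr.set_cookie_header(sid))
    print(mgr.validate(sid))            # alice
    mgr.logout(sid)
    print(mgr.validate(sid))            # None
```

The absolute timeout is what closes the "tab closed but never logged off" window: an idle-only policy can be kept alive indefinitely by a page that polls the server.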
A
30
Q

2.6 Managing the Identity and Access Provisioning Lifecycle
The identity and access provisioning lifecycle refers to the creation, management, and deletion of accounts. As mentioned previously, identification occurs when a subject claims an identity. This identity is most commonly a user account, but it also includes computer accounts and service accounts.

A
31
Q

2.6.1 Provisioning and Onboarding
An organization typically has an onboarding process after hiring new employees. This includes creating the user account and provisioning it with all the privileges the employee will need in their new job.
Proper provisioning ensures that personnel follow specific procedures when creating accounts (according to the policy). The initial creation of a new user account is often called an enrollment or registration. The only item that must be provided is a username or a unique identifier. However, based on an organization’s established processes, it typically includes multiple details on the user, such as the user’s full name, email address, and more.
Many organizations have automated provisioning systems.
If the organization is using groups (or roles), the application can automatically add the new user account to the appropriate groups based on the user’s department or job responsibilities. The groups will already have appropriate privileges assigned, so this step provisions the account with appropriate privileges.

Provisioning also includes issuing hardware such as laptops, mobile devices, hardware tokens, and smartcards to employees. It’s important to keep accurate records when issuing hardware to employees.

A
32
Q

2.6.2 Deprovisioning and Offboarding
Organizations implement deprovisioning and offboarding processes when employees leave an organization.
The easiest way to deprovision an account is to delete it, sometimes referred to as account revocation.
Many organizations choose instead to disable the account when the employee leaves. Disabling keeps the account’s identifier and any data or encryption keys tied to it available while the organization recovers what it needs, and it can be reversed if the departure turns out to be temporary. Organizations typically have policies in place to delete these disabled accounts within 30 days, but the time limit can vary depending on the organization’s needs.
Deprovisioning includes collecting any hardware issued to an employee, such as laptops, mobile devices, and authorization tokens.

A
33
Q

2.6.3 Account Access Review
Administrators periodically review accounts to ensure they don’t have excessive privileges. Account reviews also check to ensure accounts comply with security policies. This includes user accounts, system accounts, and service accounts.
It’s important to guard against two problems related to access control: excessive privilege and creeping privileges. Excessive privilege occurs when users have more privileges than their assigned work tasks dictate.
Creeping privileges (sometimes called privilege creep) involves a user account accumulating additional privileges over time as job roles and assigned tasks change.
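An added example, not part of the original flashcard, that walks one account set through the lifecycle of sections 2.6.1 to 2.6.3: group-based provisioning, the two ways privilege goes wrong (an ad-hoc grant, and a role change that adds new privileges without removing old ones), an access review that reports exactly those excess privileges, and disable-then-delete offboarding with a 30-day retention. The role catalogue, usernames and dates are constructed for the demo.

```python
from __future__ import annotations

from datetime import date, timedelta

# Constructed role catalogue: each group/role carries a fixed set of privileges,
# so provisioning an account is just placing it in the right groups.
ROLE_PRIVILEGES = {
    "helpdesk": {"reset-passwords", "read-tickets"},
    "finance": {"read-ledger", "post-journal"},
    "finance-admin": {"read-ledger", "post-journal", "approve-payments"},
}
RETENTION_DAYS = 30   # disabled accounts are deleted after this many days


def privileges_for(roles) -> set[str]:
    return set().union(*(ROLE_PRIVILEGES[r] for r in roles))


class Account:
    def __init__(self, username: str, roles: set[str], privileges: set[str]) -> None:
        self.username = username
        self.roles = roles
        self.privileges = privileges
        self.disabled_on: date | None = None


class Directory:
    def __init__(self, today: date) -> None:
        self.today = today
        self.accounts: dict[str, Account] = {}

    # --- provisioning (2.6.1) ------------------------------------------------
    def onboard(self, username: str, roles) -> Account:
        roles = set(roles)
        acct = Account(username, roles, privileges_for(roles))   # privileges come from groups
        self.accounts[username] = acct
        return acct

    def change_role(self, username: str, roles) -> None:
        """Job change done the way it often is: new privileges added, old ones never removed."""
        acct = self.accounts[username]
        acct.roles = set(roles)
        acct.privileges |= privileges_for(acct.roles)   # creeping privileges start here

    def grant(self, username: str, privilege: str) -> None:
        """Ad-hoc grant outside any role (a common source of excessive privilege)."""
        self.accounts[username].privileges.add(privilege)

    # --- deprovisioning (2.6.2) ----------------------------------------------
    def offboard(self, username: str) -> None:
        self.accounts[username].disabled_on = self.today   # disable first; delete later

    def can_logon(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.disabled_on is None

    def purge_expired(self) -> list[str]:
        """Delete accounts that have been disabled for RETENTION_DAYS or longer."""
        cutoff = self.today - timedelta(days=RETENTION_DAYS)
        gone = [u for u, a in self.accounts.items()
                if a.disabled_on is not None and a.disabled_on <= cutoff]
        for u in gone:
            del self.accounts[u]
        return gone

    # --- account access review (2.6.3) ---------------------------------------
    def access_review(self) -> dict[str, set[str]]:
        """Privileges each enabled account holds beyond what its current roles justify."""
        excess = {}
        for u, a in self.accounts.items():
            if a.disabled_on is None:
                extra = a.privileges - privileges_for(a.roles)
                if extra:
                    excess[u] = extra
        return excess

    def remediate(self) -> None:
        for u, extra in self.access_review().items():
            self.accounts[u].privileges -= extra


if __name__ == "__main__":
    d = Directory(today=date(2024, 1, 1))
    d.onboard("alice", ["helpdesk"])
    d.change_role("alice", ["finance"])        # helpdesk privileges linger
    d.onboard("bob", ["finance"])
    d.grant("bob", "approve-payments")         # more than the finance role allows
    print(d.access_review())                   # {'alice': {...}, 'bob': {'approve-payments'}}
```

The review compares what an account actually holds against what its roles imply; anything left over is either privilege creep or an ad-hoc grant, and both are the findings a periodic review exists to surface.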

A