Domain Four: Identity and Access Management Flashcards
What is the notion of accountability in IAM?
The ability to report on and understand who changed what, and when.
What is authentication?
The process that verifies a claimed identity.
What is authorisation?
Determines what can be done, through a process of allowing or denying access to resources.
What is federation?
Similar to SSO, but it covers multiple enterprises rather than just systems within a single enterprise.
Why is identification important?
We need to be able to identify resources; this includes things such as hardware, software, people and processes.
What is multi-factor authentication?
A combination of two or more types of authentication.
There are five different types:
What you are (biometric)
What you have (token)
What you know (passwords)
Where you are (location)
What you do
What is single sign-on?
The transferring of credentials between systems: the ability to have a single login for multiple systems.
What is transitive trust?
Transitive trust is the concept that if one domain trusts another, then the trusted domain is also trusted by any domain that trusts the initial domain.
If A trusts B and B trusts C, then A trusts C.
What in IAM is the notion of account maintenance?
Account maintenance refers to all the processes run to make sure that an account is valid and appropriate for its needs.
Define guest accounts.
Limited-access accounts for guest users.
Define privileged accounts.
They often have higher permissions than general user accounts and are only assumed by certain users who need to do higher-order tasks outside their day-to-day activity. They should be closely monitored.
What is a service account?
Service accounts are similar to shared accounts: they are also tied to a job function, but unlike shared accounts they do not need human interaction to achieve the task at hand.
What is a shared account?
These are accounts used by multiple people to achieve a job function, such as backup administrator. They should be monitored regularly, and some organisations only allow them to be assumed rather than logged into directly.
Define a user account.
These are accounts attributed to individual users; they may have a friendly name as well as a unique ID. Often it is the unique ID that is logged.
You should not immediately delete an account when a user leaves, because you get tombstoning: since the user has left, there is nothing to tie the logged user ID back to. Most organisations recommend 90 days of account disablement before deletion.
What is group-based access control?
This refers to assigning users to groups that hold permissions, rather than handling permissions for individual users. It is done to ease administrative overhead and complexity.
Why do we need a secure JML process?
We should have a rigorous JML (joiners, movers, leavers) process to stop people retaining access after they leave the organisation or accumulating access as they move from position to position.
What is the concept of least privilege?
Only assign the minimum permissions required to achieve the job function.
What is the process of recertification?
The process of verifying that an account is still required; it can be done via reports showing when the account was last accessed.
At HMRC there is a process that flags all AWS user accounts that have not been logged into for 30 days.
Why should we have a standard naming convention for accounts?
Accounts should be named with a standard convention that can accommodate growth but does not display information that would be useful to an attacker.
mark.teasdale@acme.co.uk is a good example.
What is the concept of time-managed accounts?
Only allow access for a specified time period; this could be normal working hours, or, for highly dangerous accounts, a window measured in hours.
What is credential management?
Refers to the policies, procedures and techniques used to manage credentials.
What is account lockout?
Used when suspected nefarious activity is seen or rules are violated, such as more than three failed login attempts.
What are Group Policy Objects?
A Microsoft technology that can be controlled centrally from the enterprise and applied to the local machine to control credential settings and password complexity rules.
What is password history?
We should limit the re-use of passwords by having a policy on historical passwords.
What are some of the elements contained in a password policy?
An enforceable policy that sets out the rules on what constitutes an acceptable password:
Password Length
Renewal
Symbols allowed
Case
Numbers
Expiry rules
What is attribute-based access control?
Grants access if the attributes of both the resource and the user are sufficient. Uses boolean logic (IF this user has this attribute, THEN this user has this access to the resource).
What is FAR in biometrics?
FAR - False Acceptance Rate - the rate at which people incorrectly get access.
What is FRR in biometrics?
FRR - False Rejection Rate - the rate at which people are incorrectly refused access.
What is CER in biometrics?
CER - Cross Over Rate - the point reached when tuning a device where, ideally, FRR = FAR.
What is discretionary access control?
This is where resource owners or administrators determine the permissions that other users have over those resources.
What is mandatory access control?
Used primarily in government and military settings. In MAC, subjects (users) and objects (resources) are assigned classification levels. Rules enforce whether a subject has access to an object based on those classification levels.
What is role-based access control?
Roles are matched to job functions, and each role has a set of permissions that grant access to resources. Users are then assigned to the relevant role.
What is rule-based access control?
Access is granted based on a set of rules; this can quickly become cumbersome because of the maintenance involved.