Identity and Access Management Solutions Flashcards
A security process that provides identification, authentication, and authorization
mechanisms for users, computers, and other entities to work with organizational
assets like networks, operating systems, and applications
Identity and Access Management
Support the identities of various assets by defining the resources an asset has
permission to access based on the function the asset fulfills
Roles
A policy document that promotes strong passwords by specifying a minimum
password length, requiring complex passwords, requiring periodic password
changes, and placing limits on reuse of passwords
Password Policies
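As an added example (not part of the original flashcards), the following Python enforces the four policy elements named above: minimum length, complexity, maximum age, and a reuse limit. The policy values, the PBKDF2 parameters, and the history layout are assumptions chosen for the example; reuse is checked against salted digests of earlier passwords rather than against stored plaintext.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Assumed policy values for this example (the page does not give numbers).
MIN_LENGTH = 12          # minimum password length
MIN_CLASSES = 3          # of: lowercase, uppercase, digit, symbol
MAX_AGE_DAYS = 90        # periodic change requirement
HISTORY_DEPTH = 5        # the last N passwords may not be reused


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; only digests are kept in the history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def count_classes(password: str) -> int:
    """Number of distinct character classes present in the password."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_candidate(password: str, history: list) -> list:
    """Return the policy violations for a proposed new password.

    history is a list of (salt, digest) pairs, most recent first.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if count_classes(password) < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character classes")
    for salt, digest in history[:HISTORY_DEPTH]:
        # constant-time comparison of the candidate against each remembered digest
        if hmac.compare_digest(hash_password(password, salt), digest):
            violations.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return violations


def is_expired(last_changed_iso: str, now_iso: str) -> bool:
    """True when the password is older than MAX_AGE_DAYS (ISO 8601 timestamps)."""
    last_changed = datetime.fromisoformat(last_changed_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)


def remember(password: str, history: list) -> list:
    """Prepend the new password's salted digest, keeping only HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    return [(salt, hash_password(password, salt))] + history[:HISTORY_DEPTH - 1]


if __name__ == "__main__":
    hist = remember("Old-Password-2023!", [])
    print(check_candidate("short", hist))
    print(check_candidate("Old-Password-2023!", hist))
    print(check_candidate("Correct-Horse-Battery-42", hist))
    print(is_expired("2024-01-01", "2024-06-01"))
```

The history is checked by recomputing the candidate's digest under each stored salt, so the reuse rule works without ever keeping old passwords recoverable.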
Software that generates and stores a unique pseudorandom password or passphrase
for each website a user needs to log on to
Password Manager
Asks the user for information that only they should know, such as their first
school, first model of car, or their first pet’s name
Challenge Questions
Users provide a secondary communication channel, such as another email address or
a cellphone number, to receive a one-time code that verifies their identity when
resetting a password
Two-step Verification
An authentication technology that enables a user to authenticate once and
receive authorizations for multiple services
Single Sign-On (SSO)
An authentication scheme that requires the user to present at least two different
factors as credentials, from something you know, something you have, something
you are, something you do, and somewhere you are
Multifactor Authentication (MFA)
The practice of issuing, updating, and revoking digital certificates
Certificate Management
A Sysinternals utility that allows you to verify root certificates in the local store
against Microsoft’s master trust list
sigcheck
A library of software functions supporting the SSL/TLS protocol
OpenSSL
A Windows utility that allows you to display certification authority (CA)
configuration information, configure Certificate Services, back up and restore CA
components, and verify certificates, key pairs, and certificate chains
certutil
Certificate management tasks:
▪ Installing, updating, and validating trusted root certificates
▪ Deploying, updating, and revoking subject certificates
▪ Preventing use of self-signed certificates
▪ SSH key management
A process that provides a shared login capability across multiple systems and
enterprises
Federation
Creating an account and giving the user authorization to a particular role,
application, or file share (provisioning), and disabling or removing that account
and its authorizations when they are no longer needed (deprovisioning)
Provisioning and Deprovisioning
An account is configured by an administrator on the service provider’s site
Manual Provisioning
Users are enrolled with the service provider without intervention
Automatic Provisioning
The use of authentication and authorization mechanisms to provide an
administrator with centralized or decentralized control of user and group
role-based privilege management
Privilege Management
Access Control Types
o Discretionary Access Control (DAC)
o Mandatory Access Control (MAC)
o Role-Based Access Control (RBAC)
o Attribute-Based Access Control (ABAC)
Access control model where each resource is protected by an Access Control List
(ACL) managed by the resource’s owner (or owners)
Discretionary Access Control (DAC)
Access control model where resources are protected by inflexible, system-defined
rules where every resource (object) and user (subject) is allocated a clearance
level (or label)
SELinux provides a method for implementing MAC
Mandatory Access Control (MAC)
An access control model where resources are protected by ACLs that are
managed by administrators and that provide user permissions based on job
functions
RBAC can be partially implemented in Windows through the concept of group
accounts
Role-Based Access Control (RBAC)
An access control technique that evaluates a set of attributes that each subject
possesses to determine if access should be granted
Attribute-Based Access Control (ABAC)
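As an added example (not part of the original flashcards), the Python below puts the four models side by side as decision functions so the differences are visible in code: under DAC the owner edits the ACL, under MAC the labels are system-defined and the owner cannot override them (Bell-LaPadula "no read up, no write down" is assumed as the rule set), under RBAC permissions attach to roles, and under ABAC rules evaluate subject, object and environment attributes. All role tables, labels and attributes are constructed for the example.

```python
# Clearance levels for the MAC example (assumed ordering).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class DacResource:
    """DAC: the owner holds the ACL and decides who else gets in."""

    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write", "manage"}}

    def grant(self, actor: str, subject: str, perms: set) -> None:
        # only a holder of 'manage' on this object (initially the owner) may edit its ACL
        if "manage" not in self.acl.get(actor, set()):
            raise PermissionError(f"{actor} may not change the ACL of {self.owner}'s resource")
        self.acl.setdefault(subject, set()).update(perms)

    def allows(self, subject: str, perm: str) -> bool:
        return perm in self.acl.get(subject, set())


def mac_allows(clearance: str, label: str, perm: str) -> bool:
    """MAC: labels are set by the system, not by the owner.

    Assumed rule set is Bell-LaPadula: no read up, no write down.
    """
    s, o = LEVELS[clearance], LEVELS[label]
    if perm == "read":
        return s >= o
    if perm == "write":
        return s <= o
    return False


# RBAC: permissions attach to roles; users are assigned roles (compare Windows groups).
ROLE_PERMS = {
    "analyst": {("cases", "read"), ("cases", "comment")},
    "manager": {("cases", "read"), ("cases", "approve")},
}
USER_ROLES = {"bob": {"analyst"}, "carol": {"analyst", "manager"}}


def rbac_allows(user: str, resource: str, action: str) -> bool:
    return any((resource, action) in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))


def abac_allows(subject: dict, obj: dict, env: dict, action: str) -> bool:
    """ABAC: each rule is a predicate over subject, object and environment attributes."""
    same_dept = subject["department"] == obj["department"]
    on_corp_net = env["network"] == "corp"
    business_hours = 8 <= env["hour"] < 18
    rules = {
        "read": same_dept or obj["classification"] == "public",
        "write": same_dept and on_corp_net and business_hours,
    }
    return rules.get(action, False)


if __name__ == "__main__":
    doc = DacResource("alice")
    doc.grant("alice", "bob", {"read"})
    print("DAC  bob read:", doc.allows("bob", "read"), "write:", doc.allows("bob", "write"))
    print("MAC  secret reads confidential:", mac_allows("secret", "confidential", "read"))
    print("MAC  secret writes confidential:", mac_allows("secret", "confidential", "write"))
    print("RBAC carol approves:", rbac_allows("carol", "cases", "approve"))
    print("ABAC finance writes from VPN at 22:00:", abac_allows(
        {"department": "finance"},
        {"department": "finance", "classification": "internal"},
        {"network": "vpn", "hour": 22}, "write"))
```

Note what each model lets a non-administrator change: in the DAC class any 'manage' holder can widen the ACL, which is exactly the flexibility MAC removes, while the RBAC and ABAC tables are data an administrator maintains centrally.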
IAM auditing is necessary to detect compromise of a legitimate account, rogue
account use, and insider threat
IAM Auditing
A log of all file access and authentication events within a network operating
system, application, or service, used for:
▪ Accounting for user actions
▪ Detecting intrusions or attempted intrusions
Audit Logs
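As an added example (not part of the original flashcards), the Python below runs two of the detections that IAM auditing is meant to support over a constructed authentication log: a successful logon preceded by a burst of failures from the same source (a brute-force or spray that landed), and a successful logon from a source never seen for that account (a possible compromised-credential use). The log format, field names, thresholds and sample events are all invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): one authentication event per line.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z event=logon user=alice src=10.0.0.5 result=SUCCESS
2024-05-01T09:01:10Z event=logon user=bob src=203.0.113.7 result=FAIL
2024-05-01T09:01:25Z event=logon user=bob src=203.0.113.7 result=FAIL
2024-05-01T09:01:40Z event=logon user=bob src=203.0.113.7 result=FAIL
2024-05-01T09:02:05Z event=logon user=bob src=203.0.113.7 result=FAIL
2024-05-01T09:02:30Z event=logon user=bob src=203.0.113.7 result=FAIL
2024-05-01T09:03:30Z event=logon user=bob src=203.0.113.7 result=SUCCESS
2024-05-01T09:05:00Z event=logon user=alice src=10.0.0.5 result=SUCCESS
2024-05-01T09:10:00Z event=logon user=alice src=198.51.100.9 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_log(text: str) -> list:
    """Parse the assumed key=value format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole review
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events: list, fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> list:
    """Return (indicator, user, src) alerts from a time-ordered event stream.

    brute_force_success: a success preceded by >= fail_threshold failures from the
                         same source within `window`
    new_source:          a success from a source with no earlier success for that user
    """
    alerts = []
    fails = defaultdict(deque)        # (user, src) -> timestamps of recent failures
    seen_sources = defaultdict(set)   # user -> sources with a prior successful logon
    for ev in events:
        q = fails[(ev["user"], ev["src"])]
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            continue
        if len(q) >= fail_threshold:
            alerts.append(("brute_force_success", ev["user"], ev["src"]))
        # the first success for a user only establishes the baseline, it does not alert
        if ev["user"] in seen_sources and ev["src"] not in seen_sources[ev["user"]]:
            alerts.append(("new_source", ev["user"], ev["src"]))
        seen_sources[ev["user"]].add(ev["src"])
        q.clear()
    return alerts


def review(text: str = SAMPLE_LOG) -> list:
    return detect(parse_log(text))


if __name__ == "__main__":
    for alert in review():
        print(alert)
```

The baseline of known sources is built from the log itself here; in practice it would be seeded from a longer history so that a legitimate user's first appearance in the review period is not flagged.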
A manual review of accounts, permissions, configurations, and clearance levels at
a given interval
Recertification
Security policies can be used to direct the behavior of end-user employees
Conduct and Use Policies
A defined set of rules, ethics, and expectations for employees in a particular job
role
Code of Conduct
A contract with terms stating a code of conduct for employees assigned high-level
privileges on network and data systems
Privileged User Agreement (PUA)
A policy that governs employees’ use of company equipment and Internet
services
Acceptable Use Policy (AUP)