Lesson 4: Implement Identity and Access Management Flashcards
What is the purpose of authentication?
Verifies that only the account holder can use an account.
List the key considerations in authentication design.
- Confidentiality
- Integrity
- Availability
What does confidentiality in authentication aim to achieve?
Prevent credential theft.
(You are who you say you are)
What does integrity in authentication ensure?
Reliability and resistance to bypassing.
(The data is unchanged, what I sent is what is received)
What is meant by availability in authentication?
The system must be user-friendly and efficient.
(The system is available to use)
What are the authentication factors?
- Something You Know
- Something You Have
- Something You Are
- Somewhere You Are
Give an example of ‘Something You Know’ in authentication.
Passwords, passphrases, PINs.
What falls under ‘Something You Have’ in authentication?
Smart cards, OTP tokens, security keys.
What is an example of ‘Something You Are’ in authentication?
Biometric data like fingerprints or facial recognition.
What does ‘Somewhere You Are’ refer to in authentication?
Location-based factors using IP addresses or geolocation.
What are strong password management policies?
Policies for password length, complexity, age, and reuse.
What are the risks associated with password managers?
- Weak master password
- Vendor being compromised
- Impersonation attacks
What is multifactor authentication (MFA)?
Combines multiple factors (e.g., password + smartphone) for stronger security.
What is the enrollment process in biometric authentication?
Creates a unique template for each user.
Define False Rejection Rate (FRR).
Legitimate users denied access.
Define False Acceptance Rate (FAR).
Unauthorized users accepted.
What is the Crossover Error Rate (CER)?
Intersection of FRR and FAR; lower is better.
Differentiate between hard tokens and soft tokens.
- Hard Tokens: Hardware-based (smart cards, U2F security keys, OTP devices)
- Soft Tokens: Software-based (e.g., authenticator apps, SMS/email OTPs)
What is passwordless authentication?
Uses FIDO2/WebAuthn for local gesture or biometric unlocks for authentication.
What is Discretionary Access Control (DAC)?
Resource owner controls access and can modify the Access Control List (ACL).
Define Mandatory Access Control (MAC).
Access control based on security clearance levels.
What is Role-Based Access Control (RBAC)?
Permissions assigned based on roles.
What does Attribute-Based Access Control (ABAC) use for decisions?
Combination of attributes and context.
What is Rule-Based Access Control?
Permissions assigned by system-enforced rules, not by system users.
What does the principle of Least Privilege entail?
Users and accounts are granted only the permissions needed for their tasks.
What is the purpose of user account provisioning?
Setting up a service according to a standard procedure or best practice checklist.
List the steps involved in provisioning.
- Identity Proofing
- Issuing Credentials
- Issuing Hardware and Software Assets
- Teaching Policy Awareness
- Creating Permissions Assignment
In regards to Provisioning, what is Identity Proofing?
The process of setting up a service according to a standard procedure or best practice checklist.
In regards to Provisioning, explain Issuing Credentials?
Lets the user select a password known only to them and/or enrolls them with biometric or token-based authenticators.
In regards to Provisioning, explain Issuing Hardware and Software Assets.
Providing a computer or phone to the user.
In regards to Provisioning, explain Teaching Policy Awareness.
Scheduling training and providing learning material so the employee is aware of security policies and risk.
In regards to Provisioning, explain Creating Permissions Assignment.
Identifying the work roles that the account must support and configuring role-based or attribute-based control models.
What is deprovisioning?
Removing access rights and permissions from an employee.
What is an example of location-based account restrictions?
Restricting logins by IP address, VLAN, or geolocation.
What are time-based restrictions in account access?
Set login hours, maximum durations, impossible travel time, or temporary permissions.
What does Privileged Access Management (PAM) refer to?
Policies, Procedures, and Technical Controls to prevent privileged accounts from being compromised.
What is Zero Standing Privilege (ZSP)?
Temporary elevation of admin rights for a limited time.
What is the purpose of password vaulting/brokering?
Privileged accounts must be ‘checked out’ from a repository for a limited time.
Define ephemeral credentials.
Credentials generated or enabled for a task and destroyed or disabled afterward.
What is Directory Services?
Centralized repository for managing accounts and attributes.
Ex. Active Directory (AD), or Lightweight Directory Access Protocol (LDAP)
What is a Distinguished Name (DN)?
A collection of attributes that define a unique identifier for any given resource.
The DN is made up of attribute-value pairs, separated by commas.
What is Single Sign-On (SSO)?
Authenticate once and access multiple services.
What does Kerberos use for secure authentication?
Ticket Granting Ticket (TGT) and service tickets.
This encrypts the date and time on the local computer with the users password hash as the key.
Kerberos is implemented by Microsoft Active Directory.
What is federation in identity management?
Allows trust relationships between different networks.
A user just needs to log in once with an identity provider (IdP) and is able to access multiple service providers (SPs)
What are claims-based identities?
Identity provider issues signed claims (tokens) for authentication.
What is Security Assertion Markup Language (SAML)?
Uses XML for identity assertions.
Is common in cloud services like AWS.
What is Simple Object Access Protocol (SOAP) used for?
Used to establish communications along with HTTP/HTTPS.
Tightly specified, not used in many public cloud Application Programming Interfaces (API).
What is Representational State Transfer (REST) used for?
Is used in many public cloud Application Programming Interfaces (API).
Rest has looser framework, allowing the service provider more choice over the implementation.
What is the purpose of Open Authorization (OAuth)?
Facilitates sharing of user resources between sites.
Used to Authenticate and Authorize a RESTful API.
What is JSON Web Tokens (JWT) used for?
Used for lightweight claims data.
