5. Identity and Access Management

5.1 Understanding Access Control Fundamentals
1. CISSP Exam Tips
  1. Authentication provides validity
  2. Authorization provides control
  3. Accountability provides non-repudiation (sometimes)
2. Access management objectives
3. Types of access controls
4. Access control system attributes
5.2 Examining Identification Schemas
1. Identification guidelines
2. Profiles
3. Identity management systems
4. Directory services including LDAP and MS AD
5. Single sign-on
6. Federated identity management
7. CISSP Exam Tips
  1. Identification information although seemingly benign can contain sensitive or legally protected information
  2. SSO & Federated Identity although convenient can be extremely dangerous if the system is compromised
  3. Accountability is when actions can be traced to their source
5. Identity and Access Management - 5.3 Understanding Authentication Options
1. Factor requirements
2. Out-of-band authentication
3. Password strengths & weaknessess
4. Password management systems
5. One time passwords or passcodes
6. Tokens, memory cards and smartcards
7. Biometrics
8. Credential management systems (CM)
9. CISSP Exam Tips
  1. Hashed passwords should always be "salted"
  2. Biometric markers may be able to detect addiction, illness and pregnancy
  3. Attacks can gain control of a CM system and issue privileged credentials
5.4 Understanding Authentication Systems
1. Authentication authorities
2. Single sign-on
3. Kerberos
4. SESAME
5. Thin clients
6. Federation Authentication
7. Identitity as a service (IDaaS)
8. CISSP Exam Tips
  1. Kerberos uses tikets for authentication
  2. Federated authentication is prominent on the web
  3. Single sign-on systems can be a single point of failure (SPOF)
5.5 Implementing Access and Authorization Criteria
1. CISSP Exam Tips
  1. Privilege trumps rights and persmissions
  2. When in doubt, deny access
  3. Authorization creep is the accumulation of access rights, permissions, and privileges over time
2. Rights and permissions
3. Privilege
4. Need to know and least privilege
5. Default allow and default deny
6. Authorization creep
7. Dual control and separation of duties
5.6 Implementing Access Control Models
1. CISSP Exam Tips
  1. The OS and the Application must support the access control model
  2. Role-based access control (RBAC) can be used to enforce separation of duties
  3. In DAC environment, the owner can delegate control decisions
2. Access control models and techniques
3. Mandatory access controls (MAC)
4. Discretionary access controls (DAC)
5. Role-based access controls (RBAC)
5.7 Implementing Access Control Techniques and Technologies
1. Access control lists
2. Capabilities table
3. Rule-based
4. Content-dependent
5. Context-dependent
6. Constrained interfaces including menus, shells, database views and physically constrained interfaces
7. CISSP Exam Tips
  1. Rules are not bound to a subject or an object
  2. An ATM is an example of a constrained interface
  3. ACLs and Capability tables are generally cumulative
5.8 Identity and Access Provisioning
1. CISSP Exam Tips
  1. Provisioning and review are iterative phases
  2. All rights and permissions should be documented in the assignment phase and checked when revocation occurs
  3. Users are vulnerable to social engineering
2. Identity and Access provisioning lifecycle
3. Oversight and privilege account management - Monitoring and auditing
4. Social engineering

Next up

5. Identity and Access Management

Description

Resource summary

Similar

	Created by Marisol Segade over 8 years ago