CISSP Domain 5: Identity and Access Management Guide

Created by A F M Bakabillah

CISSP Domain 5, "Identity and Access Management (IAM)," accounts for 13% of the CISSP exam. This domain is crucial for understanding how to manage the digital identities of individuals and systems, and how to control their access to resources. It covers the entire lifecycle of identity management, from provisioning to de-provisioning, and the various access control models and technologies.

Key Areas of CISSP Domain 5: Identity and Access Management

1. Control Physical and Logical Access to Assets

This section distinguishes between physical and logical access controls and their importance in a comprehensive security program.

1.1 Physical Access Controls

Purpose: Restrict unauthorized physical entry to facilities, data centers, and sensitive areas.
Examples: Fences, gates, locks (key, combination, electronic), mantraps, security guards, CCTV, alarm systems.

1.2 Logical Access Controls

Purpose: Restrict unauthorized access to information systems, applications, and data.
Examples: User IDs, passwords, multi-factor authentication (MFA), access control lists (ACLs), firewalls, encryption, intrusion detection/prevention systems (IDS/IPS).

Example: To access a high-security server room, an employee must first swipe their access card (physical control) to enter a mantrap. Inside the mantrap, they must provide a fingerprint scan (physical biometric control). Once physically in the room, they then log into a server using their username, password, and a one-time code from their authenticator app (logical controls).

2. Manage Identification and Authentication of People, Devices, and Services

This section covers the processes by which entities prove their identity to a system.

2.1 Identification, Authentication, and Authorization

Identification: Claiming an identity (e.g., username).
Authentication: Proving that claimed identity (e.g., password, token, biometric).
Authorization: Determining what an authenticated entity is permitted to do.

2.2 Authentication Factors

Something You Know: Passwords, PINs, security questions.
Something You Have: Smart cards, tokens (hardware/software), mobile phone (for OTP).
Something You Are: Biometrics (fingerprint, iris, facial recognition).
Something You Do: Gait, voice patterns, signature dynamics.
Somewhere You Are: Geolocation, IP address.

2.3 Multi-Factor Authentication (MFA)

Definition: Using two or more distinct authentication factors.
Single Sign-On (SSO): Allows a user to authenticate once and gain access to multiple independent systems without re-authenticating.
Federated Identity Management: Allows users to authenticate with one identity provider and access resources across multiple independent systems or organizations (e.g., SAML, OAuth, OpenID Connect).

Example: An employee logs into the corporate network using their username (identification), password (something you know), and a one-time code generated by an app on their phone (something you have), demonstrating Multi-Factor Authentication. After this initial login, they can access their email, HR portal, and project management software without re-entering credentials due to Single Sign-On.

3. Implement and Manage Access Control Mechanisms

This section details the various models and technologies used to enforce authorization decisions.

3.1 Access Control Models

Discretionary Access Control (DAC): Owner of the resource grants/revokes access (e.g., file permissions in Windows/Unix). Least restrictive.
Mandatory Access Control (MAC): System enforces access based on security labels (e.g., Bell-LaPadula, Biba). Most restrictive, used in high-security environments.
Role-Based Access Control (RBAC): Access granted based on a user's role within the organization. Most common in enterprises.
Rule-Based Access Control: Access granted based on a set of predefined rules (e.g., firewall rules).
Attribute-Based Access Control (ABAC): Access granted based on attributes of the user, resource, and environment. Highly flexible.

3.2 Access Control Technologies

Access Control Lists (ACLs): Lists of permissions attached to an object.
Directory Services: Centralized repositories for user identities and access information (e.g., LDAP, Active Directory).
Kerberos: Network authentication protocol using tickets to grant access to services.
RADIUS/TACACS+: Centralized authentication, authorization, and accounting (AAA) for network access.

Example: A large corporation uses Role-Based Access Control (RBAC). All employees in the "Finance" department are assigned the "Financial Analyst" role, which automatically grants them access to the accounting software and sensitive financial reports. An individual in the "HR" department, assigned the "HR Manager" role, has access to employee records but not financial reports, demonstrating how roles define permissions.

4. Manage the Identity and Access Provisioning Lifecycle

This section covers the processes for creating, maintaining, and revoking user identities and their access rights.

4.1 Account Management

Provisioning: Creating user accounts and granting initial access rights.
Review: Periodically reviewing user access rights to ensure they are still appropriate (e.g., quarterly access reviews).
De-provisioning: Revoking access rights and disabling/deleting accounts when an individual leaves the organization or changes roles.

4.2 Identity Governance and Administration (IGA)

Automated Provisioning: Using systems to automatically create/modify/delete accounts based on HR events.
Segregation of Duties (SoD) Enforcement: Ensuring that no single user can perform conflicting critical tasks.
Privileged Access Management (PAM): Solutions for managing and monitoring highly privileged accounts (e.g., administrators, root).

Example: When a new employee joins, an automated system provisions their user account and assigns initial access based on their job role (provisioning). Every quarter, managers review their team's access rights to ensure they are still appropriate (access review). When an employee leaves, their accounts are immediately disabled and eventually deleted (de-provisioning) to prevent unauthorized access.

5. Implement Identity as a Service (IDaaS)

This section covers cloud-based identity and access management solutions.

5.1 IDaaS Concepts

Definition: Cloud-based service offering identity and access management capabilities (e.g., authentication, SSO, user provisioning).
Benefits: Scalability, reduced on-premise infrastructure, expertise from vendor, rapid deployment.
Challenges: Vendor lock-in, data privacy concerns, reliance on third-party security.

5.2 Common IDaaS Features

SSO and Federation: Centralized authentication for multiple cloud and on-premise applications.
MFA Integration: Providing various MFA options.
User Provisioning: Automated account creation and management across various applications.
Access Governance: Reporting and auditing of access rights.

Example: A startup decides to use an IDaaS provider like Okta or Azure AD to manage all employee identities. This allows them to centralize user accounts, enforce MFA for all logins, and enable SSO for cloud applications like Google Workspace and Salesforce, simplifying access for users and reducing the IT burden.

Key Points to Remember (Exam Tips)

AAA Concepts: Clearly differentiate Identification (claiming), Authentication (proving), and Authorization (permitting). These are fundamental. (e.g., Your username is *identification*, your password is *authentication*, and the permissions granted to your user account are *authorization*.)
Authentication Factors: Memorize the "something you know/have/are/do/are" categories and examples for each. MFA requires at least two *different* factors. (e.g., A password and a PIN are both "something you know" – not MFA. A password and a fingerprint *is* MFA.)
Access Control Models: Understand the core principles and use cases for DAC (owner-controlled, least restrictive), MAC (system-controlled, labels, most restrictive), RBAC (role-based, common in enterprises), and ABAC (attribute-based, most flexible). (e.g., A file owner setting permissions is DAC. A government system enforcing "Top Secret" labels is MAC. Granting all "Sales" department users access to the CRM is RBAC.)
SSO vs. Federation: SSO provides convenient access to multiple applications within one organization. Federation extends this across different organizations or identity providers. (e.g., Logging into your company's internal apps with one login is SSO. Logging into a partner's system using your company credentials is Federation.)
IAM Lifecycle: Know the phases: Provisioning (create), Review (audit), De-provisioning (remove). Timely de-provisioning is critical. (e.g., An employee leaving means their accounts must be *de-provisioned* immediately to prevent insider threats.)
Privileged Access Management (PAM): Understand the importance of securing and monitoring highly privileged accounts. (e.g., Using a PAM solution to rotate root passwords daily and require check-out for admin access significantly reduces risk.)
Directory Services: Recognize LDAP and Active Directory as central components for identity management. (e.g., Active Directory is where most Windows networks store user accounts and apply group policies.)
IDaaS Benefits/Challenges: Know the advantages (scalability, reduced overhead) and disadvantages (vendor lock-in, data sovereignty) of cloud-based IAM. (e.g., An IDaaS solution can quickly scale to millions of users, but you must trust the vendor with your identity data.)
Physical vs. Logical Controls: Be able to identify examples of each and understand how they complement each other in a layered security approach. (e.g., A locked server rack is physical; the password to log into the server is logical.)

Quiz Time!

Choose the best answer for each question.

Question 1: Which of the following is an example of a "something you are" authentication factor?

A) Password B) Smart Card C) Fingerprint Scan D) PIN

Question 2: What is the process of determining what an authenticated user is permitted to do?

A) Identification B) Authentication C) Authorization D) Accountability

Question 3: Which access control model is most commonly used in large enterprise environments due to its scalability and ease of management?

A) Discretionary Access Control (DAC) B) Mandatory Access Control (MAC) C) Role-Based Access Control (RBAC) D) Attribute-Based Access Control (ABAC)

Question 4: What is the primary benefit of Single Sign-On (SSO)?

A) It eliminates the need for passwords. B) It allows users to authenticate once and gain access to multiple independent systems. C) It provides stronger authentication than multi-factor authentication. D) It automatically provisions user accounts in all applications.

Question 5: When an employee leaves an organization, which phase of the identity and access provisioning lifecycle is most critical for security?

A) Provisioning B) Review C) De-provisioning D) Auditing

Question 6: Which of the following is a physical access control?

A) Access Control List (ACL) B) Biometric Scanner for a server room door C) Firewall D) Password policy

Question 7: What is the primary purpose of Privileged Access Management (PAM) solutions?

A) To manage access for all standard users. B) To automate the provisioning of new user accounts. C) To secure and monitor highly privileged accounts. D) To provide Single Sign-On capabilities.

Question 8: Which authentication factor relies on a user's unique biological characteristics?

A) Something You Know B) Something You Have C) Something You Are D) Something You Do

Question 9: What is the main characteristic of Discretionary Access Control (DAC)?

A) Access decisions are based on security labels enforced by the system. B) The owner of the resource determines and grants access permissions. C) Access is granted based on a user's role within the organization. D) Access is dynamically granted based on attributes of the user and resource.

Question 10: Which protocol is commonly used for centralized authentication, authorization, and accounting (AAA) services for network access?

A) LDAP B) Kerberos C) RADIUS D) SAML

Question 11: What is the primary benefit of using an Identity as a Service (IDaaS) solution?

A) It eliminates the need for any on-premise identity infrastructure. B) It provides complete control over data sovereignty. C) It offers scalability and reduces operational overhead for identity management. D) It guarantees zero trust for all users and devices.

Question 12: Which of the following is an example of "Federated Identity Management"?

A) A user logging into multiple applications within the same company using one set of credentials. B) A user logging into a partner company's system using their existing corporate credentials. C) An administrator creating a new user account in Active Directory. D) A system automatically disabling an account after 90 days of inactivity.

Question 13: What is the primary goal of "Segregation of Duties (SoD)" enforcement in IAM?

A) To ensure all employees have equal access to resources. B) To prevent a single individual from performing conflicting critical tasks. C) To automate the entire identity provisioning process. D) To reduce the number of privileged accounts.

Question 14: Which access control model is the most restrictive and typically used in high-security environments, based on security labels?

A) Discretionary Access Control (DAC) B) Mandatory Access Control (MAC) C) Role-Based Access Control (RBAC) D) Attribute-Based Access Control (ABAC)

Question 15: A company implements a system that requires users to provide their username, a password, and a code from a hardware token to log in. This is an example of:

A) Single Factor Authentication B) Multi-Factor Authentication (MFA) C) Federated Identity Management D) Biometric Authentication

Question 16: Which of the following is a common challenge associated with implementing an IDaaS solution?

A) High upfront infrastructure costs. B) Increased complexity for end-users. C) Potential for vendor lock-in and data privacy concerns. D) Limited scalability and performance.

Question 17: What is the purpose of periodic "access reviews" in the identity and access provisioning lifecycle?

A) To create new user accounts. B) To revoke access for terminated employees immediately. C) To ensure user access rights are still appropriate and necessary. D) To automate password resets.

Question 18: Which of the following is a logical access control?

A) Security Guard B) CCTV Camera C) Access Control List (ACL) D) Mantrap

Question 19: Kerberos is a network authentication protocol that primarily uses what to grant access to services?

A) Digital Certificates B) Shared Secrets C) Tickets D) Biometrics

Question 20: What is the main advantage of Attribute-Based Access Control (ABAC) over RBAC?

A) Simpler to manage in large organizations. B) Less granular and easier to implement. C) Provides more granular and flexible access decisions based on dynamic attributes. D) It eliminates the need for user authentication.

Question 21: Which of the following is an example of "something you have" authentication factor?

A) A memorized passphrase. B) A security token generating one-time passwords. C) A voice recognition system. D) Your unique typing rhythm.

Question 22: What is the primary risk if de-provisioning processes are not timely and effective?

A) Increased operational costs for maintaining unused accounts. B) Compliance violations and potential for unauthorized access by former employees. C) Reduced system performance due to too many active accounts. D) Difficulty in auditing user activity.

Question 23: Which of the following is a benefit of using Federated Identity Management?

A) It eliminates the need for any external identity providers. B) It simplifies user access to resources across different organizations or domains. C) It provides stronger physical security for data centers. D) It reduces the number of passwords an individual user has to remember to one.

Question 24: What is the primary function of a Directory Service like LDAP or Active Directory?

A) To store and manage cryptographic keys. B) To provide centralized storage and management for user identities and access information. C) To monitor network traffic for suspicious activity. D) To enforce data loss prevention policies.

Question 25: A company's policy states that all financial transactions over $10,000 require approval from two different managers. This is an example of implementing:

A) Least Privilege B) Role-Based Access Control (RBAC) C) Segregation of Duties (SoD) D) Mandatory Access Control (MAC)

Question 26: Which of the following best describes "Identification" in the AAA framework?

A) Proving who you claim to be. B) Determining what resources you can access. C) Claiming an identity to a system. D) Logging all user actions for auditing.

Question 27: A company uses a smart card that generates a new one-time password every 60 seconds for user logins. This is an example of which authentication factor?

A) Something You Know B) Something You Are C) Something You Have D) Something You Do

Question 28: Which access control model provides the most flexibility and granularity by making access decisions based on multiple attributes of the subject, object, and environment?

A) Discretionary Access Control (DAC) B) Mandatory Access Control (MAC) C) Role-Based Access Control (RBAC) D) Attribute-Based Access Control (ABAC)

Question 29: What is the primary purpose of "automated provisioning" in the IAM lifecycle?

A) To manually create and manage user accounts. B) To streamline and accelerate the creation, modification, and deletion of user accounts based on HR events. C) To conduct periodic reviews of user access rights. D) To enforce multi-factor authentication for all users.

Question 30: Which of the following is a key challenge when implementing an Identity as a Service (IDaaS) solution?

A) The need to build extensive on-premise infrastructure. B) Limited scalability to support a growing number of users. C) Potential for vendor lock-in and reliance on the provider's security posture. D) Difficulty in integrating with common enterprise applications.

Quiz Answers:

Question 1:

C) Fingerprint Scan

Explanation: "Something you are" refers to biometric characteristics, such as fingerprints, iris scans, or facial recognition.

Question 2:

C) Authorization

Explanation: Authorization is the process of determining what an authenticated entity (user, device, service) is permitted to access or do. Identification is claiming an identity, and authentication is proving it.

Question 3:

C) Role-Based Access Control (RBAC)

Explanation: RBAC is widely adopted in enterprises because it simplifies access management by assigning permissions based on a user's organizational role, making it scalable and easier to manage than DAC or MAC.

Question 4:

B) It allows users to authenticate once and gain access to multiple independent systems.

Explanation: SSO enhances user convenience and reduces password fatigue by allowing a single authentication event to grant access to multiple applications or services.

Question 5:

C) De-provisioning

Explanation: De-provisioning (revoking access and disabling/deleting accounts) is critically important when an employee leaves to prevent unauthorized access by former personnel, which can lead to data breaches or insider threats.

Question 6:

B) Biometric Scanner for a server room door

Explanation: A biometric scanner on a door controls physical access to a restricted area. ACLs (A), Firewalls (C), and Password policies (D) are logical controls.

Question 7:

C) To secure and monitor highly privileged accounts.

Explanation: PAM solutions are specifically designed to manage, monitor, and secure accounts with elevated privileges (e.g., administrator, root), as these accounts pose the highest risk if compromised.

Question 8:

C) Something You Are

Explanation: "Something you are" refers to biometrics, which are unique biological characteristics (e.g., fingerprint, iris, facial recognition).

Question 9:

B) The owner of the resource determines and grants access permissions.

Explanation: In DAC, the owner of a resource has the discretion to grant or deny access to other users, making it the least restrictive access control model.

Question 10:

C) RADIUS

Explanation: RADIUS (Remote Authentication Dial-In User Service) and TACACS+ are common protocols for centralized Authentication, Authorization, and Accounting (AAA) services, especially for network access. LDAP (A) is a directory service, Kerberos (B) is an authentication protocol, and SAML (D) is for federation.

Question 11:

C) It offers scalability and reduces operational overhead for identity management.

Explanation: IDaaS solutions leverage cloud infrastructure to provide highly scalable identity management services, reducing the need for organizations to build and maintain their own complex on-premise IAM systems.

Question 12:

B) A user logging into a partner company's system using their existing corporate credentials.

Explanation: Federated Identity Management extends SSO capabilities across different security domains or organizations, allowing users to use their existing credentials from one identity provider to access resources from another. Option A is SSO within a single organization.

Question 13:

B) To prevent a single individual from performing conflicting critical tasks.

Explanation: SoD aims to reduce the risk of fraud, error, or abuse by ensuring that no single individual has sufficient privileges to complete a critical or sensitive task from beginning to end.

Question 14:

B) Mandatory Access Control (MAC)

Explanation: MAC is the most restrictive access control model, where the system enforces access decisions based on security labels assigned to subjects and objects. It's typically used in government and military environments.

Question 15:

B) Multi-Factor Authentication (MFA)

Explanation: MFA requires a user to present two or more *different* authentication factors (e.g., password - something you know, and hardware token - something you have) to verify their identity.

Question 16:

C) Potential for vendor lock-in and data privacy concerns.

Explanation: While IDaaS offers many benefits, organizations become reliant on the vendor's platform, potentially leading to vendor lock-in. Additionally, storing identity data with a third party raises data privacy and sovereignty concerns.

Question 17:

C) To ensure user access rights are still appropriate and necessary.

Explanation: Access reviews are a crucial part of the IAM lifecycle, ensuring that users' permissions are still aligned with their current roles and responsibilities, preventing privilege creep and maintaining the principle of least privilege.

Question 18:

C) Access Control List (ACL)

Explanation: ACLs are logical controls that define permissions for objects (e.g., files, network devices). Security guards (A), CCTV (B), and mantraps (D) are physical controls.

Question 19:

C) Tickets

Explanation: Kerberos is a network authentication protocol that uses "tickets" (Ticket Granting Ticket and Service Ticket) to provide secure authentication and authorization to services within a domain.

Question 20:

C) Provides more granular and flexible access decisions based on dynamic attributes.

Explanation: ABAC is more flexible than RBAC because it bases access decisions on a combination of attributes (user, resource, environment, action) rather than just predefined roles, allowing for very fine-grained and dynamic control.

Question 21:

B) A security token generating one-time passwords.

Explanation: A security token (hardware or software) that generates a one-time password is an example of "something you have" as it's a physical or virtual item you possess.

Question 22:

B) Compliance violations and potential for unauthorized access by former employees.

Explanation: Ineffective de-provisioning leaves active accounts for former employees or contractors, creating a significant security vulnerability that can be exploited for unauthorized access, data theft, or sabotage, and often leads to compliance failures.

Question 23:

B) It simplifies user access to resources across different organizations or domains.

Explanation: Federated Identity Management allows users to use a single set of credentials to access resources provided by multiple, independent organizations, simplifying access for users and partners.

Question 24:

B) To provide centralized storage and management for user identities and access information.

Explanation: Directory services like LDAP and Active Directory act as central repositories for user accounts, groups, and other network resources, facilitating centralized identity and access management.

Question 25:

C) Segregation of Duties (SoD)

Explanation: Requiring two different managers for approval of a financial transaction is a classic example of Segregation of Duties, designed to prevent a single person from completing a fraudulent activity.

Question 26:

C) Claiming an identity to a system.

Explanation: Identification is the first step in the AAA process, where a user or entity asserts or claims an identity (e.g., by providing a username).

Question 27:

C) Something You Have

Explanation: A smart card or hardware token that generates a one-time password is a physical item that the user possesses, making it a "something you have" authentication factor.

Question 28:

D) Attribute-Based Access Control (ABAC)

Explanation: ABAC provides the highest level of granularity and flexibility by basing access decisions on a combination of attributes associated with the user (subject), the resource (object), the action being performed, and the environment (context).

Question 29:

B) To streamline and accelerate the creation, modification, and deletion of user accounts based on HR events.

Explanation: Automated provisioning integrates with HR systems to automatically manage user accounts and access rights throughout their employment lifecycle, improving efficiency and reducing manual errors.

Question 30:

C) Potential for vendor lock-in and reliance on the provider's security posture.

Explanation: When adopting an IDaaS solution, an organization becomes dependent on the chosen vendor, which can lead to difficulties if they wish to switch providers (vendor lock-in) and requires trusting the vendor's security capabilities.