CISSP Domain 5 Study Guide – Identity and Access Management (IAM) Part 2

Access control

Access control is the process of managing how individuals and hosts gain access to other systems and resources. It helps ensure that only authorized users and systems can reach the systems and resources they need, and that unauthorized users and systems are prevented from accessing the organization's property, premises, systems and resources.

Subjects and objects

A subject is a user, process or host that requests access to a system or resource.
An object is a resource or system that subjects need access to. An object can be a file, a directory, a database, an open TCP/UDP port, or a host (computer).


AAA (pronounced triple A) stands for authentication, authorization and accounting.

Identification is the process of establishing the identity claimed by the subject. As we said above, identification is in most cases a claim without proof. You insert your debit card at the ATM: that is the claim. To prove that you are the real owner of the card, you must enter your "secret" PIN. Similarly, in the SSH connection example, the administrator enters his username when prompted. But does that prove he is who he claims to be? Definitely not; anyone can initiate such a connection and supply the username (the username is echoed on the screen as the user types it, so there is a good chance someone will catch it over the admin's shoulder). A password is therefore required to authenticate the connecting user. In the special case of biometric methods (such as fingerprint and retina scans), the same method serves as both identification and authentication.

The authorization process determines what the subject is allowed to do with the object. It comes after successful authentication. Authorization usually relies on an access control matrix that defines each subject's rights to each object.

Accounting holds each subject answerable for its actions. It is done by collecting logs and audit trails.


Authentication verifies your identity, and successful authentication is what makes authorization possible. An authorization policy dictates what your identity is allowed to do.

Role-Based Access Control (RBAC)

Role-based access control, also called non-discretionary access control, is a common access control method. The RBAC model is used when network and system administrators need to grant access to resources based on the organizational roles a user holds within the company. Separation of job roles is what drives this access control method, which is why RBAC is considered good industry standard practice.

Rule-based access control

Rule-based access control grants or denies access according to predefined rules. Consider, for example, the printers available to users at a given site. Rules are a great way to automate access control and make it more dynamic: when someone transfers to another site, the old access is removed automatically.

Mandatory Access Control (MAC)

Mandatory access control is access control enforced by the system based on subject clearances and object labels. Subjects have clearances and objects have labels such as confidential, secret and top secret. The MAC method protects confidentiality. Although not as dynamic as DAC, it provides higher security because permissions cannot be changed quickly by individual users.

Discretionary Access Control (DAC)

In the discretionary access control model, each object is owned by a subject, and the owner has full control over the object. For example, when a user creates a file, the user owns the file and can modify its permissions. Common operating systems such as Windows and Linux use the DAC model. DAC is seen as useful when you need fine-grained control over object rights, such as file sharing. You can also configure inherited rights for child objects. DAC is decentralized, flexible and easy to manage, and as such it is widely used. Because users can change permissions on the fly, however, it can be difficult to keep track of all changes and of overall permission levels when determining who has access.

Attribute-Based Access Control (ABAC)

The attribute-based access control (ABAC) model is often described as a more nuanced form of role-based access control because it considers user attributes beyond the user's role when granting access. Attributes can include many different descriptors, such as department, location and so on.

Risk-based access control

Risk-based authentication assesses the likelihood of account compromise at each login. If the request seems unusual or suspicious, the user must do something extra to gain access. Additional factors (e.g. biometrics) ensure that the request comes from a valid user. Risk-based authentication uses real-time intelligence to build a complete understanding of the context behind each login.

When a user tries to log in, a risk-based authentication solution analyzes factors such as:

  • Device: Is the user on a known computer? Or on a mobile device that has never logged in before?
  • Location: Is the user in the same building as the server? Or in a different time zone?
  • Network: Is the person logging in from a familiar IP address? Or is the address foreign?
  • Sensitivity: Is the requested file important to the company? Or is it relatively unimportant information?
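The following Python block is an added illustration, not part of the original study guide: it scores a login attempt on the four factors listed above and maps the score to allow, step-up or deny. The user profile, the weights, the thresholds and the "low/medium/high" sensitivity tiers are all assumptions constructed for the example.

```python
"""Risk-based authentication scoring for the four factors listed above.

Constructed example: the user profile, the login attempts, the weights and the
decision thresholds are all assumptions for illustration; real products tune
these from telemetry and fraud history.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class UserProfile:
    known_devices: frozenset           # device IDs seen on earlier successful logins
    home_timezone: str                 # where the user normally works
    trusted_networks: tuple            # CIDR strings the user usually connects from


@dataclass(frozen=True)
class LoginAttempt:
    device_id: str
    timezone: str
    source_ip: str
    resource_sensitivity: str          # "low", "medium" or "high" (constructed tiers)


SENSITIVITY_WEIGHT = {"low": 0, "medium": 2, "high": 3}


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    """Add a weight for every factor that looks unusual for this user."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += 3                     # Device: never logged in from this device
    if attempt.timezone != profile.home_timezone:
        score += 2                     # Location: different time zone than usual
    ip = ip_address(attempt.source_ip)
    if not any(ip in ip_network(net) for net in profile.trusted_networks):
        score += 2                     # Network: unfamiliar source address
    score += SENSITIVITY_WEIGHT[attempt.resource_sensitivity]  # Sensitivity of target
    return score


def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """Map the score to allow / step-up (extra factor) / deny."""
    score = risk_score(profile, attempt)
    if score <= 2:
        return "allow"
    if score <= 6:
        return "step-up"               # e.g. demand a biometric or hardware token
    return "deny"
```

A familiar device on the corporate network opening a low-value file passes silently, while an unknown device from a foreign time zone and address requesting a high-value resource is refused outright; the middle band is where the extra factor is demanded.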

Classification of data

Military or government

Classified by the type of harm that inadvertent disclosure of the data may cause.

  • Top secret is the highest level of classified information. Such material may be further compartmented: special access, indicated by a code word appended to "top secret", is a lawful way to restrict particularly important information to those who need it. Top secret material would cause "exceptionally serious harm" to national security if made publicly available.
  • Secret material would cause "serious harm" to national security if it were made publicly available.
  • Confidential material could damage national security if made available to the public.
  • Unclassified is not technically a classification level, but it is a feature of some classification schemes, used for government documents that do not merit a particular classification or have been declassified. Such information is low impact and therefore does not require special protection such as personnel vetting.
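As an added illustration that is not part of the original study guide, this Python block applies the MAC model from the section above to the classification levels just listed. The compartment (code-word) sets and the "no read up / no write down" rules are the Bell-LaPadula confidentiality properties, which the guide does not name; they are assumptions added for the example.

```python
"""Mandatory access control decision using the military classification levels.

Constructed example: the level order is the one listed above; code-word
compartments model the "special access" mentioned under Top Secret. The read
rule (no read up) and write rule (no write down) are the Bell-LaPadula
confidentiality properties, which this page does not name explicitly.
"""
from dataclasses import dataclass

LEVELS = ("unclassified", "confidential", "secret", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A clearance (for a subject) or a classification (for an object)."""
    level: str
    compartments: frozenset = frozenset()   # code words, e.g. {"CRYPTO"} (constructed)

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level AND a superset of code words."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


def mac_decision(clearance: Label, label: Label, action: str) -> bool:
    """System-enforced rule: neither the subject nor the object owner can override it."""
    if action == "read":
        return clearance.dominates(label)   # simple security: no read up
    if action == "write":
        return label.dominates(clearance)   # *-property: no write down
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    analyst = Label("secret")
    for obj in (Label("confidential"), Label("top secret", frozenset({"CRYPTO"}))):
        for action in ("read", "write"):
            print(f"{analyst} {action} {obj}: {mac_decision(analyst, obj, action)}")
```

Note that a top secret clearance without the code word still cannot read a top secret object tagged with it, which is exactly the compartmentation the guide describes.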

Private sector

A corporate or organizational classification scheme, constructed similarly to the military or government one.

  • Confidential is the highest level of this classification scheme. Significant damage can occur to an organization if this information is made public. Proprietary data, among other types of data, falls into this category, which is reserved for extremely sensitive and internal data. The "Confidential" level requires the utmost care because this data is intended for use by a limited group of people, such as a department or task force, with a legitimate need to know.
  • Private is data for internal use only; its importance is high, and its disclosure could have a significant negative impact on the organization. All data and information processed within the organization must be handled only by employees and must not fall into the hands of outsiders.
  • Sensitive is data that is classified and not public. If it is disclosed, it could have a negative impact on the company.
  • Public data is already published outside the company or has no value. If this data were disclosed, there would be no impact on the company.

Identity and access management

User access review – Periodic access reviews are an important but often overlooked way of checking rights and permissions. Do users have the access they need to do their jobs? If not, what is the process for granting additional access?

System account access review – System accounts, sometimes called service accounts, are accounts not associated with a human user. They are used to run automated processes, tasks and jobs; user accounts should not be used for this. Because some system accounts require administrative privileges, these accounts also require regular review. Be sure to keep detailed records of what each account is, what it is used for, who requested it, and so on.

User provisioning and deprovisioning – These basic tasks are important to prevent bad actors from using dormant accounts. It is better to automate them, not only to save time but also to avoid the human errors that repetitive tasks invite. They are, of course, defined according to policy and other organizational requirements.
