CISSP domain 5: Identity and access management — What you need to know for the exam [Updated 2022]
Securing information systems and having a tight handle on your organization's identity and access management go hand in hand. Imagine how hard complying with the requirements of Confidentiality, Integrity, and Availability would be if you had no control over who was accessing your information system and resources! It would figuratively bring information security back to the stone age.
Domain 5 of the CISSP certification exam focuses on Identity and Access Management, or IAM. IAM is made up of business process, technology, and information that help organizations use and manage digital identities. It includes the processes, people, and technology necessary to ensure that access to information systems and applications is secure and auditable. The end result is the improvement of the end user experience, efficiency and cost control as well as improved risk mitigation.
Earn your CISSP, guaranteed!
CISSP domain 5: Identity and access management objectives
Below are the subdomains and objectives covered by the 5th of 8 domains of the CISSP certification exam. This domain covers 13% of the weight of exam information that you will encounter on the CISSP.
Control physical and logical access to assets
- Information
- Systems
- Devices
- Facilities
- Applications
Manage identification and authentication of people, devices, and services
- Identity Management (IdM) implementation
- Single/Multi-Factor Authentication (MFA)
- Accountability
- Session management
- Registration, proofing, and establishment of identity
- Federated Identity Management (FIM)
- Credential management systems
- Single Sign On (SSO)
- Just-In-Time (JIT)
Federated identity with a third-party service
- On-premises
- Cloud
- Hybrid
Implement and manage authorization mechanisms
- Role Based Access Control (RBAC)
- Rule based access control
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Attribute Based Access Control (ABAC)
- Risk based access control
Manage the identity access provisioning lifecycle
- Account access review (e.g., user, system, service)
- Provisioning and deprovisioning (E.g., on/off boarding and transfers)
- Role definition (e.g., people assigned to new roles)
- Privilege escalation (e.g., manage service accounts, use of sudo, minimizing its use)
Implement authentication systems
- OPENid Connect (OIDC)/Open Authorization (Oauth)
- Security Assertion Markup Language (SAML)
- Kerberos
- Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+)
Below is additional information regarding identity and access management that will assist you as you get ready for the CISSP certification exam. Further information, such as a full listing of the domains and CISSPexamination weights, can be found in the CISSP exam outline.
Controlling access to assets
There are two common methods for controlling access to assets. Authentication systems traditionally use a combination of username and password to authentication users. More recently, enhancements such as single sign-on (SSO) and biometrics have buttressed traditional authentication systems. Authorization systems such as an LDAP directory checks to see if a user belongs to a particular department, such as engineering or sales, before the user can gain access to the resources of that department.
Earn your CISSP, guaranteed!
Identity management (IdM)
When implementing an IdM solution, it is necessary to ensure the services and apps are highly available, secure, and site resilient. Since the IdM system is spread across the organization, minimizing latency important to consider and to maximize performance, authentication and authorization should take place as close to the user as possible. Commonly used components in an IdM solution may include Microsoft Active Directory (AD), SSO, a self-service password reset tool and a scanning and reporting tool for auditing and compliance.
Using a third-party service
Some organizations opt to use a third-party service and integrate them with their pre-existing IAM systems. On premises is a third-party service that will physically integrate with the IAM system you are currently using on premises at your organization’s site. An example of such is when you integrate your AD system with a third-party provider that allows certain users to use SSO for authentication. Cloud-based third-party services are being used by organizations that use cloud-based applications and software as a service (SaaS) and need to manage their users’ identities in the cloud. Microsoft Azure Active Directory, Okta, and Pin Identity are examples of cloud-based federated identity solutions. A third option is called Hybrid and organizations that need to use a combination of both on premises and cloud-based federated identity services to best serve the needs of their organization.
Types of access control
There are several types of access control you will be responsible to know for the CISSP certification exam. You will need to be able to explain Role-based access control (RBAC), Rule-based access control, Mandatory access control (MAC), Discretionary access control (DAC), and Attribute-based access control. A new type of access control for the 2021 CISSP update is Risk-based access control which evaluates risk factors based off of metadata such as location and IP address (known malicious IP) and is combined with other access control methods when implemented.
Authentication system implementation
This is a new section for the 2021 CISSP update and is a high-level view of authentication system implementation as it focuses on the authentication systems themselves rather than the process and details of the implementation. The authentication systems you will need to explain on the CISSP exam are:
- OpenID Connect (OIDC)/Open Authorization (OAuth)
- Security Assertion Markup Language (SAML)
- Kerberos
- RADIUS/TACACS+
Earn your CISSP, guaranteed!
Other considerations
The information above is not the only angle you need to be thinking about this material from – you also need to consider the design and implementation of your IAM system. Design considerations you need to keep in mind (which I touched briefly on above) is high availability, site resilience, performance, and security. These are the same considerations for the implementation side of things with the addition of figuring out how you can achieve the intended design and validating the implementation outcome.
Conclusion
Identity and access management is a crucial aspect of overall information security that the 5th domain of the CISSP covers. Controlling access to your resources and assets is one of the most fundamental aspects of securing your information systems. You’ll need a solid understanding of this material both on the job and when sitting for the CISSP certification exam.
For more on the CISSP certification, view our CISSP hub.
Sources
- Exam Pass Guarantee
- Live expert CISSP instruction
- CISSP exam voucher
In this Series
- CISSP domain 5: Identity and access management — What you need to know for the exam [Updated 2022]
- CISSP certification - The ultimate guide [updated 2021]
- The CISSP domains and CBK: An overview
- CISSP certification salary: A comprehensive 2024 salary guide
- Definition & types of access control models & methods (updated 2023)
- CISSP domain 4: Communications and network security — What you need to know for the exam [2022 update]
- CISSP domain 7: Security operations — What you need to know for the exam [Updated 2022]
- CISSP domain 6: Security assessment and testing — What you need to know for the exam [Updated 2022]
- CISSP domain 8 overview: Software development security — What you need to know for the exam [Updated 2022]
- CISSP and DoD 8570/8140: What you need to know [Updated 2022]
- Top 10 CISSP interview questions [Updated 2022]
- CISSP domain 1: Security and risk management — What you need to know for the exam
- The ISC2 code of ethics: A binding requirement for certification
- The CISSP experience waiver [updated 2022]
- Earning CPE credits to maintain the CISSP
- Renewal requirements for the CISSP [updated 2022]
- CISSP computerized adaptive testing (CAT): 25 of your questions answered
- CISSP job outlook [updated 2022]
- CISSP resources: Books, practice exams and other study tools [updated 2022]
- CISSP exam questions: 5 drag & drop and hotspot questions
- Risk management concepts and the CISSP (Part 2) [Updated 2022]
- What is the CISSP-ISSAP? Information Systems Security Architecture Professional [updated 2021]
- Average ISSEP Salary in 2021
- Average ISSMP Salary [updated 2021]
- CISSP domain 3: Security engineering CISSP - What you need to know for the exam [2022 update]
- Understanding the CISSP exam schedule: Duration, format, scheduling and scoring [updated 2021]
- What is the CISSP-ISSEP? Information Systems Security Engineering Professional [updated 2021]
- Information and asset classification in the CISSP exam
- CISSP domain 2: Asset security - What you need to know for the Exam [updated 2021]
- 8 tips for CISSP exam success [updated 2021]
- Risk management concepts and the CISSP (part 1) [updated 2021]
- Average ISSAP Salary in 2021
- What is the CISSP-ISSMP? Information Security System Management Professional [updated 2021]
- CISSP concentrations (ISSAP, ISSMP & ISSEP) [updated 2021]
- Due care vs. due diligence and the CISSP
- CISSP prep: Security policies, standards, procedures and guidelines
- Vulnerability and patch management in the CISSP exam
- Data security controls and the CISSP exam
- Logging and monitoring: What you need to know for the CISSP
- Data and system ownership in the CISSP exam
- CISSP Prep: Mitigating access control attacks
- CISSP Domain 5 Refresh: Identity and Access Management
- Identity Governance and Administration (IGA) in IT Infrastructure of Today
- CISSP CAT Exam Deep Dive: Study Tips from InfoSec Institute Alum Joe Wauson
- CISSP: Incident management
- CISSP: Business continuity planning and exercises
- CISSP: Perimeter defenses
- CISSP: Secure communication channels
- Environmental controls and the CISSP
- CISSP: Disaster recovery processes and plans
- Change management and the CISSP
