Security+ Domain #5: Access control and Identity Management (SY0-401) [DECOMMISSIONED ARTICLE]

October 20, 2017 by Lester Obbayi

NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.


The “access control and identity management” domain is aimed at teaching and testing on industry-accepted practices, such as determining and implementing good password policies, mitigating issues associated with users who have multiple or shared accounts, and granting and terminating access rights when necessary, among many others.

Before taking the test, it is important to become familiar with the structure of the course in order to gauge one’s expectations. However, there may be a few commonly asked questions that should be dealt with concerning the domain. They are:

What percentage of the Security+ Exam material covers access control and identity management?

It is important to understand how much of the Security+ certification covers this domain. This allows students to adequately strategize and estimate effort. Around 12% of the exam material is about this topic, and you should bear that in mind during your preparation for the exam. However, frequent practice is key.

Are there performance-based questions?

Although performance-based testing has been incorporated into Security+ as an effective way of determining the concepts understood by students, this domain doesn’t contain any performance-based questions, unlike other domains such as cryptography.

What topics are covered in this domain?

The domain holds various topics that deal with performing access control and identity management. They include:

  1. Role-based authorization: This topic covers the how-to’s of restricting system access within an organization only to authorized users. The effectiveness of this is commonly felt within a large organization with, say, more than 500 employees. Various methods of restricting authorization are discussed: mandatory access control, access control lists and discretionary access control. Advanced authorization techniques are also discussed in this topic.
  2. Using access control lists such as Windows NTFS file permissions: This topic covers file and folder permissions within NTFS systems, discussing standard and advanced permissions. Other permission types are also discussed in detail, such as allowed versus deny permissions, inherited versus explicit permissions and permission precedence.
  3. Setting policies for usernames and access cards: Here various identification methodologies are discussed. These include multifactor authentication, usernames and biometrics authentication and single sign-on for users. Best practices are also discussed for existing accounts: effective and industry-accepted password policies, terminating access, and account monitoring.
  4. Implementing account and password policies: This topic discusses password policy enforcement and settings, such as password history, maximum and minimum password ages, accepted password lengths and password complexity requirements. These are discussed in much detail.
  5. Combining authentication factors for multi-factor authentication: This topic discusses, in detail, the importance of multi-factor authentication and how this can be achieved to improve the security of systems. Differences among the various methods, such as possession-based, inherent, and knowledge-based authentication, are discussed, along with the different advantages and disadvantages. Single sign-on, federation, RADIUS, and TACACS are also covered in detail.
  6. Implementing biometrics: In this topic, the importance of biometrics in identity management and access control is discussed, with the accepted devices discussed in detail. A comparison is made with other access controls, and industry-accepted standards regarding biometrics are reviewed.
  7. Using a Kerberos access control system: This topic covers the inner workings of the Kerberos access control system, discussing how cryptography can be used to protect users authenticating on a network. Authentication of system users and validation of their identities and access control (limiting the activities of legitimate users) are reviewed in detail.

Where should I focus my study time?

Since study time is limited, more of it should be invested in understanding the “Setting policies for usernames and access cards” and the “Using access control lists such as Windows NTFS file permissions” topics due to the technicality involved with them.

Sections such as “Allowed versus deny permissions” and “Inherited versus explicit permissions” also require frequent practice in order to gain a firm grasp of the concepts.

How is this information useful in the real world?

According to the Cybersecurity Ventures Cyber Crime Report, it is estimated that cybercrime will cost the world in excess of 6 trillion USD by 2021. Threats such as damage to and destruction of data, attacks on critical infrastructure, loss of intellectual property, espionage, fraud, ransomware, and state-sponsored attacks have raised the importance of and need for security structures within organizations.

The information security industry is one of the fastest (if not the fastest) growing industries in the world, requiring at least 10,000 professionals in almost every country globally. Various job opportunities are thus shaping up with:

  1. Big four companies seeking to increase their capabilities by massive hiring to improve their information technology risk services.
  2. Industries hiring security professionals, with the oil and gas industry in the lead.
  3. Companies massively hiring to combat the threat to businesses by cyber-threats, with a shocking statistic of a business collapsing every 40 seconds to a ransomware attack.
  4. Governments hiring massively to protect against cyberattack threats. Motivation for attackers seems to have shifted from an economic focus to a more politically and religiously inclined one.

The fact that there were 1 million cyber-security job openings last year alone puts the need for security professionals into perspective, and the number is ever increasing. This course therefore provides a skill set that is essential in today’s cyber-security industry, shaping professionals who are conversant with accepted industry standards and the implementation procedures for security features in computers and security systems.

The topics are thus applicable in the real world because they create knowledge of security best practices that effectively allow for a defensive strategy or preparedness in case of an attack or breach. Some acceptable practices include ensuring:

  1. That defense systems are in place to protect systems from failures. Such systems include intrusion detection systems and firewalls, among various others covered in the topic.
  2. That commonly known vulnerabilities are resolved within an organization’s systems. This helps protect against system exploitation by attackers.
  3. That password policies are effectively adhered to. This prevents attackers from exploiting commonly used and default credentials that do not meet accepted industry best practices.
  4. That suspended accounts are disabled. In many cases attackers gain access to systems by using accounts that have been left active. Disabling such accounts ensures that there is guaranteed accountability and that actions can be traced back to legitimate system users.
  5. That access to systems is controlled by working access control lists. This allows rights to be distributed to individuals who are qualified to perform certain actions within the organization. This prevents system users from having excessive rights over multiple systems.
  6. That employees are educated about the various threats that they are exposed to daily, such as spear-phishing attacks that spread ransomware and allow attackers to have an entry point into organizations.
  7. That security policies lay out a proper plan of how the organization’s employees need to behave online by specifying email, network, Internet and removable media policies, and restrict the spread of an attack in the unfortunate event that the organization should be attacked.

The Security+ course teaches a variety of skills required for security professionals who are required to protect the various systems that are at the heart of organizations and ensure that aspiring security professionals and employees working at organizations get the best in terms of securing their organizations. To register for the course, follow the link below to get an overview of what the course offers you and the current pricing:

The course is part of the Security+ course and is CompTIA-accredited. It will allow students to develop the necessary skill set to fit into the current and ever-growing information security industry, and it is in line with today’s acceptable industry standards.


On completing the course, it is expected that students will be conversant with security technologies that perform identity management and access control within systems and information technology setups. The student will be ready to take on the next course.


Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.