I am picking up Domain 5 next because it has advanced concepts tied to Domain 2, which I have covered earlier. This article will discuss the points that the candidate must keep in mind in order tackle questions from Domain 5, which revolve around the “Identity and Access Management” domain.
So the objective of this domain is to provide a basis for understanding the management of identification and authorization of people and devices, how to integrate Identity as a service and third party as a service, implementing and managing the authorization mechanisms and preventing and mitigation strategies around access control attacks. So let’s jump into the concepts for this domain:
Familiarize yourself with the identity and access provisioning lifecycle: This contains three phases, namely:
- Provisioning: When there is a need for access to a resource.
- Review: All the access rights granted while provisioning must be periodically reviewed.
- Revocation: All the roles/rights that are not needed or do not justify a continual business justification must be revoked.
Know all the access control models (very very important): Following are the access control models that one should be familiar with:
Role-Based Access Control (RBAC): This access control model works with mapping of assigned roles to a user in an organization to that against the resource. RBAC has following types:
- Non-RBAC: Access is given on a per-application basis and not with assigned user roles.
- Limited RBAC: In this, users are mapped to application roles rather than their own organizational roles
- Hybrid RBAC: Combination of a single role across multiple applications and per-application role.
- Full RBAC: Access is provided only on the basis of the user’s organizational role.
- Rule-Based Access Control: This access control method works on predefined rules that state what access should be granted against a particular resource. These rules are typically created by the system owners.
- Discretionary Access Control: In DAC, controls are placed on the resource by the owner of the resource, so you can also say that rule-based access control is a part of DAC.
- Nondiscretionary Access Control: This access control model requires the administrator of a system to control the access on a particular resource.
- Understand the relationship between identification, authentication and authorization.
- Common misconception around the ‘user Id’ is that it can be used as an authenticator. ‘User Id’ should only be used as a system identifier and not as an authenticator.
Remember the essential security characteristics regarding identities:
- It should be unique
- Secure issuance
Understand the complete structure of a SID retrieved from active directory (AD).
Format is like : S-1-x-21(domain/local)-z, where:
- S: It identifies ‘S’ as SID
- 1: Revision level. This is a constant value.
- X: Identity authority value. This is typically 5, which represents SECURITY_NT_AUTHORITY
- 21: (Domain/local): This is a 48-bit string that identifies the SID relevance to local computer or domain computer.
Z: This is the relative ID, which uniquely identifies a security principal relative to local or domain security authority. Some values for this:
- 500: Administrator
- 501: Guest
- 512: Domain Admins
Directory Technologies: Understand the below directory technologies:
Concept of Single-Sign on and Implementation using Kerberos : I am not discussing Kerberos in great depth but below are main points about Kerberos tickets:
- When the user is authenticated, authentication server (AS) sends the TGT to client.
- With his TGT, client requests service ticket from TGS. Upon verification, TGS grants user a ST.
- Possession of ST signifies that user has been authenticated and access can be provided. Client presents the ST to application server and obtains access.
- Difference between SSO and OIUA: OIUA is once-in-unlimited-access; it is assumed that if the user is able to access the system in the first place, then the user is authorized.
Multi Factor Authentication: Follows the methodology of:
- Someone you are
- Something you know
- Something you have
Types of Hard Tokens: To address the ‘something you have’, the following hard tokens can be used:
- Lookup Secret Token: This token stores a set of secrets and is used to look up the secret based on a prompt.
- Out of Band Token: Token is received over a separate channel and presented to authentication protocol.
- One-Time Password Device: These are synchronous and generate one-time passwords that are either sequence-based or time-based.
- Cryptographic Device: These are asynchronous and contain non-programmable logic and non-volatile storage.
Types of failure in Biometric Identification: Following types of failure in biometric identification:
- Training – Resources (InfoSec)”]
- False Rejection: This is failure by rejecting a legitimate user
False Acceptance: This accepts an imposter user.
Of these, false acceptance is more deadly. Also, on an x-y series graph with ‘Sensitivity’ on x-axis and ‘Error’ on y-axis, the point at which False Rejection and False Acceptance intersect each other is known as Cross-Over Error Rate.
CISSP Instant Pricing- Resources
- Understanding of various types of Biometric Readers: Biometric reader falls into two main categories, i.e., physiological or behavioral. Following table illustrates this:
Players involved in SAML and their roles:
- The principal, who is typically a user
- The identity provider, who identifies and authorizes the identity
- The service provider, who provides service for user.
- Concept of IDaaS: It is all about providing identity and access management services to target customer’s system either on-premise or cloud or both.
Some salient points on how to tackle access control attacks:
- Control physical access to system.
- Encrypt password and other sensitive files.
- Strong password management systems, policies, etc.
- Use of multi-factor authentication.
- User awareness
- Vulnerability scanning
- Auditing of access controls
These are all the important concepts for Domain 5: be sure to go through these concepts in great detail as you prepare.