Identity And Access Management

CISSP Flashcard_Domain_05

[qdeck random="false" align="center" scroll="false" hide_gotit="true" gotit_active="false" show_first="front" style="min-height: 500px !important; border-color: #ff6633 !important; width: 800px !important; border-width: 4px !important; border-style: solid !important; " reshow_after="50" cards_to_show="50"]
[h] CISSP Domain 05: Identity and Access Management.

[i] CISSP Domain 05

Domain 5: Identity and Access Management (IAM) is a critical component of information security. Its primary objective is to ensure that the right individuals have access to the right resources at the right times for the right reasons. This domain covers the mechanisms and processes used to manage digital identities and control access to information systems.

Key Topics: 

  1. Identification and Authentication
  2. Access Control Models
  3. Identity Management Lifecycle
  4. Access Control Mechanisms
  5. Federation and Trust Models
  6. Accountability and Monitoring
  7. IAM Policy and Governance

[start]

[q] What is the primary purpose of Identity and Access Management (IAM)?

[a] To ensure that the right individuals have access to the right resources at the right times for the right reasons.

[q] What are the three main functions of IAM?

[a] Identification, authentication, and authorization.

[q] Define Multi-Factor Authentication (MFA).

[a] A security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity.

[q] What is Role-Based Access Control (RBAC)?

[a] An access control method that assigns permissions to users based on their role within an organization.

[q] Name and briefly describe the four primary access control models.

[a]
  1. Discretionary Access Control (DAC): Access is based on the owner’s discretion.
  2. Mandatory Access Control (MAC): Access is based on fixed policies set by a central authority.
  3. Role-Based Access Control (RBAC): Access is based on the user’s role within the organization.
  4. Attribute-Based Access Control (ABAC): Access is based on attributes of the user, resource, and environment.

[q] What is Single Sign-On (SSO)?

[a] An authentication process that allows a user to access multiple applications with one set of login credentials.

[q] Explain the concept of Identity Federation.

[a] A process that allows the sharing of identity information across multiple security domains to enable a unified login experience.

[q] What is an Access Control List (ACL)?

[a] A list that specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

[q] Describe the principle of least privilege.

[a] A security principle that ensures users are granted the minimum levels of access – or permissions – needed to perform their job functions.

[q] What is the purpose of auditing and monitoring in IAM?

[a] To track user activities, ensure compliance with policies, detect anomalies, and provide accountability.

[q] What is credential management?

[a] The process of issuing, updating, and revoking user credentials to ensure secure and efficient access control.

[q] Define Attribute-Based Access Control (ABAC).

[a] An access control method where access rights are granted based on user attributes, resource attributes, and environmental conditions.

[q] What is the difference between identification and authentication?

[a] Identification is the process of claiming an identity (e.g., entering a username), while authentication is the process of verifying that claimed identity (e.g., entering a password).

[q] What is a security token?

[a] A physical or virtual device used to authenticate a user’s identity, often used in conjunction with a password for multi-factor authentication.

[q] What is a digital certificate?

[a] An electronic document used to prove the ownership of a public key, issued by a Certificate Authority (CA).

[q] What is a Kerberos ticket?

[a] A credential granted by a Key Distribution Center (KDC) used in the Kerberos authentication protocol to provide secure network authentication.

[q] Define the term “Single Sign-On” (SSO).

[a] A user authentication process that permits a user to enter one set of credentials to access multiple applications or systems.

[q] What is the purpose of a password policy?

[a] To establish guidelines for creating and managing passwords to enhance security, including complexity, length, and expiration requirements.

[q] Explain “Just-in-Time” (JIT) access.

[a] A method of granting users temporary access to resources only when needed and revoking it immediately after use, reducing exposure to security risks.

[q] What is a trust relationship in IAM?

[a] A connection established between two domains that allows for the authentication and access of users from one domain to resources in another.

[q] What is biometric authentication?

[a] A security process that uses an individual’s unique physical characteristics, such as fingerprints or facial recognition, to verify their identity.

[q] What does provisioning refer to in IAM?

[a] The process of creating, configuring, and enabling user accounts and associated access rights within an IT system.

[q] Define de-provisioning.

[a] The process of removing or disabling user accounts and access rights when they are no longer needed.

[q] What is an Identity Provider (IdP)?

[a] A service that creates, maintains, and manages identity information for users and provides authentication services within a federation or network.

[q] Explain the concept of a “Federated Identity.”

[a] A user’s identity that is linked across multiple identity management systems, allowing for seamless access across different domains or services.

[q] What is a “Credential Service Provider” (CSP)?

[a] An entity that issues and manages credentials used for authentication purposes.

[q] What is the difference between static and dynamic access controls?

[a] Static access controls are based on fixed rules or policies, while dynamic access controls adjust permissions based on current conditions or contexts.

[q] Define “identity proofing.”

[a] The process of verifying the identity of an individual before issuing credentials.

[q] What is an OAuth token?

[a] A token used in the OAuth protocol to authorize access to resources on behalf of a user without sharing the user’s credentials.

[q] Explain the importance of logging and monitoring in IAM.

[a] Logging and monitoring are crucial for tracking access, detecting unauthorized activities, ensuring compliance, and providing accountability within an IAM system.

[q] What is a smart card in the context of IAM?

[a] A physical card with an embedded microprocessor used to securely store and process authentication credentials.

[q] What is the principle of “Separation of Duties” (SoD)?

[a] A security principle that divides critical tasks among multiple individuals to reduce the risk of fraud or error.

[q] Define “entitlement management.”

[a] The process of managing and controlling the access rights and privileges granted to users.

[q] What is the difference between a user and a service account?

[a] A user account is intended for human users to access systems, whereas a service account is used by applications or services to perform automated tasks.

[q] What are “privileged accounts”?

[a] Accounts that have elevated access rights and permissions, often used by administrators to manage systems and applications.

[q] Explain the concept of “access recertification.”

[a] The process of regularly reviewing and validating users’ access rights to ensure they are still appropriate for their roles.

[q] What is a “directory service” in IAM?

[a] A centralized repository that stores, organizes, and manages user identities and related information.

[q] Define “context-aware authentication.”

[a] An authentication method that considers various contextual factors, such as location, time, and device, to determine the level of authentication required.

[q] What is the “Security Assertion Markup Language” (SAML)?

[a] An open standard for exchanging authentication and authorization data between parties, commonly used for single sign-on (SSO).

[q] What is the purpose of “identity governance”?

[a] To ensure that identity and access management practices comply with policies and regulations, and to manage risks associated with user access.

[q] Describe “Zero Trust” in IAM.

[a] A security model that assumes no entity, whether inside or outside the network, should be trusted by default and requires continuous verification of identity and access.

[q] What is “credential stuffing”?

[a] A type of cyberattack where attackers use stolen credentials to gain unauthorized access to user accounts.

[q] Explain the purpose of “time-based one-time password” (TOTP).

[a] A temporary passcode generated based on the current time, used for two-factor authentication.

[q] What is an “access token”?

[a] A digital token used to grant a user or service access to resources without exposing the user’s credentials.

[q] Define “identity federation.”

[a] A system that allows users to authenticate across multiple IT environments using a single set of credentials, typically managed by an identity provider.

[q] What is “OAuth”?

[a] An open standard for access delegation, commonly used to grant third-party applications limited access to user resources without exposing user credentials.

[q] Explain the concept of “user provisioning.”

[a] The process of creating, configuring, and managing user accounts and access permissions in an IT system.

[q] What is the role of a “Certificate Authority” (CA)?

[a] An entity that issues and manages digital certificates, verifying the identity of certificate holders.

[q] What is “access management”?

[a] The process of controlling who is allowed to access resources in an information system, and what actions they are permitted to perform.

[q] What is “LDAP”?

[a] Lightweight Directory Access Protocol, used to access and manage directory information services over an IP network.

[x] [restart]
[/qdeck]