The fifth domain of the CISSP certification is ‘Identity and Access Management’, an area that touches the everyday life of all of us. The candidate is expected to know the following topics in this domain:
Let us see these topics in greater detail:
1. Physical and logical access to assets
‘Access control’ is the mechanism that grants particular individuals the permission they need to reach physical and logical assets.
The simplest example of ‘physical access’ to an asset is the lock that restricts entry to a house or a building: only the person who holds the key can get in. Physical locks have largely given way to electronic locks that control access to a building or facility. In addition, biometric systems (such as fingerprint, hand geometry or voice recognition) can be used to restrict physical access to facilities.
Similarly, ‘logical access to assets’ is the access given to appropriate personnel to reach information stored on various systems. Logical access control also deals with the mode of access. The three modes are read only (users may only read information), read and write (users may read and write information) and execute (users may run the program). What is the most challenging part of logical access control? It is the administration of the different logical accesses to the different resources. ‘Administration’ involves “implementing, monitoring, modifying, testing and terminating” the accesses of the various users according to their roles on the systems.
Common sense indicates that logical access is not restricted to a single system. Distributed systems are made up of different types of access control mechanisms, all of which must support the organization’s security policy. In such a situation, distributed access control is implemented with LDAP (Lightweight Directory Access Protocol), Kerberos and XACML (eXtensible Access Control Markup Language).
2. Identification and authentication of people and devices
‘Identification’ is the first step, in which the person is uniquely identified for access control. ‘Authentication’ is the next step, which verifies that you are who you claim to be. Authorization is the last step, which lets you access information resources based on your role.
The most common identification methods are an account number/PIN (personal identification number) combination, identification badges, user IDs, MAC addresses, IP addresses, RFID (radio frequency identification) tags and email IDs.
3. Identity management implementation
Once the security policies, procedures and guidelines have been laid out, the next step is to look at the implementation of access control for a business. Identity management solutions focus on managing the many user IDs, accounts and roles across a large organization. The most popular identity management implementations are:
Passwords are still the simplest way to authenticate a user, and if multiple systems each require a password, there is a distinct possibility that the same password will be reused. This can be addressed with an enterprise ‘password management system’. Password management systems assist users in creating passwords, help them recover from forgotten passwords, and trigger alerts when there are repeated failed login attempts.
Account management is the creation, maintenance and deletion of user accounts across multiple systems. The difficulties of account management are the time it takes, the cost of the overall process, and the interface issues between the different systems.
A complete user profile consists of the name, telephone number, home address, work address and email address; maintaining these attributes is profile management.
A directory holds files, servers, groups, printers and an assortment of other objects in its own file structure. Managing these objects and their directories in a single place prevents data replication across the enterprise architecture. LDAP, X.500, Active Directory and X.400 are some directory standards.
Single sign-on (SSO) is the ability of a user to sign on to one master system and thereby gain access to other systems without having to re-enter a password each time. Single sign-on also encompasses ‘federated identity management’, which was discussed in an earlier blog post.
4. Identity as a Service (IDaaS)
‘IDaaS’ is a cloud-based offering that provides identity and access management for customers’ on-premises systems or for systems in the cloud. The functionality of IDaaS solutions covers identity governance and administration, access, and intelligence.
5. Integrate third-party identity services
Even though companies can run cloud computing resources and IAM solutions in-house, it is the sheer cost, the required elasticity, broad network access and on-demand service that make third-party cloud computing services, and third-party cloud services for IAM in particular, a necessity for businesses.
The AWS Identity and Access Management (IAM) service and the Oracle Identity Management platform are examples of third-party cloud IAM solutions.
6. Implement and manage authorization mechanisms
Role-based access control (RBAC) is also known as ‘non-discretionary access control’. In role-based access control, as the name suggests, access to a particular resource is governed by the “role” an employee is mapped to. There are four types of RBAC models: non-RBAC, limited RBAC, hybrid RBAC and full RBAC.
In discretionary access control (DAC), the “owner” of the data decides who can access which data. This model is widely used in VAX, VMS, UNIX and other minicomputer systems.
Mandatory access control (MAC) is much more structured and organized than DAC. In this model the system has the final say on access decisions, based on the organization’s security policy. It is used where security is of the utmost importance.
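To make the three authorization models concrete, here is a small added example (not code from the original post or from any IAM product) that decides access under DAC, RBAC and MAC using the three access modes from section 1 (read, write, execute). The users, roles, resources and sensitivity labels are constructed sample data. For MAC it assumes the classic Bell-LaPadula rules (no read up, no write down) and treats execute like read, an assumption made for illustration.

```python
"""Added example: DAC, RBAC and MAC decisions over read/write/execute modes.
All identities, roles, labels and resources are constructed for illustration."""
from dataclasses import dataclass, field

MODES = {"read", "write", "execute"}


# --- Discretionary access control: the owner of the data maintains the ACL ---
@dataclass
class DacResource:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of granted modes

    def grant(self, actor: str, user: str, modes: set) -> None:
        """Only the owner may change the ACL; that is what makes it discretionary."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this resource")
        self.acl.setdefault(user, set()).update(modes & MODES)


def dac_allowed(res: DacResource, user: str, mode: str) -> bool:
    """Owners always have access; others get exactly what the owner granted."""
    return user == res.owner or mode in res.acl.get(user, set())


# --- Role-based access control: permissions hang off roles, users are mapped to roles ---
ROLE_PERMS = {  # role -> set of (resource, mode) pairs (constructed sample policy)
    "analyst": {("reports", "read")},
    "developer": {("reports", "read"), ("build-script", "execute")},
    "admin": {("reports", "read"), ("reports", "write"), ("build-script", "execute")},
}
USER_ROLES = {  # user -> roles (constructed sample mapping)
    "dave": {"analyst"},
    "erin": {"developer", "analyst"},
    "fay": {"admin"},
}


def rbac_allowed(user: str, resource: str, mode: str) -> bool:
    """Access is granted if any role the user holds carries the permission."""
    return any((resource, mode) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- Mandatory access control: the system decides from sensitivity labels ---
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allowed(subject_level: str, object_level: str, mode: str) -> bool:
    """Bell-LaPadula style lattice check (assumed for this example):
    read/execute only at or below the subject's clearance (no read up),
    write only at or above it (no write down)."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if mode in ("read", "execute"):
        return s >= o
    if mode == "write":
        return s <= o
    raise ValueError(f"unknown access mode: {mode}")


if __name__ == "__main__":
    report = DacResource(owner="alice")
    report.grant("alice", "bob", {"read"})
    print("DAC  bob read :", dac_allowed(report, "bob", "read"))      # True
    print("DAC  bob write:", dac_allowed(report, "bob", "write"))     # False
    print("RBAC erin execute build-script:", rbac_allowed("erin", "build-script", "execute"))  # True
    print("MAC  public subject reads secret:", mac_allowed("public", "secret", "read"))        # False
```

The point the three functions make side by side: under DAC the decision lives with the owner (note that `grant` refuses a non-owner), under RBAC it lives with the role mapping that administrators maintain, and under MAC neither the user nor the owner can override the label comparison the system enforces.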
7. Prevent or mitigate access control attacks
Attackers carry out access control attacks by stealing user credentials and thereby bypassing the authentication and authorization stages of access control. Once a user’s credentials are stolen, they can be misused in many places. To prevent this, a set of precautionary measures such as the following can be adopted:
8. Identity and access provisioning lifecycle
The identity and access provisioning process takes place in three stages:
Provisioning: creating new user accounts and assigning them the appropriate permissions.
Review: the user accounts have to be monitored constantly. If an account holds permissions in excess of what its role requires, those permissions have to be adjusted accordingly.
Revocation: deleting accounts when users leave the organization. Revocation can also be temporary, disabling rather than deleting the account, when a user is away from the organization.
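The three stages above, provisioning, review and revocation, as an added example in Python (not code from the original post or from any product). It assumes a per-role permission baseline, so that the review stage can flag accounts whose permissions exceed their role, and it models temporary revocation as disabling the account and permanent revocation as deleting it; the roles, permission names and usernames are constructed sample data.

```python
"""Added example: a minimal identity and access provisioning lifecycle.
Roles, permissions and usernames are constructed for illustration."""
from dataclasses import dataclass, field

# Baseline permissions per role (constructed sample policy). The review stage
# treats anything beyond the baseline as excessive for that role.
ROLE_BASELINE = {
    "analyst": {"reports:read"},
    "developer": {"reports:read", "repo:write"},
    "admin": {"reports:read", "reports:write", "repo:write", "users:admin"},
}


@dataclass
class Account:
    username: str
    role: str
    permissions: set = field(default_factory=set)
    enabled: bool = True  # False = temporarily revoked (suspended)


class Provisioning:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    # --- stage 1: provisioning ---
    def create(self, username: str, role: str) -> Account:
        """Create an account with exactly its role's baseline permissions."""
        if role not in ROLE_BASELINE:
            raise ValueError(f"unknown role: {role}")
        if username in self.accounts:
            raise ValueError(f"account already exists: {username}")
        acct = Account(username, role, set(ROLE_BASELINE[role]))
        self.accounts[username] = acct
        return acct

    def grant(self, username: str, permission: str) -> None:
        """Ad-hoc grant, the usual source of permission creep over time."""
        self.accounts[username].permissions.add(permission)

    # --- stage 2: review ---
    def review(self) -> dict[str, set]:
        """Return {username: excess permissions} for accounts over their role baseline."""
        findings = {}
        for acct in self.accounts.values():
            excess = acct.permissions - ROLE_BASELINE[acct.role]
            if excess:
                findings[acct.username] = excess
        return findings

    def remediate(self, username: str) -> None:
        """Trim an account back to its role baseline."""
        acct = self.accounts[username]
        acct.permissions &= ROLE_BASELINE[acct.role]

    # --- stage 3: revocation ---
    def suspend(self, username: str) -> None:
        """Temporary revocation: the account stays on record but cannot be used."""
        self.accounts[username].enabled = False

    def reinstate(self, username: str) -> None:
        self.accounts[username].enabled = True

    def revoke(self, username: str) -> None:
        """Permanent revocation when the user leaves the organization."""
        del self.accounts[username]

    # --- the check every other system would make at access time ---
    def can(self, username: str, permission: str) -> bool:
        acct = self.accounts.get(username)
        return bool(acct and acct.enabled and permission in acct.permissions)


if __name__ == "__main__":
    p = Provisioning()
    p.create("bob", "developer")
    p.grant("bob", "users:admin")           # creep: a developer gets an admin right
    print("review findings:", p.review())   # {'bob': {'users:admin'}}
    p.remediate("bob")
    p.suspend("bob")
    print("suspended bob can read reports:", p.can("bob", "reports:read"))  # False
```

The review stage is the part most often skipped in practice; keeping a role baseline to diff against is what makes it mechanical rather than a manual audit.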
By following the stages of the identity and access provisioning lifecycle, the broader objectives of an identity and access solution for a business system will be met.
We have seen a brief overview of the fifth domain of the CISSP certification exam.