The fifth domain of CISSP certification’s ‘Identity and Access Management’ is the fifth. Identity and Access Management is one aspect of our daily lives. This domain is expected that the candidate has knowledge of the following topics:
“Physical and Logical Access to Assets
Identification and authentication of persons and devices
Implementation of identity management
Identity as a Service (IDaaS).
Integrate third-party identity services
Manage authorization mechanisms
Protect against or mitigate access control attacks
Identity and Access Provisioning Lifecycle (Official (ISC), Guide to the CISSP BK)
Let’s examine these topics more closely:
1.Physical and Logical Access to Assets
Access control (permission granted to certain people) is the key point that allows an individual to access their physical and logical assets.
The lock is used to restrict access in a house or building. This is the simplest example of “physical access” to an asset. Only the owner of the key can gain access to the building or house. Electronic locks allow for the control of access to buildings and facilities. Physical locks are no longer necessary. Biometric systems, such as fingerprints, hand geometry, and voice, can also be used to restrict physical access to facilities.
Logical access to assets is the same. It is access that is granted to authorized personnel to access information stored on different systems. Logical access control can also be used to control access in different ways. These three modes of access are: read only (users have permission to only read information), read/write (users can read and write information), and execute (users have permission to execute the program). What is the most difficult part of logical access control? It is the administration for the different logical accesses to the resources. “Administration” refers to “implementing, monitoring and modifying, testing, terminating” accesses for various users based on their roles in the system.
Common sense suggests that logical access to multiple systems is possible. There are many access control mechanisms that can be used to support an organization’s security policy. Distributed access control is implemented using Kerberos, LDAP (Lightweight Directory Access Protocol), Kerberos, and XACML [Extensible Control Markup Language] in such a scenario.
2. Identification and authentication of persons and devices
Identification is the first step to uniquely identify the person in order to control access. Authentication is the next step to determine “who you are”. Authorization is the final step that allows you to access information resources based upon your role.
The most commonly used identification methods include account number/PIN (personal ID number), combination, identification badges and user ID.
3. Implementation of identity management
Once you have established security policies, procedures, and guidelines, it is time to start looking at the implementation of access control in a business. Identity management solutions are designed to manage multiple user IDs, accounts, and their roles within a large organization. These are the most popular identity management solutions:
Passwords are still the most straightforward way to authenticate a user. It is possible that the same password could be used for multiple systems. A password management system for enterprises can solve this problem. Password management systems help users create passwords, recover forgotten passwords, and trigger alerts when there are failed login attempts.
Management of accounts
Account management involves the creation, management, and deletion of user accounts across multiple platforms. Account management is time-consuming.