Identity and Access Management: CISSP, #5
About this ebook
Identity and Access Management is the 5th domain of the CISSP common body of knowledge. Some of the main topics we will cover in this course include: theory and concepts of identity in access management, discretionary and mandatory access control, types of controls and related risk and access control attacks.
Selwyn Classen
A seasoned and highly qualified IT/IS professional with over 20 years working experience within the Petrochemical industry (i.e. Supply chain management, Knowledge management, Product and Quality management, Business analysis and processing) including the Telecommunications industry.
Book preview
Identity and Access Management - Selwyn Classen
While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
IDENTITY AND ACCESS MANAGEMENT
First edition. April 2, 2020.
Copyright © 2020 Selwyn Classen.
Written by Selwyn Classen.
Table of Contents
Identity and Access Management
Course Outline
Control Physical and Logical Access to Assets
Layered Defense
Controls
Key Points
Manage Identification & Authentication of People and Devices
What You Have
Authorization
Single Sign-On
Kerberos
Credential Management Systems
Summary
Integrate Identity as a Service
Integrate Third-party Identity Services
Implement and Manage Authorization Mechanisms
Rule-Based Access Control
Context-Dependent Access Control
Summary
Prevent or Mitigate Access Control Attacks
Summary
Manage the Identity and Access Provisioning Lifecycle
Summary
Identity and Access Management
This course is an outline of the Identity and Access Management domain of the CISSP, which covers the theories, threats and concepts that are part of managing access to a diverse set of technologies and systems.
Course Outline
Identity and Access Management is one of the 8 domains that make up the CISSP examination. This course is an overview of identity and access management, including the theories, threats and concepts that are part of managing access to a diverse set of technologies and systems. This course will help you prepare for the Certified Information Systems Security Professional (CISSP) examination. Some of the main topics we will cover include: theory and concepts of identity in access management, discretionary and mandatory access control, types of controls and related risk, and access control attacks. By the end of this course, you will have an understanding of identity and access management.
Control Physical and Logical Access to Assets
Welcome to the CISSP Identity and Access Management domain. This domain is critically important as you prepare for the CISSP. In this first area, we're going to look at how we control physical and logical access to our assets. This starts with controlling access and managing identity, and in this course we're going to help you prepare for the Identity and Access Management domain of the CISSP examination. We're going to cover the concepts of managing both external and internal access and identities, something that has made our lives an awful lot more difficult, and we're going to take a look at some of the threats to the access control systems and technologies we use today.
This domain makes up about 13% of the CISSP examination, or about 30 questions. The area of access controls includes both physical access and logical (sometimes called technical) access. We need to manage access: that is, we grant access to those who should have it and deny it to those who should not, and when we grant access, we grant the correct level of access to the person. In doing so, we protect our assets. Those assets include information that is sensitive, critical or protected by regulation; the information systems that support our various job functions and critical infrastructure, as well as access to the information itself; devices, which we need to protect from contamination or corruption; and of course our buildings, so that only authorized personnel can get into them, and only into the areas they should be allowed into.
In all of these ways, when we manage access to assets, the primary people we're going to manage are our internal employees. Our customers and so on are external, but the internal employees are the ones that have the highest level of access, and they include everyone from users to the administrators who manage and operate our systems on our behalf. External parties are one of the things that has changed the world of access control in the past few decades. We have moved from access control where the only people on our systems were primarily internal to a situation where the majority of people accessing our systems and data are external: they are customers, they are web application clients, and we have to carefully manage those external entities so they don't have a level of access that would allow them to compromise our systems. We manage access granted to people but also to processes, because today we have links with other organizations that can pass information through a defined and carefully regulated process. Identity and access management is an important area of responsibility for a security manager, and it is one of the areas of greatest risk to the organization if it is not properly managed. The management of identity and access controls includes provisioning access, managing that access while the person is an employee, and removing it when it should no longer be granted.
We also need to check how well our access control system is working. We review the logs, and we monitor to ensure that no one is trying to access things they shouldn't; we may also detect through our logs some types of attack precursors, the indications that somebody is probing and trying to get into our system. There are many risks associated with access control: compromise of the confidentiality of our systems and information, compromise of the integrity of our data, and loss of availability of the systems or data that are so essential to business processes. All of these are important, and when we consider risk, we should consider the risk to the protection of our assets, which includes the risk of improper access to data but also the risk of improper access to systems.
An asset is defined as an item or property that's of value to its owner. Many assets are tangible, such as money or a