Hemant Patkar

Summary

The provided content offers a comprehensive overview of CISSP Domain 5 - Identity and Access Management (IAM), detailing key concepts, methodologies, and technologies essential for passing the CISSP certification in 2024–25.

Abstract

The CISSP Domain 5 encompasses the principles of controlling physical and logical access to assets, managing identification and authentication processes, implementing federated identity services, and authorization mechanisms. It emphasizes the importance of lifecycle management for identity and access provisioning, as well as the deployment of single and multi-factor authentication systems. The text delves into various access control models such as Discretionary (DAC), Non-Discretionary (NDAC), Role-Based (RBAC), Rule-Based (RuBAC), and Attribute-Based (ABAC) access controls. It also discusses the significance of federated identity management systems like SAML and OAuth 2.0, and the role of cloud-based Identity as a Service (IDaaS) in the context of cloud security challenges. The content serves as a study guide, highlighting the need for a robust IAM framework to ensure secure access to information systems.

Opinions

  • The article suggests that centralized administration in IAM is beneficial for maintaining stringent control over information due to the limited number of individuals with the authority to make changes.
  • It posits that decentralized administration allows for more tailored access control, as it places control in the hands of those most familiar with the information.
  • The text indicates a preference for hybrid approaches in IAM, which combine centralized and decentralized management to balance control and flexibility.
  • The author expresses that Single Sign-On (SSO) systems, while convenient, introduce a single point of failure that can be a significant security issue.
  • It is implied that Kerberos, despite its security features, requires careful implementation to avoid making the Key Distribution Center (KDC) a vulnerability point.
  • The content conveys that biometric systems, while providing accurate authentication, face challenges in gaining user acceptance due to privacy and accuracy concerns.
  • The article suggests that Identity as a Service (IDaaS) in the cloud is a growing trend but raises concerns about availability and the need for Cloud Access Security Brokers (CASB) to mitigate cloud-specific identity and access management issues.
  • It is highlighted that understanding the differences between authentication and authorization protocols, such as SAML, OAuth 2.0, and OpenID Connect, is crucial for effectively managing federated identities and access.

CISSP: Domain 5 — Identity and Access Management : Easy Notes to Pass CISSP Certification in 2024–25

DOMAIN OBJECTIVES

  • Control physical and logical access to assets
  • Manage identification and authentication of people, devices and services
  • Federated identity with third-party services
  • Implement and manage authorization mechanisms
  • Manage the identity and access provisioning lifecycle
  • Implement authentication systems

Control physical and logical access to assets

  • Object: a passive entity, such as a server, that houses information or functionality.
  • Subject: anyone who asks for access to an object or the data contained in an object, such as a user, program, or process.
  • Access: information passing from a subject to an object.

Access Control Systems

Systems, either physical or technological, that are intended to regulate who or what has access to a network. The most basic illustration is a door that can be locked, preventing individuals from entering from either side.

  • By whom: employees, third parties, visitors, anonymous users; by what: devices, named or anonymous.
  • To what: assets such as information, systems, equipment, and infrastructure.

There are two types of Access Control systems

Physical (e.g. a physical lock)
  • History of “whom” and “when”
  • Time and attendance

Technical/Logical
  • Built into the operating system
  • Part of the logic of an application or database
  • Third-party products
  • Controls over communication

Administration Approach

  1. Centralized
  2. Decentralized
  3. Hybrid

Centralized administration

1) By centralized administration, we mean that one component is in charge of setting up access controls so that users can access data and carry out their necessary tasks.

2) The key benefit of centralized administration is the ability to keep extremely stringent control over information because very few people have the authority to make changes. Simple to Control.

3) Uniform and consistent standards and procedures.

Decentralized administration (user decides)

1) In contrast to centralized administration, decentralized administration means that the owners or authors of the files, whoever or wherever they may be, control access to information.

2) Control is in the hands of those who are most responsible for the information, most knowledgeable about it, and best equipped to determine who should be able to do what with it; this is the benefit of decentralized administration.

3) One drawback, however, is that the methods and standards for granting user access and capabilities may not be uniform among creators/owners.

4) Another drawback is that it could be more challenging to create a system-wide view of all user access to the system at any given time when requests are not centrally processed.

Hybrid approach

  1. A hybrid approach allows for both centralized and decentralized management of certain types of information. One usual approach is that the file creators/owners govern the types of access or users’ capabilities for the files under their control, while central administration is in charge of the broadest and most basic access.

Manage identification and authentication of people, devices, and services

Identification, Authentication, and Authorization

Relationship between identification, authentication, and authorization:
  • Identification provides uniqueness
  • Authentication provides validity of the identity
  • Authorization provides control over access levels

Identification
  1. It is the first step in all access control and asserts a distinct identity for a person or system.
  2. It is impossible to decide how to implement the proper controls without adequate identification.

Authentication
  1. It is the process of confirming a user’s identity.
  2. The user gives a set of personal information that only they have access to or knowledge of: something you own, along with something you know and something you are.
  3. Auditing (accountability) won’t be successful without authentication.

Authorization
  1. The process of identifying the precise resources a user requires.
  2. And figuring out what kind of access the user might have to those resources.

Identification Methods

  • Identification / access badge
  • User ID
  • MAC address
  • Account number
  • RFID / FASTag
  • IP address

SSO (SINGLE SIGN ON)

  1. Single sign-on (SSO) enables users to log in only once and then be automatically authenticated when accessing other resources.
  2. A unified login experience.
  3. A central database for user credentials (such as passwords and user IDs linked to a number of applications).
  4. Authenticates once.
  5. The SSO client mimics a user entering his or her own user ID and password.
  6. A single point of failure is the main issue.

Weakness of centralized SSO systems
  1. A single password is used to safeguard all of a user’s credentials in centralized SSO systems.
  2. Many SSO systems maintain a single database that contains all user credentials and authentication data.

KERBEROS PROTOCOL

  • Uses symmetric encryption (AES).
  • The primary goal of Kerberos is to ensure private communications between systems over a network.
  • An SSO authentication system that provides enhanced security features.

The Kerberos security system guards a network with three elements:
  • Authentication
  • Authorization
  • Auditing

Based on the interaction between three systems:
  • Requesting system
  • Endpoint destination server
  • Kerberos server, or Key Distribution Center (KDC), which issues the ticket

Kerberos Authentication Process

Kerberos tickets
  • To request and obtain service tickets, the user must first authenticate once using a conventional log-on process and be confirmed by message encryption.
  • The user obtains a TGT (Ticket Granting Ticket) only after successfully authenticating with the AS (Authentication Server).
  • The TGT enables the user to ask the TGS (Ticket Granting Service) for a service ticket, authenticate using encryption procedures, and receive an ST (Service Ticket) for the user to present to the target resource system.
  • Possession of the ST denotes that the user has been verified and that access may now be granted.
  • Tickets have a limited lifetime.

Limitations of Kerberos:
  • The security of the whole system depends on careful implementation.
  • The KDC can be a target.
  • The KDC can be a single point of failure and should be supported by backup and continuity plans.
  • The length and lifetime of the keys is very important.
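The ticket exchange described in the two lists above, as an added example that is not part of the original notes: a simplified Kerberos flow in Python in which the KDC plays both AS and TGS, the user obtains a TGT, trades it for a Service Ticket (ST), and the target server accepts the ST on the strength of its own long-term key without ever talking to the KDC. The principals "alice" and "fileserver", the 300-second ticket lifetime and the cipher are constructed for the demo; the cipher is a SHA-256 keystream with an HMAC tag standing in for AES, not the real Kerberos encryption types or message formats. The expiry check at the end is the "tickets have a lifetime" point from the notes.

```python
import hashlib
import hmac
import json
import os
import time

# Toy authenticated encryption standing in for Kerberos' symmetric cipher. The notes say AES;
# this SHA-256 keystream plus HMAC tag is an illustrative stand-in, not AES.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under a symmetric key: nonce | ciphertext | tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under `key` (wrong key or tampered bytes), else decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Server (AS) and Ticket Granting Service (TGS) sharing one key store."""
    def __init__(self, ticket_lifetime: int = 300):
        self.keys = {}                   # principal -> long-term key (users and services)
        self.tgs_key = os.urandom(32)    # known only to the KDC; TGTs are sealed under it
        self.lifetime = ticket_lifetime

    def register(self, principal: str, key: bytes) -> None:
        self.keys[principal] = key

    def as_exchange(self, user: str, now: int):
        """AS-REQ/AS-REP: the reply is sealed under the user's key, so only that user can read it."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "sess": session, "exp": now + self.lifetime})
        return tgt, seal(self.keys[user], {"sess": session, "exp": now + self.lifetime})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: validate TGT and authenticator, then issue a Service Ticket (ST)."""
        t = unseal(self.tgs_key, tgt)
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        sess = bytes.fromhex(t["sess"])
        auth = unseal(sess, authenticator)   # proves the requester holds the TGT session key
        if auth["user"] != t["user"] or abs(now - auth["ts"]) > 60:
            raise PermissionError("authenticator rejected")
        svc_sess = os.urandom(32).hex()
        st = seal(self.keys[service], {"user": t["user"], "sess": svc_sess, "exp": now + self.lifetime})
        return st, seal(sess, {"sess": svc_sess, "service": service})

def client_login(kdc: KDC, user: str, user_key: bytes, now: int):
    """Step 1 (user side): log on once, get the TGT and the TGT session key."""
    tgt, reply = kdc.as_exchange(user, now)
    return tgt, bytes.fromhex(unseal(user_key, reply)["sess"])

def client_get_service_ticket(kdc: KDC, user: str, tgt: bytes, sess: bytes, service: str, now: int):
    """Step 2 (user side): present TGT + fresh authenticator, get an ST and a service session key."""
    st, reply = kdc.tgs_exchange(tgt, seal(sess, {"user": user, "ts": now}), service, now)
    return st, bytes.fromhex(unseal(sess, reply)["sess"])

def service_accept(service_key: bytes, st: bytes, authenticator: bytes, now: int) -> str:
    """Step 3 (target server): a valid, unexpired ST under its own key is the proof of identity."""
    t = unseal(service_key, st)
    if now > t["exp"]:
        raise PermissionError("service ticket expired")
    if unseal(bytes.fromhex(t["sess"]), authenticator)["user"] != t["user"]:
        raise PermissionError("authenticator rejected")
    return t["user"]

def demo(delay: int = 0, now: int = None) -> str:
    """Full flow for the constructed principals 'alice' and 'fileserver'; `delay` ages the ST."""
    now = int(time.time()) if now is None else now
    kdc, alice_key, files_key = KDC(ticket_lifetime=300), os.urandom(32), os.urandom(32)
    kdc.register("alice", alice_key)
    kdc.register("fileserver", files_key)
    tgt, sess = client_login(kdc, "alice", alice_key, now)
    st, svc_sess = client_get_service_ticket(kdc, "alice", tgt, sess, "fileserver", now)
    later = now + delay
    return service_accept(files_key, st, seal(svc_sess, {"user": "alice", "ts": later}), later)

def expired_ticket_rejected() -> bool:
    """The ST lifetime is 300 s, so presenting it 600 s later must fail."""
    try:
        demo(delay=600)
        return False
    except PermissionError:
        return True

if __name__ == "__main__":
    print("service granted access to:", demo())
    print("expired ticket rejected:", expired_ticket_rejected())
```

Note what each party can and cannot read: the user never sees the TGS key (the TGT is opaque to them), the file server never sees the user's key, and the KDC is the only place where all keys live, which is exactly why the notes call it both a target and a single point of failure.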

SESAME: (Alternative to Kerberos)

Supports both Symmetric and Asymmetric encryption

SINGLE / MULTIFACTOR AUTHENTICATION

  • Something you know, e.g. a password or PIN.
  • Something you have, e.g. a token.
  • Something you are, e.g. biometrics.
  • Somewhere you are, e.g. location-based authentication.

TOKENS

HARD TOKEN TYPES

SOFT TOKENS

Soft token implementation
  • Stored on a general-purpose computer.
  • Requires activation through a second factor.
  • Private keys must be non-exportable.
  • Never store keys in plaintext or unencrypted form.
  • Biggest concern: human error.

Compared to hard tokens:
  • Generally cheaper to implement.
  • Easier to manage than hard tokens.

BIOMETRIC

  • Biometric systems check for 95% accuracy.
  • Biometric systems provide accurate authentication but are the least accepted.
  • Biometric examples: fingerprint, retina scan.
  • Biometric devices rely on measurements of the biological characteristics of an individual.
  • Gaining user acceptance is the most common difficulty with biometric systems.
  • Selected individual characteristics are stored and compared with the presented template.

Authorization Mechanisms

DISCRETIONARY ACCESS CONTROL (DAC)

NON-DISCRETIONARY ACCESS CONTROL (NDAC)

ROLE BASED ACCESS CONTROL (RBAC)

RULE BASED ACCESS CONTROL (RuBAC)

It’s a DAC model.
  • Access is based on a list of predefined rules that determine what access should be granted.
  • The rules, created or authorized by system owners, specify the privileges granted to users when a specific condition of a rule is met.
  • E.g. firewall rules, or “allow this user access from 9 am to 5 pm, otherwise reject”.
  • Access is based on situational if-then rules.
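Added example, not from the original notes: a minimal rule-based access control engine in Python that evaluates an ordered list of if-then rules firewall style (first match wins, implicit final deny), including the "9 am to 5 pm" example from the list above. The user names, the resource name and the CIDR ranges are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time as dtime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    """One if-then rule. Every condition that is set must hold; unset conditions match anything."""
    action: str                          # "allow" or "deny"
    subject: Optional[str] = None        # user name
    resource: Optional[str] = None       # what is being accessed
    start: Optional[dtime] = None        # time-of-day window (inclusive)
    end: Optional[dtime] = None
    src_net: Optional[str] = None        # source network in CIDR form, firewall style

    def matches(self, subject: str, resource: str, when: datetime, src_ip: str) -> bool:
        if self.subject is not None and self.subject != subject:
            return False
        if self.resource is not None and self.resource != resource:
            return False
        if self.start is not None and self.end is not None:
            if not (self.start <= when.time() <= self.end):
                return False
        if self.src_net is not None and ip_address(src_ip) not in ip_network(self.src_net):
            return False
        return True

def evaluate(rules: List[Rule], subject: str, resource: str, when: datetime,
             src_ip: str) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins, as in a firewall; no match at all means the implicit final deny."""
    for rule in rules:
        if rule.matches(subject, resource, when, src_ip):
            return rule.action, rule
    return "deny", None

# Constructed rule set: a blocked network is listed first so it wins over any later allow,
# then the notes' "9 am to 5 pm" example restricted to the internal network.
RULES = [
    Rule("deny", src_net="192.0.2.0/24"),
    Rule("allow", subject="alice", resource="payroll",
         start=dtime(9, 0), end=dtime(17, 0), src_net="10.0.0.0/8"),
]

def decide(subject: str, resource: str, when: datetime, src_ip: str) -> str:
    return evaluate(RULES, subject, resource, when, src_ip)[0]

if __name__ == "__main__":
    for when, ip in [(datetime(2024, 1, 15, 10, 30), "10.1.2.3"),
                     (datetime(2024, 1, 15, 19, 0), "10.1.2.3"),
                     (datetime(2024, 1, 15, 10, 30), "192.0.2.7")]:
        print(when.time(), ip, "->", decide("alice", "payroll", when, ip))
```

Rule order is part of the policy: swapping the two rules would let alice in from the blocked network during office hours, which is the classic misordering mistake in firewall rule bases.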

MANDATORY ACCESS CONTROL (MAC)

ATTRIBUTE BASED ACCESS CONTROL (ABAC)

ACCESS CONTROL LIFECYCLE

Identity and Access Management (IAM)
  • Obtain visibility and control over user access privileges: who has access to what.
  • Detective controls.
  • Corrective controls (periodic recertification).
  • Access policy with implementing rules.
  • Automated account reconciliation to detect unauthorized changes.
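Added example, not from the original notes: an automated account reconciliation in Python, the detective control the IAM list above describes. It compares a constructed "approved access" record (what the access-request system says should exist, and when the owner last recertified it) against a constructed dump of a target system's group memberships, and reports the findings that would drive a corrective action: unapproved accounts, leavers not deprovisioned, excess privilege, missing accounts, and overdue recertification. The account names, groups and dates are all constructed.

```python
from datetime import date, timedelta

# Constructed source of truth: what the access-request / HR system says each user should have,
# plus when the data owner last recertified that access.
APPROVED = {
    "alice": {"groups": {"staff", "finance"}, "status": "active", "certified": date(2024, 3, 1)},
    "bob":   {"groups": {"staff"}, "status": "active", "certified": date(2023, 9, 1)},
    "carol": {"groups": {"staff"}, "status": "terminated", "certified": date(2024, 1, 10)},
    "dave":  {"groups": {"staff"}, "status": "active", "certified": date(2024, 3, 1)},
}

# Constructed actual state: group membership as dumped from the target system on the audit date.
ACTUAL = {
    "alice": {"staff", "finance", "admins"},   # "admins" was never approved
    "bob": {"staff"},
    "carol": {"staff"},                        # leaver whose account was never removed
    "svc-backup": {"admins"},                  # account with no approval record at all
}

AUDIT_DATE = date(2024, 4, 1)   # constructed date the reconciliation runs

def reconcile(approved, actual, today, recert_days=90):
    """Detective control: compare the target system against approved access and return
    sorted (finding, account, detail) triples for anything that needs a corrective action."""
    findings = []
    for account, groups in actual.items():
        rec = approved.get(account)
        if rec is None:
            findings.append(("UNAPPROVED_ACCOUNT", account, sorted(groups)))
            continue
        if rec["status"] != "active":
            findings.append(("DEPROVISION_OVERDUE", account, sorted(groups)))
            continue
        extra = groups - rec["groups"]
        if extra:
            findings.append(("EXCESS_PRIVILEGE", account, sorted(extra)))
        if today - rec["certified"] > timedelta(days=recert_days):
            findings.append(("RECERTIFICATION_DUE", account, rec["certified"].isoformat()))
    for account, rec in approved.items():
        if rec["status"] == "active" and account not in actual:
            findings.append(("MISSING_ACCOUNT", account, sorted(rec["groups"])))
    return sorted(findings)

def demo_findings():
    return reconcile(APPROVED, ACTUAL, today=AUDIT_DATE)

if __name__ == "__main__":
    for finding in demo_findings():
        print(*finding)
```

Each finding type maps to a different corrective owner: excess privilege and unapproved accounts go back to the data owner, overdue deprovisioning to the joiner/mover/leaver process, and recertification reminders to whoever runs the periodic review.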

JUST IN TIME ACCESS

FEDERATIONS

FEDERATED IDENTITY

  1. Federated identity systems allow trusted access and verification across multiple organizations.
  2. A federated identity is a portable identity that can be used across business entitlements. It allows a user to be authenticated across multiple IT systems and enterprises.
  3. Examples: OAuth, OpenID.
  4. Federated identity management: each organization in the federation subscribes to a common:
     • set of policies, standards, and procedures for provisioning and managing user identification, authentication, and authorization information;
     • trusted access and verification across multiple organizations.
  5. Federated identities link user profile information at multiple locations without synchronization or directory consolidation (e.g. TCS UK and TCS India have the same desktop profiles).

SAML (Security Assertion Markup Language)

  1. SAML’s primary goal is authentication.
  2. An XML standard that permits the transfer of authentication and permission information between security domains.
  3. The identity of the subjects and authorization decisions regarding their level of access are conveyed in the form of assertions through a secure HTTP connection.
  4. It enables web-based authentication and authorization scenarios, including SSO, and provides the authentication components to the federated identity management system.
  5. A claim, statement, or declaration of fact made by a SAML authority is known as an assertion.

There are 3 roles in SAML:

  1. IdP (Identity Provider): makes an assertion about another identity, based on information.
  2. SP (Service Provider): the relying party that is being asked to provide its service or resource.
  3. Subject: the entity that is the subject of the assertion, usually a person.

The four primary components of SAML are:

  1. Assertion
  2. Binding
  3. Protocol
  4. Profile

XACML (Extensible Access Control Markup Language)

  • Designed for authorization and to describe access control.
  • It commonly implements policies as an attribute-based access control system but can use role-based access control.
  • It helps assure all members in a federation that they are granting the same level of access to different roles.
  • XACML and SAML are used together to create a federated IAM system.
  • SAML shares authentication (XML token) and authorization details; the authorization details are XACML.
  • SAML is used to share authentication data between multiple services and applications.

Exam tip: if a question talks about ONLY authorization managed via RBAC, the answer is XACML.

Also used in SDN (Software Defined Networking).

  1. OAUTH 2.0 (AUTHORIZATION)

OAuth differs from OpenID and SAML in being exclusively for authorization purposes, not for authentication purposes.

The OAuth specification defines the following roles:

  1. The end user, or the entity that owns the resources in question.
  2. The resource server (OAuth provider), which is the entity hosting the resource.
  3. The client (OAuth consumer), which is the entity looking to consume the resource after getting authorization.

2. OPEN ID CONNECT (AUTHENTICATION)

  1. OpenID is a free standard allowing other parties to authenticate users.
  2. Single sign-on scenarios are made possible by OpenID Connect.
  3. Uses OpenID but with a JavaScript Object Notation (JSON) Web Token (JWT), also known as an ID token.
  4. The token contains a field signed with the shared secret, providing the relying party with assurance that the user is authenticated.
  5. OpenID Connect also makes use of simple REST/JSON message flows, with the design goal of making complicated things possible.

Three roles are specified by the OpenID specification:

  1. An entity or end user seeking to confirm its identity.
  2. RP, or Relying Party: the organization tasked with confirming the user’s identity.
  3. OP, or OpenID Provider: the OP registers the OpenID URL and has the authority to confirm the end user’s identity.

SUMMARY

IDaaS (IDENTITY AS A SERVICE)

  • Identity as a Service (IDaaS) in the cloud, also known as CASB (Cloud Access Security Broker), is a component of cloud-based IDM solutions.
  • As a digital identity, IDaaS provides administration of identity or information.
  • You can use this identity for online transactions.
  • When something has an identity, it has a number of characteristics that help people recognize it.
  • A combination of administration and account provisioning, authentication, authorization, and reporting functions.
  • A cloud-based service that mediates identity and access management functions to the target system/application on the premises of the client and/or in the cloud.
  • IDaaS offers cloud-based services that connect target systems on the customer’s premises with IAM capabilities.
  • SaaS and IDaaS are frequently combined.
  • Availability is the main issue.

CLOUD SECURITY

Cloud identity and access management problems

  1. APIs: although some interfaces may be provided by providers, it’s unlikely that they will provide all of them.
  2. Authorization mapping: as identity is maintained by the cloud provider, how users are given privileges may need to alter.
  3. Audit: it may be challenging to get providers to produce logs, since they must be careful not to reveal data from other clients who share virtual machine tenancy.
  4. Privacy: private user data is transmitted over the Internet and kept on servers that are not under your direct control. This poses a significant risk to the company.
  5. Latency: pushing configurations to the cloud may take some time. Risk may arise if user rights are changed slowly.
  6. App identity: if you want to ensure that the identities of your cloud-based users aren’t being used by illegal apps, note that apps may not always validate a client’s identity.
  7. Mobile: cloud service providers frequently provide mobile applications, adding another system and attack surface that you must protect.

Review the brief explanation of Domain 5 below (by Destination Certification) for a last-minute overview.

