CISSP® Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson. CISSP Official Study Guide. Sybex, 2018.

Chapter 13: Managing Identity and Authentication

Account Revocation

When employees leave an organization for any reason, it is important to disable their user accounts as soon as possible. This includes when an employee takes a leave of absence. Whenever possible, HR personnel should have the ability to perform this task because they are aware when employees are leaving for any reason. As an example, HR personnel know when an employee is about to be terminated, and they can disable the account during the employee exit interview.
If a terminated employee retains access to a user account after the exit interview, the risk for sabotage is very high. Even if the employee doesn't take malicious action, other employees may be able to use the account if they discover the password. Logs will record the activity in the name of the terminated employee instead of the person actually taking the action.

It's possible the account will be needed, such as to access encrypted data, so it should not be deleted right away. When it's determined that the account is no longer needed, it should be deleted. Accounts are often deleted within 30 days after an account is disabled, but it can vary depending on the needs of the organization.

Many systems have the ability to set specific expiration dates for any account. These are useful for temporary or short-term employees and automatically disable the account on the expiration date, such as after 30 days for a temporary employee hired on a 30-day contract. This maintains a degree of control without requiring ongoing administrative oversight.
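The revocation policy described above (disable at termination or on the expiration date, delete once a retention window has passed, and treat logins recorded under a terminated employee's name as a sign that someone else is using the account) as an added Python example; it is not code from the book. The account fields, the 30-day deletion window and the log line format are assumptions, and all data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: disabled accounts are deleted after 30 days (a common value per the text).
DELETE_AFTER_DISABLED = timedelta(days=30)

@dataclass
class Account:
    username: str
    enabled: bool
    termination_date: Optional[date] = None   # set by HR at the exit interview
    expiration_date: Optional[date] = None    # for temporary / contract accounts
    disabled_on: Optional[date] = None        # when the account was disabled

def review_accounts(accounts, today):
    """Return the lifecycle action each account needs as of `today`."""
    actions = {}
    for a in accounts:
        if a.enabled and a.termination_date and a.termination_date <= today:
            actions[a.username] = "disable"   # employee has left: disable immediately
        elif a.enabled and a.expiration_date and a.expiration_date <= today:
            actions[a.username] = "disable"   # contract ended: expiration date reached
        elif not a.enabled and a.disabled_on and today - a.disabled_on >= DELETE_AFTER_DISABLED:
            actions[a.username] = "delete"    # disabled long enough; no longer needed
        else:
            actions[a.username] = "keep"
    return actions

def find_post_termination_logins(accounts, log_lines):
    """Flag successful logins recorded under a terminated employee's name."""
    terminated = {a.username: a.termination_date for a in accounts if a.termination_date}
    alerts = []
    for line in log_lines:                   # assumed format: "<date> <user> <event>"
        ts, user, event = line.split(" ", 2)
        if event == "LOGIN_SUCCESS" and user in terminated and date.fromisoformat(ts) > terminated[user]:
            alerts.append((user, ts))
    return alerts

# Constructed sample data.
ACCOUNTS = [
    Account("jdoe", enabled=True, termination_date=date(2024, 5, 1)),
    Account("tcontract", enabled=True, expiration_date=date(2024, 4, 30)),
    Account("oldacct", enabled=False, disabled_on=date(2024, 3, 1)),
    Account("asmith", enabled=True),
]
LOG_LINES = [
    "2024-04-28 jdoe LOGIN_SUCCESS",
    "2024-05-03 jdoe LOGIN_SUCCESS",   # after termination: someone is using the account
    "2024-05-03 asmith LOGIN_SUCCESS",
]
TODAY = date(2024, 5, 3)
```

Running `review_accounts(ACCOUNTS, TODAY)` yields disable actions for jdoe and tcontract, a delete for oldacct, and keep for asmith; `find_post_termination_logins` flags only the jdoe login on 2024-05-03.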
Summary

Domain 5 of the CISSP Common Body of Knowledge is Identity and Access Management (IAM). It covers the management, administration, and implementation aspects of granting or restricting access to assets. Assets include information, systems, devices, facilities, and personnel. Access controls restrict access based on relationships between subjects and objects. Subjects are active entities (such as users), and objects are passive entities (such as files).

Three primary types of access controls are preventive, detective, and corrective. Preventive access controls attempt to prevent incidents before they occur. Detective access controls attempt to detect incidents after they've occurred. Corrective access controls attempt to correct problems caused by incidents once they've been detected.

Controls are implemented as administrative, logical, and physical. Administrative controls are also known as management controls and include policies and procedures. Logical controls are also known as technical controls and are implemented through technology. Physical controls use physical means to protect objects.

The four primary access control elements are identification, authentication, authorization, and accountability. Subjects (users) claim an identity, such as a username, and prove the identity with an authentication mechanism such as a password. After authenticating subjects, authorization mechanisms control their access and audit trails log their activities so that they can be held accountable for their actions.

The three primary factors of authentication are something you know (such as passwords or PINs), something you have (such as smartcards or tokens), and something you are (identified with biometrics). Multifactor authentication uses more than one authentication factor, and it is stronger than using any single authentication factor.
Single sign-on allows users to authenticate once and access any resources in a network without authenticating again. Kerberos is a popular single sign-on authentication protocol using tickets for authentication. Kerberos uses a database of subjects, symmetric cryptography, and time synchronization of systems to issue tickets.

Federated identity management is a single sign-on solution that can extend beyond a single organization. Multiple organizations create or join a federation and agree on a method to share identities between the organizations. Users can authenticate within their organization and access resources in other organizations without authenticating again. SAML is a common protocol used for SSO on the internet.

AAA protocols provide authentication, authorization, and accounting. Popular AAA protocols are RADIUS, TACACS+, and Diameter.

The identity and access provisioning lifecycle includes the processes to create, manage, and delete accounts used by subjects. Provisioning includes the initial steps of creating the accounts and ensuring that they are granted appropriate access to objects. As users' jobs change, they often require changes to the initial access. Account review processes ensure that account modifications follow the principle of least privilege. When employees leave the organization, accounts should be disabled as soon as possible and then deleted when they are no longer needed.
Exam Essentials