Chapter 6: Domain 5: Identity and Access Management (IAM)

Abstract

The Identity and Access Management domain focuses on appropriately controlling access to data and systems. Proper identification and authentication must precede granting any access. The domain explores various aspects of single and multifactor authentication (MFA), including deficiencies of password-only authentication, challenges with biometrics, and the use of tokens. The domain demonstrates the need for credential management and Single Sign-On (SSO) on-premises and recognizes organizations’ growing use of cloud identity providers and Federated Identity Management (FIM). The domain explores authentication and authorization protocols such as Kerberos, SAML, OAuth, and OpenID Connect (OIDC). After appropriate identification and authentication, attention turns to authorization and proper application of access control models such as Mandatory (MAC), Discretionary (DAC), Attribute-Based (ABAC), and Role-Based Access Control (RBAC). The domain concludes by exploring the entire identity and access provisioning lifecycle to ensure appropriate controls are applied, emphasizing the importance of privileged access monitoring.

Keywords

Authentication; Multifactor authentication (MFA); Biometrics; Authorization; Access control; Single Sign-On (SSO); Federated Identity Management (FIM); Mandatory Access Control (MAC); Role-Based Access Control (RBAC); Attribute-Based Access Control (ABAC)

EXAM OBJECTIVES IN THIS CHAPTER:

  • Identity and Access Provisioning
  • Authentication Methods
  • Access Control Technologies
  • Access Control Models
  • Federated Identity Management (FIM)

Unique Terms and Definitions

  • Crossover Error Rate (CER)—describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal
  • Discretionary Access Control (DAC)—gives subjects full control of objects they have created or been given access to, including sharing the objects with other subjects
  • False Accept Rate (FAR)—occurs when an unauthorized subject is accepted by the biometric system as valid. Also called a Type II error
  • False Reject Rate (FRR)—occurs when an authorized subject is rejected by the biometric system as unauthorized. Also called a Type I error
  • Mandatory Access Control (MAC)—system-enforced access control based on subject’s clearances and object’s labels
  • Role-Based Access Control (RBAC)—subjects are grouped into roles and each defined role has access permissions based upon the role, not the individual
  • Attribute-Based Access Control (ABAC)—a newer approach to access control that can determine access permissions based upon considering various attributes of the subjects and objects at the time of the access request
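The CER, FAR and FRR definitions above are easiest to see with numbers. The following added example (not from the book) takes a constructed set of match scores from a hypothetical biometric matcher, computes the False Accept Rate (Type II) and False Reject Rate (Type I) at each acceptance threshold, and locates the crossover point where the two are equal. The score values and the 0–100 scale are assumptions made for the illustration.

```python
# Added example, not from the book: FAR, FRR and CER for a biometric matcher.
#
# Constructed sample data (not real measurements): similarity scores on an
# assumed 0-100 scale. "Genuine" scores come from authorized subjects compared
# against their own enrolled template; "impostor" scores come from unauthorized
# subjects compared against someone else's template.
GENUINE_SCORES = [92, 88, 85, 83, 80, 78, 75, 72, 70, 65]
IMPOSTOR_SCORES = [20, 25, 30, 35, 40, 45, 50, 55, 60, 68]


def far(threshold, impostor_scores=IMPOSTOR_SCORES):
    """False Accept Rate (Type II error): fraction of impostor attempts the
    system accepts because their score reaches the threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(threshold, genuine_scores=GENUINE_SCORES):
    """False Reject Rate (Type I error): fraction of genuine attempts the
    system rejects because their score falls below the threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_curve(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (threshold, FAR, FRR) for each threshold; raising the threshold
    lowers FAR and raises FRR, which is the trade-off CER summarizes."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Crossover Error Rate: scan integer thresholds and return
    (threshold, cer) at the point where |FAR - FRR| is smallest.
    With discrete data the curves may not meet exactly, so the CER is
    reported as the mean of FAR and FRR at that threshold."""
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    _, t, cer = best
    return t, cer


if __name__ == "__main__":
    for t, a, r in error_curve(range(40, 96, 5)):
        print(f"threshold={t:3d}  FAR={a:.2f}  FRR={r:.2f}")
    t, cer = crossover_error_rate()
    print(f"CER ~ {cer:.2f} at threshold {t}")
```

A lower CER indicates a more accurate matcher, but the threshold an organization actually deploys is a policy choice: a high-security door may be tuned toward low FAR (accepting more false rejects), while a convenience-oriented login may be tuned the other way.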
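The four access control models defined above differ mainly in who decides and what information the decision uses. The following added example (not from the book) gives a minimal decision function for each: MAC comparing a subject's clearance against an object's label, DAC with an owner-controlled ACL that the owner may share, RBAC with permissions attached to roles, and ABAC evaluating subject, object and environment attributes at request time. The clearance levels, roles, permission names and attribute names are constructed for illustration.

```python
# Added example, not from the book: one small decision function per access
# control model. All subjects, objects, roles and attributes are constructed.

# MAC: the system enforces a label lattice; neither subject nor owner can
# override it. Assumed four-level ordering for the illustration.
CLEARANCE_ORDER = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allows_read(subject_clearance, object_label):
    """MAC read check: allowed only when the subject's clearance dominates
    the object's label (the 'no read up' rule)."""
    return CLEARANCE_ORDER[subject_clearance] >= CLEARANCE_ORDER[object_label]


class DacObject:
    """DAC: the creator owns the object and controls its ACL, including
    sharing it with other subjects."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "share"}}

    def grant(self, granter, grantee, perm):
        # Only a subject holding 'share' (initially just the owner) may
        # extend access; a plain 'read' grant does not confer that right.
        if "share" not in self.acl.get(granter, set()):
            return False
        self.acl.setdefault(grantee, set()).add(perm)
        return True

    def allows(self, subject, perm):
        return perm in self.acl.get(subject, set())


# RBAC: permissions belong to roles; users hold permissions only through
# role membership, never individually.
ROLE_PERMISSIONS = {
    "analyst": {"read:ticket", "comment:ticket"},
    "admin": {"read:ticket", "comment:ticket", "close:ticket"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}, "carol": set()}


def rbac_allows(user, perm):
    return any(perm in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def abac_allows(subject, obj, env):
    """ABAC: the policy is a predicate over attributes of the subject, the
    object and the environment, evaluated when the request is made."""
    same_department = subject["department"] == obj["department"]
    business_hours = 8 <= env["hour"] < 18
    return same_department and business_hours and env["mfa"]


if __name__ == "__main__":
    print("MAC  secret -> confidential:", mac_allows_read("secret", "confidential"))
    doc = DacObject("alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob read after owner grant:", doc.allows("bob", "read"))
    print("RBAC alice close:ticket:", rbac_allows("alice", "close:ticket"))
    print("ABAC in-dept, 10:00, MFA:", abac_allows(
        {"department": "finance"}, {"department": "finance"}, {"hour": 10, "mfa": True}))
```

Note how the DAC object lets the owner widen access at will, which is exactly why DAC alone is considered insufficient for classified data, whereas the MAC check has no path by which a subject can grant itself a higher clearance.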