Identity and Access Management: CISSP, #5
About this ebook
Identity and Access Management is the 5th domain of the CISSP common body of knowledge. Some of the main topics we will cover in this course include: theory and concepts of identity in access management, discretionary and mandatory access control, types of controls and related risk and access control attacks.
Selwyn Classen
A seasoned and highly qualified IT/IS professional with over 20 years of working experience in the Petrochemical industry (supply chain management, knowledge management, product and quality management, business analysis and processing) and in the Telecommunications industry.
Book preview
Identity and Access Management - Selwyn Classen
While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
IDENTITY AND ACCESS MANAGEMENT
First edition. April 2, 2020.
Copyright © 2020 Selwyn Classen.
Written by Selwyn Classen.
Table of Contents
Identity and Access Management
Course Outline
Control Physical and Logical Access to Assets
Layered Defense
Controls
Key Points
Manage Identification & Authentication of People and Devices
What You Have
Authorization
Single Sign-On
Kerberos
Credential Management Systems
Summary
Integrate Identity as a Service
Integrate Third-party Identity Services
Implement and Manage Authorization Mechanisms
Rule-Based Access Control
Context-Dependent Access Control
Summary
Prevent or Mitigate Access Control Attacks
Summary
Manage the Identity and Access Provisioning Lifecycle
Summary
Identity and Access Management
This course is an outline of the Identity and Access Management goal for the CISSP, which includes the theories, threats and concepts that are part of managing access to a diverse set of technologies and systems.
Course Outline
Identity and Access Management is one of the 8 domains that make up the CISSP examination. This course is an overview of identity and access management, including the theories, threats and concepts that are part of managing access to a diverse set of technologies and systems. This course will help you prepare for the Certified Information Systems Security Professional (CISSP) examination. Some of the main topics we will cover include: theory and concepts of identity in access management, discretionary and mandatory access control, types of controls and related risk, and access control attacks. By the end of this course, you will have an understanding of identity and access management.
Control Physical and Logical Access to Assets
Welcome to the CISSP Identity and Access Management domain. This domain is critically important as you prepare for the CISSP. In this first area, we're going to look at how we control physical and logical access to our assets. This starts with controlling access and managing identity, and in this course we're going to help you prepare for the Identity and Access Management domain of the CISSP examination. We're going to cover the concepts of managing both external and internal access and identities, something that has made our lives a great deal more difficult, and we're going to take a look at some of the threats to the access control systems and technologies we use today.
This domain makes up about 13% of the CISSP examination, or about 30 questions. The area of access control includes both physical access and logical (sometimes called technical) access. We need to manage access: we grant access to those who should have it and deny it to those who should not. When we grant access, we also grant the correct level of access to that person. In this way we protect our assets. Those assets include information that is sensitive, critical, or protected by regulation; the information systems that support our various job functions and critical infrastructure, as well as the information itself; devices, which we need to protect from contamination or corruption; and of course our buildings, so that only authorized personnel can enter them, and only the areas they should be allowed into.
When we manage access to assets, the primary people we're going to manage are our internal employees. Our customers and so on are external, but the internal employees are the ones with the highest level of access, and they include everyone from ordinary users to the administrators who manage and operate our systems on our behalf. External parties are one of the things that has changed the world of access control in the past few decades. We have moved from a model in which practically the only people on our systems were internal to one in which the majority of people accessing our systems and data are external: customers, web application clients, and so on. We have to carefully manage those external entities so they don't have a level of access that would allow them to compromise our systems. We manage the access granted to people but also to processes, because today we often have links with other organizations that pass information through a defined and carefully regulated process. Identity and access management is an important area of responsibility for a security manager; it is one of the areas of greatest risk to the organization if it is not properly managed. Managing identity and access controls includes provisioning access, managing that access while the person is an employee, and removing it when it should no longer be granted.
We also need to check how well our access control system is working. We review the logs, and we monitor to ensure that no one is trying to access things they shouldn't; through our logs we may also detect attack precursors, the indications that somebody is probing and trying to get into our system. There are many risks associated with access control: compromise of the confidentiality of our systems and information, compromise of the integrity of our data, and loss of availability of the systems or data that are essential to business processes. All of these are important, and when we consider risk, we should consider the risk to the protection of our assets, which includes both the risk of improper access to data and the risk of improper access to systems.
An asset is defined as an item or property that's of value to its owner. Many assets are tangible, such as money or a