Here are some key concepts of IAM:

Identity – the unique person or device that acts within a system.

Identification – presenting the unique identifier (username) to the system, which in turn looks up the identifier to validate it exists within the system.

Factor – an element used to prove identification in a system.

Authentication is the act of a user claiming an identity by presenting proof that they own the ID (e.g. password).

Authorization is the system’s process of deciding whether a person has access to resources.

The identity store – a directory that contains information about users. It includes application IDs, names, group memberships, credentials and identification attributes, and it allows applications to authenticate against it. AD is an example. Certificate authorities are another example; they maintain certificate identity stores.

Single Sign-on – typically there is a single repository of user credentials.  There can be multiple credentials for multiple applications, or one set of credentials and multiple access tokens, it just depends on the security needs and requirements. Each attempt by a user to access another server requires a back-end authentication exchange between the SSO repository and the resource servers.

Centralized Access Control/Administration:

  • Controlled by process/procedure
  • Access is administered by a central authority
  • Centrally monitored
  • Easy to disable access

Decentralized or Distributed:

  • Controlled by the asset/data owners
  • Inconsistent procedures
  • Systemwide access view is not possible
  • Harder to disable access to all systems
  • Faster than centralized

Hybrid:

  • Combination of central/decentralized
  • Central grants basic access (system level)
  • Decentral grants access beyond the basics (file/table level)

Access control systems

Logical access control – the implication here is a form of authentication or login that grants access to resources based on labels and classifications of data.  

Physical access control – automation of the passage of people through gates, turnstiles, or physical barriers.

  • Physical/proximity access cards – cards with data that is detected by a reader to allow access to whoever possesses the card.  
  • Physical Access Token – portable security device that shows a number that is synchronized or not synchronized with the authenticating system.  Physical tokens are devices that generate one-time codes and are activated through a second action, whether it’s the push of a button on the device, or through swiping or inserting the token into a reader.  A one-time pad generates a new code on both the server and the user’s device.  Software installed on a mobile device that generates the code would be included in ISC2’s definition of a physical token. 
  • Logical access tokens – data packages sent from access control systems to applications and servers after the user has authenticated.  The data packages indicate what the user is authorized for in order to establish sessions.  The tokens typically have an expiration time and date that are based on security needs.
    • The key difference between logical and physical access tokens for the CISSP exam is that physical tokens are used for the actual authentication of a user whereas logical tokens are not. 
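As an added illustration of the physical-token behaviour described above (the same one-time code being generated on both the server and the user's device), the following Python is not from the original notes; it implements HOTP (RFC 4226) and TOTP (RFC 6238) over a shared secret. The secret and timestamps are the RFC test-vector values, and the server-side verification with a small clock-drift window is an assumed design, not a specific product's behaviour.

```python
# Added example: how a hardware or software token and the server derive the same
# one-time code from a shared secret and the current time step
# (RFC 4226 HOTP / RFC 6238 TOTP). Secret and timestamps are the RFC test vectors.
import hmac
import hashlib
import struct

# Shared secret: provisioned once, held only on the token and in the identity store.
# The code, not the secret, is what travels at login time.
SHARED_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret (SHA-1)
TIME_STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (device side)."""
    return hotp(secret, unix_time // step)


def server_verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server side (assumed design): recompute the code for the current step and
    +/- `window` neighbouring steps to tolerate clock drift between device and server.
    hmac.compare_digest keeps the comparison constant-time."""
    counter = unix_time // TIME_STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    # Device and server agree on the code for the same time step.
    t = 59
    code = totp(SHARED_SECRET, t)
    print("device code:", code, "server accepts:", server_verify(SHARED_SECRET, code, t))
```

Both sides compute the same value because they share the secret and the clock; a submitted code from an earlier time step falls outside the window and is rejected, which is what limits replay of a captured code.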

Reviewing access

User access review – whether physical, logical, centralized or decentralized, must be reviewed to ensure that people and devices still require valid access within the application (this can be thought of as application or localized level).

  • Access aggregation – when a user has accumulated too many permissions for an application or environment.

System access review – this can refer to looking at the nomenclature to make sure account naming conventions don’t give away details about administrator account types.
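To make the two reviews above concrete, here is an added Python example (not from the original notes) that runs a user access review and a system access review over a constructed account export. The role baselines, account records, dormancy threshold and naming rule are all assumptions chosen for illustration.

```python
# Added example: user access review (access aggregation, dormant access) and
# system access review (account nomenclature) over a constructed account export.
import re

# Constructed role baselines: the permissions each job role is expected to hold.
ROLE_BASELINE = {
    "analyst": {"read:reports", "read:tickets"},
    "engineer": {"read:reports", "read:tickets", "write:tickets", "deploy:staging"},
    "dba": {"read:db", "write:db", "backup:db"},
}

# Constructed account export, as it might be dumped from the identity store.
ACCOUNTS = [
    {"name": "jdoe", "role": "analyst",
     "perms": {"read:reports", "read:tickets"}, "last_login_days": 12},
    # Engineer who kept DBA rights after a transfer: access aggregation.
    {"name": "asmith", "role": "engineer",
     "perms": {"read:reports", "read:tickets", "write:tickets", "deploy:staging",
               "write:db", "backup:db"}, "last_login_days": 3},
    # Account name reveals that it is an administrative account.
    {"name": "domainadmin_bob", "role": "engineer",
     "perms": {"read:reports", "read:tickets", "write:tickets", "deploy:staging"},
     "last_login_days": 1},
    # Dormant account: access is still valid but nobody has used it.
    {"name": "svc_legacy", "role": "dba", "perms": {"read:db"}, "last_login_days": 400},
]

# Assumed naming rule: these words in an account name give away the account type.
LEAKY_NAME = re.compile(r"admin|root|superuser|privileged", re.IGNORECASE)
DORMANT_DAYS = 90  # assumed review threshold


def user_access_review(accounts, baseline):
    """Flag accounts whose permissions exceed their role baseline (access aggregation)
    and accounts that have not logged in within DORMANT_DAYS (access may no longer be required)."""
    findings = []
    for acct in accounts:
        excess = acct["perms"] - baseline.get(acct["role"], set())
        if excess:
            findings.append((acct["name"], "aggregation", sorted(excess)))
        if acct["last_login_days"] > DORMANT_DAYS:
            findings.append((acct["name"], "dormant", acct["last_login_days"]))
    return findings


def system_access_review(accounts):
    """Flag account names whose nomenclature reveals a privileged or administrative purpose."""
    return [a["name"] for a in accounts if LEAKY_NAME.search(a["name"])]


if __name__ == "__main__":
    for finding in user_access_review(ACCOUNTS, ROLE_BASELINE):
        print("user review:", finding)
    print("system review (leaky names):", system_access_review(ACCOUNTS))
```

The aggregation check compares granted permissions against what the role should have, which is the comparison a data owner needs during a periodic review; the dormancy and naming checks are the kind of findings that feed the disable-access step of the centralized model above.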

Access control as a system refers to approaching access control as an entire system in which physical access controls, such as locking mechanisms, interface with logical access controls, both of them governed by a server or access control system that makes the decisions and keeps the logs. The common body of knowledge illustrates this with a model of an employee scanning his badge on a door reader, which sends the data to the access control server; the server reads the data, logs the attempt and sends a reply to the locking mechanism controller, which then unlocks the door or denies the request.

Hybrid Identity as a Service simply means that the service is partially hosted on premises and partially hosted in the cloud.

Provisioning is updated for the May 2021 CBK. It typically has four steps.

  1. Identity proofing refers to a process of reviewing and authenticating official government-issued documents like a driver’s license or student ID, to make sure that someone is who they claim to be.  
  2. Approval/Denial. The data owner would be the one approving or rejecting this request. The data owner would also be the one to provide guidance or clarification on types of access, such as production or testing environments.
  3. Account creation, which would be done by the data custodian.  
  4. Notification. Both user and data owner are notified that the account has been created.

Single Factor and Multifactor Authentication

There are only three categories or factors for authentication in the CBK.  These are as follows:

  • Something you know – simply stated, this refers to knowledge of something (username/password).
  • Something you have – a physical device in your possession (like your phone).
  • Something you are – also known as a biometric, this is a physical attribute (like a photo, fingerprint or signature).

Biometrics

The concepts to know relating to biometrics are the types of errors that can occur and their crossover rate.

  • Type 1 error: False Rejection Rate (FRR) – the system doesn’t recognize the right person.  Notice the bolded “R” and repeat the phrase “Right person Rejected”. Try to memorize this as the type one error.  
  • Type 2 error: False Acceptance Rate (FAR) – the system accepts the wrong person.  Since the number 2 is FARther from zero than the number 1, you can remember this easily.
  • When considering biometrics, the Crossover Error Rate is the desired error level, where both types of error rates are equal, because as one goes up, the other goes down.
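The three biometric error concepts above are easiest to see with numbers. The following Python is an added example, not part of the original notes: it sweeps the match threshold over constructed similarity scores and locates the crossover point where FRR and FAR are equal. The score lists are made up for illustration; a real system produces one score per attempt.

```python
# Added example: FRR (Type 1), FAR (Type 2) and the crossover error rate (CER)
# computed by sweeping the acceptance threshold over constructed match scores.

# Constructed scores in [0, 1]. Genuine = the enrolled ("right") person presenting;
# impostor = someone else presenting. A higher score means a closer match.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.75, 0.70, 0.66, 0.60, 0.55]
IMPOSTOR_SCORES = [0.20, 0.30, 0.38, 0.45, 0.52, 0.58, 0.63, 0.68, 0.72, 0.77]


def frr(threshold, genuine=GENUINE_SCORES):
    """Type 1 error: fraction of genuine attempts scoring below the threshold
    (the right person is rejected)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold, impostor=IMPOSTOR_SCORES):
    """Type 2 error: fraction of impostor attempts scoring at or above the threshold
    (the wrong person is accepted)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=100):
    """Sweep thresholds from 0 to 1 and return (threshold, FRR, FAR) at the point
    where |FRR - FAR| is smallest. Raising the threshold lowers FAR but raises FRR,
    so the two curves cross exactly once; that crossing is the CER."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        f_r, f_a = frr(t, genuine), far(t, impostor)
        gap = abs(f_r - f_a)
        if best is None or gap < best[0]:
            best = (gap, t, f_r, f_a)
    return best[1:]


if __name__ == "__main__":
    for t in (0.5, 0.67, 0.8):
        print(f"threshold {t:.2f}: FRR={frr(t):.1f} FAR={far(t):.1f}")
    t, f_r, f_a = crossover_error_rate()
    print(f"CER at threshold {t:.2f}: FRR={f_r:.1f} FAR={f_a:.1f}")
```

Tightening the threshold toward 0.8 drives FAR to zero while FRR climbs, loosening it toward 0.5 does the reverse; the CER is the single operating point a vendor quotes so that systems can be compared independently of the threshold each deployment chooses.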

A few additional tips:

  • Iris scans are quicker than retina scans.  If you’ve seen the T.V. show “The Flash” you’ll remember that the girl named IRIS becomes the Flash at one point, so remember that Iris is fast!
  • Vein patterns are considered one of the best biometrics because vein patterns rarely change.  

OpenID Connect (OIDC) can be used to authenticate users to either a website or a mobile application. Note that OAuth itself doesn't provide authentication. OIDC selects an IdP; the relying party (RP) can then request and receive information about users from the IdP.

The boiled down version of how OpenID Connect works goes like this:

  • Client requests access to a resource.
  • Request goes to an authorization server.
  • Authorization server authenticates resource owner, validates request, gets authorization from owner, and then relays a token to the resource server.

ID tokens contain the following elements:

  • data (“claims”) about the user (called the subject, or sub, and known by a locally unique identifier)
  • timing of the authentication event (both the “issued at” time, or “iat,” and the expiration time, “exp”)
  • issuer identifier (iss) of the OP
  • client identifier (audience, or aud) registered for the RP at the issuer
  • Also, claims can contain information about the user, such as first_name, last_name
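The claims listed above only protect the RP if the RP actually checks them. As an added Python example (not from the original notes), the code below mints a constructed ID token on the OP side and validates it on the RP side: signature first, then iss, aud, exp, iat, nonce and sub. HS256 with a shared secret is used so the example runs offline; real OPs normally sign with RS256 or ES256 and the RP fetches the public keys from the OP's JWKS endpoint. The issuer URL, client id, subject, secret and timestamps are constructed values.

```python
# Added example: minting and validating an OpenID Connect ID token (JWT).
# HS256 is used for self-containment; production OPs usually sign with RS256/ES256.
import base64
import hashlib
import hmac
import json

ISSUER = "https://op.example.test"      # constructed OP issuer identifier
CLIENT_ID = "rp-client-123"             # constructed RP client id (the expected aud)
SECRET = b"constructed-shared-hs256-secret"
CLOCK_SKEW_SECONDS = 60                 # assumed tolerance for iat slightly in the future


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """OP side: serialize header and claims, sign header.payload with HMAC-SHA256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def validate_id_token(token: str, now: int, expected_nonce=None, secret: bytes = SECRET) -> dict:
    """RP side: return the claims if every check passes, otherwise raise ValueError
    naming the failed check. The checks follow OpenID Connect Core section 3.1.3.7."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the RP expects; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this RP")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + CLOCK_SKEW_SECONDS:
        raise ValueError("issued in the future")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


def token_status(token: str, now: int, expected_nonce=None) -> str:
    """Convenience wrapper: 'ok' or the name of the first failed check."""
    try:
        validate_id_token(token, now, expected_nonce)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    good = mint_id_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                          "iat": now, "exp": now + 300, "nonce": "n1"})
    print("fresh token:", token_status(good, now + 10, "n1"))
    print("same token 10 minutes later:", token_status(good, now + 600, "n1"))
```

The audience check is the one most often skipped in practice: a token issued for a different client at the same OP has a valid signature and issuer, and only the aud comparison stops it from being accepted here.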