Domain 5. Identity and Access Management (IAM) Flashcards
(30 cards)
Is the collection of mechanisms that work together to protect the assets of an organization and, at the same time, allow controlled access to authorized subjects.
Access Control
Restricting a user’s KNOWLEDGE (access to data) to only the data required for them to perform their role.
Restricting access to only those personnel who require it for their duties.
Need to Know
Restricting a user’s ACTIONS/PRIVILEGES to only those required for them to perform their role.
Granting only the minimum permissions required by the user or system.
Least Privilege
A collection of users that has been named. The users are generally not associated with a specific job in the organization. Instead, they could be part of a specific internal leadership team or focus area.
Groups
A set of permissions that is usually associated with a specific job within an organization, such as a call center agent.
Roles
The assertion of an identity by a user or a process to a system (for example, supplying a username), without yet proving it.
Identification
The verification of a claimed identity through knowledge (something you know), ownership (something you have), or characteristic (something you are).
Authentication
The level of access defined for the identified and authenticated user or process.
Authorization
Refers to proper identification, authentication, and authorization that are logged and monitored, so that actions can be traced back to the subject that performed them. Also known as the Principle of Access Control.
Accountability
This is when a valid user is falsely rejected by the system. The false rejection rate (FRR) is the probability that a valid user will be rejected by the system. It is expressed as a percentage.
Type 1 (False Rejection)
This is when an invalid user is given access to a system. It is the more serious of the two errors from a security standpoint, since an impostor gains access. The false acceptance rate (FAR) is the probability that an invalid user will be accepted by the system. It is expressed as a percentage.
Type 2 (False Acceptance)
The point at which the two error curves (FAR and FRR) intersect, i.e. the matching threshold where FAR = FRR. Tightening the threshold lowers FAR but raises FRR, and vice versa, so the CER is the usual single figure for comparing biometric systems: the lower the CER, the more accurate the system.
Crossover Error Rate (CER)
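The FAR/FRR/CER cards above describe a computation, so here is an added worked example (not part of the flashcard set) that carries it out on constructed match scores: it sweeps every candidate threshold, computes the Type 1 and Type 2 rates at each, and locates the crossover. The score lists, the convention that a higher score means a better match, and the "accept if score >= threshold" rule are assumptions for illustration.

```python
"""Biometric error rates: FAR, FRR and the crossover error rate (CER).

Added example, not part of the flashcard set. The match scores below are
constructed sample data (higher score = better match); a real system would
take them from enrolment/verification trials.
"""
from fractions import Fraction

# Constructed sample data: similarity scores from trials where the claimed
# identity was genuine, and from trials where it was an impostor.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 60]
IMPOSTOR_SCORES = [58, 55, 52, 50, 47, 44, 41, 38, 35, 30, 63, 69]


def false_rejection_rate(genuine, threshold):
    """Type 1 error: share of valid users whose score falls below the threshold."""
    rejected = sum(1 for s in genuine if s < threshold)
    return Fraction(rejected, len(genuine))


def false_acceptance_rate(impostor, threshold):
    """Type 2 error: share of impostors whose score reaches the threshold."""
    accepted = sum(1 for s in impostor if s >= threshold)
    return Fraction(accepted, len(impostor))


def error_curve(genuine, impostor):
    """(threshold, FAR, FRR) at every candidate threshold, i.e. each distinct score seen."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t))
            for t in thresholds]


def crossover_error_rate(genuine, impostor):
    """Threshold where FAR and FRR meet (or are closest), and the error rate there.

    The CER lets you compare two biometric systems independent of how each
    is tuned: the lower the CER, the more accurate the system.
    """
    best = min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    threshold, far, frr = best
    return threshold, (far + frr) / 2


if __name__ == "__main__":
    for t, far, frr in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold={t:3d}  FAR={float(far):.3f}  FRR={float(frr):.3f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER at threshold {t}: {float(cer):.4f}")
```

Running it shows the trade-off directly: at a threshold of 80 no impostor is accepted but six of ten genuine users are rejected, while at 58 nobody genuine is rejected but a quarter of impostors get in. With this data the curves cross at a threshold of 66, where FAR is 1/12 and FRR is 1/10, giving a CER of 11/120 (about 9.2%).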
Refers to management of sessions created through a successful user identification, authentication, and authorization process.
Session management
Best way to prevent or mitigate session hijacking
Session termination (idle and absolute timeouts, logout) and re-authentication before sensitive actions, so that a stolen session identifier has a short useful life.
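To make the session management and hijacking-mitigation cards concrete, here is an added example (not from the flashcard set or any particular framework) of a server-side session store that terminates sessions on idle and absolute timeouts, rotates the session ID on login and re-authentication, and forces a fresh credential check before a sensitive action. The timeout values, the in-memory dictionary store and the injectable clock are assumptions for illustration.

```python
"""Server-side session management with idle/absolute timeouts, ID rotation and
re-authentication for sensitive actions.

Added example, not part of the flashcard set. The timeouts and the in-memory
store are assumptions for illustration; a real deployment would keep sessions
in a shared store and bind them to a TLS-only, HttpOnly cookie.
"""
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed: terminate after 15 min without activity
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: terminate 8 h after login regardless of activity
REAUTH_WINDOW = 5 * 60        # assumed: sensitive actions need a login less than 5 min old


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the behaviour can be tested deterministically
        self._sessions = {}          # session_id -> record

    def create(self, user):
        """Issue a fresh, unguessable session ID after successful authentication."""
        now = self._clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now,
                               "last_seen": now, "last_auth": now}
        return sid

    def touch(self, sid):
        """Validate a presented session ID; returns the user or None if invalid.

        Expired sessions are removed, so a hijacked ID stops working on its own
        once either timeout passes.
        """
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            self.terminate(sid)
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, sid):
        """Swap the ID for a new one (on login or privilege change) to defeat session fixation."""
        rec = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = rec
        return new_sid

    def needs_reauth(self, sid):
        """True if a sensitive action should prompt for credentials again."""
        rec = self._sessions.get(sid)
        return rec is None or self._clock() - rec["last_auth"] > REAUTH_WINDOW

    def reauthenticate(self, sid):
        """Record a fresh successful credential check; returns the rotated session ID."""
        rec = self._sessions.get(sid)
        if rec is None:
            raise KeyError("no such session")
        rec["last_auth"] = self._clock()
        return self.rotate(sid)

    def terminate(self, sid):
        """Logout / server-side kill: the ID is useless afterwards, even if stolen."""
        self._sessions.pop(sid, None)


def demo():
    """Walk through: login, stale auth, re-auth for a sensitive action, idle expiry."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    sid = store.create("alice")
    assert store.touch(sid) == "alice"
    clock[0] += 10 * 60                      # 10 min later: still valid, but last_auth is stale
    assert store.touch(sid) == "alice"
    assert store.needs_reauth(sid)           # transfer money? ask for the password again
    sid = store.reauthenticate(sid)          # fresh auth, and a new ID
    assert not store.needs_reauth(sid)
    clock[0] += IDLE_TIMEOUT + 1             # idle too long
    assert store.touch(sid) is None          # session terminated, old ID now worthless
    return True


if __name__ == "__main__":
    print("demo ok:", demo())
```

The point of the injectable clock is that every branch (idle timeout, absolute timeout, re-authentication window) can be exercised without waiting; the point of rotating the ID is that an identifier an attacker fixed or captured before login or before step-up never maps to the privileged session.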
Refers to the strength of authentication processes and systems. NIST SP 800-63B defines three levels: AAL1 (single- or multi-factor), AAL2 (multi-factor required), and AAL3 (multi-factor with a hardware-based authenticator resistant to verifier impersonation).
Authenticator Assurance Levels (AAL)
FIM trust relationships include three components:
Principal/user, identity provider, relying party
The person who wants to log in or access the system.
Principal/User
The entity that owns the identity and performs the authentication
Identity Provider
The entity that provides the service or resource and relies on the identity provider's assertion to grant access; also known as the service provider.
Relying party
An XML-based standard frequently used in Federated Identity Management (FIM) solutions; it carries both authentication and authorization data (assertions) from the identity provider to the relying party.
SAML
Are written in XML (Extensible Markup Language), a format that is both machine- and human-readable. An assertion states who was authenticated, how and when, and which attributes or authorization decisions apply; the relying party must check its signature, issuer, audience, and validity period before trusting it.
SAML assertions
(like SAML) offers authentication and authorization functionality, with the primary goal, shared by most federated access standards, of enabling identity federation. It was created by a consortium of companies, including IBM, Microsoft, and Verisign, and was codified as a standard by OASIS.
WS-Federation
Provides the AUTHENTICATION component.
Allows a user to use an existing account to identify and authenticate to multiple disparate resources (websites, systems, and so on) without creating a new password for each resource. With __ the user's password is given only to the user's identity provider (Microsoft, for example), and the identity provider confirms the user's identity to the sites the user visits. Its current form, OpenID Connect, is a layer on top of OAuth 2.0 that returns a signed ID token describing who authenticated.
OpenID
Provides the AUTHORIZATION component to a federated access solution.
Is the protocol or standard (OAuth 2.0) by which a user delegates limited access to their resources to a third-party application without sharing their password. The access token it issues says what the bearer may do (its scopes), not who the user is, so on its own it is not an authentication protocol.
OAuth
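The OpenID and OAuth cards above split federated access into an authentication part and an authorization part. The following added example (not from the flashcard set, nor the code of any identity provider) shows both halves on the relying-party side: verifying an OpenID Connect ID token to learn who logged in, and checking an OAuth 2.0 access token's scope to decide what the bearer may do, and why the two tokens are not interchangeable. Assumptions for illustration: tokens are JWTs signed with HS256 under a secret shared between the identity provider and the relying party (real providers publish RSA/EC keys via JWKS instead), and the issuer, client ID, audience and scope names are made up.

```python
"""Authentication vs authorization in federated access: an OpenID Connect ID
token proves *who* logged in, an OAuth 2.0 access token says *what* the bearer
may do. Added example, not part of the flashcard set nor of any IdP's code.

Assumptions for illustration: tokens are JWTs signed with HS256 using a secret
shared between the identity provider and the relying party (real providers
publish RSA/EC keys via JWKS instead); issuer, client ID and scopes are made up.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret-do-not-reuse"   # assumed shared key
ISSUER = "https://idp.example"                        # assumed identity provider
CLIENT_ID = "rp-app"                                  # assumed relying party


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, secret=SECRET):
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(mac)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(mac)}"


def verify_jwt(token, secret=SECRET):
    """Check the MAC before trusting any claim; returns the claims or raises."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # never let the token choose the algorithm
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(payload))


def authenticate_with_id_token(token, expected_nonce, now=None):
    """Relying-party side of OpenID Connect: who is this? (the AUTHENTICATION step)."""
    claims = verify_jwt(token)
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this relying party")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims["sub"]


def authorize_with_access_token(token, required_scope, now=None):
    """Resource-server side of OAuth 2.0: may the bearer do this? (the AUTHORIZATION step)."""
    claims = verify_jwt(token)
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        raise ValueError("invalid access token")
    granted = set(claims.get("scope", "").split())
    return required_scope in granted


def demo(now=1_700_000_000):
    """Mint both token kinds for 'alice' and show they are not interchangeable."""
    nonce = "n-0123"                                   # the RP generated this before redirecting
    id_token = sign_jwt({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                         "exp": now + 300, "nonce": nonce})
    access_token = sign_jwt({"iss": ISSUER, "sub": "alice", "aud": "https://api.example",
                             "exp": now + 3600, "scope": "read:mail"})
    who = authenticate_with_id_token(id_token, nonce, now=now)
    can_read = authorize_with_access_token(access_token, "read:mail", now=now)
    can_send = authorize_with_access_token(access_token, "send:mail", now=now)
    try:                                               # an access token is not proof of login
        authenticate_with_id_token(access_token, nonce, now=now)
        swapped_ok = True
    except ValueError:
        swapped_ok = False
    return who, can_read, can_send, swapped_ok


if __name__ == "__main__":
    print(demo())   # ('alice', True, False, False)
```

Two design points worth noting: the signature is checked before any claim is read, and the audience check is what stops an access token minted for an API from being replayed to the relying party as if it were a login. Leaving out either check is the classic mistake behind "login with OAuth" implementations that accept any valid-looking token.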