IAM Flashcards

(36 cards)

1
Q

Cybersecurity Framework

A

Cybersecurity Framework
Within the goal of ensuring information security, cybersecurity refers specifically to provisioning secure processing hardware and software. Information security and cybersecurity tasks can be classified into five functions, following the framework developed by the National Institute of Standards and Technology (NIST) (nist.gov/cyberframework/online-learning/five-functions):

Identify — develop security policies and capabilities. Evaluate risks, threats, and vulnerabilities and recommend security controls to mitigate them.
Protect — procure/develop, install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of this operation’s lifecycle.
Detect — perform ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.
Respond — identify, analyze, contain, and eradicate threats to systems and data security.
Recover — implement cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.

2
Q

security controls

A

A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.

3
Q

Identification

A

Identification — creating an account or ID that uniquely represents the user, device, or process on the network.

The process by which a user account (and its credentials) is issued to the correct person. Sometimes referred to as enrollment.

4
Q

Authentication

A

Authentication — proving that a subject is who or what it claims to be when it attempts to access the resource. An authentication factor determines what sort of credential the subject can use. For example, people might be authenticated by providing a password; a computer system could be authenticated using a token such as a digital certificate.

A method of validating a particular entity’s or individual’s unique credentials.

5
Q

Authorization

A

Authorization — determining what rights subjects should have on each resource and enforcing those rights. An authorization model determines how these rights are granted. For example, in a discretionary model, the object owner can allocate rights. In a mandatory model, rights are predetermined by system-enforced rules and cannot be changed by any user within the system.

The process of determining what rights and privileges a particular entity has.

6
Q

Accounting

A

Accounting — tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.

7
Q

Zero Trust

A

Zero Trust is a security model that assumes that all devices, users, and services are not inherently trusted, regardless of whether inside or outside a network’s perimeter. Instead, the Zero Trust model requires all users and devices to be authenticated and authorized before accessing network resources.

8
Q

Adaptive identity

A

Adaptive identity recognizes that user identities are not static and that identity verification must be continuous and based on a user’s current context and the resources they are attempting to access.

9
Q

Threat scope reduction

A

Threat scope reduction means that access to network resources is granted on a need-to-know basis, and access is limited to only those resources required to complete a specific task. This concept reduces the network’s attack surface and limits the damage a successful attack can cause.

10
Q

Policy-driven access control

A

Policy-driven access control describes how access control policies are used to enforce access restrictions based on user identity, device posture, and network context.

11
Q

Device posture

A

Device posture refers to the security status of a device, including its security configurations, software versions, and patch levels. In a security context, device posture assessment involves evaluating the security status of a device to determine whether it meets certain security requirements or poses a risk to the network.

12
Q

Control Plane

A

In zero trust architecture, functions that define policy and determine access decisions.
The control plane manages policies that dictate how users and devices are authorized to access network resources. It is implemented through a centralized policy decision point.

13
Q

policy decision point

A

The policy decision point is responsible for defining policies that limit access to resources on a need-to-know basis, monitoring network activity for suspicious behavior, and updating policies to reflect changing network conditions and security threats. The policy decision point consists of two subsystems:

The policy engine is configured with subject and host identities and credentials, access control policies, up-to-date threat intelligence, behavioral analytics, and other results of host and network security scanning and monitoring. This comprehensive state data allows it to define an algorithm and metrics for making dynamic authentication and authorization decisions on a per-request basis.
The policy administrator is responsible for managing the process of issuing access tokens and establishing or tearing down sessions based on the decisions made by the policy engine. The policy administrator implements an interface between the control and the data plane.

14
Q

Policy Engine

A

The policy engine is configured with subject and host identities and credentials, access control policies, up-to-date threat intelligence, behavioral analytics, and other results of host and network security scanning and monitoring. This comprehensive state data allows it to define an algorithm and metrics for making dynamic authentication and authorization decisions on a per-request basis.

15
Q

Policy Administrator

A

The policy administrator is responsible for managing the process of issuing access tokens and establishing or tearing down sessions based on the decisions made by the policy engine. The policy administrator implements an interface between the control and the data plane.

16
Q

Data Plane

A

Where systems in the control plane define policies and make decisions, systems in the data plane establish sessions for secure information transfers. In the data plane, a subject (user or service) uses a system (such as a client host PC, laptop, or smartphone) to make requests for a given resource. A resource is typically an enterprise app running on a server or cloud. Each request is mediated by a policy enforcement point. The enforcement point might be implemented as a software agent running on the client host that communicates with an app gateway. The policy enforcement point interfaces with the policy administrator to set up a secure data pathway if access is approved or tear down a session if access is denied or revoked.

17
Q

Implicit Trust Zone

A

The data pathway established between the policy enforcement point and the resource is referred to as an implicit trust zone.

18
Q

Provisioning

A

Provisioning is the process of setting up a service according to a standard procedure or best practice checklist.

The process of deploying an account, host, or application to a target production environment. This involves proving the identity or integrity of the resource, and issuing it with credentials and access permissions.

19
Q

Deprovisioning

A

Deprovisioning is the process of removing the access rights and permissions allocated to an employee when they leave the company or from a contractor when a project finishes.

The process of removing an account, host, or application from the production environment. This requires revoking any privileged access that had been assigned to the object.

20
Q

identification

A

Identification is the initial process of confirming your identity when you request credentials. It occurs when you enter a user ID to log on. Identity proofing occurs during the identification phase as you prove that you are who you say you are to obtain credentials. Suppose you have been identified previously but cannot provide the assigned authentication credentials (such as a lost password). In that case, identity proofing is called upon again.

21
Q

Authentication

A

Authentication is the verification of the issued identification credentials. It is usually the second step in the identification process. It establishes your identity, ensuring that you are who you say you are.

22
Q

factors

A

In authentication design, different technologies for implementing authentication, such as knowledge, ownership/token, and biometric/inherence. These are characterized as something you know/have/are.

23
Q

Smart cards

A

Smart cards — implement certificate-based authentication. A certificate is a digital document associated with a user as a one-to-one or many-to-one mapping. In a one-to-one mapping, each certificate maps to an individual user account (each user has a unique certificate). With many-to-one mapping, a certificate maps to many user accounts (a group of users shares the same certificate). The smart card stores the user’s digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card. The card must be presented to a reader. There are physical contact and contactless near-field communication (NFC) card types.

24
Q

Passwordless

A

Multifactor authentication scheme that uses ownership and biometric factors, but not knowledge factors.

25
Q

authentication provider

A

The software architecture and code that underpins the mechanism by which a user is authenticated before starting a shell. It is part of the operating system.

26
Q

Windows local sign-in

A

Windows local sign-in — the Local Security Authority Subsystem Service (LSASS) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database, which is part of the registry. This is also referred to as interactive logon.

27
Q

Windows network sign-in

A

Windows network sign-in — LSASS can pass the credentials for authentication to an Active Directory (AD) domain controller. The preferred system for network authentication is based on Kerberos, but legacy network applications might use NT LAN Manager (NTLM) authentication.

28
Q

Remote sign-in

A

Remote sign-in is used if the user's device is not directly connected to the local network. Authentication can take place over a virtual private network (VPN), enterprise Wi-Fi, or web portal. These use protocols to create a secure connection between the client machine, the remote access device, and the authentication server.

29
Q

Linux Authentication

A

In Linux, local user account names are stored in /etc/passwd. When a user logs in to a local interactive shell, the password is checked against a hash stored in /etc/shadow. Interactive login over a network is typically accomplished using Secure Shell (SSH). With SSH, the user can be authenticated using cryptographic keys instead of a password. A pluggable authentication module (PAM) is a package for enabling different authentication providers, such as smart-card log-in.

30
Q

Directory Service

A

A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.

A directory service stores information about users, computers, security groups/roles, and services. Each object in the directory has a number of attributes. The directory schema describes the types of attributes, what information they contain, and whether they are required or optional. In order for products from different vendors to be interoperable, most directory services are based on the Lightweight Directory Access Protocol (LDAP), which was developed from a standard called X.500.

31
Q

Distinguished Name

A

A collection of attributes that define a unique identifier for any given resource within an X.500-like directory. Some of the attributes commonly used include common name (CN), organizational unit (OU), organization (O), country (C), and domain component (DC).

32
Q

Kerberos

A

Kerberos is a single sign-on network authentication and authorization protocol used on many networks, notably as implemented by Microsoft's Active Directory (AD) service. Kerberos was named after the three-headed guard dog of Hades (Cerberus) because it consists of three parts. Clients request services from application servers, which rely on an intermediary—a key distribution center (KDC)—to vouch for their identity. There are two services that make up a KDC: the Authentication Service and the Ticket Granting Service.

📋 Step-by-step: How Kerberos Works

1. Log in – "Hi, I work here!" You log into your computer with your username and password. Your computer says to the Authentication Server (AS): “This is [your name], I’d like to prove who I am.”
2. Authentication Server – "Here’s your ID badge (TGT)" If the password is correct, the AS gives you a Ticket Granting Ticket (TGT). The TGT proves you’re a legit employee — but it doesn’t give access yet. It’s like an ID badge that says “This person works here.”
3. Request Access – "I need to use the printer room!" Your computer now asks the Ticket Granting Server (TGS) for permission to use a specific service (like a printer, file server, etc.). It shows the TGT to prove you already logged in.
4. TGS says – "Access granted. Here’s your department pass." The TGS gives you a Service Ticket — a special pass that says you can access that service.
5. You go to the service – "Let me in, here’s my pass!" You send the Service Ticket to the actual service (like the printer or email server). The service checks the ticket and says: “Yup, this checks out — come on in.”

33
Q

principals

A

Kerberos can authenticate human users and application services. These are collectively referred to as principals.

34
Q

Kerberos Encryption

A

Ticket Granting Ticket: encrypted using the KDC's secret key.
Ticket Granting Service: encrypted using a hash of the user's password.

35
Q

Ticket Granting Ticket

A

The TGT is an example of a logical token. All the TGT does is identify who you are and confirm that you have been authenticated—it does not provide you with access to any domain resources.

36
Q

Federation

A

A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.

Federation is the notion that a network needs to be accessible to more than just a well-defined group of employees. In business, a company might need to make parts of its network open to partners, suppliers, and customers. The company can manage its employee accounts easily enough. Managing accounts for each supplier or customer internally may be more difficult. Federation means the company trusts accounts created and managed by a different network. An example is using your Google account to sign on to www.example.com. Kerberos functions similarly.