Lesson 4: Implement Identity and Access Management

Question 1

What is the purpose of authentication?

Answer 1

Verifies that only the account holder can use an account.

Question 2

List the key considerations in authentication design.

Answer 2

• Confidentiality
• Integrity
• Availability

Question 3

What does confidentiality in authentication aim to achieve?

Answer 3

Prevent credential theft.
(You are who you say you are)

Question 4

What does integrity in authentication ensure?

Answer 4

Reliability and resistance to bypassing.
(The data is unchanged, what I sent is what is received)

Question 5

What is meant by availability in authentication?

Answer 5

The system must be user-friendly and efficient.
(The system is available to use)

Question 6

What are the authentication factors?

Answer 6

• Something You Know
• Something You Have
• Something You Are
• Somewhere You Are

Question 7

Give an example of ‘Something You Know’ in authentication.

Answer 7

Passwords, passphrases, PINs.

Question 8

What falls under ‘Something You Have’ in authentication?

Answer 8

Smart cards, OTP tokens, security keys.

Question 9

What is an example of ‘Something You Are’ in authentication?

Answer 9

Biometric data like fingerprints or facial recognition.

Question 10

What does ‘Somewhere You Are’ refer to in authentication?

Answer 10

Location-based factors using IP addresses or geolocation.

Question 11

What are strong password management policies?

Answer 11

Policies for password length, complexity, age, and reuse.

Question 12

What are the risks associated with password managers?

Answer 12

• Weak master password
• Vendor being compromised
• Impersonation attacks

Question 13

What is multifactor authentication (MFA)?

Answer 13

Combines multiple factors (e.g., password + smartphone) for stronger security.

Question 14

What is the enrollment process in biometric authentication?

Answer 14

Creates a unique template for each user.

Question 15

Define False Rejection Rate (FRR).

Answer 15

Legitimate users denied access.

Question 16

Define False Acceptance Rate (FAR).

Answer 16

Unauthorized users accepted.

Question 17

What is the Crossover Error Rate (CER)?

Answer 17

Intersection of FRR and FAR; lower is better.

Question 18

Differentiate between hard tokens and soft tokens.

Answer 18

• Hard Tokens: Hardware-based (smart cards, U2F security keys, OTP devices)
• Soft Tokens: Software-based (e.g., authenticator apps, SMS/email OTPs)

Question 19

What is passwordless authentication?

Answer 19

Uses FIDO2/WebAuthn for local gesture or biometric unlocks for authentication.

Question 20

What is Discretionary Access Control (DAC)?

Answer 20

Resource owner controls access and can modify the Access Control List (ACL).

Question 21

Define Mandatory Access Control (MAC).

Answer 21

Access control based on security clearance levels.

Question 22

What is Role-Based Access Control (RBAC)?

Answer 22

Permissions assigned based on roles.

Question 23

What does Attribute-Based Access Control (ABAC) use for decisions?

Answer 23

Combination of attributes and context.

Question 24

What is Rule-Based Access Control?

Answer 24

Permissions assigned by system-enforced rules, not by system users.

Question 25

What does the principle of Least Privilege entail?

Answer 25

Users and accounts are granted only the permissions needed for their tasks.

Question 26

What is the purpose of user account provisioning?

Answer 26

Setting up a service according to a standard procedure or best practice checklist.

Question 27

List the steps involved in provisioning.

Answer 27

* Identity Proofing * Issuing Credentials * Issuing Hardware and Software Assets * Teaching Policy Awareness * Creating Permissions Assignment

Question 28

In regards to Provisioning, what is Identity Proofing?

Answer 28

The process of setting up a service according to a standard procedure or best practice checklist.

Question 29

In regards to Provisioning, explain Issuing Credentials?

Answer 29

Lets the user select a password known only to them and/or enrolls them with biometric or token-based authenticators.

Question 30

In regards to Provisioning, explain Issuing Hardware and Software Assets.

Answer 30

Providing a computer or phone to the user.

Question 31

In regards to Provisioning, explain Teaching Policy Awareness.

Answer 31

Scheduling training and providing learning material so the employee is aware of security policies and risk.

Question 32

In regards to Provisioning, explain Creating Permissions Assignment.

Answer 32

Identifying the work roles that the account must support and configuring role-based or attribute-based control models.

Question 33

What is deprovisioning?

Answer 33

Removing access rights and permissions from an employee.

Question 34

What is an example of location-based account restrictions?

Answer 34

Restricting logins by IP address, VLAN, or geolocation.

Question 35

What are time-based restrictions in account access?

Answer 35

Set login hours, maximum durations, impossible travel time, or temporary permissions.

Question 36

What does Privileged Access Management (PAM) refer to?

Answer 36

Policies, Procedures, and Technical Controls to prevent privileged accounts from being compromised.

Question 37

What is Zero Standing Privilege (ZSP)?

Answer 37

Temporary elevation of admin rights for a limited time.

Question 38

What is the purpose of password vaulting/brokering?

Answer 38

Privileged accounts must be 'checked out' from a repository for a limited time.

Question 39

Define ephemeral credentials.

Answer 39

Credentials generated or enabled for a task and destroyed or disabled afterward.

Question 40

What is Directory Services?

Answer 40

Centralized repository for managing accounts and attributes. Ex. Active Directory (AD), or Lightweight Directory Access Protocol (LDAP)

Question 41

What is a Distinguished Name (DN)?

Answer 41

A collection of attributes that define a unique identifier for any given resource. The DN is made up of attribute-value pairs, separated by commas.

Question 42

What is Single Sign-On (SSO)?

Answer 42

Authenticate once and access multiple services.

Question 43

What does Kerberos use for secure authentication?

Answer 43

Ticket Granting Ticket (TGT) and service tickets. This encrypts the date and time on the local computer with the users password hash as the key. Kerberos is implemented by Microsoft Active Directory.

Question 44

What is federation in identity management?

Answer 44

Allows trust relationships between different networks. A user just needs to log in once with an identity provider (IdP) and is able to access multiple service providers (SPs)

Question 45

What are claims-based identities?

Answer 45

Identity provider issues signed claims (tokens) for authentication.

Question 46

What is Security Assertion Markup Language (SAML)?

Answer 46

Uses XML for identity assertions. Is common in cloud services like AWS.

Question 47

What is Simple Object Access Protocol (SOAP) used for?

Answer 47

Used to establish communications along with HTTP/HTTPS. Tightly specified, not used in many public cloud Application Programming Interfaces (API).

Question 48

What is Representational State Transfer (REST) used for?

Answer 48

Is used in many public cloud Application Programming Interfaces (API). Rest has looser framework, allowing the service provider more choice over the implementation.

Question 49

What is the purpose of Open Authorization (OAuth)?

Answer 49

Facilitates sharing of user resources between sites. Used to Authenticate and Authorize a RESTful API.

Question 50

What is JSON Web Tokens (JWT) used for?

Answer 50

Used for lightweight claims data.