Page 1002 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Summary

Domain 5 of the CISSP Common Body of Knowledge is Identity and Access Management (IAM). It covers the management, administration, and implementation aspects of granting or restricting access to assets. Assets include information, systems, devices, facilities, and personnel. Access controls restrict access based on relationships between subjects and objects. Subjects are active entities (such as users), and objects are passive entities (such as files).

Three primary types of access controls are preventive, detective, and corrective. Preventive access controls attempt to prevent incidents before they occur. Detective access controls attempt to detect incidents after they’ve occurred. Corrective access controls attempt to correct problems caused by incidents once they’ve been detected.

Controls are implemented as administrative, logical, and physical. Administrative controls are also known as management controls and include policies and procedures. Logical controls are also known as technical controls and are implemented through technology. Physical controls use physical means to protect objects.

The four primary access control elements are identification, authentication, authorization, and accountability. Subjects (users) claim an identity, such as a username, and prove the identity with an authentication mechanism such as a password. After authenticating subjects, authorization mechanisms control their access and audit trails log their activities so that they can be held accountable for their actions.

The three primary factors of authentication are something you know (such as passwords or PINs), something you have (such as smartcards or tokens), and something you are (identified with biometrics). Multifactor authentication uses more than one authentication factor, and it is stronger than using any single authentication factor.

Single sign-on allows users to authenticate once and access any resources in a network without authenticating again. Kerberos is a popular single sign-on authentication protocol using tickets for