Page 1592 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Chapter 13: Managing Identity and Authentication
1. Access control types include preventive, detective, corrective, deterrent, recovery, directive, and compensating access controls. They are implemented as administrative controls, logical/technical controls, and/or physical controls.

2. Identification occurs when a subject claims an identity, such as with a username. Authentication occurs when the subject provides information to verify that the claimed identity is the subject’s identity. For example, a user can provide the correct password matched to the user’s name. Authorization is the process of granting the subject rights and permissions based on the subject’s proven identity. Accountability is accomplished by logging the actions of subjects and is reliable only if the identification and authentication processes are strong and secure.

3. A Type 1 authentication factor is something you know. A Type 2 authentication factor is something you have. A Type 3 authentication factor is something you are.

4. Federated identity management systems allow single sign-on (SSO) to be extended beyond a single organization. SSO allows users to authenticate once and access multiple resources without authenticating again. SAML is a common language used to exchange federated identity information between organizations.

5. The identity and access provisioning lifecycle includes provisioning accounts, periodically reviewing and managing accounts, and disabling or deleting accounts when they are no longer being used.