Page 983 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Implementing Identity Management

Identity management techniques generally fall into one of two
categories: centralized and decentralized/distributed.

Centralized access control implies that all authorization
verification is performed by a single entity within a system.

Decentralized access control (also known as distributed access
control) implies that various entities located throughout a system
perform authorization verification.

Centralized and decentralized access control methodologies offer the
same benefits and drawbacks found in any centralized or decentralized
system. A small team or individual can manage centralized access
control. Administrative overhead is lower because all changes are
made in a single location and a single change affects the entire system.

Decentralized access control often requires several teams or multiple
individuals. Administrative overhead is higher because changes must
be implemented across numerous locations. Maintaining consistency
across a system becomes more difficult as the number of access
control points increases. Changes made to any individual access
control point need to be repeated at every access point.

Single Sign-On

Single sign-on (SSO) is a centralized access control technique that
allows a subject to be authenticated once on a system and to access
multiple resources without authenticating again. For example, users
can authenticate once on a network and then access resources
throughout the network without being prompted to authenticate
again.
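
An added example (not from the study guide) of the flow just described: a central sign-on service checks the password once and issues a signed, time-limited token, and each resource validates that token without prompting again. All names, the demo credential and the single shared HMAC key are assumptions made for illustration; the shared key is a simplification.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not from the study guide).
SSO_KEY = b"demo-key-shared-by-sso-server-and-resources"
# Demo only: a real credential store uses a slow, salted password hash.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

def _sign(payload: bytes) -> bytes:
    return hmac.new(SSO_KEY, payload, hashlib.sha256).hexdigest().encode()

def sso_login(user, password, now=None, ttl=300):
    """Central authentication: the only place a password is checked."""
    expected = USERS.get(user, "")
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(expected, supplied):
        return None
    now = time.time() if now is None else now
    claims = json.dumps({"sub": user, "exp": now + ttl}).encode()
    payload = base64.urlsafe_b64encode(claims)
    return payload.decode() + "." + _sign(payload).decode()

def resource_access(resource, token, now=None):
    """Any resource: validates the token, never asks for the password."""
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(_sign(payload.encode()), sig.encode()):
            return None  # forged or altered token
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, AttributeError):
        return None  # malformed token
    now = time.time() if now is None else now
    if claims["exp"] < now:
        return None  # expired: the subject must authenticate again
    return f"{claims['sub']} granted access to {resource}"
```
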

SSO is very convenient for users, but it also increases security. When
users have to remember multiple usernames and passwords, they
often resort to writing them down, ultimately weakening security.
Users are less likely to write down a single password. SSO also eases
administration by reducing the number of accounts required for a

