CISSP domain 5: Identity and access management — What you need to know for the exam [Updated 2022]
Securing information systems and having a tight handle on your organization's identity and access management go hand in hand. Imagine how hard complying with the requirements of Confidentiality, Integrity, and Availability would be if you had no control over who was accessing your information system and resources! It would figuratively bring information security back to the stone age.
Domain 5 of the CISSP certification exam focuses on Identity and Access Management, or IAM. IAM is made up of business process, technology, and information that help organizations use and manage digital identities. It includes the processes, people, and technology necessary to ensure that access to information systems and applications is secure and auditable. The end result is the improvement of the end user experience, efficiency and cost control as well as improved risk mitigation.
Earn your CISSP, guaranteed!
CISSP domain 5: Identity and access management objectives
Below are the subdomains and objectives covered by the 5th of 8 domains of the CISSP certification exam. This domain covers 13% of the weight of exam information that you will encounter on the CISSP.
Control physical and logical access to assets
- Information
- Systems
- Devices
- Facilities
- Applications
Manage identification and authentication of people, devices, and services
- Identity Management (IdM) implementation
- Single/Multi-Factor Authentication (MFA)
- Accountability
- Session management
- Registration, proofing, and establishment of identity
- Federated Identity Management (FIM)
- Credential management systems
- Single Sign On (SSO)
- Just-In-Time (JIT)
Federated identity with a third-party service
- On-premises
- Cloud
- Hybrid
Implement and manage authorization mechanisms
- Role Based Access Control (RBAC)
- Rule based access control
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Attribute Based Access Control (ABAC)
- Risk based access control
Manage the identity access provisioning lifecycle
- Account access review (e.g., user, system, service)
- Provisioning and deprovisioning (E.g., on/off boarding and transfers)
- Role definition (e.g., people assigned to new roles)
- Privilege escalation (e.g., manage service accounts, use of sudo, minimizing its use)
Implement authentication systems
- OPENid Connect (OIDC)/Open Authorization (Oauth)
- Security Assertion Markup Language (SAML)
- Kerberos
- Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+)
Below is additional information regarding identity and access management that will assist you as you get ready for the CISSP certification exam. Further information, such as a full listing of the domains and CISSPexamination weights, can be found in the CISSP exam outline.
Controlling access to assets
There are two common methods for controlling access to assets. Authentication systems traditionally use a combination of username and password to authentication users. More recently, enhancements such as single sign-on (SSO) and biometrics have buttressed traditional authentication systems. Authorization systems such as an LDAP directory checks to see if a user belongs to a particular department, such as engineering or sales, before the user can gain access to the resources of that department.
Earn your CISSP, guaranteed!
Identity management (IdM)
When implementing an IdM solution, it is necessary to ensure the services and apps are highly available, secure, and site resilient. Since the IdM system is spread across the organization, minimizing latency important to consider and to maximize performance, authentication and authorization should take place as close to the user as possible. Commonly used components in an IdM solution may include Microsoft Active Directory (AD), SSO, a self-service password reset tool and a scanning and reporting tool for auditing and compliance.
Using a third-party service
Some organizations opt to use a third-party service and integrate them with their pre-existing IAM systems. On premises is a third-party service that will physically integrate with the IAM system you are currently using on premises at your organization’s site. An example of such is when you integrate your AD system with a third-party provider that allows certain users to use SSO for authentication. Cloud-based third-party services are being used by organizations that use cloud-based applications and software as a service (SaaS) and need to manage their users’ identities in the cloud. Microsoft Azure Active Directory, Okta, and Pin Identity are examples of cloud-based federated identity solutions. A third option is called Hybrid and organizations that need to use a combination of both on premises and cloud-based federated identity services to best serve the needs of their organization.
Types of access control
There are several types of access control you will be responsible to know for the CISSP certification exam. You will need to be able to explain Role-based access control (RBAC), Rule-based access control, Mandatory access control (MAC), Discretionary access control (DAC), and Attribute-based access control. A new type of access control for the 2021 CISSP update is Risk-based access control which evaluates risk factors based off of metadata such as location and IP address (known malicious IP) and is combined with other access control methods when implemented.
Authentication system implementation
This is a new section for the 2021 CISSP update and is a high-level view of authentication system implementation as it focuses on the authentication systems themselves rather than the process and details of the implementation. The authentication systems you will need to explain on the CISSP exam are:
- OpenID Connect (OIDC)/Open Authorization (OAuth)
- Security Assertion Markup Language (SAML)
- Kerberos
- RADIUS/TACACS+
Earn your CISSP, guaranteed!
Other considerations
The information above is not the only angle you need to be thinking about this material from – you also need to consider the design and implementation of your IAM system. Design considerations you need to keep in mind (which I touched briefly on above) is high availability, site resilience, performance, and security. These are the same considerations for the implementation side of things with the addition of figuring out how you can achieve the intended design and validating the implementation outcome.
Conclusion
Identity and access management is a crucial aspect of overall information security that the 5th domain of the CISSP covers. Controlling access to your resources and assets is one of the most fundamental aspects of securing your information systems. You’ll need a solid understanding of this material both on the job and when sitting for the CISSP certification exam.
For more on the CISSP certification, view our CISSP hub.