
Exam Weight: 13%
Domain 5 focuses on the “Who” and “How” of access. It covers the systems used to identify, authenticate, and authorize users and devices. In the modern era of Zero Trust and Agentic Identity, this domain has become a cornerstone of cybersecurity strategy.
1. The IAM Lifecycle
Identity management is a process, not just a tool. It follows a specific flow:
- Identification: Claiming an identity (e.g., entering a username).
- Authentication: Proving that identity (e.g., providing a password or token).
- Authorization: Determining what the authenticated user is allowed to do.
- Accounting (Auditing): Tracking what the user actually did for accountability.
- Provisioning/Deprovisioning: Creating accounts during onboarding and, crucially, removing all access immediately upon offboarding.
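The deprovisioning step is the one that most often fails in practice, so it is worth having a repeatable check for it. The following is an added example (not from the study guide) of a small audit that joins a constructed HR roster against a constructed directory export and flags accounts that should have been removed: terminated employees whose accounts are still enabled, logins recorded after a termination date, and accounts with no HR owner at all. The roster and directory fields are assumed for illustration.

```python
# Added example: a deprovisioning audit over constructed HR and directory data.
from datetime import date

# Constructed HR roster: employee id -> (username, status, termination date or None)
HR_ROSTER = {
    "E100": ("alice", "active", None),
    "E101": ("bob", "terminated", date(2024, 3, 1)),
    "E102": ("carol", "terminated", date(2024, 5, 15)),
}

# Constructed directory export: username -> account attributes
DIRECTORY = {
    "alice": {"enabled": True, "last_login": date(2024, 6, 1), "employee_id": "E100"},
    "bob": {"enabled": True, "last_login": date(2024, 4, 10), "employee_id": "E101"},
    "carol": {"enabled": False, "last_login": date(2024, 5, 14), "employee_id": "E102"},
    "svc-backup": {"enabled": True, "last_login": date(2024, 6, 2), "employee_id": None},
}


def audit_deprovisioning(roster, directory):
    """Return a list of (finding_code, username, detail) tuples."""
    findings = []

    # Pass 1: walk the HR roster and check what the directory says about leavers.
    for emp_id, (username, status, term_date) in roster.items():
        acct = directory.get(username)
        if status != "terminated" or acct is None:
            continue
        if acct["enabled"]:
            findings.append(("STALE_ENABLED", username,
                             f"terminated {term_date}, account still enabled"))
        if acct["last_login"] and term_date and acct["last_login"] > term_date:
            findings.append(("LOGIN_AFTER_TERMINATION", username,
                             f"last login {acct['last_login']} is after {term_date}"))

    # Pass 2: walk the directory and look for accounts nobody in HR owns.
    for username, attrs in directory.items():
        if attrs["employee_id"] is None:
            findings.append(("NO_HR_OWNER", username,
                             "account has no linked employee record"))
        elif attrs["employee_id"] not in roster:
            findings.append(("UNKNOWN_EMPLOYEE", username,
                             "linked employee id is not in the HR roster"))
    return findings


def finding_codes(roster=HR_ROSTER, directory=DIRECTORY):
    """Sorted list of finding codes, convenient for reporting and testing."""
    return sorted(code for code, _, _ in audit_deprovisioning(roster, directory))


if __name__ == "__main__":
    for code, user, detail in audit_deprovisioning(HR_ROSTER, DIRECTORY):
        print(f"{code:24} {user:12} {detail}")
```

Run against the constructed data, the audit flags `bob` twice (still enabled, and a login after his termination date) and `svc-backup` once (no HR owner); `carol` is clean because her account was disabled before the termination date.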
2. Identification and Authentication
The exam tests the “Factors of Authentication.” Strong security requires Multi-Factor Authentication (MFA) using at least two different categories:
- Something You Know: Password, PIN, or security question. (Weakest)
- Something You Have: Hardware token, smart card, or SMS code.
- Something You Are: Biometrics (Fingerprint, Retina, Iris).
- Somewhere You Are: Geolocation/IP filtering.
- Something You Do: Gestures or typing patterns (Behavioral).
Biometric Errors to Know:
- Type I (False Rejection Rate – FRR): Rejecting a valid user (also called the insult rate).
- Type II (False Acceptance Rate – FAR): Accepting an impostor (Security failure).
- CER (Crossover Error Rate): The point where FRR and FAR are equal. Lower CER = More Accurate System.
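The FRR/FAR/CER relationship is easier to remember once you have computed it. The block below is an added example (not from the study guide) that uses two constructed sets of matcher scores, one from legitimate users and one from impostors, sweeps the acceptance threshold, and finds the crossover point. It also compares a second, better-separated system to show that a lower CER means a more accurate system. All scores are made up for illustration.

```python
# Added example: computing FRR, FAR and CER from constructed matcher scores.
# The matcher returns a similarity score 0-100; a sample is accepted when its
# score is at or above the threshold.

# System A: genuine and impostor score distributions overlap.
GENUINE_A = [90, 85, 80, 75, 70, 65, 60, 55, 50, 40]
IMPOSTOR_A = [62, 58, 45, 40, 35, 30, 25, 20, 15, 10]

# System B: clearer separation between genuine users and impostors.
GENUINE_B = [95, 92, 90, 88, 85, 80, 78, 75, 72, 70]
IMPOSTOR_B = [40, 38, 35, 30, 28, 25, 22, 20, 15, 10]


def frr(threshold, genuine):
    """Type I error: fraction of legitimate users rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold, impostor):
    """Type II error: fraction of impostors accepted (score at or above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_error_rate(genuine, impostor):
    """Return (threshold, CER): the lowest threshold where FRR and FAR are closest.

    With real, continuous score distributions FRR and FAR cross exactly; with a
    handful of integer scores they may only come within one sample of each
    other, so the CER is reported as the mean of the two rates at that point.
    """
    best_t = min(range(0, 101),
                 key=lambda t: abs(frr(t, genuine) - far(t, impostor)))
    return best_t, (frr(best_t, genuine) + far(best_t, impostor)) / 2


def error_table(genuine, impostor, thresholds=(30, 40, 50, 60, 70, 80)):
    """Rows of (threshold, FRR, FAR) showing the trade-off as the threshold rises."""
    return [(t, frr(t, genuine), far(t, impostor)) for t in thresholds]


if __name__ == "__main__":
    for name, g, i in (("A", GENUINE_A, IMPOSTOR_A), ("B", GENUINE_B, IMPOSTOR_B)):
        print(f"System {name}")
        for t, fr, fa in error_table(g, i):
            print(f"  threshold {t:3}: FRR={fr:.2f} FAR={fa:.2f}")
        t, cer = crossover_error_rate(g, i)
        print(f"  CER = {cer:.2f} at threshold {t}")
```

Raising the threshold always pushes FRR up and FAR down; the CER is the single number that lets you compare two systems independent of where each vendor happened to set its default threshold.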
3. Access Control Models
How does the system decide “who gets what”?
- DAC (Discretionary Access Control): The Data Owner decides access. Used in standard Windows/Linux file systems. Flexible but less secure.
- MAC (Mandatory Access Control): The System decides access based on security labels (e.g., Secret, Top Secret). Used in military/high-security environments.
- RBAC (Role-Based Access Control): Access is based on a person’s job function (e.g., “HR Manager”). Most efficient for large organizations.
- ABAC (Attribute-Based Access Control): The most granular. Access is based on attributes of the subject (user), object (file), and environment (time/location).
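The four models differ in who makes the decision and what information it is based on, and that difference is clearest in code. The following added example (not from the study guide) implements a toy decision function for each model: a label-dominance check for MAC, an owner-controlled ACL for DAC, a role-to-permission map for RBAC, and a rule over subject, object and environment attributes for ABAC. The labels, roles, permission names and attribute names are all constructed for illustration.

```python
# Added example: minimal decision functions for MAC, DAC, RBAC and ABAC.
from dataclasses import dataclass, field

# --- MAC: the system decides from security labels ------------------------
# Ordered clearance/classification levels. A subject may read an object only
# if its clearance dominates the object's label ("no read up").
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def mac_can_read(subject_clearance, object_label):
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# --- DAC: the data owner decides ----------------------------------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions


def dac_allowed(obj, user, permission):
    if user == obj.owner:
        return True  # the owner always has full control
    return permission in obj.acl.get(user, set())


def dac_grant(obj, granter, user, permission):
    """Only the owner may change the ACL; this is what makes it discretionary."""
    if granter != obj.owner:
        raise PermissionError("only the owner may change the ACL")
    obj.acl.setdefault(user, set()).add(permission)


# --- RBAC: job function decides -----------------------------------------
ROLE_PERMISSIONS = {
    "HR Manager": {"payroll:read", "payroll:approve", "employee:read"},
    "HR Analyst": {"employee:read"},
}
USER_ROLES = {"alice": {"HR Manager"}, "bob": {"HR Analyst"}}


def rbac_allowed(user, permission):
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- ABAC: attributes of subject, object and environment decide ----------
def abac_allowed(subject, obj, env):
    """Constructed rule: staff may read records of their own department,
    from the corporate network, during business hours (08:00-17:59)."""
    same_dept = subject["department"] == obj["department"]
    on_corp_net = env["network"] == "corporate"
    business_hours = 8 <= env["hour"] < 18
    return same_dept and on_corp_net and business_hours


if __name__ == "__main__":
    print("MAC  Secret reads Top Secret:", mac_can_read("Secret", "Top Secret"))
    doc = DacObject(owner="carol")
    dac_grant(doc, "carol", "dave", "read")
    print("DAC  dave read:", dac_allowed(doc, "dave", "read"),
          "write:", dac_allowed(doc, "dave", "write"))
    print("RBAC bob approves payroll:", rbac_allowed("bob", "payroll:approve"))
    print("ABAC off-hours read:", abac_allowed(
        {"department": "HR"}, {"department": "HR"},
        {"network": "corporate", "hour": 22}))
```

Note how ABAC is the only model whose answer can change without anyone editing a permission: the same user and file get a different decision at a different hour or from a different network, which is why it is described as the most granular.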
4. Identity Management Technologies
- Single Sign-On (SSO): Allows a user to authenticate once and access multiple systems.
- Kerberos: Uses a “Ticket Granting Service” (TGS) and symmetric keys. (Standard for Active Directory).
- SAML: XML-based, used primarily for web-based SSO between different organizations (Federation).
- OpenID Connect (OIDC): Built on top of OAuth 2.0, which by itself only handles authorization; OIDC adds the identity (authentication) layer.
- RADIUS & TACACS+: Protocols for Centralized Authentication for network devices. TACACS+ is Cisco-proprietary and encrypts the entire packet; RADIUS only encrypts the password.
5. Access Control Attacks
- Brute Force: Trying every possible combination.
- Dictionary Attack: Trying a list of common words and passwords.
- Rainbow Tables: Using pre-computed hashes to reverse passwords quickly. (Countermeasure: Salting the hash).
- Credential Stuffing: Using leaked credentials from one site to log into another.
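Salting is listed above as the countermeasure to rainbow tables; the added example below (not from the study guide) shows why it works. A tiny dictionary of plain SHA-256 digests stands in for a precomputed table: it finds an unsalted hash of a common word instantly, but a per-user random salt combined with a slow key-derivation function (PBKDF2 here) produces a different digest for every user, so no table computed in advance can match it. The words in the table and the user names are constructed for illustration.

```python
# Added example: per-user salted, iterated password hashing versus an
# unsalted digest that a precomputed table can reverse.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; real deployments tune this upward
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


def unsalted_hash(password):
    """The weak pattern: a bare digest with no salt and no work factor."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a precomputed (rainbow) table: digest -> plaintext.
COMMON_WORDS = ["password", "letmein", "welcome1"]
PRECOMPUTED = {unsalted_hash(w): w for w in COMMON_WORDS}


def lookup_precomputed(hex_digest):
    """Return the plaintext if the digest was precomputed, else None."""
    return PRECOMPUTED.get(hex_digest)


def store_two_users_same_password(password):
    """Two users choosing the same password get unrelated stored digests."""
    salt1, digest1 = hash_password(password)
    salt2, digest2 = hash_password(password)
    return {"user1": (salt1, digest1), "user2": (salt2, digest2)}


if __name__ == "__main__":
    weak = unsalted_hash("password")
    print("unsalted lookup:", lookup_precomputed(weak))  # found immediately
    store = store_two_users_same_password("password")
    s, d = store["user1"]
    print("salted lookup:", lookup_precomputed(d.hex()))  # None
    print("digests differ:", store["user1"][1] != store["user2"][1])
    print("verify correct:", verify_password("password", s, d))
    print("verify wrong:", verify_password("Password", s, d))
```

Storing the salt next to the digest is fine: the salt is not a secret, it only ensures that each password must be attacked individually at full PBKDF2 cost rather than matched against work done once for everyone.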
