Identity and access management controls play an important role in any organization's information security program. These controls are so important that they constitute an entire domain of the CISSP body of knowledge. In this video, you learn how identity and access management programs ensure consistent user identity and manage physical and logical access to information, systems, devices, and facilities.
- [Instructor] Identity and Access Management controls play an important role in any organization's information security program. These controls are so important that they constitute an entire domain of the CISSP body of knowledge. Identity and Access Management is the practice of ensuring that computer systems have a clear picture of the identity of each individual or resource authorized to access the system and that the system can control access in a way that prevents unauthorized individuals from accessing resources while permitting authorized individuals to perform legitimate actions.
The concept of Identity can be a little confusing when discussed in a theoretical language of Identity and Access Management professionals. Let's take a look at some of the terminology commonly used in this field, by using an example from a college campus. First, an Entity is the foundation of the Identity model. In the case of people, an Entity is an actual, physical person. Here we have two person Entities, Alice and Bob. Each Entity may have one or more Identities.
In the case of people, Identities normally correspond to roles that an individual plays within an organization. In our example, Alice has only one Identity at our college, she is a faculty member. Bob on the other hand, has three different Identities. He works full-time in the college IT department, so he has one Identity as a Staff member. He also earned his Bachelor's degree at the college so he's an Alumnus, and he is currently studying for a Master's degree making him a Student.
Bob fills all three Identities, Staff, Alumnus and Student, at the same time. So across the system right now we have four different Identity possibilities: Faculty, Staff, Alumnus and Student. Each of these Identities is a collection of attributes that describe the Entity. For example, let's look at Bob's Alumnus Identity. There would be many attributes associated with that Identity. For example, Bob studied Computer Science, so he has the Academic Major attribute with the value Computer Science.
He graduated in 2015, so he has the Graduation Year attribute of 2015. And he donates to the college so he has an attribute of Donor set to Yes. There would likely be many more attributes associated with this Identity and other Identities may have overlapping attributes. For example, a Student Identity will also have a Major and Graduation Year but may contain information not found in an alumni record, such as whether the student is on a meal plan.
It's important to note that Entities are not always people. Entities can be physical or virtual objects and groups. Some other examples of Non-Person Entities include business units, servers, network segments and access groups. Identity and Access Management programs use these Identities to control physical and logical access to information, systems, devices and facilities. The rest of this course will dive into those details.
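The entity, identity and attribute model described in the video can be made concrete in a few lines of code. The following is an added example written for this page, not code from the course or its instructor: it models Alice and Bob as entities, gives Bob his Staff, Alumnus and Student identities as attribute sets, and shows how an access decision is made against a particular identity (and its attributes) rather than against the person as a whole. The resources, policies, attribute names such as `meal_plan` and `department`, and the `authorize` function are all constructed for illustration and are not part of the original transcript.

```python
from dataclasses import dataclass, field
from typing import Any, Optional


@dataclass
class Identity:
    """One role an entity plays, expressed as a collection of attributes."""
    role: str
    attributes: dict[str, Any] = field(default_factory=dict)


@dataclass
class Entity:
    """A person (or non-person) entity that may hold several identities at once."""
    name: str
    identities: list[Identity] = field(default_factory=list)

    def roles(self) -> set[str]:
        return {i.role for i in self.identities}


@dataclass
class Policy:
    """Grants an action on a resource to identities with a given role
    whose attributes match every required attribute value."""
    resource: str
    action: str
    required_role: str
    required_attributes: dict[str, Any] = field(default_factory=dict)

    def permits(self, identity: Identity) -> bool:
        if identity.role != self.required_role:
            return False
        return all(identity.attributes.get(k) == v
                   for k, v in self.required_attributes.items())


def authorize(entity: Entity, resource: str, action: str,
              policies: list[Policy]) -> Optional[str]:
    """Return the role under which access is granted, or None.
    Access is denied by default: no matching policy means no access."""
    for policy in policies:
        if policy.resource != resource or policy.action != action:
            continue
        for identity in entity.identities:
            if policy.permits(identity):
                return identity.role
    return None


# Constructed sample data mirroring the campus example in the transcript.
alice = Entity("Alice", [Identity("faculty", {"department": "Mathematics"})])

bob = Entity("Bob", [
    Identity("staff", {"department": "IT"}),
    Identity("alumnus", {"major": "Computer Science",
                         "graduation_year": 2015, "donor": True}),
    Identity("student", {"major": "Information Security",
                         "graduation_year": 2026, "meal_plan": True}),
])

# Constructed policies: each names the role, and optionally the attribute
# values, that an identity must carry to be granted the action.
POLICIES = [
    Policy("gradebook", "write", "faculty"),
    Policy("dining-hall", "enter", "student", {"meal_plan": True}),
    Policy("alumni-lounge", "enter", "alumnus", {"donor": True}),
    Policy("server-room", "enter", "staff", {"department": "IT"}),
]


def decision(entity: Entity, resource: str, action: str) -> str:
    role = authorize(entity, resource, action, POLICIES)
    outcome = f"granted as {role}" if role else "denied"
    return f"{entity.name} -> {action} {resource}: {outcome}"


if __name__ == "__main__":
    for who, res, act in [(alice, "gradebook", "write"),
                          (bob, "gradebook", "write"),
                          (bob, "dining-hall", "enter"),
                          (bob, "alumni-lounge", "enter"),
                          (bob, "server-room", "enter"),
                          (alice, "dining-hall", "enter")]:
        print(decision(who, res, act))
```

The point the code makes is that the same entity (Bob) is granted or denied depending on which of his identities satisfies the policy for the resource in question, and that an entity with no matching identity (Alice at the dining hall) is denied by default. Removing one of Bob's identities when he leaves a role, for instance when he graduates, removes exactly the access tied to that role and nothing else.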
- Identity and access management overview
- Identification mechanisms: user names, access cards, biometrics, and registration
- Authentication factors
- Password authentication protocols
- Identity as a service (IDaaS)
- Enforcing accountability
- Managing credentials with policies
- Using access control lists
- Defending against access control attacks