Identity and access management controls play an important role in any organization's information security program. These controls are so important that they constitute an entire domain of the CISSP body of knowledge. In this video, learn how identity and access management programs ensure consistent user identity and manage physical and logical access to information, systems, devices, and facilities.
- [Instructor] Identity and access management controls play an important role in any organization's information security program. These controls are so important that they constitute an entire domain of the CISSP body of knowledge. Identity and access management is the practice of ensuring that computer systems have a clear picture of the identity of each individual or resource authorized to access the system, and that the system can control access in a way that prevents unauthorized individuals from accessing resources, while permitting authorized individuals to perform legitimate actions.
The concept of identity can be a little confusing when discussed in the theoretical language of identity and access management professionals. Let's take a look at some of the terminology commonly used in this field by using an example from a college campus. First, an entity is the foundation of the identity model. In the case of people, an entity is an actual physical person. Here, we have two person entities, Alice and Bob. Each entity may have one or more identities.
In the case of people, identities normally correspond to roles that an individual plays within an organization. In our example, Alice has only one identity at our college. She is a faculty member. Bob, on the other hand, has three different identities. He works full-time in the college IT department, so he has one identity as a staff member. He also earned his Bachelor's degree at the college, so he's an alumnus. And he is currently studying for a Master's degree, making him a student.
Bob fills all three identities, staff, alumnus, and student, at the same time. So across the system right now, we have four different identity possibilities, faculty, staff, alumnus, and student. Each of these identities is a collection of attributes that describe the entity. For example, let's look at Bob's alumnus identity. There would be many attributes associated with that identity. For example, Bob studied computer science, so he has the academic major attribute with the value computer science.
He graduated in 2015, so he has the graduation year attribute of 2015. And he donates to the college, so he has an attribute of donor set to yes. There would likely be many more attributes associated with this identity and other identities may have overlapping attributes. For example, a student identity would also have a major and graduation year, but may contain information not found in an alumni record, such as whether the student is on a meal plan.
It's important to note that entities are not always people. Entities can be physical or virtual objects and groups. Some other examples of non-person entities include business units, servers, network segments, and access groups. Identity and access management programs use these identities to control physical and logical access to information, systems, devices, and facilities. The rest of this course will dive into those details.
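The entity, identity and attribute model described above can be made concrete in code. The following is an added example, not code from the course or from (ISC)²: it models Alice and Bob as entities holding one or more identities, each identity being a collection of attributes, and then makes a simple attribute-based access decision. The `authorize` function, the `department` and `meal_plan` values and the student graduation year are constructed for the example; only the roles and Bob's alumnus attributes come from the transcript.

```python
"""Toy model of entity -> identities -> attributes, plus an access check.

Added example, not part of the course material. Resource policies and any
attribute values not mentioned in the transcript are constructed here.
"""
from dataclasses import dataclass, field


@dataclass
class Identity:
    """A role an entity plays, expressed as a named collection of attributes."""
    role: str
    attributes: dict = field(default_factory=dict)


@dataclass
class Entity:
    """A real person (or server, business unit, ...) holding one or more identities."""
    name: str
    identities: list = field(default_factory=list)

    def roles(self):
        """All identities this entity currently holds."""
        return {ident.role for ident in self.identities}


def authorize(entity, required_role, required_attrs=None):
    """Grant access only if the entity holds an identity with the required role
    AND every required attribute matches on that same identity.

    Attributes are evaluated per identity, not per entity: an attribute on Bob's
    alumnus identity must not satisfy a policy aimed at his staff identity.
    """
    required_attrs = required_attrs or {}
    for ident in entity.identities:
        if ident.role != required_role:
            continue
        if all(ident.attributes.get(k) == v for k, v in required_attrs.items()):
            return True
    return False


# Constructed sample data mirroring the transcript's campus example.
alice = Entity("Alice", [Identity("faculty", {"department": "Computer Science"})])
bob = Entity("Bob", [
    Identity("staff", {"department": "IT"}),
    Identity("alumnus", {"major": "computer science", "graduation_year": 2015, "donor": True}),
    # Student record overlaps with the alumnus record (major, graduation year)
    # but carries information the alumnus record lacks, such as a meal plan.
    Identity("student", {"major": "computer science", "graduation_year": 2026, "meal_plan": True}),
])

if __name__ == "__main__":
    print(sorted(bob.roles()))                            # Bob's three identities
    print(authorize(bob, "alumnus", {"donor": True}))     # alumni donor portal: True
    print(authorize(alice, "alumnus"))                    # Alice has no alumnus identity: False
    print(authorize(bob, "staff", {"donor": True}))       # donor attribute is not on staff: False
```

Keeping the check scoped to a single identity is the security-relevant point: collapsing all of Bob's attributes into one bag would let his alumnus donor flag unlock a staff-only resource, which is not what any of his identities individually permits.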
You can sign up for Mike's free study group at certmike.com, and find his study guides at the Sybex test prep site. To review the complete CISSP Body of Knowledge, visit https://www.isc2.org/cissp-domains/default.aspx.
- Identity and access management overview
- Identification mechanisms: user names, access cards, biometrics, and registration
- Authentication factors
- Password authentication protocols
- Identity as a service (IDaaS)
- Enforcing accountability
- Managing credentials with policies
- Using access control lists
- Defending against access control attacks