CISSP Module 5: Identity and Access Management (IAM)

Introduction

This module covers the essential principles of Identity and Access Management (IAM), including identification, authentication, authorization, and accountability.

It focuses on designing and implementing IAM frameworks, understanding the various technologies and protocols used in IAM, and exploring best practices for managing user identities and access controls.

The goal is to provide a comprehensive understanding of how to protect systems and data by effectively managing who can access what resources and under what conditions.


Module Brief

1. Control Physical and Logical Access to Assets

This section covers controlling access to information, systems, devices, facilities, applications, and services.


2. Design Identification and Authentication Strategy

This section focuses on designing strategies for groups and roles, multi-factor authentication (MFA), session management, federated identity management, and more.


3. Federated Identity with a Third-Party Service

This section explores federated identity management with on-premise, cloud, and hybrid environments.


4. Implement and Manage Authorization Mechanisms

This section covers various access control models and techniques such as RBAC, MAC, DAC, ABAC, and risk-based access control.


5. Manage the Identity and Access Provisioning Lifecycle

This section outlines the lifecycle management of identities and access, including account access review, provisioning, deprovisioning, and privilege escalation.


6. Implement Authentication Systems

This section details the implementation of various authentication systems.


7. Identity and Access Management Technologies

This section explores various IAM technologies and their applications.


8. IAM Best Practices and Challenges

This section provides best practices for implementing IAM and addresses common challenges with mitigation controls.



1. Control Physical and Logical Access to Assets

1.1 Access Control Methods

Definition: Methods used to control access to information, systems, devices, facilities, applications, and services to protect against unauthorized use or abuse.

List of Access Control Methods:

  • Information
  • Systems
  • Devices
  • Facilities
  • Applications
  • Services


1.1.1 Information

Definition: Controlling access to information resources to protect confidentiality, integrity, and availability.

Examples:

  • Data Classification: Classifying data to determine appropriate security measures.
  • Access Controls: Implementing access controls based on data classification.

Use Case: An organization classifies its data and implements access controls to ensure that sensitive information is only accessible to authorized personnel.

________________________________________

1.1.2 Systems

Definition: Controlling access to system resources to prevent unauthorized use or abuse.

Examples:

  • System Access Controls: Using authentication and authorization mechanisms to control access to systems.
  • Monitoring: Monitoring system access to detect and respond to unauthorized access attempts.

Use Case: A company uses system access controls and monitoring to prevent and detect unauthorized access to its servers.

________________________________________

1.1.3 Devices

Definition: Securing devices to ensure that only authorized individuals can access and use them.

Examples:

  • Device Authentication: Using authentication mechanisms to verify the identity of device users.
  • Device Encryption: Encrypting data on devices to protect against unauthorized access.

Use Case: A healthcare organization uses device authentication and encryption to protect patient data on mobile devices.

________________________________________

1.1.4 Facilities

Definition: Implementing physical security controls to protect facilities and the assets within them.

Examples:

  • Access Controls: Using card readers and biometric systems to control access to facilities.
  • Surveillance: Using video surveillance to monitor facility access points.

Use Case: A financial institution uses access controls and surveillance to secure its data centers.

________________________________________

1.1.5 Applications

Definition: Controlling access to applications to ensure that only authorized users can access and use them.

Examples:

  • Application Security Controls: Implementing authentication and authorization mechanisms within applications.
  • Logging and Monitoring: Logging application access and monitoring for suspicious activity.

Use Case: A software company implements application security controls and monitoring to protect its proprietary software from unauthorized access and use.

________________________________________

1.1.6 Services

Definition: Securing access to services to protect against unauthorized use and abuse.

Examples:

  • Service Authentication: Implementing authentication mechanisms to verify the identity of service users.
  • Service Authorization: Implementing authorization mechanisms to control access to services.

Use Case: A cloud service provider uses service authentication and authorization to ensure that only authorized users can access its services.

________________________________________________________________________________

1.2 Access Control Principles

Definition: Principles that guide the implementation of access controls to ensure they are effective and secure.

List of Access Control Principles:

  • Separation of Duties
  • Need to Know
  • Least Privilege


1.2.1 Separation of Duties

Definition: Ensuring that no single individual has complete control over all aspects of a critical process, reducing the risk of fraud or error.

Examples:

  • Financial Transactions: Separating the duties of initiating, approving, and recording financial transactions.
  • IT Operations: Separating the roles of system administrators and security administrators.

Use Case: A company separates the roles of requesting and approving purchases to reduce the risk of fraudulent transactions.

________________________________________

1.2.2 Need to Know

Definition: Restricting access to information only to those who require it to perform their job duties.

Examples:

  • Data Access: Limiting access to sensitive data to employees who need it for their work.
  • Project Information: Granting access to project details only to team members working on the project.

Use Case: An organization restricts access to customer data to customer service representatives who need it to assist customers.

________________________________________

1.2.3 Least Privilege

Definition: Providing users with the minimum level of access necessary to perform their job functions.

Examples:

  • Access Rights: Granting employees only the access rights they need to perform their duties.
  • System Permissions: Limiting administrative privileges to IT staff who require them for system maintenance.

Use Case: A company implements least privilege by restricting administrative access to systems to only a few IT administrators.
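The three principles in 1.2 are easiest to see when a policy engine enforces them together. The following Python is an added example, not code from the study notes: the roles, users, purchase orders and projects are constructed sample data, and the permission names (`purchase:request`, `purchase:approve`, `project:read`, `system:admin`) are hypothetical. Least privilege is enforced by granting only what a role lists, need to know by project membership, and separation of duties by refusing a second, conflicting action by the same person on the same object.

```python
"""Added example: a small policy engine that enforces separation of duties,
need to know and least privilege.  All roles, users and objects are constructed."""
from dataclasses import dataclass, field

# Least privilege: each role lists only the permissions it needs (hypothetical names).
ROLE_PERMISSIONS = {
    "clerk":    {"purchase:request"},
    "manager":  {"purchase:approve"},
    "engineer": {"project:read"},
    "sysadmin": {"system:admin"},
}

# Separation of duties: these permission pairs may never be exercised by the
# same person on the same object (e.g. requesting and approving one purchase order).
SOD_CONFLICTS = {frozenset({"purchase:request", "purchase:approve"})}


@dataclass
class User:
    name: str
    roles: set
    projects: set = field(default_factory=set)   # need-to-know membership


@dataclass
class PolicyEngine:
    # Record of who has already acted on each object: {object_id: {(user, permission)}}
    history: dict = field(default_factory=dict)

    def permissions_of(self, user):
        perms = set()
        for role in user.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def check(self, user, permission, obj_id, project=None):
        """Return (allowed, reason) and record the action when it is allowed."""
        # Least privilege: nothing is permitted unless a role grants it explicitly.
        if permission not in self.permissions_of(user):
            return False, "least-privilege: permission not granted"
        # Need to know: project data only for members of that project.
        if project is not None and project not in user.projects:
            return False, "need-to-know: not a member of project"
        # Separation of duties: refuse if this user already performed a
        # conflicting action on the same object.
        for prior_user, prior_perm in self.history.get(obj_id, set()):
            if prior_user == user.name and frozenset({prior_perm, permission}) in SOD_CONFLICTS:
                return False, f"separation-of-duties: already did {prior_perm}"
        self.history.setdefault(obj_id, set()).add((user.name, permission))
        return True, "ok"


def demo():
    """Run the scenarios from 1.2 and return each decision by name."""
    engine = PolicyEngine()
    alice = User("alice", {"clerk", "manager"})           # holds both roles
    bob = User("bob", {"manager"})
    carol = User("carol", {"engineer"}, projects={"apollo"})
    results = {}
    results["alice_requests"] = engine.check(alice, "purchase:request", "PO-1")
    # Alice may not approve her own request even though her manager role allows approval.
    results["alice_approves_own"] = engine.check(alice, "purchase:approve", "PO-1")
    results["bob_approves"] = engine.check(bob, "purchase:approve", "PO-1")
    results["carol_reads_apollo"] = engine.check(carol, "project:read", "doc-7", project="apollo")
    results["carol_reads_zeus"] = engine.check(carol, "project:read", "doc-8", project="zeus")
    results["carol_admin"] = engine.check(carol, "system:admin", "srv-1")
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:22} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Note that the separation-of-duties check depends on the engine remembering earlier actions per object; a stateless permission lookup alone cannot enforce it, which is why real systems keep this history in an audit trail.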

________________________________________________________________________________

1.3 Administration Approaches

Definition: Methods of organizing and managing access controls within an organization.

List of Administration Approaches:

  • Centralized
  • Decentralized
  • Hybrid


1.3.1 Centralized

Definition: Consolidating access control management in a single location or system.

Examples:

  • Centralized Directory: Using a centralized directory service like Active Directory to manage user accounts and permissions.
  • Unified Access Management: Implementing a unified access management system to control access to all resources.

Use Case: An organization uses a centralized directory service to manage user accounts and access permissions across its entire network.

________________________________________

1.3.2 Decentralized

Definition: Distributing access control management across multiple locations or systems.

Examples:

  • Local Administration: Allowing local administrators to manage access controls for their specific departments.
  • Departmental Control: Granting departments the autonomy to manage their own access permissions.

Use Case: A multinational corporation allows each regional office to manage its own user accounts and access permissions.

________________________________________

1.3.3 Hybrid

Definition: Combining elements of both centralized and decentralized approaches.

Examples:

  • Centralized Policies, Local Control: Implementing centralized access control policies with local control over specific permissions.
  • Federated Access Management: Using a federated model to manage access controls across different regions or departments.

Use Case: An enterprise adopts a hybrid approach by setting global access policies while allowing local IT teams to manage day-to-day access permissions.


Multiple Choice Questions

1. What is the primary purpose of the separation of duties principle?

a. To increase data availability

b. To reduce the risk of fraud or error

c. To improve data encryption

d. To monitor data access


2. Which access control principle restricts access to information only to those who require it for their job duties?

a. Least Privilege

b. Need to Know

c. Separation of Duties

d. Centralized Administration


3. What is the key feature of least privilege?

a. Providing maximum access at all times

b. Providing minimum access necessary to perform job functions

c. Using multi-factor authentication

d. Implementing single sign-on


4. What is the benefit of centralized administration?

a. Distributing access control management

b. Consolidating access control management in a single location or system

c. Granting departments the autonomy to manage their own access permissions

d. Combining elements of both centralized and decentralized approaches


5. How does a hybrid administration approach manage access control?

a. By centralizing all access control management

b. By decentralizing all access control management

c. By combining centralized policies with local control over specific permissions

d. By using a single access management system for all resources


Answers and Explanations

1. b. To reduce the risk of fraud or error

Separation of duties ensures that no single individual has complete control over all aspects of a critical process, reducing the risk of fraud or error.


2. b. Need to Know

Need to Know restricts access to information only to those who require it to perform their job duties.


3. b. Providing minimum access necessary to perform job functions

Least privilege provides users with the minimum level of access necessary to perform their job functions.


4. b. Consolidating access control management in a single location or system

Centralized administration consolidates access control management in a single location or system.


5. c. By combining centralized policies with local control over specific permissions

A hybrid administration approach combines centralized policies with local control over specific permissions.



2. Design Identification and Authentication Strategy

2.1 Groups and Roles

Definition: Using groups and roles to simplify the management of access controls.

Examples:

  • Group Policies: Applying policies to groups of users to manage access rights.
  • Role-Based Access Control (RBAC): Assigning access rights based on user roles.

Use Case: An organization uses RBAC to assign access rights to employees based on their job functions.

________________________________________________________________________________

2.2 Identification, Authentication, Authorization and Accounting (AAA)

Definition: A framework for intelligently controlling access to computer resources, enforcing policies, and auditing usage.


2.2.1 Identification

Definition: The process of recognizing an individual as a valid user.

Examples:

  • User IDs: Assigning unique user IDs to individuals.
  • Biometric Identifiers: Using biometric data such as fingerprints or facial recognition.
  • Email Addresses: Using email addresses as unique identifiers.
  • Phone Numbers: Using phone numbers for identity verification.

Use Case: A company uses biometric identifiers, email addresses, and phone numbers to recognize employees and grant them access to secure areas.

________________________________________

2.2.2 Authentication

Definition: Verifying the identity of a user through various methods.

List of Authentication Approaches:

  • Knowledge (Something the user knows)
  • Ownership (Something the user has)
  • Characteristic (Something the user is)
  • Single/Multifactor (Using one or more methods of authentication)
  • Authenticator Assurance Levels (Levels of confidence in the authentication process)
  • Just-in-time Access


2.2.2.1 Knowledge

Definition: Something the user knows.

Examples:

  • Password: A secret word or phrase used to authenticate a user.
  • Passphrase: A longer phrase used to authenticate a user.
  • Questions: Security questions used to verify identity.

Use Case: An organization requires users to enter a password and answer a security question to access sensitive data.

__________________

2.2.2.2 Ownership

Definition: Something the user has.

Examples:

  • One-time Passwords: Passwords that are valid for only one login session.
      • Hard Tokens: Physical devices that generate one-time passwords.
      • Soft Tokens: Software applications that generate one-time passwords.
      • Synchronous: Tokens synchronized with a server to generate one-time passwords.
      • Asynchronous: Tokens that generate one-time passwords independently.
  • Smart/Memory Cards: Cards that store authentication data.

Use Case: A financial institution uses smart cards to authenticate employees accessing secure systems.
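The synchronous and asynchronous tokens above are easier to understand from the algorithms behind them. The following Python is an added example, not code from the study notes: it implements HOTP (RFC 4226, the event or counter-based scheme used by asynchronous tokens) and TOTP (RFC 6238, the clock-based scheme used by synchronous tokens) from the standard library, plus a server-side verifier. The shared secret is the published RFC 4226 test secret; the look-ahead and drift window sizes are assumptions.

```python
"""Added example: HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords and a
verifier that refuses replays.  Secret and window sizes are illustrative."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to `digits` decimal digits (RFC 4226 section 5.3)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the clock (RFC 6238).
    Token and server must share a clock, which is what 'synchronous' means."""
    return hotp(secret, unix_time // step, digits)


class Verifier:
    """Server-side check.  For HOTP a consumed counter is never accepted again
    (that is what makes the code one-time); a small look-ahead lets the server
    resynchronize if the user generated codes without using them.  For TOTP a
    drift window of one step tolerates slightly skewed clocks."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # highest HOTP counter already consumed

    def verify_hotp(self, code: str, look_ahead: int = 5) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c    # resynchronize and consume this counter
                return True
        return False

    def verify_totp(self, code: str, unix_time: int, step: int = 30, drift: int = 1) -> bool:
        for k in range(-drift, drift + 1):
            if hmac.compare_digest(totp(self.secret, unix_time + k * step, step), code):
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"    # RFC 4226 test secret
    print("HOTP counters 0..2:", [hotp(secret, c) for c in range(3)])
    print("TOTP now:", totp(secret, int(time.time())))
```

The HOTP verifier shows why "one-time" is a property of the server as much as of the token: if `last_counter` were not advanced, a captured code would remain valid until the look-ahead window moved past it.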

__________________

2.2.2.3 Characteristic

Definition: Something the user is.

Examples:

  • Physiological: Using physical characteristics to verify identity.
      • Fingerprint: Using fingerprint recognition for authentication.
      • Hand Geometry: Using the shape of the hand for authentication.
      • Vascular Pattern: Using the pattern of veins for authentication.
      • Facial: Using facial recognition for authentication.
      • Retina: Using retinal scans for authentication.
      • Iris: Using iris scans for authentication.
  • Behavioral: Using behavior patterns to verify identity.
      • Voice: Using voice recognition for authentication.
      • Signature: Using signature analysis for authentication.
      • Keystroke: Using typing patterns for authentication.
      • Gait: Using walking patterns for authentication.
  • Templates: Stored data used to compare against captured biometric data.
  • Type 1: False Reject: Incorrectly rejecting an authorized user.
  • Type 2: False Accept: Incorrectly accepting an unauthorized user.
  • Crossover Error Rate: The rate at which false accept and false reject rates are equal.

Use Case: An airport uses iris scans to authenticate passengers at security checkpoints.
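The Type 1, Type 2 and crossover error rates are defined by how a biometric system's match threshold is tuned, and the trade-off is clearest when computed. The following Python is an added example, not part of the study notes: the match scores are constructed sample data, where a "genuine" score comes from comparing a user against their own stored template and an "impostor" score from comparing against someone else's template.

```python
"""Added example: false reject rate (Type 1), false accept rate (Type 2) and
crossover error rate for a biometric matcher.  Scores are constructed."""

# Constructed similarity scores (0 = no resemblance, 100 = identical to the template).
GENUINE_SCORES = [55, 62, 70, 74, 78, 81, 85, 88, 91, 95]
IMPOSTOR_SCORES = [10, 18, 25, 33, 41, 48, 56, 63, 69, 76]
THRESHOLDS = range(0, 101, 5)


def false_reject_rate(genuine, threshold):
    """Type 1 error: authorized users whose score falls below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor, threshold):
    """Type 2 error: impostors whose score reaches the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_rates(genuine, impostor, thresholds):
    """(threshold, FRR, FAR) for every candidate threshold."""
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in thresholds]


def crossover_error_rate(genuine, impostor, thresholds):
    """CER (also called EER): the threshold where FRR and FAR are closest to
    equal.  Returns (threshold, frr, far) at that point; a lower CER means a
    more accurate system overall."""
    return min(error_rates(genuine, impostor, thresholds), key=lambda r: abs(r[1] - r[2]))


def threshold_for_max_far(genuine, impostor, thresholds, max_far):
    """Security-first tuning: the lowest threshold whose FAR does not exceed
    max_far.  Raising the threshold past the CER buys fewer false accepts at
    the price of more false rejects (user friction)."""
    for t, frr, far in error_rates(genuine, impostor, thresholds):
        if far <= max_far:
            return t, frr, far
    return None


if __name__ == "__main__":
    for t, frr, far in error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"threshold {t:3}  FRR {frr:.1f}  FAR {far:.1f}")
    print("crossover:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
    print("no false accepts:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS, 0.0))
```

With these sample scores the two curves cross at a threshold of 65 (FRR = FAR = 0.2); an airport checkpoint that tolerates no false accepts would move the threshold to 80 and accept a 50% false reject rate on this data, which is the usability cost the exam expects you to recognize.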

__________________

2.2.2.4 Single/Multifactor

Definition: Using one or more methods of authentication.

Examples:

  • Single-Factor Authentication: Using one method, such as a password.
  • Multi-Factor Authentication (MFA): Using multiple methods, such as a password and a fingerprint.

Use Case: A company uses MFA to secure remote access by requiring both a password and a fingerprint.

__________________

2.2.2.5 Authenticator Assurance Levels (AAL)

Definition: Levels of confidence in the authentication process.

Examples:

  • AAL1: Low confidence, single-factor authentication.
  • AAL2: Moderate confidence, two-factor authentication.
  • AAL3: High confidence, multi-factor authentication with strong cryptographic mechanisms.

Use Case: A government agency uses AAL3 to secure access to classified information.

__________________

2.2.2.6 Just-in-time Access

Definition: Providing users with the minimum level of access they need, only when they need it.

Use Case: A company implements just-in-time access to ensure employees only have access to sensitive data when it is required for their tasks.

________________________________________

2.2.3 Authorization

Definition: Determining what an authenticated user is allowed to do.


2.2.3.1 Discretionary

Definition: Access control based on the discretion of the resource owner.

Examples:

  • Rule-Based: Access control based on predefined rules.
  • Role-Based: Access control based on user roles.
  • Attribute/Content-Based: Access control based on user attributes or content of the resource.

Use Case: A department manager grants access to project files based on the roles and responsibilities of team members.

__________________

2.2.3.2 Non-discretionary

Definition: Access control based on predefined policies that cannot be altered by resource owners.

Examples:

  • Mandatory Access Control (MAC): Access control enforced by a central authority based on security labels.

Use Case: A government agency uses MAC to enforce strict access controls based on security classifications.
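The practical difference between the discretionary model in 2.2.3.1 and the mandatory model in 2.2.3.2 is who can change a decision. The following Python is an added example, not code from the study notes: under DAC the resource owner edits an access list, while under MAC a central label policy decides and the owner cannot override it. The MAC rules used here are the Bell-LaPadula simple security property ("no read up") and star property ("no write down") extended with compartments; the classification levels, compartment name and users are constructed.

```python
"""Added example: discretionary (owner-controlled ACL) versus mandatory
(label-based, centrally enforced) access control.  Labels and users are constructed."""
from dataclasses import dataclass, field

# Classification hierarchy used by the MAC policy (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories, e.g. {"CRYPTO"}

    def dominates(self, other):
        """True when this label is at least as high as `other` AND covers all of
        its compartments; this is the ordering MAC decisions are made on."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Resource:
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)   # DAC state: {user: {"read", "write"}}


def dac_grant(actor, resource, grantee, action):
    """DAC: the owner may share at their own discretion; nobody else may."""
    if actor != resource.owner:
        return False
    resource.acl.setdefault(grantee, set()).add(action)
    return True


def dac_allows(user, resource, action):
    """DAC decision: owner always, others only via an ACL entry."""
    return user == resource.owner or action in resource.acl.get(user, set())


def mac_allows(clearance, resource, action):
    """MAC decision: read requires the subject's clearance to dominate the
    object's label (no read up); write requires the object's label to dominate
    the clearance (no write down).  Ownership and ACLs play no part."""
    if action == "read":
        return clearance.dominates(resource.label)
    if action == "write":
        return resource.label.dominates(clearance)
    return False


def demo():
    """Compare the two models on one SECRET/CRYPTO report; returns decisions by name."""
    report = Resource(owner="alice", label=Label("SECRET", frozenset({"CRYPTO"})))
    alice = Label("SECRET", frozenset({"CRYPTO"}))
    bob = Label("CONFIDENTIAL")
    dave = Label("TOP SECRET")          # cleared high, but no CRYPTO compartment
    out = {}
    # Under DAC Alice, as owner, can simply hand Bob read access...
    dac_grant("alice", report, "bob", "read")
    out["dac_bob_read"] = dac_allows("bob", report, "read")
    # ...but MAC still refuses: CONFIDENTIAL does not dominate SECRET/CRYPTO.
    out["mac_bob_read"] = mac_allows(bob, report, "read")
    out["mac_alice_read"] = mac_allows(alice, report, "read")
    # Dave outranks the report but lacks the compartment: need to know enforced by label.
    out["mac_dave_read"] = mac_allows(dave, report, "read")
    # Bob may write up into the report (he cannot read what is there) ...
    out["mac_bob_write"] = mac_allows(bob, report, "write")
    # ... while Alice may not write SECRET content down into an UNCLASSIFIED note.
    note = Resource(owner="alice", label=Label("UNCLASSIFIED"))
    out["mac_alice_write_down"] = mac_allows(alice, note, "write")
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22} {'ALLOW' if decision else 'DENY'}")
```

The `dac_grant` call is the point to notice: the owner's discretion is exactly what lets data leak in a DAC system, and it is the step a MAC policy takes away from the owner.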

________________________________________

2.2.4 Accountability

Definition: Ensuring that user actions can be traced back to the individual.

Examples:

  • Audit Logs: Recording user activities to trace actions back to individuals.
  • Monitoring: Continuously monitoring user actions for compliance and security.

Use Case: An organization maintains audit logs to trace any unauthorized access attempts back to specific users.

________________________________________________________________________________

2.3 Session Management

Definition: Managing user sessions to ensure secure access and usage of resources.

Examples:

  • Session Timeouts: Automatically ending user sessions after a period of inactivity.
  • Session Monitoring: Monitoring active sessions for suspicious activity.
  • Single Sign-On (SSO): Providing users with one login session to access multiple resources.
  • Session Encryption: Encrypting session data to protect it from eavesdropping.

Use Case: An organization implements session timeouts, monitoring, and encryption to reduce the risk of unauthorized access to inactive sessions.

________________________________________________________________________________

2.4 Registration, Proofing, and Establishment of Identity

Definition: Processes for verifying and establishing user identities.

Examples:

  • Identity Proofing: Verifying the identity of a user before granting access.
  • Credential Issuance: Issuing credentials to verified users.
  • Background Checks: Conducting background checks to verify identity information.
  • Document Verification: Verifying identity documents provided by the user.

Use Case: A university uses identity proofing, background checks, and document verification to verify the identities of students before issuing them campus access cards.

________________________________________________________________________________

2.5 Federated Identity Management (FIM)

Definition: An arrangement that allows users to use the same identification data to obtain access to the networks of all enterprises in the group.


2.5.1 Trust Relationship

Definition: The relationship between different entities involved in federated identity management.

Examples:

  • Principal/User: The entity that needs to be authenticated.
  • Identity Provider: The entity that provides the identity information.
  • Relying Party/Service Provider: The entity that relies on the identity information to provide services.

Use Case: A company uses federated identity management to allow employees to access external services using their corporate credentials.

________________________________________

2.5.2 SAML

Definition: An open standard for exchanging authentication and authorization data between parties.

Examples:

  • Tokens: Digital representations of user credentials.
  • Assertions written in XML: Statements that provide information about the user.
  • Single Sign-On (SSO): Using SAML for single sign-on across multiple applications.

Use Case: An enterprise uses SAML to enable single sign-on for its employees across various web applications.

________________________________________

2.5.3 Components

Definition: The elements that make up the SAML framework.

Examples:

  • Profiles: Define the use cases for SAML.
  • Bindings: Define how SAML messages are transported.
  • Protocol: Defines the communication between entities.
  • Assertion: The statement that provides information about the user.

Use Case: An organization uses SAML profiles and bindings to ensure secure communication between its identity provider and service providers.

________________________________________

2.5.4 WS-Federation

Definition: A federated identity specification from the WS-* (web services) family, built on WS-Security and WS-Trust. It can carry SAML tokens, but it is a separate specification rather than an extension of SAML.

Examples:

  • Web Services Security: Securing SOAP messages exchanged between web services.
  • Token Translation: A Security Token Service (STS) issuing or converting security tokens between formats so that different parties can interoperate.

Use Case: A company uses WS-Federation to enable secure communication between its internal web services and external partners.

________________________________________

2.5.5 OpenID

Definition: An open standard for decentralized authentication. The current version, OpenID Connect (OIDC), is an identity layer built on OAuth 2.0.

Examples:

  • OpenID Connect: An authentication layer on top of OAuth 2.0 that returns a signed ID token (a JWT) describing the authenticated user.
  • OAuth 2.0 Integration: Using OpenID Connect for authentication and OAuth 2.0 for authorization within the same flow.

Use Case: A user logs into multiple websites using their OpenID account, simplifying the authentication process.

________________________________________

2.5.6 OAuth

Definition: An open standard for access delegation. OAuth 2.0 lets a user authorize a client application to act on their behalf at a resource server without sharing their password. It is an authorization framework, not an authentication protocol; authentication is layered on top by OpenID Connect.

Examples:

  • Authorization Tokens: Access tokens that grant a client access to resources without exposing the user's credentials.
  • Scopes: Define the level of access an access token grants, so a client gets only what it asked for and the user approved.
  • Authorization Grants: The flows by which a client obtains tokens (e.g., authorization code, client credentials).

Use Case: A mobile app uses OAuth to access user data from social media platforms without requiring the user's password.
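How a relying party validates the ID token it receives from OpenID Connect (section 2.5.5) and checks the OAuth 2.0 scopes it was granted (section 2.5.6), as an added example that is not part of the original module. It signs with HS256 and a shared client secret so that it runs stand-alone; public identity providers normally use RS256/ES256 and the relying party fetches the verification keys from the provider's JWKS endpoint, but the claim checks are the same. The issuer, client ID, nonce, secret and token are all constructed for illustration.

```python
"""Relying-party validation of an OpenID Connect ID token, plus an OAuth 2.0 scope check."""
import base64
import hashlib
import hmac
import json

# Constructed values standing in for a real IdP, client registration and login attempt.
SECRET = b"constructed-client-secret"
ISSUER = "https://idp.example.com"
CLIENT_ID = "web-app-1"
NONCE = "n-0S6_WzA2Mj"
NOW = 1_700_000_000
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "user-1234", "aud": CLIENT_ID,
                 "iat": NOW, "exp": NOW + 300, "nonce": NONCE}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims, secret):
    """Mint a token as the (hypothetical) IdP would; used here only to build sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return "%s.%s" % (signing_input.decode("ascii"), b64url_encode(sig))


def verify_id_token(token, secret, issuer, client_id, nonce, now):
    """Return the claims if the ID token is trustworthy, otherwise raise ValueError.

    Authenticate the token (signature) before believing anything in it. The claim
    checks follow OpenID Connect Core 1.0 section 3.1.3.7: iss, aud/azp, exp, nonce.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the relying-party side; never let the token choose it
    # (this blocks alg=none and RSA/HMAC key-confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))

    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token was not issued to this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: not the token this login requested")
    return claims


def rejection_reason(*args):
    """Same check, but returns the reason string instead of raising (None means accepted)."""
    try:
        verify_id_token(*args)
    except ValueError as exc:
        return str(exc)
    return None


def has_scopes(granted_scope, required):
    """OAuth 2.0 scope check: the space-delimited scope string must cover every required scope."""
    return set(required) <= set(granted_scope.split())


if __name__ == "__main__":
    token = make_hs256_jwt(SAMPLE_CLAIMS, SECRET)
    print(verify_id_token(token, SECRET, ISSUER, CLIENT_ID, NONCE, NOW)["sub"])
    print(rejection_reason(token, SECRET, ISSUER, CLIENT_ID, "stale-nonce", NOW))
    print(has_scopes("openid profile email", ["openid", "email"]))
```

The nonce is what binds the ID token to the browser session that started the login; without that check an attacker can inject a token obtained elsewhere. The audience check prevents a token issued to one client from being accepted by another, which matters when several applications trust the same provider.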

________________________________________________________________________________

2.6 Credential Management Systems

Definition: Systems that manage the issuance, storage, and use of credentials.

Examples:

  • Password Vaults: Securely storing and managing passwords.
  • Public Key Infrastructure (PKI): Managing digital certificates and public keys.
  • Smart Card Management: Managing the issuance and use of smart cards.
  • Credential Rotation: Regularly updating credentials to limit how long a leaked credential remains usable.

Use Case: An organization uses a password vault, PKI, and smart card management to securely store and manage employee credentials.

________________________________________________________________________________

2.7 Single Sign-On (SSO)

Definition: A user authentication process that allows a user to access multiple applications with one set of login credentials.



2.7.1 Kerberos

Definition: A network authentication protocol designed to provide strong authentication for client-server applications.

Components:

  • User/Client: The entity requesting access.
  • Key Distribution Center (KDC): The central authority that holds the keys of all principals and hosts the AS and the TGS.
  • Authentication Service (AS): Verifies the identity of the user and issues the TGT.
  • Ticket Granting Ticket (TGT): A ticket issued by the AS, encrypted with the KDC's own key, that allows the user to request service tickets without re-entering a password.
  • Ticket Granting Service (TGS): Issues service tickets based on the TGT.
  • Service Tickets: Tickets that grant access to specific services, encrypted with that service's key.
  • Service: The entity providing the requested service.

Encryption: Uses symmetric encryption throughout. Tickets carry timestamps and lifetimes, so the KDC, clients, and services must keep their clocks loosely synchronized, and the KDC is a single point of compromise that must be protected accordingly.

Use Case: An enterprise uses Kerberos to provide secure authentication for its internal network services.

________________________________________

2.7.2 SESAME

Definition: SESAME (Secure European System for Applications in a Multi-vendor Environment), a network authentication protocol similar to Kerberos but with additional support for asymmetric encryption and for carrying the user's privileges in a signed Privilege Attribute Certificate (PAC).

Components:

  • Symmetric and Asymmetric Encryption: Uses both types of encryption for secure communication.
  • Privilege Attribute Certificate (PAC): A signed statement of the user's privileges that services use for authorization decisions.

Use Case: A company uses SESAME to provide secure authentication for its external partner network.

________________________________________________________________________________

2.8 Just-In-Time

Definition: Providing users with the minimum level of access they need, only when they need it.

Examples:

  • Temporary Access: Granting temporary access to users for specific tasks.
  • Automated Provisioning: Automatically provisioning access based on predefined criteria.
  • Access Review: Regularly reviewing access permissions to ensure they are still necessary.
  • Dynamic Access Control: Adjusting access permissions in real time based on user activity and behavior.

Use Case: A company implements just-in-time access to ensure employees only have access to sensitive data when it is required for their tasks.


Multiple Choice Questions

1. What is the primary purpose of federated identity management?

a. Managing identities within a single organization

b. Allowing users to use the same identification data to access multiple networks

c. Using multiple authentication methods

d. Managing access rights based on roles


2. Which standard is used for exchanging authentication and authorization data between parties?

a. OAuth

b. SAML

c. Kerberos

d. LDAP


3. What is an example of biometric identification?

a. Password

b. Smart Card

c. Fingerprint

d. One-time Password


4. What does just-in-time access provide?

a. Maximum access at all times

b. Access only when needed

c. Multi-factor authentication

d. Permanent access to all resources


5. What is the key benefit of single sign-on (SSO)?

a. Improved data encryption

b. Simplified user authentication

c. Enhanced network security

d. Increased data availability


Answers and Explanations

1. b. Allowing users to use the same identification data to access multiple networks

Federated identity management allows users to use the same identification data to access multiple networks.



2. b. SAML

SAML is a standard for exchanging authentication and authorization data between parties.



3. c. Fingerprint

Biometric identification can include methods such as fingerprint recognition.



4. b. Access only when needed

Just-in-time access provides users with the minimum level of access they need, only when they need it.



5. b. Simplified user authentication

Single sign-on (SSO) simplifies user authentication by allowing users to access multiple applications with one set of login credentials.



3. Federated Identity with a Third-Party Service

3.1 On-Premise

Definition: Federated identity management within an organization's own infrastructure.

Examples:

  • Internal SSO: Implementing SSO within the organization's internal systems.
  • Active Directory Federation Services (ADFS): Using ADFS to manage federated identities.
  • Kerberos: Utilizing Kerberos for secure authentication in on-premise systems.
  • LDAP: Leveraging LDAP for directory services and authentication.
  • RADIUS: Implementing RADIUS for centralized authentication, authorization, and accounting.

Use Case: An organization uses on-premise federated identity management to allow employees to access internal applications with a single login.

________________________________________________________________________________

3.2 Cloud

Definition: Federated identity management using cloud-based identity providers.

Examples:

  • Azure AD (now Microsoft Entra ID): Using Microsoft's cloud directory for federated identity management.
  • Okta: Leveraging Okta for cloud-based identity management and SSO.
  • AWS Cognito: Utilizing AWS Cognito for secure user authentication and data synchronization.
  • Google Cloud Identity: Implementing Google Cloud Identity for unified identity, access, and device management.
  • Ping Identity: Using Ping Identity for identity security and intelligent access.

Use Case: A company uses a cloud-based federated identity provider to enable single sign-on for various cloud applications.

________________________________________________________________________________

3.3 Hybrid

Definition: Federated identity management that integrates both on-premise and cloud-based systems.

Examples:

  • Hybrid Federated Identity: Combining on-premise SSO with cloud-based identity providers.
  • Azure AD Connect (now Microsoft Entra Connect): Synchronizing on-premise and cloud directories.
  • PingFederate: Leveraging PingFederate for seamless integration of on-premise and cloud identity systems.
  • ADFS with Azure AD: Implementing ADFS in conjunction with Azure AD for hybrid identity management.
  • VMware Workspace ONE: Utilizing VMware Workspace ONE for unified endpoint management and identity management across hybrid environments.

Use Case: An enterprise uses a hybrid federated identity solution to provide seamless access to both internal and cloud-based applications.


Multiple Choice Questions

1. What is federated identity management?

a. Managing identities within a single organization

b. Allowing users to use the same identification data to access multiple networks

c. Using multiple authentication methods

d. Managing access rights based on roles


2. Which federated identity solution combines on-premise and cloud-based systems?

a. On-Premise

b. Cloud

c. Hybrid

d. Single Sign-On (SSO)


3. What is an example of a cloud-based federated identity provider?

a. Internal SSO

b. Azure AD

c. Role-Based Access Control (RBAC)

d. Multi-Factor Authentication (MFA)


4. What type of federated identity management is implemented within an organization's own infrastructure?

a. On-Premise

b. Cloud

c. Hybrid

d. Single Sign-On (SSO)


5. What is the benefit of using federated identity management in a hybrid environment?

a. Increased security

b. Simplified management

c. Seamless access to both internal and cloud-based applications

d. Improved encryption


Answers and Explanations

1. b. Allowing users to use the same identification data to access multiple networks

Federated identity management allows users to use the same identification data to access multiple networks.



2. c. Hybrid

Hybrid federated identity management integrates both on-premise and cloud-based systems.



3. b. Azure AD

Azure AD is an example of a cloud-based federated identity provider.



4. a. On-Premise

On-premise federated identity management is implemented within an organization's own infrastructure.



5. c. Seamless access to both internal and cloud-based applications

Hybrid federated identity management provides seamless access to both internal and cloud-based applications.



4. Implement and Manage Authorization Mechanisms

4.1 Access Control Models

  • Role-based access control (RBAC)
  • Rule-based access control
  • Mandatory access control (MAC)
  • Discretionary access control (DAC)
  • Attribute-based access control (ABAC)
  • Risk-based access control


4.1.1 Role-Based Access Control (RBAC)

Definition: Access control based on user roles within an organization.

Examples:

  • Job Functions: Assigning access rights based on job functions.
  • Role Hierarchies: Defining hierarchies of roles to manage access.

Use Case: An organization uses RBAC to ensure that employees have access only to the resources necessary for their job functions.

___________________

4.1.2 Rule-Based Access Control

Definition: Access control based on a set of rules defined by the organization.

Examples:

  • Access Rules: Defining rules for access based on conditions such as time of day or location.
  • Policy Enforcement: Enforcing access control policies through rules.

Use Case: A company uses rule-based access control to restrict access to its systems outside of business hours.

___________________

4.1.3 Mandatory Access Control (MAC)

Definition: Access control enforced by the system according to a central policy: subjects carry clearances, objects carry classification labels, and access is granted only when the subject's clearance dominates the object's label. Unlike DAC, the resource owner cannot override the policy.

Examples:

  • Security Labels: Using labels to classify information and enforce access controls.
  • Clearance Levels: Granting access based on security clearance levels.

Use Case: A government agency uses MAC to enforce strict access controls based on security classifications.

___________________

4.1.4 Discretionary Access Control (DAC)

Definition: Access control based on the discretion of the resource owner.

Examples:

  • File Permissions: Allowing file owners to set permissions for their files.
  • Resource Sharing: Allowing resource owners to share access with others. Because any owner can re-grant access, DAC is flexible but hard to audit centrally.

Use Case: A project manager sets file permissions to allow team members to access project documents.

___________________

4.1.5 Attribute-Based Access Control (ABAC)

Definition: Access control based on user attributes and environmental conditions.

Examples:

  • User Attributes: Granting access based on attributes such as department, job role, or security clearance.
  • Environmental Conditions: Granting access based on conditions such as time of day, location, or device type.

Use Case: An organization uses ABAC to grant access to sensitive data only during business hours and only from secure devices.

___________________

4.1.6 Risk-Based Access Control

Definition: Access control based on the assessment of risk levels.

Examples:

  • Risk Assessment: Evaluating the risk associated with granting access to a resource.
  • Dynamic Access Control: Adjusting access control decisions based on real-time risk assessments.

Use Case: A financial institution uses risk-based access control to restrict access to high-risk transactions unless additional authentication is provided.

________________________________________________________________________________

4.2 Access Control Techniques

  • Access Control Lists (ACLs)
  • Risk-based access control
  • Access policy enforcement


4.2.1 Access Control Lists (ACLs)

Definition: Lists that specify which users or system processes are granted access to objects.

Examples:

  • File ACLs: Lists that specify which users can read, write, or execute a file.
  • Network ACLs: Lists that control which network traffic is allowed or denied.
  • Database ACLs: Lists that specify access permissions for database users.
  • API ACLs: Lists that control access to APIs.
  • Directory ACLs: Lists that specify access permissions for directory services.

Use Case: A network administrator configures network ACLs to allow only authorized devices to connect to the company network.

___________________

4.2.2 Access Policy Enforcement

Definition: Enforcing access control policies through designated points in the network or system.

Examples:

  • Policy Decision Point (PDP): The component that evaluates a request against policy and returns permit or deny.
  • Policy Enforcement Point (PEP): The component that intercepts the request, asks the PDP, and enforces the answer; the protected resource is never reached without a permit.
  • Access Gateways: Devices or systems that enforce access control policies at network entry points.
  • Firewall Rules: Configuring firewall rules to enforce access control policies.
  • Endpoint Security Solutions: Using endpoint security software to enforce access control policies.

Use Case: An organization uses PDPs, PEPs, and access gateways to enforce access control policies for its cloud services.
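The models in 4.1 and the PDP/PEP split in 4.2 are easier to see in one decision path, so the following is an added example that is not part of the original module. A request is evaluated by a PDP against a resource ACL (4.2.1), RBAC role permissions (4.1.1), a MAC-style label-versus-clearance check (4.1.3), a rule-based business-hours condition (4.1.2) and an ABAC device attribute (4.1.5); a PEP wraps the resource handler and records every decision. Roles, resources, users and requests are constructed for illustration.

```python
"""Policy decision point (PDP) and policy enforcement point (PEP) for the models in 4.1."""
from dataclasses import dataclass
from datetime import datetime

# RBAC: role -> actions it permits (any hierarchy already flattened).
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "engineer": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

# Objects, each with an ACL of principals (user:... or role:...) and a sensitivity label.
RESOURCES = {
    "customer_db": {"acl": {"role:analyst", "role:engineer", "role:admin"}, "label": "confidential"},
    "payroll": {"acl": {"user:carol", "role:admin"}, "label": "restricted"},
}

# Ordered least to most sensitive; a clearance must be at least the object's label.
LEVELS = ["public", "confidential", "restricted"]

# Constructed request times: a Tuesday at 10:00 and a Saturday at 10:00.
TUE_10 = datetime(2024, 5, 7, 10, 0)
SAT_10 = datetime(2024, 5, 11, 10, 0)


@dataclass
class Request:
    user: str
    roles: frozenset
    action: str
    resource: str
    when: datetime
    device_managed: bool
    clearance: str = "confidential"


def pdp_decide(req):
    """Return (decision, reason). Default deny: every applicable policy must pass."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return "DENY", "unknown resource"

    # ACL (4.2.1): the caller, by name or by role, must be listed for the object.
    principals = {"user:" + req.user} | {"role:" + r for r in req.roles}
    if not principals & res["acl"]:
        return "DENY", "not on resource ACL"

    # RBAC (4.1.1): some held role must permit the requested action.
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if req.action not in permitted:
        return "DENY", "action %r not permitted by roles %s" % (req.action, sorted(req.roles))

    # MAC (4.1.3): clearance must dominate the object's label; no owner can waive this.
    if LEVELS.index(req.clearance) < LEVELS.index(res["label"]):
        return "DENY", "clearance %s below label %s" % (req.clearance, res["label"])

    # Rule-based (4.1.2): modifying actions only Monday to Friday, 09:00 to 17:59.
    if req.action != "read" and not (req.when.weekday() < 5 and 9 <= req.when.hour < 18):
        return "DENY", "modifying actions allowed only during business hours"

    # ABAC (4.1.5): restricted data is accessible only from a managed device.
    if res["label"] == "restricted" and not req.device_managed:
        return "DENY", "restricted data requires a managed device"

    return "PERMIT", "all policies satisfied"


class Pep:
    """Enforcement point: nothing reaches the handler without a PERMIT, and every decision is logged."""

    def __init__(self, handler):
        self.handler = handler
        self.audit = []

    def __call__(self, req):
        decision, reason = pdp_decide(req)
        self.audit.append((req.when.isoformat(), req.user, req.action, req.resource, decision, reason))
        if decision != "PERMIT":
            raise PermissionError(reason)
        return self.handler(req)


def read_handler(req):
    """Stand-in for the protected resource; only ever called after a PERMIT."""
    return "%s %s %s" % (req.user, req.action, req.resource)


if __name__ == "__main__":
    pep = Pep(read_handler)
    print(pep(Request("alice", frozenset({"analyst"}), "read", "customer_db", TUE_10, True)))
    try:
        pep(Request("alice", frozenset({"analyst"}), "write", "customer_db", TUE_10, True))
    except PermissionError as exc:
        print("denied:", exc)
    for entry in pep.audit:
        print(entry)
```

Keeping the decision (PDP) separate from the enforcement (PEP) is what lets the same policy be applied consistently by an API gateway, a file server and an application, and the audit entry written at the PEP is the accountability record the quiz above refers to.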


Multiple Choice Questions

1. What is the primary purpose of Role-Based Access Control (RBAC)?

a. Increased security

b. Simplified management of access rights

c. Improved encryption

d. Enhanced user interfaces


2. What is the key feature of Mandatory Access Control (MAC)?

a. Access control based on user discretion

b. Access control enforced by a central authority based on security labels

c. Access control based on user roles

d. Access control based on user attributes


3. Which access control model adjusts access control decisions based on real-time risk assessments?

a. Role-Based Access Control (RBAC)

b. Discretionary Access Control (DAC)

c. Attribute-Based Access Control (ABAC)

d. Risk-Based Access Control


4. What is an Access Control List (ACL)?

a. A list that specifies which users or system processes are granted access to objects

b. A component that makes access control decisions

c. A component that enforces access control decisions

d. A list that defines security labels


5. How does rule-based access control manage access?

a. By assigning access rights based on job functions

b. By defining rules for access based on conditions such as time of day or location

c. By granting access based on user attributes and environmental conditions

d. By evaluating the risk associated with granting access to a resource


Answers and Explanations

1. b. Simplified management of access rights

Role-Based Access Control (RBAC) simplifies the management of access rights by assigning permissions based on user roles.



2. b. Access control enforced by a central authority based on security labels

Mandatory Access Control (MAC) is enforced by a central authority based on security labels.



3. d. Risk-Based Access Control

Risk-Based Access Control adjusts access control decisions based on real-time risk assessments. (The abbreviation RBAC is reserved for Role-Based Access Control; the two should not be confused.)


4. a. A list that specifies which users or system processes are granted access to objects

An Access Control List (ACL) specifies which users or system processes are granted access to objects.



5. b. By defining rules for access based on conditions such as time of day or location

Rule-based access control manages access by defining rules based on conditions such as time of day or location.




5. Manage the Identity and Access Provisioning Lifecycle

5.1 Account Access Review

Definition: Periodically reviewing user accounts to ensure that access rights are appropriate.

Examples:

  • User Accounts: Reviewing access rights of user accounts to ensure they match job functions.
  • System Accounts: Reviewing access rights of system accounts to ensure they are not excessive.
  • Privileged Accounts: Reviewing access rights of privileged accounts to ensure they are still necessary.
  • Service Accounts: Reviewing access rights of service accounts to ensure they are not over-privileged.

Use Case: An organization conducts quarterly reviews of user accounts to ensure that access rights are updated based on role changes.

________________________________________________________________________________

5.2 Provisioning and Deprovisioning

Definition: Provisioning is the process of creating user accounts and granting access rights; deprovisioning is removing those rights and disabling or deleting the accounts when they are no longer needed. Delayed deprovisioning is a common source of orphaned accounts that attackers can reuse.

Examples:

  • Onboarding: Creating user accounts and granting access rights for new employees.
  • Offboarding: Deleting user accounts and revoking access rights for departing employees.
  • Automated Provisioning: Using automated tools to create and manage user accounts.
  • Manual Provisioning: Manually creating and managing user accounts.
  • Just-In-Time Provisioning: Providing user accounts and access rights only when needed.

Use Case: A company automates the provisioning and deprovisioning process to ensure that access rights are promptly updated when employees join or leave the organization.

________________________________________________________________________________

5.3 Role Definition and Transition

Definition: Defining roles and managing transitions between roles.

Examples:

  • Role Assignment: Assigning roles to employees based on job functions.
  • Role Transition: Managing transitions between roles when employees change positions.
  • Role Hierarchies: Defining hierarchies of roles to manage access.
  • Role Mapping: Mapping roles to access rights to ensure consistency.
  • Role-Based Access Control (RBAC): Using RBAC to manage role definitions and transitions.

Use Case: An organization defines clear roles and manages transitions to ensure that employees have the appropriate access rights when they change positions.

________________________________________________________________________________

5.4 Privilege Escalation

Definition: The process of granting higher levels of access privileges, often temporarily. The same term also describes an attacker gaining privileges beyond those intended; the controls listed here exist to keep elevation deliberate, time-bound, and auditable.

Examples:

  • Sudo: A command that allows users to execute commands with elevated privileges, limited by the sudoers policy to specific commands and logged on each use.
  • Auditing: Monitoring and auditing the use of elevated privileges.
  • Temporary Access: Granting temporary administrative access for specific tasks.
  • Privilege Management: Managing and monitoring elevated privileges to ensure they are used appropriately.
  • Emergency Access: Granting emergency ("break-glass") access to resolve critical issues, with review after the fact.

Use Case: A system administrator uses sudo to perform administrative tasks and audits the use of elevated privileges to ensure compliance.
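Just-in-time access (section 2.8) and controlled privilege escalation (section 5.4) are the same mechanism seen from two sides, so the following added example, which is not part of the original module, covers both: a broker in the style of a PAM tool takes a request with a justification, lets a different person approve it for a bounded window, enforces the window at use time, allows immediate revocation, and writes an audit trail. Times are Unix epoch seconds; users, privileges and timestamps are constructed.

```python
"""Just-in-time privilege elevation with a bounded window, separate approver and audit trail."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

MAX_GRANT_SECONDS = 4 * 3600  # policy ceiling on any single elevation
T0 = 1_700_000_000            # constructed reference time


@dataclass
class Grant:
    user: str
    privilege: str
    reason: str
    approver: Optional[str] = None
    starts: Optional[int] = None
    expires: Optional[int] = None
    revoked: bool = False


class JitBroker:
    def __init__(self):
        self.grants = {}   # (user, privilege) -> Grant
        self.audit = []    # append-only trail for accountability

    def _log(self, now, event, **fields):
        stamp = datetime.fromtimestamp(now, timezone.utc).isoformat()
        self.audit.append({"time": stamp, "event": event, **fields})

    def request(self, user, privilege, reason, now):
        if not reason.strip():
            raise ValueError("a justification is required")
        grant = Grant(user, privilege, reason)
        self.grants[(user, privilege)] = grant
        self._log(now, "requested", user=user, privilege=privilege, reason=reason)
        return grant

    def approve(self, user, privilege, approver, duration_seconds, now):
        grant = self.grants.get((user, privilege))
        if grant is None:
            raise KeyError("no pending request for %s/%s" % (user, privilege))
        if approver == user:
            raise PermissionError("self-approval violates separation of duties")
        if duration_seconds > MAX_GRANT_SECONDS:
            raise ValueError("duration exceeds policy ceiling of %d seconds" % MAX_GRANT_SECONDS)
        grant.approver = approver
        grant.starts, grant.expires = now, now + duration_seconds
        self._log(now, "approved", user=user, privilege=privilege, approver=approver,
                  expires=grant.expires)
        return grant

    def revoke(self, user, privilege, by, now):
        grant = self.grants[(user, privilege)]
        grant.revoked = True
        self._log(now, "revoked", user=user, privilege=privilege, by=by)

    def is_elevated(self, user, privilege, now):
        grant = self.grants.get((user, privilege))
        if grant is None or grant.approver is None or grant.revoked:
            return False
        return grant.starts <= now < grant.expires

    def use(self, user, privilege, now):
        """What a sudo-style wrapper would call before running the privileged command."""
        ok = self.is_elevated(user, privilege, now)
        self._log(now, "used" if ok else "denied", user=user, privilege=privilege)
        return ok

    def active(self, now):
        """Current standing elevations; the list an access review starts from."""
        return sorted((g.user, g.privilege) for g in self.grants.values()
                      if self.is_elevated(g.user, g.privilege, now))


if __name__ == "__main__":
    broker = JitBroker()
    broker.request("alice", "prod-db-admin", "INC-4711: rebuild corrupted index", T0)
    broker.approve("alice", "prod-db-admin", "bob", 3600, T0)
    print(broker.use("alice", "prod-db-admin", T0 + 1800))  # inside the window
    print(broker.use("alice", "prod-db-admin", T0 + 3601))  # expired
    for entry in broker.audit:
        print(entry)
```

Expiry here is enforced at the moment of use rather than by a clean-up job, so a missed clean-up cannot leave a standing privilege; the denied attempt is logged as well, because a flurry of denials after expiry is itself a signal worth alerting on.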

________________________________________________________________________________

5.5 Service Accounts Management

Definition: Managing accounts used by applications or services rather than individual users.

Examples:

  • Service Accounts: Creating and managing accounts used by services or applications.
  • Account Security: Implementing security measures to protect service accounts.
  • Service Account Rotation: Regularly rotating service account credentials to enhance security.
  • Service Account Auditing: Monitoring and auditing the use of service accounts.
  • Service Account Access Controls: Implementing access controls to restrict the use of service accounts.

Use Case: An organization manages service accounts to ensure that they are used securely and do not pose a security risk.
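The lifecycle controls in 5.1 (access review), 5.2 (provisioning and deprovisioning) and 5.5 (service accounts) come together in a reconciliation of the account store against the HR system of record, shown here as an added example that is not part of the original module. The HR feed, the account export and the role-to-entitlement model are constructed; the output is the work list an IAM team acts on: accounts to create for joiners, accounts to disable for leavers, entitlements to remove or add for movers, orphaned accounts with no HR record, and service accounts that lack an owner or have overdue credential rotation.

```python
"""Reconcile the account store against the HR system of record (joiners, movers, leavers)."""
from datetime import date

# Role model: what each job role is supposed to hold (constructed).
ROLE_ENTITLEMENTS = {
    "analyst": {"crm_read", "vpn"},
    "engineer": {"repo_write", "ci", "vpn"},
    "finance": {"erp_post", "vpn"},
}
SERVICE_CREDENTIAL_MAX_AGE_DAYS = 90
TODAY = date(2024, 5, 1)  # constructed review date

HR_RECORDS = [  # system of record (constructed)
    {"user": "alice", "role": "analyst", "status": "active"},
    {"user": "bob", "role": "engineer", "status": "active"},
    {"user": "carol", "role": "finance", "status": "terminated"},
    {"user": "dave", "role": "engineer", "status": "active"},
]

ACCOUNTS = [  # export from the directory / IAM system (constructed)
    {"user": "alice", "type": "user", "entitlements": {"crm_read", "vpn", "erp_post"}},
    {"user": "bob", "type": "user", "entitlements": {"repo_write", "vpn"}},
    {"user": "carol", "type": "user", "entitlements": {"erp_post", "vpn"}},
    {"user": "erin", "type": "user", "entitlements": {"vpn"}},
    {"user": "svc-backup", "type": "service", "entitlements": {"backup_write"},
     "owner": "bob", "credential_set": date(2024, 3, 1)},
    {"user": "svc-legacy", "type": "service", "entitlements": {"db_admin"},
     "owner": None, "credential_set": date(2023, 1, 15)},
]


def reconcile(hr_records, accounts, today):
    """Compare HR truth with the account store and return the actions and findings."""
    hr = {r["user"]: r for r in hr_records}
    user_accounts = {a["user"]: a for a in accounts if a["type"] == "user"}
    service_accounts = [a for a in accounts if a["type"] == "service"]
    out = {"provision": [], "deprovision": [], "excess": [], "missing": [],
           "orphan": [], "service_findings": []}

    for user, rec in hr.items():
        expected = ROLE_ENTITLEMENTS[rec["role"]]
        account = user_accounts.get(user)
        if rec["status"] != "active":
            if account is not None:          # leaver who still has an account
                out["deprovision"].append(user)
            continue
        if account is None:                  # joiner with no account yet
            out["provision"].append((user, sorted(expected)))
            continue
        for ent in sorted(account["entitlements"] - expected):   # mover kept old rights
            out["excess"].append((user, ent))
        for ent in sorted(expected - account["entitlements"]):   # role not fully provisioned
            out["missing"].append((user, ent))

    for user in user_accounts:               # account with no HR record at all
        if user not in hr:
            out["orphan"].append(user)

    for svc in service_accounts:
        if not svc.get("owner"):
            out["service_findings"].append((svc["user"], "no accountable owner"))
        age = (today - svc["credential_set"]).days
        if age > SERVICE_CREDENTIAL_MAX_AGE_DAYS:
            out["service_findings"].append(
                (svc["user"], "credential %d days old, rotation overdue" % age))
    return out


if __name__ == "__main__":
    for key, items in reconcile(HR_RECORDS, ACCOUNTS, TODAY).items():
        print("%-17s %s" % (key + ":", items))
```

The "excess" list is the mover problem the module describes: alice changed roles but kept an entitlement from the old one. The orphan and leaver lists are the deprovisioning gap, and the service-account findings are what an access review of non-human accounts looks for, since no one logs in as them to notice a stale credential.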


Multiple Choice Questions

1. What is the primary purpose of account access review?

a. To increase data availability

b. To ensure that access rights are appropriate

c. To improve data encryption

d. To monitor data access


2. What does provisioning refer to in the context of IAM?

a. Reviewing user accounts

b. Creating and deleting user accounts and access rights

c. Defining roles and managing transitions

d. Granting higher levels of access privileges


3. Which process involves granting higher levels of access privileges, often temporarily?

a. Account Access Review

b. Provisioning

c. Role Transition

d. Privilege Escalation


4. What is the role of auditing in privilege escalation?

a. To create user accounts

b. To monitor and audit the use of elevated privileges

c. To delete user accounts

d. To manage transitions between roles


5. How are service accounts different from individual user accounts?

a. They are used by applications or services rather than individual users

b. They are reviewed periodically

c. They are created during onboarding

d. They are deleted during offboarding


Answers and Explanations

1. b. To ensure that access rights are appropriate

The primary purpose of an account access review is to confirm that each account's access rights are still appropriate for the holder's current role, and to revoke anything that has accumulated beyond that.


2. b. Creating and deleting user accounts and access rights

Provisioning refers to creating user accounts and access rights; the removal side of the lifecycle is commonly called deprovisioning.


3. d. Privilege Escalation

In this module, privilege escalation refers to the controlled granting of higher levels of access, often temporarily. Note that in offensive-security usage the same term describes an attacker gaining privileges they were never granted; the legitimate, approved process is more often called privilege elevation or just-in-time (JIT) access, and a PAM system is usually what enforces it.


4. b. To monitor and audit the use of elevated privileges

Auditing in privilege escalation is used to monitor and record the use of elevated privileges, so that every elevated action can be traced to a person, a reason, and a time.


5. a. They are used by applications or services rather than individual users

Service accounts are used by applications or services rather than individual users, which is why they need an explicit owner and cannot rely on the human-oriented controls (MFA prompts, password changes at logon) that protect user accounts.


6. Implement Authentication Systems

6.1 Password Authentication

Definition: The process of verifying a user's identity based on a secret password that only the user knows and that the verifier stores only in hashed form.

Examples:

  • Password Policies: Enforcing policies such as minimum length, screening against lists of breached or common passwords, and lockout or throttling after repeated failures. Traditional complexity rules and scheduled expiration are now discouraged by NIST SP 800-63B because they push users toward predictable patterns; passwords should instead be changed when there is evidence of compromise.
  • Password Management Tools: Tools that help users generate, store, and fill a unique password for every site, removing the incentive to reuse one.
  • Password Storage: Keeping only a salted, deliberately slow hash (PBKDF2, bcrypt, scrypt, or Argon2) so that a stolen credential database cannot be reversed cheaply.


Use Case: An organization enforces password policies and uses password management tools to ensure secure password practices.
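The policy and storage points above combine into a small registration and login routine. The following is an added example, not code from the page: it screens a candidate password (length, breach list, username reuse) and stores it as a salted PBKDF2-HMAC-SHA256 hash with the cost recorded alongside, then verifies in constant time. The breach list is a constructed stand-in for a real corpus, and the 12-character minimum is an assumed policy value.

```python
"""Added example (not from the page): password policy checks and salted,
slow hashing.  The breach list is a constructed stand-in for a real corpus."""
import hashlib
import hmac
import secrets
from typing import List

PBKDF2_ITERATIONS = 600_000          # OWASP's current guidance for PBKDF2-HMAC-SHA256
MIN_LENGTH = 12                      # assumed policy value
BREACHED_PASSWORDS = {               # constructed; real deployments query a breach corpus
    "password", "123456", "qwerty123", "letmein", "welcome1", "password123",
}


def check_policy(password: str, username: str) -> List[str]:
    """Return the policy problems with a candidate password (empty = acceptable).
    Deliberately no composition rules and no expiry, in line with NIST SP 800-63B."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED_PASSWORDS:
        problems.append("appears in a breach corpus")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store algorithm, cost, salt and digest together so the cost can be raised later
    without invalidating existing records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # A plain == would stop at the first differing byte and leak timing information.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(username: str, password: str) -> str:
    """Reject a password that fails policy; otherwise return the record to store."""
    problems = check_policy(password, username)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    record = register("alice", "correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))   # True
    print(verify_password(record, "wrong password here"))            # False
```

Because the salt is random per record, hashing the same password twice yields two different records; that is what prevents an attacker from cracking a whole database with one precomputed table.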

________________________________________________________________________________

6.2 Multi-Factor Authentication (MFA)

Definition: The process of verifying a user's identity using two or more factors from different categories: something you know (password, PIN), something you have (phone, hardware token, smart card), and something you are (biometric). Two methods from the same category, such as a password plus a security question, do not count as MFA.

Examples:

  • MFA Methods: Combining a password with a one-time code, a push notification, a FIDO2/WebAuthn security key, or a biometric. Of these, FIDO2 keys and certificate-based methods are phishing-resistant because the response is bound to the site's origin; SMS and app-generated codes can be relayed through a phishing page in real time.
  • MFA Devices: Devices such as smartphones or hardware tokens used for authentication.
  • Companies: Okta, Duo Security, Microsoft Authenticator, Google Authenticator, RSA SecurID.


Use Case: A company uses MFA to secure remote access by requiring both a password and a fingerprint.

________________________________________________________________________________

6.3 Biometric Authentication

Definition: The process of verifying a user's identity based on physical or behavioral characteristics, by comparing a fresh sample against a stored template.

Examples:

  • Fingerprint Scanners: Devices that capture a fingerprint and match it against the enrolled template.
  • Facial Recognition: Technology that verifies identity based on facial features.
  • Tuning and Caveats: A biometric system is tuned between the false acceptance rate (FAR, an impostor accepted) and the false rejection rate (FRR, a legitimate user refused); the point where the two are equal is the crossover error rate (CER). Unlike a password, a biometric cannot be changed after a breach, so templates need strong protection and are usually kept on the user's device rather than in a central store.


Use Case: An airport uses biometric authentication to verify the identity of passengers at security checkpoints.

________________________________________________________________________________

6.4 Token-Based Authentication

Definition: The process of verifying a user's identity using a physical or virtual token, that is, something the user has.

Examples:

  • Hardware Tokens: Physical devices that generate one-time passwords (OTPs), either counter-based (HOTP, RFC 4226) or time-based (TOTP, RFC 6238), or that hold a private key, such as smart cards and FIDO2 security keys.
  • Software Tokens: Applications, typically on a smartphone, that generate one-time passwords from a secret shared with the server at enrollment.
  • Caveat: An OTP proves possession of the seed, not that the user is on the genuine site, so OTPs can be phished in real time. Keep the acceptance window short, reject a code once it has been used, and treat seeds as secrets equivalent to passwords.


Use Case: A financial institution uses hardware tokens to authenticate employees accessing secure systems.
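Both the MFA section (6.2) and the token section (6.4) rest on the same mechanism, so one added example serves both. The following is example code, not code from the page or from any of the vendors it names: it implements HOTP (RFC 4226) and TOTP (RFC 6238) as a software or hardware OTP token would, plus the server-side verification an MFA service needs, namely a small drift window, a constant-time comparison, and refusal of any counter that has already been accepted so a phished or shoulder-surfed code cannot be replayed. The 20-byte seed `RFC_TEST_SECRET` is the published test-vector seed from those RFCs; `enroll` and `current_code` are helper names chosen for the example.

```python
"""Added example (not from the page): HOTP/TOTP as used by OTP tokens, with the
server-side checks an MFA verifier needs.  RFC_TEST_SECRET is the shared secret
from the RFC 4226 / RFC 6238 test vectors and must never be used in production."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Tuple
from urllib.parse import quote

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"                 # keep `digits` decimal digits


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (default 30 s steps)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, last_counter: int = -1,
                step: int = 30, window: int = 1, digits: int = 6) -> Tuple[bool, int]:
    """Server-side check.  Accepts +/- `window` steps of clock drift, compares in
    constant time, and refuses any counter <= the last one accepted (replay/reuse).
    Returns (accepted, counter_to_store_as_last_counter)."""
    current = at // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue                                           # already used: reject replay
        expected = hotp(secret, counter, digits).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return True, counter
    return False, last_counter


def enroll(issuer: str, account: str) -> Tuple[bytes, str]:
    """Generate a fresh seed and the otpauth:// URI an authenticator app scans.
    The seed must be stored server-side as carefully as a password hash's secret."""
    seed = secrets.token_bytes(20)                             # 160 bits, as RFC 4226 recommends
    b32 = base64.b32encode(seed).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    uri = (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
           f"&algorithm=SHA1&digits=6&period=30")
    return seed, uri


def current_code(secret: bytes) -> str:
    """What the token displays right now."""
    return totp(secret, int(time.time()))


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59, digits=8))                 # RFC 6238 vector: 94287082
    ok, last = verify_totp(RFC_TEST_SECRET, "287082", 59)      # (True, 1)
    print(ok, last)
    print(verify_totp(RFC_TEST_SECRET, "287082", 59, last))    # (False, 1): replay refused
```

The `last_counter` value must be persisted per user; without it the same code remains valid for the whole window, which is exactly what a real-time phishing relay exploits. Because the seed is shared, an OTP still does not bind the login to the genuine site, which is why the MFA section above calls FIDO2 keys phishing-resistant and OTPs not.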

________________________________________________________________________________

6.5 Certificate-Based Authentication

Definition: The process of verifying a user's or device's identity using a digital certificate together with proof of possession of the matching private key.

Examples:

  • Digital Certificates: X.509 documents that bind a public key to an identity and are signed by a certificate authority within a public key infrastructure (PKI). Authentication itself is a challenge that only the holder of the private key can answer, as in TLS client authentication (mutual TLS) or smart-card logon.
  • Certificate Authorities: Entities that issue, renew, and revoke digital certificates; the relying party must check revocation status (CRL or OCSP) as well as the signature chain.


Use Case: A company issues client certificates to its users and requires them, via mutual TLS, to authenticate to its secure website.


Multiple Choice Questions

1. What is the primary purpose of password policies?

a. To increase data availability

b. To enforce secure password practices

c. To improve data encryption

d. To monitor data access


2. What does multi-factor authentication (MFA) involve?

a. Using a single password for authentication

b. Using multiple methods to verify a user's identity

c. Using physical characteristics for authentication

d. Using digital certificates for authentication


3. Which authentication method verifies identity based on physical or behavioral characteristics?

a. Password Authentication

b. Token-Based Authentication

c. Biometric Authentication

d. Certificate-Based Authentication


4. What is a hardware token used for?

a. Storing digital certificates

b. Generating one-time passwords

c. Scanning fingerprints

d. Recognizing facial features


5. How does certificate-based authentication verify identity?

a. Using passwords

b. Using physical tokens

c. Using digital certificates

d. Using behavioral characteristics


Answers and Explanations

1. b. To enforce secure password practices

Password policies enforce secure password practices: minimum length, screening against breached and common passwords, and limits on failed attempts. Older policies also required composition rules and regular changes, but NIST SP 800-63B now advises against forced periodic changes unless there is evidence of compromise.


2. b. Using multiple methods to verify a user's identity

Multi-factor authentication (MFA) involves using methods from different factor categories, such as a password (knowledge), a token (possession), and a biometric (inherence), to verify a user's identity.


3. c. Biometric Authentication

Biometric authentication verifies identity based on physical or behavioral characteristics, such as fingerprints or facial recognition.


4. b. Generating one-time passwords

Hardware tokens are physical devices used to generate one-time passwords for authentication; some hardware tokens instead hold a private key, but the OTP generator is the classic form.


5. c. Using digital certificates

Certificate-based authentication verifies identity using digital certificates issued and managed by certificate authorities, together with proof that the user holds the matching private key.


7. Identity and Access Management Technologies

7.1 Directory Services

Definition: Systems that store and manage information about users, groups, devices, and other resources in a network, and that serve as the authoritative source authentication and authorization systems consult.

Examples:

  • Active Directory: A directory service developed by Microsoft for Windows domain networks. It combines an LDAP-accessible directory with Kerberos authentication and Group Policy, which is why a compromise of the directory (for example, obtaining Domain Admin rights) compromises every joined system.
  • LDAP (Lightweight Directory Access Protocol): An open protocol used to query and maintain directory information. It is a protocol rather than a product; a simple bind over plain LDAP (port 389) sends the password in cleartext, so deployments should require LDAPS (port 636) or StartTLS and signing.


Use Case: An organization uses Active Directory to manage user accounts and access permissions across its network.
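Applications that look users up in a directory build LDAP search filters from user input, and a filter built by string concatenation is an injection point in the same way an SQL query is. The following is an added example, not code from the page: it escapes filter values per RFC 4515 and DN values per RFC 4514, and shows the unsafe concatenated filter beside the escaped one. The base DN and the `inetOrgPerson`/`uid` attributes are assumptions for the example; no live directory is needed to run it.

```python
"""Added example (not from the page): building LDAP search filters and DNs safely.
Escaping follows RFC 4515 (filters) and RFC 4514 (DN values); the base DN and
attribute names are assumptions for the example."""

BASE_DN = "ou=people,dc=example,dc=com"   # assumed directory layout

# RFC 4515: these characters change a filter's structure, so they are hex-escaped.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514: these characters are special inside an attribute value of a DN.
_DN_SPECIALS = set('",+;<>\\')


def escape_filter_value(value: str) -> str:
    """Escape a value that will be embedded in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value that will be embedded in a distinguished name:
    the specials above, a NUL, a leading '#' or space, and a trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif (ch == " " and (i == 0 or i == last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def unsafe_user_filter(username: str) -> str:
    """The 'before': plain concatenation.  A username of '*' matches every person,
    and ')(' sequences let the caller add their own conditions."""
    return f"(&(objectClass=inetOrgPerson)(uid={username}))"


def user_filter(username: str) -> str:
    """The 'after': the username can only ever be compared literally."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"


def user_dn(username: str) -> str:
    """DN for a bind or a modify, with the RDN value escaped."""
    return f"uid={escape_dn_value(username)},{BASE_DN}"


if __name__ == "__main__":
    for attempt in ("alice", "*", "*)(uid=*"):
        print(repr(attempt))
        print("  unsafe:", unsafe_user_filter(attempt))
        print("  safe:  ", user_filter(attempt))
    print(user_dn("Smith, John"))
```

With the unsafe builder, `*` as a username returns every `inetOrgPerson` entry, and `*)(uid=*` turns the filter into one the attacker controls; with escaping, the same input is only ever compared as a literal string. Client libraries such as python-ldap and ldap3 ship their own escaping helpers, and those should be preferred to hand-rolled code once a library is in use.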

________________________________________________________________________________

7.2 Identity Management (IdM)

Definition: The process of managing the identity lifecycle, including creation, maintenance, and deletion of identities (often described as the joiner, mover, and leaver events).

Examples:

  • User Provisioning: Automating the process of creating and managing user accounts, usually driven from an authoritative source such as the HR system.
  • Identity Governance: Ensuring that identity policies and practices comply with regulations and standards, through access certifications, separation-of-duties rules, and reporting.


Use Case: A company uses an identity management system to automate the provisioning and deprovisioning of user accounts, so that a leaver's access is removed on the day their HR record closes.

________________________________________________________________________________

7.3 Access Management

Definition: The process of managing access to resources based on policies and rules.

Examples:

  • Single Sign-On (SSO): Allowing users to access multiple applications with one authentication, typically via SAML or OpenID Connect tokens issued by an identity provider. Because one credential now opens many doors, SSO should be paired with MFA and session controls.
  • Federated Identity Management: Allowing users to authenticate with their home organization's identity provider and be trusted by applications in other organizations or domains, on the basis of a trust relationship rather than a shared account database.


Use Case: An enterprise uses access management to ensure that employees can seamlessly access both internal and external applications.

________________________________________________________________________________

7.4 Privileged Access Management (PAM)

Definition: The process of managing and monitoring privileged accounts and access rights.

Examples:

  • Privileged Account Management: Managing accounts with elevated privileges to ensure they are used securely, typically by vaulting their credentials and issuing them for a limited time and a stated purpose.
  • Session Monitoring: Monitoring and recording sessions initiated by privileged accounts, so that administrative actions can be reviewed or replayed during an investigation.


Use Case: A company uses PAM to manage and monitor the use of administrative accounts to prevent unauthorized access.


Multiple Choice Questions

1. What is the primary function of directory services in IAM?

a. To manage passwords

b. To store and manage information about users and resources in a network

c. To authenticate users

d. To encrypt data


2. What does identity management (IdM) involve?

a. Managing the identity lifecycle, including creation, maintenance, and deletion of identities

b. Storing and managing information about users and resources in a network

c. Allowing users to access multiple applications with one set of login credentials

d. Monitoring privileged accounts and access rights


3. Which technology allows users to access multiple applications with one set of login credentials?

a. Multi-Factor Authentication (MFA)

b. Single Sign-On (SSO)

c. Directory Services

d. Privileged Access Management (PAM)


4. What is the purpose of privileged access management (PAM)?

a. To manage and monitor privileged accounts and access rights

b. To automate the provisioning and deprovisioning of user accounts

c. To ensure that identity policies comply with regulations

d. To authenticate users


5. How does federated identity management benefit users?

a. By encrypting their data

b. By allowing them to use the same identification data to access multiple networks

c. By managing their passwords

d. By storing their information in a directory service


Answers and Explanations

1. b. To store and manage information about users and resources in a network

Directory services store and manage information about users and resources in a network.


2. a. Managing the identity lifecycle, including creation, maintenance, and deletion of identities

Identity management (IdM) involves managing the identity lifecycle, including creation, maintenance, and deletion of identities.


3. b. Single Sign-On (SSO)

Single Sign-On (SSO) allows users to access multiple applications with one set of login credentials.


4. a. To manage and monitor privileged accounts and access rights

Privileged access management (PAM) manages and monitors privileged accounts and access rights.


5. b. By allowing them to use the same identification data to access multiple networks

Federated identity management allows users to authenticate once with their home identity provider and use that identity across multiple organizations or networks.


8. IAM Best Practices and Challenges

8.1 Best Practices

8.1.1 Implement Strong Authentication Methods

Definition: Using robust authentication methods to verify user identities.

Examples:

  • Multi-Factor Authentication (MFA): Combining authentication methods from different factor categories to enhance security.
  • Biometric Authentication: Using physical or behavioral characteristics to verify identity.


Use Case: An organization implements MFA and biometric authentication to secure access to sensitive systems.

________________________________________

8.1.2 Regularly Review and Update Access Controls

Definition: Periodically reviewing and updating access controls to ensure they remain effective.

Examples:

  • Access Reviews: Conducting regular reviews of access permissions, with the resource or line manager attesting to each entitlement, so that access accumulated through role changes is revoked.
  • Policy Updates: Updating access control policies to reflect changes in the organization or threat landscape.


Use Case: A company conducts quarterly access reviews and updates its access control policies to address new security threats.

________________________________________

8.1.3 Implement Least Privilege

Definition: Providing users, and equally service accounts and administrators, with the minimum level of access necessary to perform their job functions.

Examples:

  • Access Rights: Granting employees only the access rights they need to perform their duties, and removing rights that usage data shows are never exercised.
  • Role-Based Access Control (RBAC): Assigning permissions to roles and users to roles, so that a user's permissions are the union of the roles they hold and can be reviewed at the role level.


Use Case: An organization implements least privilege by restricting administrative access to systems to a few IT administrators, who use separate administrative accounts only for administrative tasks.
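Sections 8.1.2 and 8.1.3 describe one loop: grant through roles, then review what was granted against what is actually used. The following is an added example, not code from the page: a small RBAC evaluator (default deny, permissions as the union of the user's roles) plus a least-privilege review that compares each user's effective permissions with a constructed 90-day access log and proposes dropping roles of which nothing was used. The roles, users, permission names and log are constructed for the example.

```python
"""Added example (not from the page): a role-based authorization check plus a
least-privilege review that compares what each user was granted with what the
access log shows they used.  Roles, users, permissions and the log are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "developer":       {"repo:read", "repo:write", "ci:run"},
    "release-manager": {"repo:read", "deploy:prod"},
    "dba":             {"db:read", "db:admin"},
    "auditor":         {"repo:read", "db:read", "logs:read"},
}

USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"developer"},
    "bob":   {"developer", "dba"},      # dba was added for a one-off migration and never removed
    "carol": {"auditor"},
}

# Constructed 90-day access log: (user, permission actually exercised).
ACCESS_LOG = [
    ("alice", "repo:write"), ("alice", "ci:run"), ("alice", "repo:write"),
    ("bob", "repo:read"), ("bob", "repo:write"),
    ("carol", "logs:read"), ("carol", "db:read"),
]


def effective_permissions(user: str, user_roles: Dict[str, Set[str]] = USER_ROLES,
                          role_permissions: Dict[str, Set[str]] = ROLE_PERMISSIONS) -> Set[str]:
    """A user's permissions are the union of the permissions of every role held."""
    perms: Set[str] = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions.get(role, set())
    return perms


def is_authorized(user: str, permission: str) -> bool:
    """Default deny: unknown users, unknown roles and unknown permissions are refused."""
    return permission in effective_permissions(user)


def least_privilege_review(user_roles: Dict[str, Set[str]],
                           role_permissions: Dict[str, Set[str]],
                           access_log: Iterable[Tuple[str, str]]) -> Dict[str, Dict[str, Set[str]]]:
    """For each user: permissions granted but never used, and roles none of whose
    permissions were used.  The second set is the revocation candidate list."""
    used: Dict[str, Set[str]] = defaultdict(set)
    for user, perm in access_log:
        used[user].add(perm)
    report = {}
    for user, roles in user_roles.items():
        granted = effective_permissions(user, user_roles, role_permissions)
        unused_roles = {r for r in roles if not (role_permissions[r] & used[user])}
        report[user] = {
            "unused_permissions": granted - used[user],
            "unused_roles": unused_roles,
        }
    return report


def proposed_roles_after_review(user_roles, role_permissions, access_log) -> Dict[str, Set[str]]:
    """Apply the review: drop roles of which nothing was used.  In a real process the
    owner attests to each drop before it is applied, since usage is evidence, not proof."""
    report = least_privilege_review(user_roles, role_permissions, access_log)
    return {user: roles - report[user]["unused_roles"] for user, roles in user_roles.items()}


if __name__ == "__main__":
    print(is_authorized("bob", "db:admin"), is_authorized("alice", "deploy:prod"))  # True False
    for user, finding in least_privilege_review(USER_ROLES, ROLE_PERMISSIONS, ACCESS_LOG).items():
        print(user, finding)
    print(proposed_roles_after_review(USER_ROLES, ROLE_PERMISSIONS, ACCESS_LOG))
```

The review flags `bob`'s `dba` role because none of its permissions appear in the log, which is exactly the stale, accumulated access a quarterly review exists to catch. Individual unused permissions inside a still-used role (such as `alice`'s `repo:read`) are a signal that the role definition itself may be broader than the job needs.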

________________________________________

8.1.4 Use Automated Identity Management Tools

Definition: Using tools to automate the management of identities and access rights.

Examples:

  • Identity Provisioning: Automating the process of creating and managing user accounts.
  • Access Reviews: Using tools to automate the review and update of access permissions.


Use Case: A company uses identity management tools to automate the provisioning and deprovisioning process, reducing the risk of human error.

________________________________________________________________________________

8.2 Detailed Comparison Between PAM and IAM

8.2.1 Privileged Access Management (PAM)

Definition: The process of managing and monitoring privileged accounts and access rights.

Examples:

  • Session Management: Monitoring and controlling sessions initiated by privileged accounts.
  • Credential Vaulting: Storing privileged account credentials in a secure vault, from which they are checked out for a limited time and, ideally, rotated after each use.


Top 5 PAM Products:

  • CyberArk: Offers comprehensive privileged access security solutions.
  • BeyondTrust: Provides privilege management and vulnerability management solutions.
  • Thycotic: Delivers password and privileged access management solutions (Thycotic merged with Centrify in 2021; the combined company now operates as Delinea).
  • ManageEngine PAM360: Integrates IT operations management with PAM.
  • Centrify: Focuses on securing privileged access and identity management (now part of Delinea).


Use Case: A financial institution uses CyberArk to manage and monitor administrative access to critical systems.

________________________________________

8.2.2 Identity and Access Management (IAM)

Definition: The process of managing user identities, access rights, and authentication methods.

Examples:

  • User Provisioning: Automating the creation and management of user accounts.
  • Single Sign-On (SSO): Allowing users to access multiple applications with one set of login credentials.


Top 5 IAM Products:

  • Okta: Provides identity management and SSO solutions.
  • Microsoft Azure AD: Offers directory and identity management as part of the Azure platform (renamed Microsoft Entra ID in 2023).
  • Ping Identity: Delivers identity and access management solutions.
  • IBM Security Identity Governance and Intelligence: Focuses on identity governance and intelligence.
  • SailPoint: Provides identity governance solutions.


Use Case: A technology company uses Okta for single sign-on and identity management across its cloud applications.

________________________________________

8.2.3 Differences Between PAM and IAM

PAM is best understood as a specialized subset of IAM rather than a separate discipline: IAM governs every identity, and PAM adds tighter controls for the small set of identities that can change the system itself.

  • Scope: PAM focuses on managing and monitoring privileged accounts, while IAM encompasses all user identities and access rights.
  • Use Cases: PAM is used for administrative and high-risk accounts, whereas IAM is used for all user accounts and access rights.
  • Tools: PAM tools typically include session monitoring, credential vaulting, and just-in-time elevation, while IAM tools focus on user provisioning, SSO, and identity governance.

________________________________________________________________________________

8.3 Challenges

8.3.1 Managing Privileged Accounts

Definition: Ensuring that privileged accounts are managed securely to prevent unauthorized access.

Examples:

  • Privileged Account Abuse: Preventing misuse of privileged accounts, including misuse by their legitimate holders.
  • Credential Theft: Protecting against the theft of privileged account credentials, for example from the memory of a compromised workstation or from scripts and configuration files in which they were hard-coded.


Use Case: An organization implements PAM solutions to prevent the abuse and theft of privileged account credentials.

________________________________________

8.3.2 Ensuring Compliance

Definition: Meeting regulatory and compliance requirements for identity and access management.

Examples:

  • Audits: Conducting regular audits to ensure compliance with regulations.
  • Policy Enforcement: Ensuring that identity and access management policies are enforced.


Use Case: A financial institution conducts regular audits and enforces IAM policies to comply with regulatory requirements.

________________________________________

8.3.3 Scalability

Definition: Ensuring that identity and access management solutions can scale with the organization.

Examples:

  • User Growth: Managing the growth of user identities and access rights.
  • Integration: Integrating IAM solutions with existing systems and applications.


Use Case: A company selects scalable IAM solutions that can grow with the organization and integrate with its existing infrastructure.


Multiple Choice Questions

1. What is the primary focus of Privileged Access Management (PAM)?

a. Managing all user identities

b. Managing and monitoring privileged accounts and access rights

c. Providing single sign-on

d. Automating user provisioning


2. Which IAM product is known for providing single sign-on and identity management solutions?

a. CyberArk

b. Okta

c. BeyondTrust

d. Thycotic


3. What is a key difference between PAM and IAM?

a. PAM focuses on all user accounts, while IAM focuses on privileged accounts

b. PAM includes session monitoring, while IAM includes user provisioning and SSO

c. PAM is used for low-risk accounts, while IAM is used for high-risk accounts

d. PAM and IAM are used interchangeably without distinction


4. Which of the following is a top PAM product?

a. Okta

b. SailPoint

c. BeyondTrust

d. IBM Security Identity Governance and Intelligence


5. How does PAM contribute to security in an organization?

a. By providing single sign-on for all applications

b. By managing and monitoring the use of elevated privileges

c. By automating the creation and deletion of user accounts

d. By enabling federated identity management


Answers and Explanations

1. b. Managing and monitoring privileged accounts and access rights

The primary focus of Privileged Access Management (PAM) is managing and monitoring privileged accounts and access rights.


2. b. Okta

Okta is known for providing single sign-on and identity management solutions.


3. b. PAM includes session monitoring, while IAM includes user provisioning and SSO

A key difference between PAM and IAM is that PAM includes session monitoring, while IAM includes user provisioning and SSO.


4. c. BeyondTrust

BeyondTrust is a top PAM product known for privilege management and vulnerability management solutions.


5. b. By managing and monitoring the use of elevated privileges

PAM contributes to security in an organization by managing and monitoring the use of elevated privileges.



Conclusion

Identity and Access Management (IAM) is a critical component of an organization's security strategy.

By effectively managing identities, implementing robust authentication and authorization mechanisms, and following best practices, organizations can ensure that only authorized users have access to their resources.

This module has covered the fundamental principles of IAM, explored various IAM technologies, and provided best practices to address common challenges.

Understanding and implementing IAM effectively helps protect systems and data from unauthorized access and potential security threats.



CISSP Resources

1- Official (ISC)2 CISSP Study Guide

2- CISSP (ISC)2 Official Practice Tests

3- CISSP All-in-One Exam Guide by Shon Harris

4- Cybrary – CISSP Training by Kelly Handerhan

https://www.cybrary.it/course/cissp

5- Oreilly – CISSP Training by Sari Greene

https://www.oreilly.com/library/view/cissp-4th-edition/9780135328613/?_gl=1*jwhz1z*_ga*MTgyMDY2NDI5LjE3MTczNzAwMDI.*_ga_092EL089CH*MTcxNzM3MDAwMi4xLjEuMTcxNzM3MDEwNi41OC4wLjA

6- CISSP bundles by Thor Pedersen

https://thorteaches.com/cissp/

7- CISSP MindMaps YouTube Playlist from Destination Certification

https://www.youtube.com/playlist?list=PLZKdGEfEyJhLd-pJhAD7dNbJyUgpqI4pu

