CISSP Module 05 – Identity and Access Management

Defensive Coding

In the previous module of the CISSP tutorial (Module 04), we talked about the OSI model, the TCP/IP model, common attacks, firewalls, proxies and NAT, WANs, wireless networking and cloud computing. We hope your CISSP online training is going well so far, and that you can find everything you need in the CISSP course material we are presenting here.

Now we move on to Module 05. This module is a bit different and starts with the Network Devices Skill Certification Test, which is designed to prove your knowledge of the most critical skill sets in the cyber security industry. The test is at advanced level, consists of 40 questions and has a time limit of one hour. We wish you luck and believe you will make it!


In this module, we are going to talk about identity, how it is defined, and the objectives of access control. Access control objectives start with IAAA (covered in the earlier modules): identification, authentication, authorization and accountability.

Defining Identity and Access

The purpose of all of this is to make sure that only the right people are using the technology. Identification means making a claim about who you are (presenting a username, for example); authentication is how a user supports that claim (with a password, for example). Identity management, then, is the set of policies and services used to manage those identities.

So what are the countermeasures to attacks such as man-in-the-middle (MITM) and traffic hijacking, which target the authentication exchange itself? They lie in certificates, so that each endpoint can prove its identity cryptographically, and in single sign-on, so that credentials are not presented separately to every service.

Core Security Requirements

First of all, authorization. Once an entity is authenticated, authorization determines which privileges and permissions it has: whether it may create, read, update or delete a given object. Access control models include DAC, MAC, RBAC and RuBAC; they decide which subjects may perform which operations on which objects, and therefore which requests are allowed to reach an application. This is how the sensitive information and high-value secrets we talked about earlier are protected.

Then there is accountability. An accountable system records the subject, the action and a timestamp for every security-relevant event. This matters most for companies where several people use the same account: a shared account makes it impossible to tie an action to an individual, and it is not recommended at all. Every person should have their own account, holding only the authorizations they need.

Access Control Models

Some systems are designed for ease of use, others for confidentiality. With DAC (discretionary access control), access to an object is at its owner's discretion; the owner grants access through an access control list (ACL) attached to the object.

Another one is MAC (mandatory access control). It is used in high-security environments and relies on labels: the system compares the classification label of the object with the clearance of the subject. Under MAC, data owners cannot grant access on their own.

Then we have RBAC (role-based access control), which you have already learned about in the previous modules: permissions are assigned to roles, and users obtain permissions by being assigned roles.
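The following Python example is added here and is not taken from the CISSP course material. It puts the authorization and accountability requirements from the Core Security Requirements section together with the three models above: each check returns an allow/deny decision and writes an audit record with subject, action, object and timestamp. The users, objects, labels and roles are constructed sample data, and the MAC rules used are the Bell-LaPadula confidentiality rules as one illustration of label-based control.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data for the example (not from the course material): labels, ACLs, roles.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass
class AuditRecord:
    subject: str      # who
    action: str       # did what
    obj: str          # to which object
    allowed: bool     # outcome of the authorization decision
    model: str        # which access control model decided
    timestamp: str    # when (UTC)

audit_log = []

def record(subject, action, obj, allowed, model):
    """Accountability: every decision is tied to one subject, one action and a timestamp.
    This is only meaningful when `subject` identifies a single person, never a shared account."""
    audit_log.append(AuditRecord(subject, action, obj, allowed, model,
                                 datetime.now(timezone.utc).isoformat()))
    return allowed

# --- DAC: the object's owner decides, and expresses the decision as an ACL on the object ---
dac_objects = {
    "report.docx": {"owner": "alice",
                    "acl": {"alice": {"read", "update", "delete"}, "bob": {"read"}}},
}

def dac_check(subject, action, obj):
    allowed = action in dac_objects[obj]["acl"].get(subject, set())
    return record(subject, action, obj, allowed, "DAC")

def dac_grant(granter, obj, grantee, actions):
    """Discretionary: only the owner may change the ACL."""
    if dac_objects[obj]["owner"] != granter:
        raise PermissionError(f"{granter} is not the owner of {obj}")
    dac_objects[obj]["acl"].setdefault(grantee, set()).update(actions)

# --- MAC: labels are assigned by the system; owners cannot override them ---
clearance = {"alice": "secret", "bob": "confidential"}                    # subject labels
classification = {"plan.txt": "top_secret", "memo.txt": "confidential"}   # object labels

def mac_check(subject, action, obj):
    """Bell-LaPadula confidentiality rules as the illustration: no read up, no write down."""
    s, o = LEVELS[clearance[subject]], LEVELS[classification[obj]]
    if action == "read":
        allowed = s >= o           # may read at or below own clearance
    elif action == "update":
        allowed = s <= o           # may write at or above own clearance (nothing leaks downward)
    else:
        allowed = False
    return record(subject, action, obj, allowed, "MAC")

# --- RBAC: permissions attach to roles; users get permissions by holding roles ---
role_permissions = {
    "auditor": {("read", "ledger")},
    "accountant": {("read", "ledger"), ("update", "ledger")},
}
user_roles = {"carol": {"auditor"}, "dave": {"accountant"}}

def rbac_check(subject, action, obj):
    allowed = any((action, obj) in role_permissions[r] for r in user_roles.get(subject, ()))
    return record(subject, action, obj, allowed, "RBAC")
```

Note the difference in who can change the policy: `dac_grant` lets the owner extend the ACL, while the MAC labels and the role assignments are data the system administers and no object owner can edit on their own.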

Authentication Types 1-3

Let's understand the three factors of authentication: something you know, something you have and something you are, much like in real life. The first factor is the most commonly used; a password or PIN is a typical example. Even when it is hard to guess, it is also the easiest factor to defeat, so you should learn how to choose and protect strong passwords.

The second factor refers to items such as smart cards or hand-held tokens. The user inserts the smart card into a reader to authenticate. Hand-held tokens work in a similar way: the token displays a number that the server can compute at that same moment, and if the user types the same number, they are authenticated.

Something you are: biometric methods such as fingerprints, hand geometry or voice analysis. They do provide the strongest authentication, but they are susceptible to errors (false rejections and false acceptances). The most important thing of all is to understand how these three factors can be combined into multifactor authentication: the combination is strong only when the factors are of different types, not two examples of the same type.


SSO and Kerberos

Let's talk about single sign-on (SSO), which we tend to take for granted today. Peer-to-peer connections, where every system keeps its own accounts, are workable only for a few users. As the environment grows, it becomes really hard to connect many users and still stay secure. That is why we have some great SSO systems today.

A common way to implement single sign-on (SSO) is Kerberos (one of the greatest such systems) together with an LDAP directory: Kerberos handles the authentication, while LDAP holds the authorization data and handles user synchronization. Kerberos is an authentication protocol meant to be used in conjunction with an LDAP-enabled instance. Once you have logged in once, the Kerberos client holds a ticket-granting ticket and obtains service tickets for further services without prompting you for the password again, so no redirect to a login page is required.
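To make the ticket flow concrete, here is an added Python simulation of the three Kerberos exchanges (AS, TGS and AP) running on one machine. It is not real Kerberos code and is not part of the course material: a toy standard-library cipher stands in for a Kerberos encryption type, and pre-authentication, realms and addresses are omitted. The principal names, passwords and keys are constructed.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption built only from the standard library (HMAC-SHA256 keystream
# plus an HMAC tag). It stands in for a Kerberos encryption type so the exchange runs offline;
# it is an illustration, not something to reuse in production.
def _keystream(key, nonce, n):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key, obj):
    plaintext, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password, principal):
    """The client's long-term key is derived from its password; the KDC holds the same key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

TICKET_LIFETIME, CLOCK_SKEW = 8 * 3600, 300   # seconds

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one process."""
    def __init__(self, keys):
        self.keys = keys   # principal -> long-term key: users, services and "krbtgt"

    def as_exchange(self, client, now):
        # AS-REP: a session key plus a TGT sealed under the krbtgt key. The reply itself is
        # sealed under the client's key, so only someone who knows the password can use it.
        session_key = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": session_key,
                                         "expires": now + TICKET_LIFETIME})
        return seal(self.keys[client], {"key": session_key, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service, now):
        # TGS-REQ: the TGT proves the KDC issued it; the authenticator (sealed with the TGT
        # session key and carrying a fresh timestamp) proves the requester holds that key.
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if now > t["expires"] or a["client"] != t["client"] or abs(a["time"] - now) > CLOCK_SKEW:
            raise PermissionError("TGS-REQ rejected")
        service_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": service_key,
                                           "expires": now + TICKET_LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"key": service_key, "ticket": ticket.hex()})

class Client:
    def __init__(self, principal, password):
        self.principal, self.key = principal, string_to_key(password, principal)
        self.tgt = self.tgt_key = None
        self.tickets = {}   # service -> (ticket, service session key)

    def login(self, kdc, now):
        """The only step that uses the password. Returns False if the AS-REP does not open."""
        try:
            rep = unseal(self.key, kdc.as_exchange(self.principal, now))
        except ValueError:
            return False
        self.tgt, self.tgt_key = bytes.fromhex(rep["tgt"]), bytes.fromhex(rep["key"])
        return True

    def get_service_ticket(self, kdc, service, now):
        """SSO in action: no password prompt, the TGT and its session key do the work."""
        authenticator = seal(self.tgt_key, {"client": self.principal, "time": now})
        rep = unseal(self.tgt_key, kdc.tgs_exchange(self.tgt, authenticator, service, now))
        self.tickets[service] = (bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["key"]))

    def ap_request(self, service, now):
        """AP-REQ: the service ticket plus an authenticator sealed with the service session key."""
        ticket, key = self.tickets[service]
        return ticket, seal(key, {"client": self.principal, "time": now})

def service_accept(service_key, ticket, authenticator, now):
    """Application server check: it never contacts the KDC, its own key opens the ticket.
    Returns the authenticated principal; a directory (LDAP) lookup would then supply its authorizations."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if now > t["expires"] or a["client"] != t["client"] or abs(a["time"] - now) > CLOCK_SKEW:
        raise PermissionError("AP-REQ rejected: expired ticket, mismatched client or stale authenticator")
    return t["client"]
```

Two properties of the real protocol are visible here: the password is used exactly once, in `login`, and the application server authenticates the client from the ticket alone, which is why tickets carry an expiry and authenticators carry a timestamp checked against a small clock skew.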

Access Control Methods

These methods should be used by all system administrators. Individual restrictions need to be applied to all roles and modules, on all forms of information used in any kind of business. Access control is expressed in terms of subjects (who is acting), objects (what is being accessed) and operations (which action is performed).

The models that prevent malicious use are MAC, DAC, RBAC and RuBAC, which we discussed above and in the previous modules.

Everyone needs to look at a set of best practices in security for their organization.


RADIUS is implemented by several vendors of network access servers (NAS). It carries authentication, authorization and configuration information between a NAS and a RADIUS authentication server. The RADIUS server uses this information to authenticate users and to establish the authorized service for each user.
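Added example (not from the original page): a minimal Python encoder and decoder for the exchange described above, a NAS sending an Access-Request and the RADIUS server answering Access-Accept or Access-Reject, following RFC 2865 for the User-Password hiding and the Response Authenticator. The shared secret, the user database and the packet identifiers are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; followed by the 16-byte Authenticator

def attribute(attr_type, value):
    """TLV attribute: Type (1 byte), Length including this header (1 byte), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")   # length must cover its header and stay in bounds
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block), the first 'previous block' being the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # removes the padding; a password ending in NUL bytes is not supported

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return HEADER.pack(code, ident, HEADER.size + 16 + len(body)) + authenticator + body

def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): ties the reply to the
    request and proves it came from a holder of the shared secret."""
    length = HEADER.size + 16 + len(attrs_bytes)
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attrs_bytes + secret).digest()

def nas_access_request(username, password, secret, ident):
    """NAS side: build an Access-Request and keep the Request Authenticator to check the reply."""
    request_auth = os.urandom(16)   # must be unpredictable and unique per request
    attrs = [attribute(USER_NAME, username),
             attribute(USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def radius_server(packet, secret, users):
    """Server side: recover the password, check it, answer Access-Accept or Access-Reject."""
    code, ident, length = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], parse_attributes(packet[20:length])
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("missing User-Name or User-Password")
    supplied = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    expected = users.get(attrs[USER_NAME])   # constructed user database: name -> password
    ok = expected is not None and hmac.compare_digest(expected, supplied)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, b"", secret)
    return build_packet(reply_code, ident, auth, [])

def nas_verify_response(reply, request_auth, secret):
    """NAS side: recompute the Response Authenticator before trusting the reply code."""
    code, ident, length = HEADER.unpack_from(reply)
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    if not hmac.compare_digest(reply[4:20], expected):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    return code
```

The password hiding is only an MD5-keyed XOR, and the Response Authenticator is the sole integrity check on the reply, so the strength of a RADIUS deployment rests on the shared secret and on keeping the NAS-to-server path on a protected network; a NAS that skips `nas_verify_response` would accept any spoofed Access-Accept.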

Now we come to your next exam! It's called the Authentication Protocols and Technology Skill Certification Test. We know you can achieve the best, so believe in yourself. It has 40 questions, is at intermediate level, and lasts one hour. Good luck!


EMSEC, or emanation security, protects you against unintentional signals that can disclose information being received, transmitted or handled. EMSEC covers the measures taken to deny unauthorized individuals information derived from the interception and analysis of compromising emanations from crypto-equipment or an information system.

There you go! Now you can take the last test of this module. We hope we helped you a lot. Your last exam here is called the Access Control and Identity Management Skill Certification Test.

Talk to you in Module 06!