Overview
Identity and access management (IAM) are core to maintaining confidentiality, integrity, and availability of assets and resources that are critical to business survival and function. Central to maintaining protection of business-critical assets is the ability to name, associate, and apply suitable identity and access control methodologies and technologies that meet specific business needs.
Domain Objectives
After completing this domain, the participant will be able to:
- Identify standard terms for applying physical and logical access controls to environments related to their security practice.
- Apply physical and logical access controls to environments with relation to the (environment’s or access controls’) security practice.
- Define the process of user and systems access review.
- Apply the appropriate control types/categories for provisioning and deprovisioning of identities.
- Classify various identification, authentication, and authorization technologies for use in managing people, devices, and services.
- Differentiate the languages and protocols that are related to roles and systems that support federation.
- Select the appropriate technologies and protocols for establishing a federated environment that satisfies business requirements.
- Appraise various access control models to meet business security requirements.
- Name the significance of accountability in relationship to identification, authentication, and auditing.
Control Physical and Logical Access to Assets
Module Objectives
- Identify standard terms for applying physical and logical access controls to environments related to their security practice.
- Apply physical and logical access controls to environments with relation to the (environment’s or access controls’) security practice.
Information
Information, and the administration of information, is key to the management of individual and systemic access control systems. Information can be associated with both logical and physical access control systems. Whether it is a logical or physical access system, the control of that system is maintained somewhere as discrete data and/or information. The management of information related to physical and logical access is accomplished in three primary ways, namely: centralized, decentralized, and hybrid.
Centralized–Centralized administration means that one element is responsible for configuring access controls so that users can access data and perform the activities they need to. As users’ information processing needs change, their access can be modified only through central administration, usually after requests have been approved through an established procedure and by the appropriate authority. The main advantage of centralized administration is that very strict control over information can be maintained because the ability to make changes resides with very few persons. Each user’s account can be centrally monitored, and closing all access for any user can be easily accomplished if that individual leaves the organization.
Consistent and uniform procedures and criteria are usually not difficult to enforce, since relatively few individuals oversee the process.
Decentralized–In contrast to centralized administration, decentralized administration means that access to information is controlled by the owners or creators of the files, whoever or wherever those individuals may be. An advantage of decentralized administration is that control is in the hands of the individuals most accountable for the information, most familiar with it, and best able to judge who should be able to do what in relation to it. One disadvantage, however, is that there may not be consistency among creators/owners as to procedures and criteria for granting user access and capabilities. Another disadvantage is that when requests are not processed centrally, it may be more difficult to form a system-wide view of all user access on the system at any given time. Different data owners may inadvertently implement combinations of access that introduce conflicts of interest or that are in some way not in the organization’s best interest. It may also be difficult to ensure that access is properly terminated when an employee transfers within, or leaves, an organization.
Hybrid–In a hybrid approach, centralized control is exercised for some information and decentralized is allowed for other information. One typical arrangement is that central administration is responsible for the broadest and most basic access, and the creators/owners of files control the types of access or users’ abilities for the files under their control. For example, when a new employee is hired into a department, a central administrator might provide the employee with a set of access perhaps based on the functional element they are assigned to, job classification, and the specific task the employee was hired to work on.
The employee might have read-only access to an organization-wide SharePoint document library and to project status report files, but read and write privileges to his department’s weekly activities report. Also, if the employee left a project, the project manager can easily close that employee’s access to that file.
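The hybrid arrangement just described, modelled as an added example (not code from the course): central administration grants a baseline from the employee's department, file owners grant per-file access, and a review step surfaces owner grants that outlived a transfer or departure, the gap the decentralized discussion warns about. Department names, resources and users are constructed.

```python
from dataclasses import dataclass, field

# Constructed baseline: the access central administration grants per department.
CENTRAL_BASELINE = {
    "finance": {("org-sharepoint", "read"), ("project-status", "read"),
                ("finance-weekly-report", "write")},
    "engineering": {("org-sharepoint", "read"), ("project-status", "read"),
                    ("eng-weekly-report", "write")},
}

@dataclass
class HybridAdmin:
    department: dict = field(default_factory=dict)  # user -> department, None once terminated
    # (resource, user) -> (permission, user's department at the time the owner granted it)
    owner_grants: dict = field(default_factory=dict)

    def hire(self, user, dept):
        """Centralized step: baseline access follows from the department assignment."""
        self.department[user] = dept

    def transfer(self, user, dept):
        self.department[user] = dept

    def terminate(self, user):
        """One central change closes every baseline grant for the user."""
        self.department[user] = None

    def owner_grant(self, resource, user, perm):
        """Decentralized step: a file owner grants access to a file they control."""
        self.owner_grants[(resource, user)] = (perm, self.department.get(user))

    def owner_revoke(self, resource, user):
        self.owner_grants.pop((resource, user), None)

    def effective(self, user):
        """Union of the central baseline and owner-granted access."""
        perms = set(CENTRAL_BASELINE.get(self.department.get(user), set()))
        perms |= {(r, p) for (r, u), (p, _) in self.owner_grants.items() if u == user}
        return perms

    def review(self):
        """Owner grants whose holder has moved or left since the grant: the
        system-wide view that decentralized administration alone does not give."""
        return sorted((r, u, p) for (r, u), (p, dept) in self.owner_grants.items()
                      if self.department.get(u) != dept)
```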
Systems
Access controls can be classified as either logical or physical systems. The simplest example of a physical access control system is a door that can be locked, limiting people to one side of the door or the other. A logical access control system is typically found in an office network, where users who have been granted a clearance are permitted, or not permitted, to log in to a system and access data labeled with a classification.
Access Controls and Administration
ISO/IEC 27000:2016(E) defines access control as a “means to ensure that access to assets is authorized and restricted based on business and security requirements.” These requirements will be formalized in the organizational policy that is pertinent to individual organizations. Two primary system types that form access controls are physical and logical. Each type requires administration that may involve, to varying degrees, senior management (risk-based decisions concerning the organizational risk appetite and profile), the data owner (“need-to-know,” “least privilege,” and asset value determination), and the custodian (implementing tools that appropriately restrict the assets against disclosure, destruction, or alteration).
Logical Access Control Systems
The Federal Identity, Credential, and Access Management (FICAM) defines logical access control as: “An automated system that controls an individual’s ability to access one or more computer system resources such as a workstation, network, application, or database. A logical access control system requires validation of an individual’s identity through some mechanism such as a Personal Identification Number (PIN), card, biometric, or other token. It has the capability to assign different access privileges to meet different persons depending on their roles and responsibilities in an organization.”
Logical access control requires more complex and nuanced administration than physical access control. Before the logical access control type is selected and implemented, the data owner will have classified and categorized the data. Categorizing the data reveals the impact that would occur if there is disclosure, alteration, or destruction. Classifying the data defines the value of discrete assets and who should have access and authorization.
Logical access controls are often built into the operating system, or may be part of the “logic” of applications programs or major utilities, such as database management systems (DBMS). They may also be implemented in add-on security packages that are installed into an operating system; such packages are available for a variety of systems, including PCs and mainframes. Additionally, logical access controls may be present in specialized components that regulate communications between computers and networks.
Physical Access Control Systems (PACS)
NIST Special Publication 800-53r4 defines physical access control as “An automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based on a set of authorization rules.”
Devices
There is a range of devices (systems or components, in the logical case) associated with logical and physical access control. Logical and physical access control devices include but are not limited to access tokens (hardware and software), keys, and cards.
Access Control Tokens
Access control tokens are available in many different technologies and in many different shapes. The information that is stored on the token is presented to a reader that reads the information and sends it to the system for processing. The token may have to be swiped, inserted, or placed on or near a reader. When the reader sends information to the system, it verifies that the token belongs to the system and identifies the token itself. Then, the system decides if access is to be granted or denied based upon the validity of the token for the point where it is read based on time, date, day, holiday, or other condition used for controlling validation.
When biometric readers are used, the token or key is the user’s retina, fingerprint, hand geometry, voice, or whatever biological attribute is enrolled into the system. Most biometric readers also require a PIN to index the stored data on the sample readings of the biological attribute. Biometric systems can also be used to determine whether a person is already in a database, such as for social service or national ID applications.
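The token decision described above (verify the token belongs to the system, identify it, then judge its validity for the reader where it is presented by time, day and holiday), as an added example that is not part of the course material. System code, token registry, reader schedules and the holiday list are constructed.

```python
from datetime import datetime, date, time

SYSTEM_CODE = "FAC-01"                 # constructed: the code this system issues tokens under
HOLIDAYS = {date(2024, 12, 25)}        # constructed holiday calendar

# Constructed token registry: token id -> (issuing system, active, schedule name).
TOKENS = {
    "T1001": (SYSTEM_CODE, True, "office-hours"),
    "T1002": (SYSTEM_CODE, True, "always"),
    "T1003": (SYSTEM_CODE, False, "always"),   # reported lost, deactivated
    "T9999": ("FAC-02", True, "always"),       # issued for another facility's system
}

# Schedules: which readers a token may open, on which weekdays and hours, and
# whether the schedule stays in force on holidays. A reader the schedule does
# not list is never opened by that token.
ALL_DAY = (set(range(7)), time(0, 0), time(23, 59, 59))
SCHEDULES = {
    "office-hours": {"holidays": False,
                     "readers": {"LOBBY": [({0, 1, 2, 3, 4}, time(7, 0), time(19, 0))]}},
    "always": {"holidays": True,
               "readers": {"LOBBY": [ALL_DAY], "SERVER-ROOM": [ALL_DAY]}},
}

def decide(token_id, reader_id, when: datetime):
    """Return (granted, reason) for a token read at reader_id at time `when`."""
    rec = TOKENS.get(token_id)
    if rec is None:                        # system cannot identify the token
        return False, "unknown token"
    system, active, schedule_name = rec
    if system != SYSTEM_CODE:              # token was not issued by this system
        return False, "foreign token"
    if not active:
        return False, "token deactivated"
    schedule = SCHEDULES[schedule_name]
    if when.date() in HOLIDAYS and not schedule["holidays"]:
        return False, "holiday"
    for days, start, end in schedule["readers"].get(reader_id, []):
        if when.weekday() in days and start <= when.time() <= end:
            return True, "ok"
    return False, "outside schedule for this reader"
```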
Facilities
Below is an example of how a physical access control system can be applied to a specific entity or facility.
Case: Department of Homeland Security
- What distinct roles can you locate within the physical access control system (PACS) application’s four areas as described below? What are general security roles that can be used as placeholders for the PACS application roles?
- Name the logical or physical systems that are described in the PACS application below.
- What assumptions could you make about the nature of the information related to identification in the PACS application cited below?
Physical Access Control Systems (PACS) Applications
PACS applications used are divided into four areas that operate independently at the direction of the PACS administrator:
- Identification: PACS requires an individual’s personally identifiable information (PII) so it can authorize physical access to the Department of Homeland Security’s (DHS) facilities. PACS sensors read the information on an individual’s personal identity verification (PIV) card to verify if the individual is authorized access.
- Visitor Management: Visitors and construction and service contractors who have not been issued a PIV card must be identified before being granted access.
- Parking Permit Management: The Office of the Chief Administrative Officer (OCAO) uses PACS to issue and track parking permits. OCAO personnel access PACS to determine if an individual is eligible to receive a parking permit. Upon issuance of the parking permit, OCAO personnel enter into PACS the name and email address of the permit holder, the permit number and type, issue date, and expiration date.
- Alarm Monitoring and Intrusion Detection: The PACS alarm monitoring application allows OCAO personnel to monitor the intrusion detection system (IDS). A record is created in PACS of all IDS alarm activations or other issues, such as communication and power problems. The IDS in PACS consists of sensors, lights, and other mechanisms through which the Office of the Chief Security Officer (OCSO) can detect the unauthorized intrusion of persons or devices. The only PII collected by the PACS IDS suite is the first and last name of the individual authorized to turn the alarm system on and off and the corresponding PIN that the individual inputs into the alarm keypad to activate or deactivate the alarm.