Domaine 5 · 13% Exam weight

Identity and Access Management

Domain 5 (13%) governs the identity life cycle and access control: who are you, are you really you, what may you do, and who answers for your actions. It covers IAAA, multi-factor authentication and biometrics, the DAC/MAC/RBAC/RuBAC/ABAC models, SSO and federation (Kerberos, SAML, OAuth/OIDC), AAA protocols (RADIUS, TACACS+), directories (LDAP, AD), and the NIST assurance levels (IAL/AAL/FAL).

(ISC)² CBK Objectives

The 6 official learning areas of Domain 5. Click an objective for detail.

Objective A

Control physical and logical access to assets

Diagramme — Control physical and logical access to assets

Two planes: physical (badges, door biometric, CCTV, mantraps) and logical (accounts, groups, ACL, tokens, MFA). Both must be consistent: revoke badge when revoking account.

Key points

  • Logical separation via ACL, physical via zones
  • Ideally single identity source (HRMS → AD → badge)
  • Periodic access review (access recertification)
Objective B

Manage identification and authentication

Diagramme — Manage identification and authentication

3 authentication factors: Knowledge (password), Possession (token, smartcard), Inherence (biometric). MFA = combine ≥ 2 different factors. Biometrics: measure FAR/FRR/CER (lower = better).

Key points

  • MFA ≠ 2× same factor (2 passwords = no)
  • FAR (Type II) = false accept, worse than FRR (Type I)
  • Passwordless: FIDO2/WebAuthn progressively replacing passwords
Objective C

Federated identity with a third-party service

Diagramme — Federated identity with a third-party service

Federation = one trusted IdP proves identity for several SPs. Protocols: SAML 2.0 (XML, enterprise web SSO), OAuth 2.0 (API authorization), OpenID Connect (identity on OAuth). Benefits: one user account, centralized decommissioning.

Key points

  • SAML = auth (who?); OAuth = authz (which permission?)
  • OIDC = identity on OAuth 2.0 = best for modern web apps
  • IdP down = all SPs blocked (critical SPoF)
Objective E

Implement and manage authorization mechanisms

Diagramme — Implement and manage authorization mechanisms

Models: DAC (owner decides, ACL), MAC (labels, central, military), RBAC (roles), ABAC (attributes - modern), Rule-BAC (conditional rules). RBAC is the enterprise standard; ABAC adds fineness for cloud and Zero Trust.

Key points

  • RBAC: user → role → permission. Readable, auditable.
  • ABAC: evaluate(user, resource, action, environment)
  • Least privilege + SoD as safeguards
Objective F

Identity and access provisioning lifecycle

Diagramme — Identity and access provisioning lifecycle

Cycle: Request → Approve → Provision → Review → Revoke. Critical: automate. An orphan account (former employee) = incubating breach. Quarterly access review + HR trigger on movement (hire, role change, leave).

Key points

  • JML: Joiner, Mover, Leaver - key process
  • Offboarding = top priority within 24 h max
  • Privileged Access Management (PAM) for admin accounts
Objective G

Implement authentication systems

Diagramme — Implement authentication systems

Kerberos (KDC tickets), RADIUS/TACACS+ (AAA), SAML, OAuth 2.0, OpenID Connect, FIDO2/WebAuthn. Consider: protocol security, performance, integration, UX. Centralized vs decentralized architecture.

Key points

  • Kerberos: AS + TGS, encrypted tickets, replay protection
  • TACACS+ (Cisco) encrypts everything; RADIUS only the password
  • FIDO2 phishing-resistant (origin binding)

Key concepts

Subjects and objects

A subject is the active entity requesting access (user, process, service). An object is the passive resource sought (file, database, device). The system decides whether the subject may perform a CRUD operation (Create, Read, Update, Delete) on the object.

IAAA - access control lifecycle

Identification (assert an identity), Authentication (prove the identity), Authorization (grant permissions), Accountability/Auditing (track and attribute actions). Often extended to IAAAA to split accountability and auditing.

Authentication factors

Knowledge (know - password, PIN), Possession (have - token, smartcard, OTP), Inherence (are - biometrics). Two further factors: location (where you are - geolocation) and behaviour (what you do - keystroke, gait). MFA = at least two DIFFERENT factors.

Least privilege and need to know

Least privilege = grant only the rights strictly needed for the role. Need to know = restrict access to just the data required for a specific task. Need to know refines least privilege down to the data level.

Separation of duties

Separation of Duties (SoD) splits a sensitive task across several people so no one can act alone (one requests, one approves). Paired with need to know, it neutralises fraud and conflicts of interest.

Defense in depth

Stack layers of controls (physical, logical, administrative) so a single failure does not compromise all access. Physical access control (PACS) stays a layer distinct from logical control.

Zero Trust

A "never trust, always verify" model: no implicit trusted perimeter, every request is authenticated, authorized and contextualised (identity, posture, attributes). Builds naturally on ABAC and JIT.

Identity store

Central repository of identities and their attributes (LDAP directory, Active Directory). It is the source SSO and federation query to authenticate and authorize, rather than duplicating accounts everywhere.

Credential and CMS

A credential is the binding between an identity and an authenticator (password, certificate, smartcard). A Credential Management System (CMS) issues, renews and revokes credentials, often backed by a PKI for 2FA identities.

Identity proofing

The one-time initial decision, made at enrollment, to verify that a person is who they claim to be (ID documents, address checks). Not to be confused with authentication, which repeats at every access. Framed by NIST SP 800-63A.

Digital identity model (roles)

Applicant → CSP (Credential Service Provider: enrollment + proofing) → Claimant → Verifier → Subscriber → Relying Party (RP). Trust is passed from the CSP down to the relying party that grants access.

Biometrics and error rates

Physiological or behavioural traits are measured. Two errors: FRR (Type I, legitimate user rejected, operational cost) and FAR (Type II, impostor accepted, security risk). The CER (FAR = FRR) is used to compare systems.

SSO (Single Sign-On)

A single authentication grants access to every authorized resource within one trust domain. Improves experience and cuts password fatigue, but creates a single point of failure: compromise the SSO and you compromise everything.

FIM (federated identity)

Federation extends SSO ACROSS separate organisations via mutual trust: the IdP (Identity Provider) authenticates the user and the SP (Service Provider) trusts it. Avoids re-duplicating accounts at every partner (SAML, OIDC).

JIT (Just-in-Time)

On-demand provisioning of identity or privilege, granted for a specific event and valid for it only, then automatically deprovisioned. Major use case: JIT PAM, which removes standing privileges from high-power accounts.

Session management

After authentication a session ID (a long, random, single-use value: nonce) is issued and stored in a cookie to track requests. The session ends on inactivity timeout or anomaly (IP change, double login). Stealing/replaying the cookie is a replay attack.

DAC / MAC / NDAC / RBAC / RuBAC / ABAC

DAC: the owner decides (ACL). MAC: central authority and labels, system-enforced. NDAC: non-discretionary, central. RBAC: rights carried by roles. RuBAC: conditional rules (time, amount). ABAC: decision on attributes (who, when, where, resource, threat).

PDP and PEP (ABAC)

In ABAC (NIST SP 800-162), the Policy Decision Point (PDP) evaluates policy and renders the decision; the Policy Enforcement Point (PEP) enforces it. Splitting decision from enforcement enables centralised, fine-grained authorization.

Kerberos

Network authentication via the KDC, made of the AS (Authentication Server) and TGS (Ticket Granting Server). The AS issues a TGT, the TGS issues Service Tickets (ST). Symmetric crypto, time-stamped tickets (NTP critical), replay protection.

Privilege escalation

Vertical: a normal user gains higher rights (root/admin). Horizontal (lateral movement): access to another same-level account, server to server. Mitigations: MFA, least privilege, patching, IDS/SIEM, renaming privileged accounts.

Frameworks & standards

FrameworkRole
NIST SP 800-63 (IAL / AAL / FAL) Digital identity guidelines: assurance levels for identity (IAL), authentication (AAL) and federation assertion (FAL).
FICAM / ICAM US federal (2009) Identity, Credential and Access Management architecture for building a sound credential architecture.
NIST SP 800-192 Describes access control models (DAC, RBAC, RuBAC, ABAC) and the means of implementing them.
NIST SP 800-162 ABAC guide: PDP (decision) and PEP (enforcement) at the heart of the mechanism.
ISO/IEC 27000 Defines access control as the means of ensuring access to assets based on business and security requirements.
ISO/IEC 24760 Framework for identity management.
Kerberos Symmetric-ticket network authentication protocol via KDC (AS + TGS).
SAML 2.0 XML auth/authz exchange between domains (federated web SSO).
OAuth 2.0 / OIDC OAuth 2.0 = authorization delegation (access tokens); OpenID Connect = an authentication layer on top, with an ID token.
RADIUS / TACACS+ AAA network-access protocols. RADIUS (UDP, combines authN/authZ, encrypts only the password); TACACS+ (TCP, separates AAA, encrypts the whole payload).
LDAP / X.500 Directory of identities and attributes (Distinguished Names). Foundation of Active Directory and the identity store.

Acronyms

AcronymMeaning
IAM Identity & Access Management
IdM Identity Management
IAAA Identification, Authentication, Authorization, Accountability
AAA Authentication, Authorization, Accounting
IAL Identity Assurance Level (proofing strength)
AAL Authenticator Assurance Level (authentication strength)
FAL Federation Assurance Level (federated assertion strength)
FICAM Federal Identity, Credential and Access Management
ICAM Identity, Credential and Access Management
CSP Credential Service Provider
RP Relying Party
IdP Identity Provider
SP Service Provider
SFA Single-Factor Authentication
MFA Multi-Factor Authentication
OTP One-Time Password
TOTP Time-based One-Time Password
HOTP HMAC-based One-Time Password
FAR False Acceptance Rate (Type II)
FRR False Rejection Rate (Type I)
CER Crossover Error Rate
EER Equal Error Rate (synonym of CER)
DAC Discretionary Access Control
MAC Mandatory Access Control
NDAC Non-Discretionary Access Control
RBAC Role-Based Access Control
RuBAC Rule-Based Access Control
ABAC Attribute-Based Access Control
PDP Policy Decision Point
PEP Policy Enforcement Point
ACL Access Control List
PAM Privileged Access Management
JIT Just-in-Time (on-demand provisioning)
SSO Single Sign-On
FIM Federated Identity Management
IDaaS Identity as a Service
IGA Identity Governance and Administration
KDC Key Distribution Center (Kerberos)
TGT Ticket Granting Ticket
TGS Ticket Granting Server
ST Service Ticket
AS Authentication Server (Kerberos)
SAML Security Assertion Markup Language
OAuth Open Authorization (access delegation)
OIDC OpenID Connect
OP OpenID Provider
RADIUS Remote Authentication Dial-In User Service
TACACS+ Terminal Access Controller Access-Control System Plus
LDAP Lightweight Directory Access Protocol
DN Distinguished Name (LDAP)
AD Active Directory
AD DS Active Directory Domain Services
AD FS Active Directory Federation Services
FIDO Fast IDentity Online
U2F Universal 2nd Factor (FIDO)
UAF Universal Authentication Framework (FIDO)
WebAuthn Web Authentication (FIDO2 API)
PKI Public Key Infrastructure
CMS Credential Management System
PACS Physical Access Control System
SID Security Identifier (Windows)
NTP Network Time Protocol (vital for Kerberos)
EAP Extensible Authentication Protocol

Mnemonics

Memo · IAAA

IAAA in order: Identification (who?) → Authentication (prove it) → Authorization (what may you do?) → Accountability/Auditing (who answers, and what did they do?).

Memo · 5 facteurs

5 factors: KNOW · HAVE · ARE (biometrics) · WHERE (where you are) · DO (what you do). MFA = at least 2 DIFFERENT factors (password + PIN = still just 1 factor).

Memo · FAR vs FRR

FAR (Type II) = intruder GETS IN (worst, risk). FRR (Type I) = legit user REJECTED (cost). CER = FAR = FRR: lower = better.

Memo · Modèles d'accès

DAC = Owner decides (ACL) · MAC = Central + labels · RBAC = Role · RuBAC = Rule (condition) · ABAC = Attribute. Hint: the letter before BAC names who or what decides.

Memo · Kerberos passeport

The TGT is the PASSPORT (proves who you are, issued by the AS). The Service Ticket is the VISA (grants access to ONE service, issued by the TGS). Time-stamped tickets: NTP critical.

Memo · OAuth vs OIDC

OAuth 2.0 = authoriZation (which delegated permission?). OpenID Connect = authenticatioN (who are you?), a layer on top of OAuth with an ID token.

Memo · SSO vs FIM

SSO = 1 login WITHIN a domain. FIM = SSO ACROSS domains/organisations via mutual trust (IdP authenticates, SP trusts).

Memo · RADIUS vs TACACS+

RADIUS: UDP, combines authN+authZ, encrypts ONLY the password. TACACS+: TCP, SEPARATES the 3 As, encrypts the WHOLE payload.

Formulas

Remember

FAR = faux accept / tentatives imposteurs

False Acceptance Rate (Type II): rate at which impostors are accepted. On the exam this is the MOST dangerous error (an attacker gets in). A low FAR favours security.

Remember

FRR = faux rejets / tentatives légitimes

False Rejection Rate (Type I): rate at which legitimate users are rejected. A convenience/cost error (work blocked), less severe than FAR but harms availability.

Remember

CER (= EER) = point où FAR = FRR

Crossover/Equal Error Rate: the threshold where both curves cross. Used to compare biometric systems (lower CER = better). TRAP: the CER is the OPTIMAL setting only when the costs of a FAR and an FRR are equivalent; otherwise you shift the threshold.

Remember

Throughput = utilisateurs traités / unité de temps

Biometric throughput: number of successful authentications per minute. Too low a throughput creates queues and harms acceptability, even with good accuracy.

Exam pitfalls

Pitfall

Authentication ≠ Authorization

Authentication proves WHO you are; authorization decides WHAT you may do. A question about permissions on objects is authorization, not authentication.

Pitfall

Identity proofing ≠ authentication

Proofing is the INITIAL, ONE-TIME decision (at enrollment) to verify the real identity. Authentication repeats at EVERY access. Don't confuse who is enrolled with the check at login time.

Pitfall

Type I (FRR) vs Type II (FAR)

Type I = FRR = false rejection (legit user blocked). Type II = FAR = false acceptance (impostor admitted). Type II is the WORST for security. The exam often swaps the numbers.

Pitfall

OAuth (authZ) ≠ OIDC (authN)

OAuth 2.0 delegates an AUTHORIZATION (resource access via token); it does not authenticate the user. OpenID Connect adds the AUTHENTICATION layer (ID token). Using OAuth alone to "log in" is an anti-pattern.

Pitfall

RBAC ≠ RuBAC

RBAC = access carried by the ROLE (the user's function). RuBAC = access carried by conditional RULES (time, amount, IP). Same "R" prefix, different logic.

Pitfall

Vertical ≠ horizontal escalation

Vertical = gain HIGHER rights (user → admin). Horizontal = take a SAME-level account (lateral movement). The exam tests the direction of elevation.

Pitfall

SSO ≠ FIM

SSO = one login for several resources in ONE trust domain. FIM = federation ACROSS separate organisations. All federation gives SSO, but not all SSO is federated.

Pitfall

Data owner ≠ custodian

The data owner sets classification and decides on access (accountability). The custodian applies and operates day-to-day protections (backups, rights). Decision vs execution.

Pitfall

RADIUS ≠ TACACS+

RADIUS: UDP, combines authentication and authorization, encrypts only the password. TACACS+: TCP, separates the three As, encrypts the whole payload. TACACS+ is preferred for granular network device admin.

Pitfall

The CER is not always optimal

The CER (FAR = FRR) is for COMPARING systems, but it is the ideal setting only if a false accept and a false reject cost the same. For a highly sensitive area, you deliberately lower the FAR at the price of a higher FRR.

Real-world cases

Case · Real case - DHS PACS

DHS Physical Access Control System

The Department of Homeland Security runs a PACS split into four independent areas (badges/PII, parking, alarm/IDS monitoring, etc.) managed by the PACS administrator. CISSP lesson: PHYSICAL access control is a distinct problem from logical; an attacker who gains physical access often bypasses logical defences. The PACS collects only strictly necessary PII (least privilege applied to data).

Case · Real case - Dropbox 2012

Dropbox 2012 breach

In 2012 attackers used a Dropbox employee's STOLEN password to reach a document holding millions of users' emails. A single factor (a reused password) was enough. Response: rolling out 2FA and re-evaluating the identity provisioning life cycle. Lesson: a single factor on a broad-access account is a critical flaw; MFA and least privilege would have contained it.

Case · Teaching scenario - biometrics/CER

Tuning a biometric reader's threshold

Two fingerprint readers: A (CER 1%) and B (CER 3%). For a blind comparison, A wins. But for a classified server room you do NOT operate at the CER: you tighten the threshold to crush the FAR (zero impostors), even if the FRR rises (a few legitimate rejections are acceptable, since an agent can retry). Conversely, a cafeteria turnstile favours a low FRR (throughput/convenience).

10-second recap

10-second recap

  • IAAA = Identification, Authentication, Authorization, Accountability (full cycle).
  • 5 factors: know / have / are / where / do; MFA = at least 2 DIFFERENT factors.
  • FRR = Type I (false reject, cost); FAR = Type II (false accept, risk); CER = FAR = FRR.
  • The CER compares systems but is optimal only when FAR and FRR cost the same.
  • Models: DAC (owner) · MAC (central+labels) · RBAC (role) · RuBAC (rule) · ABAC (attributes, PDP/PEP).
  • Kerberos: KDC = AS (TGT) + TGS (Service Ticket), symmetric, NTP critical.
  • SSO = one domain; FIM = across organisations; SAML authN, OAuth authZ, OIDC = identity on OAuth.
  • NIST 800-63 levels: IAL (proofing) / AAL (authentication) / FAL (federation).

Domain quiz

Three levels available. Pick one based on the time you have.

🔒 Sign-up required for quizzes

Exam-style quizzes are members-only (free). Sign in with a magic link or a passkey to practise and save your scores.