(ISC)² CBK Objectives
The 6 official learning areas of Domain 5. Click an objective for detail.
Control physical and logical access to assets
Two planes: physical (badges, door biometric, CCTV, mantraps) and logical (accounts, groups, ACL, tokens, MFA). Both must be consistent: revoke badge when revoking account.
Key points
- Logical separation via ACL, physical via zones
- Ideally single identity source (HRMS → AD → badge)
- Periodic access review (access recertification)
Manage identification and authentication
3 authentication factors: Knowledge (password), Possession (token, smartcard), Inherence (biometric). MFA = combine ≥ 2 different factors. Biometrics: measure FAR/FRR/CER (lower = better).
Key points
- MFA ≠ 2× same factor (2 passwords = no)
- FAR (Type II) = false accept, worse than FRR (Type I)
- Passwordless: FIDO2/WebAuthn progressively replacing passwords
Federated identity with a third-party service
Federation = one trusted IdP proves identity for several SPs. Protocols: SAML 2.0 (XML, enterprise web SSO), OAuth 2.0 (API authorization), OpenID Connect (identity on OAuth). Benefits: one user account, centralized decommissioning.
Key points
- SAML = auth (who?); OAuth = authz (which permission?)
- OIDC = identity on OAuth 2.0 = best for modern web apps
- IdP down = all SPs blocked (critical SPoF)
Implement and manage authorization mechanisms
Models: DAC (owner decides, ACL), MAC (labels, central, military), RBAC (roles), ABAC (attributes - modern), Rule-BAC (conditional rules). RBAC is the enterprise standard; ABAC adds fineness for cloud and Zero Trust.
Key points
- RBAC: user → role → permission. Readable, auditable.
- ABAC: evaluate(user, resource, action, environment)
- Least privilege + SoD as safeguards
Identity and access provisioning lifecycle
Cycle: Request → Approve → Provision → Review → Revoke. Critical: automate. An orphan account (former employee) = incubating breach. Quarterly access review + HR trigger on movement (hire, role change, leave).
Key points
- JML: Joiner, Mover, Leaver - key process
- Offboarding = top priority within 24 h max
- Privileged Access Management (PAM) for admin accounts
Implement authentication systems
Kerberos (KDC tickets), RADIUS/TACACS+ (AAA), SAML, OAuth 2.0, OpenID Connect, FIDO2/WebAuthn. Consider: protocol security, performance, integration, UX. Centralized vs decentralized architecture.
Key points
- Kerberos: AS + TGS, encrypted tickets, replay protection
- TACACS+ (Cisco) encrypts everything; RADIUS only the password
- FIDO2 phishing-resistant (origin binding)
Key concepts
Subjects and objects
A subject is the active entity requesting access (user, process, service). An object is the passive resource sought (file, database, device). The system decides whether the subject may perform a CRUD operation (Create, Read, Update, Delete) on the object.
IAAA - access control lifecycle
Identification (assert an identity), Authentication (prove the identity), Authorization (grant permissions), Accountability/Auditing (track and attribute actions). Often extended to IAAAA to split accountability and auditing.
Authentication factors
Knowledge (know - password, PIN), Possession (have - token, smartcard, OTP), Inherence (are - biometrics). Two further factors: location (where you are - geolocation) and behaviour (what you do - keystroke, gait). MFA = at least two DIFFERENT factors.
Least privilege and need to know
Least privilege = grant only the rights strictly needed for the role. Need to know = restrict access to just the data required for a specific task. Need to know refines least privilege down to the data level.
Separation of duties
Separation of Duties (SoD) splits a sensitive task across several people so no one can act alone (one requests, one approves). Paired with need to know, it neutralises fraud and conflicts of interest.
Defense in depth
Stack layers of controls (physical, logical, administrative) so a single failure does not compromise all access. Physical access control (PACS) stays a layer distinct from logical control.
Zero Trust
A "never trust, always verify" model: no implicit trusted perimeter, every request is authenticated, authorized and contextualised (identity, posture, attributes). Builds naturally on ABAC and JIT.
Identity store
Central repository of identities and their attributes (LDAP directory, Active Directory). It is the source SSO and federation query to authenticate and authorize, rather than duplicating accounts everywhere.
Credential and CMS
A credential is the binding between an identity and an authenticator (password, certificate, smartcard). A Credential Management System (CMS) issues, renews and revokes credentials, often backed by a PKI for 2FA identities.
Identity proofing
The one-time initial decision, made at enrollment, to verify that a person is who they claim to be (ID documents, address checks). Not to be confused with authentication, which repeats at every access. Framed by NIST SP 800-63A.
Digital identity model (roles)
Applicant → CSP (Credential Service Provider: enrollment + proofing) → Claimant → Verifier → Subscriber → Relying Party (RP). Trust is passed from the CSP down to the relying party that grants access.
Biometrics and error rates
Physiological or behavioural traits are measured. Two errors: FRR (Type I, legitimate user rejected, operational cost) and FAR (Type II, impostor accepted, security risk). The CER (FAR = FRR) is used to compare systems.
SSO (Single Sign-On)
A single authentication grants access to every authorized resource within one trust domain. Improves experience and cuts password fatigue, but creates a single point of failure: compromise the SSO and you compromise everything.
FIM (federated identity)
Federation extends SSO ACROSS separate organisations via mutual trust: the IdP (Identity Provider) authenticates the user and the SP (Service Provider) trusts it. Avoids re-duplicating accounts at every partner (SAML, OIDC).
JIT (Just-in-Time)
On-demand provisioning of identity or privilege, granted for a specific event and valid for it only, then automatically deprovisioned. Major use case: JIT PAM, which removes standing privileges from high-power accounts.
Session management
After authentication a session ID (a long, random, single-use value: nonce) is issued and stored in a cookie to track requests. The session ends on inactivity timeout or anomaly (IP change, double login). Stealing/replaying the cookie is a replay attack.
DAC / MAC / NDAC / RBAC / RuBAC / ABAC
DAC: the owner decides (ACL). MAC: central authority and labels, system-enforced. NDAC: non-discretionary, central. RBAC: rights carried by roles. RuBAC: conditional rules (time, amount). ABAC: decision on attributes (who, when, where, resource, threat).
PDP and PEP (ABAC)
In ABAC (NIST SP 800-162), the Policy Decision Point (PDP) evaluates policy and renders the decision; the Policy Enforcement Point (PEP) enforces it. Splitting decision from enforcement enables centralised, fine-grained authorization.
Kerberos
Network authentication via the KDC, made of the AS (Authentication Server) and TGS (Ticket Granting Server). The AS issues a TGT, the TGS issues Service Tickets (ST). Symmetric crypto, time-stamped tickets (NTP critical), replay protection.
Privilege escalation
Vertical: a normal user gains higher rights (root/admin). Horizontal (lateral movement): access to another same-level account, server to server. Mitigations: MFA, least privilege, patching, IDS/SIEM, renaming privileged accounts.
Frameworks & standards
| Framework | Role |
|---|---|
| NIST SP 800-63 (IAL / AAL / FAL) | Digital identity guidelines: assurance levels for identity (IAL), authentication (AAL) and federation assertion (FAL). |
| FICAM / ICAM | US federal (2009) Identity, Credential and Access Management architecture for building a sound credential architecture. |
| NIST SP 800-192 | Describes access control models (DAC, RBAC, RuBAC, ABAC) and the means of implementing them. |
| NIST SP 800-162 | ABAC guide: PDP (decision) and PEP (enforcement) at the heart of the mechanism. |
| ISO/IEC 27000 | Defines access control as the means of ensuring access to assets based on business and security requirements. |
| ISO/IEC 24760 | Framework for identity management. |
| Kerberos | Symmetric-ticket network authentication protocol via KDC (AS + TGS). |
| SAML 2.0 | XML auth/authz exchange between domains (federated web SSO). |
| OAuth 2.0 / OIDC | OAuth 2.0 = authorization delegation (access tokens); OpenID Connect = an authentication layer on top, with an ID token. |
| RADIUS / TACACS+ | AAA network-access protocols. RADIUS (UDP, combines authN/authZ, encrypts only the password); TACACS+ (TCP, separates AAA, encrypts the whole payload). |
| LDAP / X.500 | Directory of identities and attributes (Distinguished Names). Foundation of Active Directory and the identity store. |
Acronyms
| Acronym | Meaning |
|---|---|
| IAM | Identity & Access Management |
| IdM | Identity Management |
| IAAA | Identification, Authentication, Authorization, Accountability |
| AAA | Authentication, Authorization, Accounting |
| IAL | Identity Assurance Level (proofing strength) |
| AAL | Authenticator Assurance Level (authentication strength) |
| FAL | Federation Assurance Level (federated assertion strength) |
| FICAM | Federal Identity, Credential and Access Management |
| ICAM | Identity, Credential and Access Management |
| CSP | Credential Service Provider |
| RP | Relying Party |
| IdP | Identity Provider |
| SP | Service Provider |
| SFA | Single-Factor Authentication |
| MFA | Multi-Factor Authentication |
| OTP | One-Time Password |
| TOTP | Time-based One-Time Password |
| HOTP | HMAC-based One-Time Password |
| FAR | False Acceptance Rate (Type II) |
| FRR | False Rejection Rate (Type I) |
| CER | Crossover Error Rate |
| EER | Equal Error Rate (synonym of CER) |
| DAC | Discretionary Access Control |
| MAC | Mandatory Access Control |
| NDAC | Non-Discretionary Access Control |
| RBAC | Role-Based Access Control |
| RuBAC | Rule-Based Access Control |
| ABAC | Attribute-Based Access Control |
| PDP | Policy Decision Point |
| PEP | Policy Enforcement Point |
| ACL | Access Control List |
| PAM | Privileged Access Management |
| JIT | Just-in-Time (on-demand provisioning) |
| SSO | Single Sign-On |
| FIM | Federated Identity Management |
| IDaaS | Identity as a Service |
| IGA | Identity Governance and Administration |
| KDC | Key Distribution Center (Kerberos) |
| TGT | Ticket Granting Ticket |
| TGS | Ticket Granting Server |
| ST | Service Ticket |
| AS | Authentication Server (Kerberos) |
| SAML | Security Assertion Markup Language |
| OAuth | Open Authorization (access delegation) |
| OIDC | OpenID Connect |
| OP | OpenID Provider |
| RADIUS | Remote Authentication Dial-In User Service |
| TACACS+ | Terminal Access Controller Access-Control System Plus |
| LDAP | Lightweight Directory Access Protocol |
| DN | Distinguished Name (LDAP) |
| AD | Active Directory |
| AD DS | Active Directory Domain Services |
| AD FS | Active Directory Federation Services |
| FIDO | Fast IDentity Online |
| U2F | Universal 2nd Factor (FIDO) |
| UAF | Universal Authentication Framework (FIDO) |
| WebAuthn | Web Authentication (FIDO2 API) |
| PKI | Public Key Infrastructure |
| CMS | Credential Management System |
| PACS | Physical Access Control System |
| SID | Security Identifier (Windows) |
| NTP | Network Time Protocol (vital for Kerberos) |
| EAP | Extensible Authentication Protocol |
Mnemonics
IAAA in order: Identification (who?) → Authentication (prove it) → Authorization (what may you do?) → Accountability/Auditing (who answers, and what did they do?).
5 factors: KNOW · HAVE · ARE (biometrics) · WHERE (where you are) · DO (what you do). MFA = at least 2 DIFFERENT factors (password + PIN = still just 1 factor).
FAR (Type II) = intruder GETS IN (worst, risk). FRR (Type I) = legit user REJECTED (cost). CER = FAR = FRR: lower = better.
DAC = Owner decides (ACL) · MAC = Central + labels · RBAC = Role · RuBAC = Rule (condition) · ABAC = Attribute. Hint: the letter before BAC names who or what decides.
The TGT is the PASSPORT (proves who you are, issued by the AS). The Service Ticket is the VISA (grants access to ONE service, issued by the TGS). Time-stamped tickets: NTP critical.
OAuth 2.0 = authoriZation (which delegated permission?). OpenID Connect = authenticatioN (who are you?), a layer on top of OAuth with an ID token.
SSO = 1 login WITHIN a domain. FIM = SSO ACROSS domains/organisations via mutual trust (IdP authenticates, SP trusts).
RADIUS: UDP, combines authN+authZ, encrypts ONLY the password. TACACS+: TCP, SEPARATES the 3 As, encrypts the WHOLE payload.
Formulas
FAR = faux accept / tentatives imposteurs
False Acceptance Rate (Type II): rate at which impostors are accepted. On the exam this is the MOST dangerous error (an attacker gets in). A low FAR favours security.
FRR = faux rejets / tentatives légitimes
False Rejection Rate (Type I): rate at which legitimate users are rejected. A convenience/cost error (work blocked), less severe than FAR but harms availability.
CER (= EER) = point où FAR = FRR
Crossover/Equal Error Rate: the threshold where both curves cross. Used to compare biometric systems (lower CER = better). TRAP: the CER is the OPTIMAL setting only when the costs of a FAR and an FRR are equivalent; otherwise you shift the threshold.
Throughput = utilisateurs traités / unité de temps
Biometric throughput: number of successful authentications per minute. Too low a throughput creates queues and harms acceptability, even with good accuracy.
Exam pitfalls
Authentication ≠ Authorization
Authentication proves WHO you are; authorization decides WHAT you may do. A question about permissions on objects is authorization, not authentication.
Identity proofing ≠ authentication
Proofing is the INITIAL, ONE-TIME decision (at enrollment) to verify the real identity. Authentication repeats at EVERY access. Don't confuse who is enrolled with the check at login time.
Type I (FRR) vs Type II (FAR)
Type I = FRR = false rejection (legit user blocked). Type II = FAR = false acceptance (impostor admitted). Type II is the WORST for security. The exam often swaps the numbers.
OAuth (authZ) ≠ OIDC (authN)
OAuth 2.0 delegates an AUTHORIZATION (resource access via token); it does not authenticate the user. OpenID Connect adds the AUTHENTICATION layer (ID token). Using OAuth alone to "log in" is an anti-pattern.
RBAC ≠ RuBAC
RBAC = access carried by the ROLE (the user's function). RuBAC = access carried by conditional RULES (time, amount, IP). Same "R" prefix, different logic.
Vertical ≠ horizontal escalation
Vertical = gain HIGHER rights (user → admin). Horizontal = take a SAME-level account (lateral movement). The exam tests the direction of elevation.
SSO ≠ FIM
SSO = one login for several resources in ONE trust domain. FIM = federation ACROSS separate organisations. All federation gives SSO, but not all SSO is federated.
Data owner ≠ custodian
The data owner sets classification and decides on access (accountability). The custodian applies and operates day-to-day protections (backups, rights). Decision vs execution.
RADIUS ≠ TACACS+
RADIUS: UDP, combines authentication and authorization, encrypts only the password. TACACS+: TCP, separates the three As, encrypts the whole payload. TACACS+ is preferred for granular network device admin.
The CER is not always optimal
The CER (FAR = FRR) is for COMPARING systems, but it is the ideal setting only if a false accept and a false reject cost the same. For a highly sensitive area, you deliberately lower the FAR at the price of a higher FRR.
Real-world cases
DHS Physical Access Control System
The Department of Homeland Security runs a PACS split into four independent areas (badges/PII, parking, alarm/IDS monitoring, etc.) managed by the PACS administrator. CISSP lesson: PHYSICAL access control is a distinct problem from logical; an attacker who gains physical access often bypasses logical defences. The PACS collects only strictly necessary PII (least privilege applied to data).
Dropbox 2012 breach
In 2012 attackers used a Dropbox employee's STOLEN password to reach a document holding millions of users' emails. A single factor (a reused password) was enough. Response: rolling out 2FA and re-evaluating the identity provisioning life cycle. Lesson: a single factor on a broad-access account is a critical flaw; MFA and least privilege would have contained it.
Tuning a biometric reader's threshold
Two fingerprint readers: A (CER 1%) and B (CER 3%). For a blind comparison, A wins. But for a classified server room you do NOT operate at the CER: you tighten the threshold to crush the FAR (zero impostors), even if the FRR rises (a few legitimate rejections are acceptable, since an agent can retry). Conversely, a cafeteria turnstile favours a low FRR (throughput/convenience).
10-second recap
10-second recap
- IAAA = Identification, Authentication, Authorization, Accountability (full cycle).
- 5 factors: know / have / are / where / do; MFA = at least 2 DIFFERENT factors.
- FRR = Type I (false reject, cost); FAR = Type II (false accept, risk); CER = FAR = FRR.
- The CER compares systems but is optimal only when FAR and FRR cost the same.
- Models: DAC (owner) · MAC (central+labels) · RBAC (role) · RuBAC (rule) · ABAC (attributes, PDP/PEP).
- Kerberos: KDC = AS (TGT) + TGS (Service Ticket), symmetric, NTP critical.
- SSO = one domain; FIM = across organisations; SAML authN, OAuth authZ, OIDC = identity on OAuth.
- NIST 800-63 levels: IAL (proofing) / AAL (authentication) / FAL (federation).
Domain quiz
Three levels available. Pick one based on the time you have.
🔒 Sign-up required for quizzes
Exam-style quizzes are members-only (free). Sign in with a magic link or a passkey to practise and save your scores.