
🌐 Objective
Identity and Access Management (IAM) is the foundation of cybersecurity. It governs who can access what, when, where, and how—ensuring that only authorized individuals or systems have the right level of access to resources.
This domain is critical because identity compromise is at the root of most data breaches. If an attacker can impersonate a valid user (or exploit excessive privileges), they can bypass many other controls.
🎯 Why is IAM Important?
- Prevents unauthorized access to sensitive systems, data, and physical assets
- Enables auditable accountability by linking actions to identities
- Supports least privilege and need-to-know policies
- Plays a key role in Zero Trust and cloud security architectures
- Helps enforce compliance requirements (e.g., HIPAA, GDPR, SOX)
🧱 IAM Covers Three Core Areas
- Identification – How an entity (user/device/service) claims an identity
- Authentication – How that identity is proven (passwords, biometrics, certificates, etc.)
- Authorization – What that entity is allowed to do once authenticated (based on policies, roles, and attributes)
🧩 What You’ll Learn in Domain 5
This domain teaches you how to:
- Control physical and logical access to systems and facilities
- Understand and implement authentication mechanisms
- Manage digital identities and their lifecycle (provisioning, movement, deprovisioning)
- Apply and maintain access control models like RBAC, ABAC, DAC, and MAC
- Implement federated identity systems and third-party integrations
- Secure access in hybrid and cloud environments
🛠️ Real-World Relevance
In practice, IAM includes tools like:
- Active Directory, LDAP, or Azure AD for directory services
- SSO platforms like Okta, OneLogin, or ADFS
- MFA solutions like Google Authenticator, Duo, or FIDO2
- IAM policies in AWS, Azure, and GCP cloud platforms
- Privileged Access Management (PAM) solutions like CyberArk or BeyondTrust
🔐 Common IAM Threats
- Phishing leading to credential theft
- Password reuse and weak credentials
- Privilege escalation via misconfigured roles
- Unattended accounts after employee offboarding
- Insider threats due to over-permissioned users
🧠 CISSP Focus
CISSP emphasizes:
- Designing and managing secure IAM architectures
- Understanding access control policies and enforcement methods
- Applying risk-based access decisions (e.g., context-aware or time-based)
- Integrating IAM with physical security and cloud-based identity models
5.1 – Control Physical and Logical Access to Assets
This section focuses on ensuring that access to both physical and logical assets is tightly controlled, audited, and aligned with the principle of least privilege. This applies to information, systems, devices, facilities, applications, and services.
🔐 1. Information
Goal: Protect the confidentiality, integrity, and availability (CIA) of data.
- Classification schemes (e.g., public, internal, confidential, restricted) determine access levels.
- Use access control lists (ACLs) and data labeling to enforce policies.
- Apply role-based access for data handling (e.g., only HR can access employee files).
- Enforce encryption at rest and in transit.
- Implement DLP (Data Loss Prevention) solutions to prevent leaks.
Real-World Example: A financial organization restricts access to trading algorithms to only authorized quantitative analysts and encrypts backups offsite.
💻 2. Systems
Goal: Ensure only authorized users can access computing platforms.
- Use MFA for administrative logins.
- Implement host-based firewalls, HIDS/HIPS, and OS hardening.
- Disable unused accounts and enforce session timeouts.
- Audit system access logs and set up alerts for unusual login times or patterns.
Real-World Example: A SOC alerts when an admin account logs into a production server at 3 AM from a foreign IP.
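The alert described in that example, written out as detection logic over constructed sample log lines (an added illustration, not code from the original page): the admin naming convention, the log line format, the home-country list and the business-hours window are all assumed.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample authentication log (not from any real system), assumed format:
# "<ISO-8601 UTC timestamp> <user> <source ip> <country code> <result>"
SAMPLE_LOG = """\
2024-03-04T09:12:41Z admin.jsmith 10.20.30.41 US success
2024-03-04T03:07:15Z admin.jsmith 203.0.113.7 XX success
2024-03-04T14:22:09Z alice 10.20.30.55 US success
2024-03-04T02:58:33Z bob 10.20.30.60 US failure
2024-03-05T11:45:00Z admin.root 198.51.100.23 XX success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<country>[A-Z]{2}) (?P<result>success|failure)$"
)

# Assumed organisational policy values: privileged-account prefix, countries the
# organisation operates from, and the hours in which admin logins are expected.
ADMIN_PREFIX = "admin."
HOME_COUNTRIES = {"US"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a record; return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(str(rec["ts"]), "%Y-%m-%dT%H:%M:%SZ")
    return rec


def assess(rec: Dict[str, object]) -> List[str]:
    """Return policy findings for a successful privileged login (empty list = nothing unusual)."""
    findings: List[str] = []
    if rec["result"] != "success" or not str(rec["user"]).startswith(ADMIN_PREFIX):
        return findings          # only successful admin logins are in scope here
    if rec["ts"].hour not in BUSINESS_HOURS:   # type: ignore[union-attr]
        findings.append("off-hours")
    if rec["country"] not in HOME_COUNTRIES:
        findings.append("foreign-source")
    return findings


def find_alerts(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Scan a log blob and return (timestamp, user, findings) for every line that should alert."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue             # skip malformed lines rather than crash the detector
        findings = assess(rec)
        if findings:
            alerts.append((rec["ts"].isoformat(), str(rec["user"]), findings))  # type: ignore[union-attr]
    return alerts


if __name__ == "__main__":
    for ts, user, why in find_alerts(SAMPLE_LOG):
        print("ALERT %s %s: %s" % (ts, user, ", ".join(why)))
```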
📱 3. Devices
Goal: Control endpoint and peripheral access.
- Require device enrollment via MDM for corporate access.
- Use full-disk encryption (e.g., BitLocker, FileVault).
- Enforce port control (e.g., USB device blocking).
- Monitor devices using endpoint detection and response (EDR).
- Apply Zero Trust policies to ensure device trustworthiness before granting access.
Real-World Example: A company blocks unregistered smartphones from connecting to internal Wi-Fi using NAC policies.
🏢 4. Facilities
Goal: Prevent unauthorized physical access to sensitive areas.
- Implement badge access, biometric scanners, CCTV, and security guards.
- Use mantraps, turnstiles, and alarmed cages in data centers.
- Apply visitor logging and escort policies.
- Segment secure zones (e.g., HR records room, server room).
Real-World Example: Access to a financial vault is granted only when two authorized employees present their smart cards simultaneously (dual control).
🖥️ 5. Applications
Goal: Restrict application use and enforce appropriate permissions.
- Enforce authentication (OAuth, SAML, OpenID) and authorization (RBAC, ABAC).
- Prevent session hijacking via token expiration and HTTPS enforcement.
- Apply least privilege roles (e.g., read-only vs. admin access).
- Use Web Application Firewalls (WAFs) and secure coding practices.
Real-World Example: A healthcare system enforces access control to ensure that doctors can only view records of patients under their care.
☁️ 6. Services
Goal: Protect cloud, network, and third-party services.
- Use API authentication and token-based access (e.g., JWT).
- Segment internal services from public internet via firewalls, gateways, and proxies.
- Audit SaaS logins and restrict data access via CASB.
- Enforce SLAs with security controls for third-party providers.
Real-World Example: A company uses identity federation (SAML) to control employee access to Salesforce and applies DLP to restrict file exports.
Controlling access to information and technology assets requires a holistic approach—combining physical security, logical controls, user identity management, and continuous monitoring. By applying least privilege, multi-factor authentication, and proper segmentation, organizations reduce their attack surface and ensure that only the right people have access to the right resources at the right time.
5.2 – Design Identification and Authentication Strategy
This section focuses on creating robust strategies for identifying and authenticating people, devices, and services to ensure that access to systems is trustworthy, secure, and auditable.
👤 1. Groups and Roles
Purpose:
Use logical groupings (e.g., departments, roles) to simplify identity management and enforce least privilege.
- Role-Based Access Control (RBAC): Assign access permissions based on job functions.
- Group memberships: Centralize permissions (e.g., “Finance” group grants access to payroll system).
- Use dynamic roles where access changes based on user context (location, time, device).
Example: New hires in the HR department automatically join an “HR Analyst” group, which provides read-only access to employee records.
🔐 2. Authentication, Authorization, and Accounting (AAA)
Authentication:
Verifying identity using one or more of:
- Something you know (password, PIN)
- Something you have (token, smart card)
- Something you are (fingerprint, facial scan)
Multi-Factor Authentication (MFA): Combines two or more categories (e.g., OTP + fingerprint).
- Password-less authentication: Biometrics or hardware tokens (e.g., FIDO2) reduce phishing risk.
Authorization:
- Enforcing access permissions once identity is verified.
- Uses access control models like RBAC, ABAC, and policies.
Accounting:
- Logging user activities (who accessed what, when, and from where).
- Crucial for audit trails, incident response, and compliance.
Example: An engineer authenticates with MFA to a Git repository, is authorized to commit code, and the action is logged.
🔄 3. Session Management
Effective session management helps prevent hijacking and ensures proper termination.
- Session timeout and idle logout
- Token expiration and renewal (JWT, OAuth)
- Secure cookies and session IDs (served only over HTTPS, with the HttpOnly and Secure flags set)
Example: Banking applications auto-logout after 5 minutes of inactivity and require re-authentication.
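A minimal server-side session store implementing the controls listed above (idle logout, absolute expiry, cookie flags, ID rotation), added here as an illustration rather than taken from the page or from any product; the 5-minute idle timeout follows the banking example, and the 8-hour absolute lifetime is an assumed value.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 5 * 60          # 5 minutes of inactivity, as in the banking example
ABSOLUTE_LIFETIME = 8 * 3600   # assumed hard cap, enforced regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory session store; a real deployment would back this with a shared store."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock            # injectable clock so expiry can be tested
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        # 256-bit random identifier: unguessable and unrelated to user data.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    @staticmethod
    def cookie_header(sid: str) -> str:
        # Secure: HTTPS only. HttpOnly: not readable by script. SameSite: CSRF defence.
        return "Set-Cookie: sid=%s; Secure; HttpOnly; SameSite=Strict; Path=/" % sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the user of a live session, or None (destroying it) if it has expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            self.terminate(sid)        # expired sessions are removed, not merely refused
            return None
        s.last_seen = now              # sliding idle window
        return s.user

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh ID after authentication so a pre-login ID cannot be fixated."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def terminate(self, sid: str) -> None:
        """Explicit logout: the server-side record is dropped, so the cookie is useless."""
        self._sessions.pop(sid, None)
```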
🧾 4. Registration, Proofing, and Establishment of Identity
Establishing identity at onboarding is foundational for trust.
- Identity proofing: Validate identity via government ID, in-person verification, or knowledge-based questions.
- Digital identity creation: Assign credentials after successful verification.
- Ongoing assurance: Use risk scoring and anomaly detection to verify continued legitimacy.
Example: A bank requires in-branch identity verification before issuing digital credentials to a new customer.
🌐 5. Federated Identity Management (FIM)
Federation allows users to access multiple systems with a single identity across trusted domains.
- SAML, OAuth, and OpenID Connect enable secure token-based authentication.
- IdP (Identity Provider): Authenticates users (e.g., Google, Microsoft).
- SP (Service Provider): Grants access based on IdP’s assertion.
Example: An employee logs into Salesforce using their company’s Azure AD credentials via SAML.
🔐 6. Credential Management Systems (CMS)
Centralized platforms for storing, issuing, and rotating credentials.
- Password vaults (e.g., CyberArk, LastPass Enterprise)
- Key rotation and revocation mechanisms
- Integration with IAM platforms for policy enforcement
Example: Admin passwords are rotated weekly and stored in a vaulted system accessible only with MFA.
🔓 7. Single Sign-On (SSO)
SSO allows users to authenticate once and gain access to multiple systems.
- Enhances user convenience and reduces password fatigue.
- Must be paired with strong authentication and session monitoring.
- Example technologies: SAML, Kerberos, OAuth tokens
Risk Mitigation: If SSO is compromised, all linked systems are at risk—hence, pair with MFA and session logging.
⏱️ 8. Just-In-Time (JIT) Access
Provides temporary, time-bound elevated access to systems.
- Reduces standing privileges and insider threat risk.
- Typically paired with Privileged Access Management (PAM).
- Ensures access is requested, approved, audited, and revoked after the task.
Example: A database admin receives 2-hour elevated access to update records, logged via PAM with full session recording.
A strong identification and authentication strategy secures the front door to all digital assets. It emphasizes building systems that verify users, minimize over-privilege, maintain identity assurance, and streamline access through federation, JIT, and secure credential management.
5.3 – Federated Identity with a Third-Party Service
Federated identity allows users to access systems across multiple domains or organizations using a single digital identity, securely shared through trust relationships. This reduces friction, improves user experience, and enforces centralized identity management.
🌐 What is Federated Identity?
Federation is a trust framework in which one organization (Identity Provider or IdP) authenticates users, and another (Service Provider or SP) trusts the authentication and grants access without re-authentication.
🏢 1. On-Premise Federation
Features:
- All identity services are hosted within the organization’s data center.
- May use Active Directory Federation Services (ADFS) or Shibboleth.
- Supports integration with enterprise applications like SharePoint, SAP, and on-prem HR tools.
Protocols:
- SAML 2.0: Most common for enterprise federation.
- Kerberos tickets are used internally in Microsoft environments.
Pros:
- Full control over identity infrastructure.
- Integration with legacy systems.
Challenges:
- High cost to maintain infrastructure.
- Scalability and availability require extensive planning.
Example: An enterprise uses ADFS to allow its internal users to access a third-party vendor’s portal using their Windows login credentials.
☁️ 2. Cloud-Based Federation
Features:
- Identities or federation services are hosted in the cloud (e.g., Azure AD, Google Workspace).
- Offers Identity as a Service (IDaaS) model.
- Connects to SaaS platforms like Salesforce, Workday, Zoom, etc.
Protocols:
- OAuth 2.0, OpenID Connect (modern web-based applications)
- SAML (widely supported in cloud SaaS environments)
Pros:
- Scalability and high availability.
- Reduces on-prem infrastructure.
- Fast integration with thousands of cloud providers.
Challenges:
- Requires proper configuration to avoid token theft or SSO misconfigurations.
- Dependency on third-party service availability.
Example: An organization uses Azure AD to authenticate users for Microsoft 365, Salesforce, and Zoom using a single sign-on flow.
🔀 3. Hybrid Federation
Features:
- Combines on-prem and cloud identity systems.
- Bridges legacy environments with modern cloud services.
- Users authenticate via on-prem AD, but tokens are extended to cloud apps via federation.
Common Tools:
- Azure AD Connect
- Okta Universal Directory
- PingFederate, OneLogin
Use Case:
- Enterprises migrating to the cloud but maintaining legacy apps.
- Allows gradual transition without breaking access.
Example: A hybrid enterprise allows internal users to log into cloud services (like AWS Console) using credentials from their on-prem AD synced via Azure AD Connect.
Federated identity enables seamless, secure access across organizational and technological boundaries. Whether on-premise, cloud-native, or hybrid, the goal is consistent: reduce identity sprawl, increase trust, and strengthen security posture through centralized authentication and distributed access.
CISSP candidates should focus on the trust relationships, protocols, and security implications of identity federation. Always apply least privilege, token expiration, and secure session management in federated environments.
5.4 – Implement and Manage Authorization Mechanisms
Authorization is the process of defining and enforcing what authenticated users are allowed to do. It determines access rights to systems, data, or services based on roles, rules, attributes, or contextual risk factors. This section explores the major access control models and enforcement architectures.
🎯 Role-Based Access Control (RBAC)
Definition:
Grants access based on a user’s role within an organization.
- Roles are mapped to job functions (e.g., HR, Finance, Engineer).
- Users inherit permissions associated with their role.
- Reduces administration overhead and supports least privilege.
Real-World Example: A Payroll Manager can access salary reports, while a Junior HR analyst cannot.
📜 Rule-Based Access Control
Definition:
Access is determined by predefined rules set by administrators.
- Not tied to user roles, but to rules like time of access, IP address, or system state.
- Often used in firewalls, IDS/IPS, and network access policies.
Example: Only allow remote admin access to a server during business hours.
🔐 Mandatory Access Control (MAC)
Definition:
A central authority defines access controls based on security classifications.
- Users and data are assigned sensitivity labels (e.g., Top Secret, Secret, Confidential).
- Enforced by the operating system; non-discretionary.
- Users cannot override policies.
Example: A military user with a “Secret” clearance cannot access “Top Secret” files, regardless of their role.
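The label comparison behind that example, as an added illustration (not code from the page): a small reference monitor applying the Bell-LaPadula rules, with "no read up" for reads and "no write down" for writes. The compartment names and the four-level hierarchy are assumed.

```python
from enum import IntEnum
from typing import FrozenSet, Iterable


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Label:
    """Sensitivity label = hierarchical level + compartments (need-to-know categories)."""

    def __init__(self, level: Level, compartments: Iterable[str] = ()):
        self.level = level
        self.compartments: FrozenSet[str] = frozenset(compartments)

    def dominates(self, other: "Label") -> bool:
        # A label dominates another when its level is at least as high AND it carries
        # every compartment of the other (the lattice ordering MAC decisions rest on).
        return self.level >= other.level and self.compartments >= other.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object must dominate the subject."""
    return obj.dominates(subject)


def decide(clearance: Label, obj_label: Label, action: str) -> bool:
    """Reference-monitor decision. Role and ownership are deliberately not inputs:
    under MAC only the labels set by the central authority decide."""
    if action == "read":
        return can_read(clearance, obj_label)
    if action == "write":
        return can_write(clearance, obj_label)
    raise ValueError("unknown action: %s" % action)


if __name__ == "__main__":
    # Constructed illustration of the page's example: Secret clearance vs Top Secret file.
    analyst = Label(Level.SECRET, {"CRYPTO"})
    top_secret_file = Label(Level.TOP_SECRET, {"CRYPTO"})
    print(decide(analyst, top_secret_file, "read"))    # False: no read up
    print(decide(analyst, top_secret_file, "write"))   # True: writing upward is allowed
```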
🛂 Discretionary Access Control (DAC)
Definition:
The data owner determines who can access their resources.
- Common in operating systems (e.g., NTFS permissions).
- Flexible but prone to misconfiguration.
- Enforces access via Access Control Lists (ACLs).
Example: A user shares a file on a shared drive and manually gives others read/write access.
🧬 Attribute-Based Access Control (ABAC)
Definition:
Access decisions are made based on user, resource, environment, or action attributes.
- Supports fine-grained and context-aware access.
- Often used in cloud and Zero Trust architectures.
- Policies use Boolean logic: e.g., “allow if user.department == ‘Finance’ and time < 6 PM.”
Example: Grant access to a financial dashboard only if the user is in the Finance department and accessing from a corporate IP.
⚖️ Risk-Based Access Control
Definition:
Grants or denies access based on real-time risk assessment.
- Factors include device health, user behavior, geographic location, time anomalies.
- Integrates with User and Entity Behavior Analytics (UEBA).
- Often used in adaptive access control.
Example: If a user logs in from an unusual country, access to sensitive data is blocked, or additional MFA is required.
🔐 Access Policy Enforcement
Key Components:
- Policy Decision Point (PDP): Evaluates access requests based on policies.
- Policy Enforcement Point (PEP): Enforces the decision (e.g., allow or deny access).
Flow:
- A user attempts to access a resource.
- The PEP intercepts the request.
- The PDP evaluates it using current policies.
- The PEP enforces the PDP’s decision.
Example: In an enterprise web portal, access requests to confidential documents are evaluated by PDPs that check group memberships, ABAC policies, and session context.
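The ABAC rule quoted earlier ("allow if user.department == 'Finance' and time < 6 PM", plus the corporate-IP condition) and the PDP/PEP flow just described, combined in one added example that is not part of the original page: policies are Boolean predicates over subject, resource and environment attributes, the PDP applies deny-overrides with default deny, and the PEP intercepts, records and enforces. The corporate address ranges, group names and resource attributes are assumed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Callable, List, Tuple


@dataclass
class Request:
    subject: dict       # user attributes: id, department, groups
    resource: dict      # resource attributes: type, owner, classification
    action: str
    environment: dict   # context attributes: source_ip, time, mfa


@dataclass
class Policy:
    name: str
    target: Callable[[Request], bool]      # does this policy apply to the request?
    condition: Callable[[Request], bool]   # if it applies, is access permitted?


# Assumed corporate address ranges backing the "corporate IP" environment attribute.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]


def from_corporate_ip(env: dict) -> bool:
    ip = ipaddress.ip_address(env["source_ip"])
    return any(ip in net for net in CORPORATE_NETS)


POLICIES: List[Policy] = [
    Policy(
        "finance-dashboard",
        target=lambda r: r.resource["type"] == "dashboard" and r.resource["owner"] == "Finance",
        condition=lambda r: (r.subject["department"] == "Finance"
                             and r.environment["time"] < time(18, 0)
                             and from_corporate_ip(r.environment)),
    ),
    Policy(
        "confidential-documents",
        target=lambda r: (r.resource["type"] == "document"
                          and r.resource["classification"] == "confidential"),
        condition=lambda r: "doc-readers" in r.subject["groups"] and r.environment["mfa"],
    ),
]


class PolicyDecisionPoint:
    """Evaluates a request against every applicable policy: deny-overrides, default deny."""

    def __init__(self, policies: List[Policy]):
        self.policies = policies

    def decide(self, req: Request) -> Tuple[str, str]:
        applicable = [p for p in self.policies if p.target(req)]
        if not applicable:
            return "DENY", "no applicable policy"
        for p in applicable:
            if not p.condition(req):
                return "DENY", p.name
        return "PERMIT", ",".join(p.name for p in applicable)


class PolicyEnforcementPoint:
    """Intercepts the access, asks the PDP, records the decision, then allows or blocks."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit: List[Tuple[str, str, str, str]] = []   # (user, action, decision, reason)

    def access(self, req: Request, handler: Callable[[Request], object]) -> object:
        decision, reason = self.pdp.decide(req)
        self.audit.append((req.subject["id"], req.action, decision, reason))
        if decision != "PERMIT":
            raise PermissionError("%s: %s" % (decision, reason))
        return handler(req)


def make_request(user, dept, groups, resource, ip, at, mfa=False, action="read") -> Request:
    return Request({"id": user, "department": dept, "groups": set(groups)},
                   resource, action, {"source_ip": ip, "time": at, "mfa": mfa})
```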
Effective authorization mechanisms are central to minimizing attack surface and limiting the blast radius of potential breaches. Understanding the strengths, weaknesses, and proper application of RBAC, MAC, DAC, ABAC, and risk-based controls is key to secure design.
In CISSP exam scenarios, choose authorization methods that enforce least privilege, support auditing, and align with organizational policies or compliance frameworks.
5.5 – Manage the Identity and Access Provisioning Lifecycle
Identity and access provisioning is the foundation for ensuring that users, systems, and services have the appropriate access at all times—no more, no less. It encompasses the entire identity lifecycle, from onboarding to offboarding, including regular audits and privilege management.
🔍 1. Account Access Review
Purpose:
To ensure access remains appropriate and aligned with current roles.
- Conduct periodic reviews of user accounts, roles, and privileges.
- Review system accounts (e.g., database admin, app accounts) and service accounts.
- Identify orphaned accounts (e.g., inactive accounts, terminated employees).
- Use access certification campaigns with department heads or system owners.
Example: Quarterly access reviews reveal that a contractor who left three months ago still has VPN access.
🔄 2. Provisioning and Deprovisioning
Provisioning:
- Establish new accounts during onboarding.
- Assign correct roles and permissions based on least privilege.
- Automatically sync with HR systems or directories (e.g., Azure AD, Okta).
Deprovisioning:
- Disable or remove accounts upon termination or transfer.
- Revoke tokens, disable smart cards, block physical access.
- Archive audit logs for forensic and compliance purposes.
Automation Tip: Use Identity Governance and Administration (IGA) tools to enforce timely provisioning and deprovisioning.
Example: When an employee is terminated in the HR system, all associated accounts in email, VPN, and cloud apps are automatically disabled within 15 minutes.
🔁 3. Role Definition and Transition
Goal:
Ensure access is aligned with job functions and kept current when roles change.
- Define roles with specific permissions for job functions.
- When an employee transfers or is promoted, old access is revoked and new access granted.
- Use role mining and role engineering techniques to define roles based on real usage.
Example: When a software engineer becomes a team lead, their access to code repositories is expanded, but write access to production is removed.
⬆️ 4. Privilege Escalation
Challenge:
Temporary or unintended elevation of privileges can lead to insider threats or abuse.
- Monitor use of sudo and other elevation tools.
- Enforce Just-In-Time (JIT) access for temporary admin rights.
- Log and audit all privileged actions (e.g., command history, file access).
- Separate duties to avoid toxic combinations (e.g., system admin + financial access).
Example: A database admin uses sudo to patch production. All sudo commands are logged and reviewed weekly by the security team.
⚙️ 5. Service Account Management
What are Service Accounts?
Non-human accounts used by applications or automated processes.
- Examples: Database connection accounts, scheduled jobs, backup scripts.
- Often run with excessive privileges and no password rotation.
Best Practices:
- Assign minimal required privileges.
- Rotate credentials regularly (automated via vaulting systems).
- Avoid interactive logins.
- Monitor and alert on abnormal behavior (e.g., login at odd hours).
Example: A backup script runs with a service account that is monitored and has credentials rotated every 30 days using CyberArk.
Proper identity and access lifecycle management ensures that users and systems only have access when needed and no longer than necessary. Automating provisioning, enforcing role-based access, auditing privileges, and securing service accounts are core security practices that reduce the risk of both external and insider threats.
For the CISSP exam, focus on ensuring processes are timely, accurate, and auditable, and align with least privilege, separation of duties, and lifecycle controls.
5.6 – Implement Authentication Systems
Authentication systems verify the identity of users, devices, or services before granting access to resources. Implementing a secure and scalable authentication system is vital for protecting assets and reducing the risk of unauthorized access.
🔐 Types of Authentication Systems
1. Single-Factor Authentication (SFA)
- Relies on one method (usually a password).
- Low assurance; vulnerable to phishing and brute-force attacks.
- Still widely used for low-risk access.
2. Multi-Factor Authentication (MFA)
- Requires two or more of the following:
- Something you know (password, PIN)
- Something you have (OTP device, smartphone, smartcard)
- Something you are (fingerprint, facial recognition, retina scan)
- Greatly increases access security and is a must for sensitive operations.
Example: Logging into a VPN requires a password (knowledge) and a smartphone OTP app (possession).
🔒 Authentication Technologies
1. Password-based Authentication
- Store passwords only as salted, deliberately slow hashes (e.g., bcrypt, PBKDF2), never in plaintext or as a plain hash.
- Enforce complexity, rotation, and length policies.
- Apply account lockout and monitoring for brute-force prevention.
2. Token-based Authentication
- Hardware tokens (RSA SecurID)
- Software tokens (Google Authenticator, Microsoft Authenticator)
- Time-based One-Time Passwords (TOTP): Expire every 30 seconds.
3. Biometric Authentication
- Fingerprints, facial recognition, iris scans.
- Risk of false positives (accepting an impostor) and false negatives (rejecting a legitimate user).
- Biometric data must be securely stored and never reused.
4. Certificate-based Authentication
- Uses digital certificates (e.g., X.509) issued by a trusted Certificate Authority (CA).
- Common in PKI environments, especially for device and server authentication.
- Supports mutual authentication.
5. Federated Authentication
- Leverages identity providers (IdP) via SAML, OAuth, OpenID Connect.
- Enables SSO across domains.
- Popular for cloud applications and business-to-business integrations.
Example: A user logs into Google Workspace using enterprise credentials via SAML federation.
📶 Authentication System Architectures
Centralized Authentication:
- All authentication requests are processed by a central system (e.g., Active Directory, RADIUS).
- Easier to manage but can become a single point of failure.
Distributed Authentication:
- Used in cloud-native and microservices environments.
- Uses token-based systems (e.g., OAuth2 with JWTs).
Directory Services:
- LDAP or Active Directory.
- Used for storing credentials and policy enforcement.
Cloud Authentication (IDaaS):
- Services like Azure AD, Okta, Google Identity provide cloud-based authentication.
- Support MFA, federation, SSO, and device compliance.
🛡️ Authentication Best Practices
- Enforce MFA for all administrative and remote access.
- Implement adaptive authentication (risk-based – adjust requirements based on context).
- Rotate shared credentials regularly or use Just-In-Time access.
- Protect credential stores (e.g., hash passwords, secure biometric templates).
- Use TLS/SSL to encrypt all authentication traffic.
Authentication systems are the front gate to your digital infrastructure. The choice and implementation of these systems should consider the risk level, user convenience, integration capabilities, and compliance requirements. As a CISSP professional, your focus should be on deploying strong, resilient, and scalable authentication mechanisms that integrate with the broader identity ecosystem.
In the CISSP exam, prioritize solutions that reduce credential exposure, support centralization and scalability, and follow the Zero Trust principle.
✅ Exam Tips
🔐 1. Understand the “Why” Behind IAM
- Think business justification: Why does this access exist? Who approved it?
- Questions often test your ability to balance security with usability (e.g., when to implement MFA or SSO).
🔄 2. Master the Access Control Models
- Know when to apply:
- RBAC (organizational role-based access)
- MAC (military/government with classification labels)
- DAC (owner-defined access)
- ABAC (attribute-based, used in cloud/zero trust)
- Risk-based access control (adaptive authentication)
- Understand their strengths, weaknesses, and compliance implications.
🧾 3. Identity Lifecycle = Provisioning + Monitoring + Deprovisioning
- Expect scenario-based questions like:
“An employee has moved departments — what should the security team do first?”
→ Revoke old access before assigning new.
- Ensure you know how to manage orphaned accounts, privilege creep, and service accounts.
📡 4. Federated Identity and SSO
- Know the protocols:
- SAML → Enterprise SSO
- OAuth2 / OpenID Connect → Web/Mobile
- Kerberos → On-premise AD
- Understand the identity provider (IdP) vs service provider (SP) model.
🔐 5. Authentication Strength Matters
- MFA beats SFA every time — but don’t overapply it (e.g., internal low-risk systems may not need it).
- Understand password-less authentication, certificates, and biometrics.
- Know how adaptive authentication adjusts based on behavior or risk.
🧪 6. Just-In-Time & Privileged Access
- If access must be elevated:
→ Use JIT, enforce logging, and tie actions to an approval trail.
- Questions may present scenarios where an admin abuses standing privileges — choose least privilege + audit + escalation limits.
🧠 7. Think from a Risk-Based Lens
- Questions often present trade-offs:
- Security vs Cost
- Usability vs Compliance
- Choose the answer that applies least privilege, defense in depth, and accountability.
🧠 Key Principle Recap:
- IAM is not just about logins — it’s about who gets access to what, when, and how it’s managed.
- Every access path should be authorized, monitored, and revocable.

