CISSP Playbook – Domain 5: Identity and Access Management

---

Identity Is the New Perimeter. Govern It Like One.

Identity & Access Management – A CISO Operating Guide

By Praveen Kumar | TheCyberThrone

Scope Note

This playbook covers the complete Domain 5 landscape — governance, architecture, protocols, access models, lifecycle management, and exam decision rules.
Built for the security professional who needs both the mindset and the technical depth to pass the exam and operate in the real world.

Purpose of Domain 5

Domain 5 is about who gets access, how that access is proven, what they are allowed to do, and how every action is tied back to an accountable identity.

Domain 5 mindset:
“Access is not a convenience. It is a controlled risk decision.”

This domain tests policy thinking and architecture judgment, not protocol memorization.

Executive Context

Identity failures are not technical failures.
They are governance failures that manifest as technical events.

When Domain 5 fails in the real world:

Former employees retain access months after departure
Privileged accounts are shared across administrators
Access rights accumulate silently as roles change
No one can answer: who has access to what, and why?

The question Domain 5 forces every organization to answer:
“Can you prove that every identity with access today deserves that access today?”

If the answer is uncertain — Domain 5 has already failed.

1. Core Objectives of Identity & Access Management

IAM exists to ensure:

• Only authorized identities can access resources
• Access is granted at the right level — not above, not below
• Every action is traceable to an accountable identity
• Access is revoked when it is no longer needed

Key truth:

Most insider threats do not exploit zero-days — they exploit excessive access that was never removed.

2. The IAAA Framework

Everything in Domain 5 maps back to four concepts:

Identification

• Claiming an identity — username, card, biometric
• Not proof — just a declaration

Authentication

• Proving the claimed identity
• Something you know / have / are

Authorization

• Determining what an authenticated identity is permitted to do
• Governed by access control models

Accountability

• Ensuring actions can be traced back
• Enabled through audit logs, monitoring, and non-repudiation

CISSP rule:
All four must work together. Any gap breaks the chain.

3. Authentication Factors & Mechanisms

The Three Classic Factors

• Something you know — password, PIN
• Something you have — token, smart card, OTP device
• Something you are — biometrics

Exam trap:
Two passwords is NOT multi-factor. Factors must be different types.

Biometrics

• FAR — False Acceptance Rate (wrong person let in)
• FRR — False Rejection Rate (right person locked out)
• CER/EER — Crossover Error Rate: where FAR = FRR. Lower CER = more accurate system

CISSP mindset:
FAR and FRR trade off against each other. You cannot minimize both simultaneously.

Single Sign-On (SSO)

• One authentication, multiple system access
• Benefit: reduced credential fatigue, centralized control
• Risk: single point of failure

Design principle:
SSO must be protected with strong authentication at the entry point.

4. Identity Protocols You Must Understand

Kerberos

• Ticket-based, symmetric encryption
• Components: KDC → AS → TGT → TGS → Service Ticket → Resource
• Vulnerable to: pass-the-ticket, golden ticket attacks

CISSP exam reality:
Understand the flow and trust model — not the packet structure.

RADIUS vs TACACS+

• RADIUS: UDP, combines AuthN + AuthZ, encrypts password only
• TACACS+: TCP, separates AuthN + AuthZ + Accounting, encrypts full payload

Design rule:
TACACS+ for device administration. RADIUS for network access authentication.

SAML / OAuth / OIDC

• SAML: XML-based enterprise federation for SSO
• OAuth 2.0: authorization delegation — NOT authentication
• OpenID Connect: authentication layer built on top of OAuth 2.0

Exam trap:
OAuth is not an authentication protocol. OIDC is.

5. Identity Lifecycle Management

Provisioning

• Creating accounts, assigning roles, granting access
• Must follow least privilege from day one

Maintenance

• Updating access when roles change
• Transfers and promotions require access review — not just addition

Deprovisioning

• Revoking access when employment ends or role changes
• CISSP priority: First action on termination is disabling access — before collecting equipment

Access Recertification

• Periodic reviews to confirm access is still appropriate
• Primary defense against privilege creep

Key truth:

Privilege creep is not a technical failure. It is a governance failure.

6. Access Control Models

You are tested on which model fits which situation — not definitions alone.

DAC — Discretionary Access Control

• Owners control access to their own resources
• Flexible but weak
• Vulnerable to Trojan horse attacks

MAC — Mandatory Access Control

• System enforces access based on labels and clearances
• Used in government and military environments

Models under MAC:

• Bell-LaPadula — Confidentiality model. No read up. No write down.
• Biba — Integrity model. No read down. No write up.

Exam anchor:
Bell-LaPadula protects secrecy. Biba protects accuracy.

RBAC — Role-Based Access Control

• Access based on job role, not individual identity
• Most common enterprise model
• Reduces administrative burden significantly

ABAC — Attribute-Based Access Control

• Access based on subject attributes, object attributes, and environment
• Most flexible and granular
• Preferred for cloud and dynamic environments

CISSP mindset:
Match the model to the sensitivity and business context — not to what is easiest to deploy.

7. Privileged Access Management

Privileged accounts are the highest-value targets in any environment.

Controls:

• Just-in-time access provisioning
• Session recording and monitoring
• Credential vaulting
• Separation of duties enforcement
• No shared privileged accounts

CISSP rule:
Privileged access must be treated as a high-risk surface — not a convenience.

8. Identity Federation

Federation allows identities from one organization to be trusted by another.

Key concepts:

• Trust models — one-way, two-way, transitive, federated
• SCIM — System for Cross-domain Identity Management. Automates user provisioning.
• WS-Federation — Microsoft’s cross-domain identity standard

Design principle:
Federation extends trust boundaries. Extending trust is extending risk.

9. Physical and Logical Access Controls

Domain 5 is not just about logical systems.

Physical access considerations:

• Badge systems
• Biometric entry controls
• Visitor management
• Facility access logs

Logical access considerations:

• Account provisioning workflows
• Access control lists
• Directory services (LDAP / Active Directory)

CISSP mindset:
Physical and logical access must be aligned. Inconsistency creates exploitable gaps.

10. Monitoring, Auditing & Accountability

Access without accountability is incomplete security.

Key controls:

• Audit log generation and protection
• Non-repudiation mechanisms
• Access review triggers (role change, unusual behavior)
• Separation of duties in log management

CISSP bias:
Logs that can be modified by the same person who generated them have no integrity value.

11. CISSP Exam Decision Rules for Domain 5

When in doubt:

1. Choose least privilege over convenience
2. Choose deprovisioning immediately over gradual revocation
3. Choose MFA over single-factor for sensitive access
4. Choose role-based access over individual assignment at scale
5. Choose accountability over anonymity in any access model
6. Choose policy enforcement over manual review for provisioning

Final Domain 5 Playbook Truth

“Identity is the new perimeter. If you don’t control who gets in, architecture and encryption mean nothing.”