Domain 5 — Identity and Access Management (IAM) Summary
This domain constitutes a significant 13% of the CISSP exam, making its mastery essential for your success. This summary is designed to be a powerful revision tool, distilling the most important concepts you need to know about controlling access, managing identities, and implementing robust authentication and authorization mechanisms. By understanding these principles, you are learning how to directly uphold the core tenets of security: Confidentiality, Integrity, and Availability. Let's dive in and solidify your knowledge.
5.0 Controlling Physical and Logical Access to Assets
Access control defines who can interact with organizational assets, under what conditions, and to what extent. In CISSP, access control is evaluated as a governance and risk decision, not a technical configuration task. Effective access control ensures that interactions between subjects (users, processes) and objects (data, systems, applications) are explicitly authorized, traceable, and revocable.
For the exam, the focus is on policy enforcement, risk reduction, and accountability.
Core Principles of Access Control
| Principle | Purpose | CISSP Exam Mindset |
|---|---|---|
| Need to Know | Limits access to only those who require the information | Reduce exposure of sensitive assets |
| Least Privilege | Grants only the minimum required permissions | Limit damage from mistakes or compromise |
| Separation of Duties (SoD) | Splits critical tasks across roles | Prevent fraud and unilateral abuse |
Note
If one person can complete a sensitive action alone, risk is too high.
Access Control Administration Models
Organizations enforce access control using different administrative structures, each with trade-offs.
| Model | CISSP Perspective |
|---|---|
| Centralized | Strong consistency, easier auditing, but a high-value single target |
| Decentralized | Flexible, but inconsistent and difficult to audit |
| Hybrid | Most common in real organizations due to legacy systems |
Exam Focus:
Hybrid models exist because reality is messy, not because they are ideal.
5.1 Managing Identification and Authentication
Identification and authentication are the foundation of access control. In the CISSP exam context, these mechanisms establish who is requesting access and how confidently that identity can be trusted. Without strong identification and authentication, authorization and accountability controls become meaningless.
CISSP evaluates authentication as a risk and assurance decision, not a technical configuration task.
The IAAA Access Control Framework
Access control services operate in a strict sequence:
| Component | Purpose | CISSP Exam View |
|---|---|---|
| Identification | Claiming an identity | "Who are you?" |
| Authentication | Verifying the identity claim | "Prove it" |
| Authorization | Granting permissions | "What can you do?" |
| Accountability | Tracing actions to an identity | "Who did what?" |
Authentication Factors
Authentication relies on one or more independent factors:
| Factor | Description | CISSP Insight |
|---|---|---|
| Something You Know | Passwords, PINs, passphrases | Most common, weakest |
| Something You Have | Tokens, smart cards, OTP devices | Stronger, possession-based |
| Something You Are | Biometrics | Strong identity binding |
Using two or more factors = Multifactor Authentication (MFA). MFA requires different factor types, not multiple passwords.
Knowledge-Based Authentication
Password-based authentication is vulnerable to:
Brute-force and dictionary attacks
Credential reuse
Social engineering
CISSP Focus:
Strong password policies, salted and deliberately slow hashing of stored passwords, lockout thresholds, and user awareness reduce, but do not eliminate, risk.
Ownership-Based Authentication
This factor relies on possession of an object:
One-Time Passwords (OTP)
Hardware or software tokens
Smart cards
| OTP Type | CISSP View |
|---|---|
| Synchronous | Time-based or counter-based; token and server stay in step |
| Asynchronous | Challenge-response; server sends a nonce, token computes the answer |
Loss of a token is not by itself a compromise when the token is paired with another factor (for example a smart card that still requires a PIN); a token used alone is.
Biometric Authentication
Biometrics use unique physiological or behavioral traits.
| Physiological | Behavioral |
|---|---|
| Fingerprints | Keystroke dynamics |
| Iris / Retina | Voice patterns |
| Facial features | Gait |
Biometric systems store a derived template, not the raw sample. The template still needs protection: unlike a password, a compromised fingerprint or iris cannot be reissued.
Biometric Error Types
| Error Type | Meaning | Risk Impact |
|---|---|---|
| Type 1 (FRR, False Rejection Rate) | Valid user rejected | Usability issue |
| Type 2 (FAR, False Acceptance Rate) | Invalid user accepted | Security breach |
Exam Rule:
Type 2 errors are more dangerous than Type 1 errors.
The Crossover Error Rate (CER) is where FAR = FRR.
Lower CER = more accurate system.
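The FAR/FRR trade-off and the CER are easiest to see when the threshold is actually swept. The block below is an added example, not part of the original summary: the match scores for two hypothetical matchers (System A and System B) are constructed, and the functions compute FAR, FRR and the crossover point for each, showing why the system with the lower CER is the more accurate one.

```python
"""FAR, FRR and crossover error rate (CER) for a biometric matcher.

Added example with constructed (synthetic) match scores. A higher score means the
presented sample is more similar to the enrolled template; the decision rule is
"accept if score >= threshold".
"""

# System A: well-separated genuine and impostor score distributions (constructed).
GENUINE_A = [92, 88, 95, 81, 77, 90, 85, 69, 96, 83, 74, 91, 87, 79, 93]
IMPOSTOR_A = [40, 55, 62, 71, 48, 66, 58, 73, 51, 45, 68, 60, 76, 53, 49]

# System B: heavily overlapping distributions, i.e. a weaker matcher (constructed).
GENUINE_B = [80, 70, 65, 85, 75, 60, 90, 72, 68, 78]
IMPOSTOR_B = [55, 62, 70, 58, 66, 74, 60, 68, 52, 64]


def far(impostor_scores, threshold):
    """Type 2 / False Acceptance Rate: impostors whose score reaches the threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """Type 1 / False Rejection Rate: genuine users whose score falls below it."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def operating_point(genuine_scores, impostor_scores, threshold):
    """Both error rates at one threshold: raising it lowers FAR and raises FRR."""
    return {"threshold": threshold,
            "far": far(impostor_scores, threshold),
            "frr": frr(genuine_scores, threshold)}


def crossover_error_rate(genuine_scores, impostor_scores):
    """Sweep every score seen as a candidate threshold; return (threshold, cer).

    The CER is the error rate at the threshold where FAR and FRR are closest to
    equal. Lower CER means the two populations overlap less, i.e. a better sensor
    or algorithm; the threshold itself is then tuned toward FAR or FRR by policy.
    """
    best = None
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    _, threshold, cer = best
    return threshold, cer


if __name__ == "__main__":
    for name, g, i in (("A", GENUINE_A, IMPOSTOR_A), ("B", GENUINE_B, IMPOSTOR_B)):
        t, cer = crossover_error_rate(g, i)
        print(f"System {name}: CER {cer:.3f} at threshold {t}")
        # A high-security deployment moves the threshold up and pays in rejections.
        print("  high-security point:", operating_point(g, i, t + 6))
```

Note that the CER only compares matchers; a deployed system is not run at the CER. A data-centre door is tuned above it (FAR toward zero, more Type 1 annoyances), a low-risk convenience unlock below it.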
Authentication Assurance Levels (AAL)
NIST SP 800-63B defines three Authenticator Assurance Levels (AALs):
| Level | Assurance | CISSP Interpretation |
|---|---|---|
| AAL1 | Some assurance | Single-factor permitted |
| AAL2 | High confidence | MFA required (two distinct factor types) |
| AAL3 | Very high confidence | MFA with a hardware-based authenticator and verifier-impersonation resistance |
Higher risk systems demand higher AAL.
Session Management
Authentication does not eliminate risk after login.
Session hijacking allows attackers to take over valid sessions.
Primary Controls:
Session expiration (idle timeout and an absolute lifetime cap)
Re-authentication before sensitive actions (step-up)
Secure session handling: unpredictable session identifiers, regenerated after login so a pre-planted identifier cannot be reused (session fixation), and transmitted only over protected channels with the Secure and HttpOnly cookie flags
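As an added example, not code from the original page or from any web framework, the following server-side session store puts the controls listed above into one place: an unguessable identifier from the OS CSPRNG, idle and absolute timeouts, identifier rotation after login, and a step-up check that requires recent authentication before a sensitive action. The timeout values are illustrative policy choices, and the current time is passed in explicitly so the behaviour can be exercised deterministically (a real server would use time.time()).

```python
"""Session management: expiration, re-authentication and secure handling.

Added example, framework-independent. Timeouts are illustrative policy values;
timestamps are injected so the logic is testable without a clock.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on lifetime, however active the user is
REAUTH_WINDOW = 5 * 60        # sensitive actions need authentication this recent


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    authenticated_at: float


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG: a hijacker must steal it, not predict it.
        return secrets.token_urlsafe(32)

    def login(self, user: str, now: float) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session(user, now, now, now)
        return sid

    def validate(self, sid: str, now: float) -> Session | None:
        """Return the live session, or destroy an expired one and return None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def rotate(self, sid: str, now: float) -> str | None:
        """Re-key the session after login or a privilege change.

        Any identifier an attacker planted in the browser before authentication
        (session fixation) stops working the moment the user logs in.
        """
        s = self.validate(sid, now)
        if s is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = s
        return new_sid

    def reauthenticate(self, sid: str, now: float) -> bool:
        """Called after the user re-enters a credential or completes MFA."""
        s = self.validate(sid, now)
        if s is None:
            return False
        s.authenticated_at = now
        return True

    def authorize_sensitive(self, sid: str, now: float) -> bool:
        """Step-up rule: live session AND authentication within REAUTH_WINDOW."""
        s = self.validate(sid, now)
        return s is not None and now - s.authenticated_at <= REAUTH_WINDOW

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def cookie_header(sid: str) -> str:
    """Set-Cookie value: never over plaintext HTTP, never readable by page scripts."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

The absolute timeout is what bounds the damage from a stolen identifier that the attacker keeps alive with periodic requests; the idle timeout alone would never expire it.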
Key Takeaway
Authentication is about confidence, not convenience.
CISSP questions reward candidates who choose authentication methods based on risk, assurance level, and impact, not popularity or ease of use.
5.2 Federating Identity with a Third-Party Service
Federated identity extends Single Sign-On beyond organizational boundaries by allowing trusted third parties to rely on a shared authentication process. This model is foundational to cloud services, SaaS platforms, and business-to-business integrations.
CISSP evaluates federation as a trust decision, not a protocol configuration.
SSO vs Federated Identity (Exam-Critical Distinction)
Single Sign-On (SSO):
One authentication grants access to multiple systems within the same organization.
Federated Identity:
Authentication performed by one organization is trusted by external organizations, eliminating duplicate accounts.
Federated Identity Roles
Principal (User): Requests access
Identity Provider (IdP): Authenticates the user
Relying Party / Service Provider (SP): Grants access based on trust in the IdP
Exam Rule:
The Service Provider trusts the IdP: it accepts the IdP's signed assertion about the user instead of verifying credentials itself, so a compromised IdP compromises every relying party that trusts it.
Identity as a Service (IDaaS)
IDaaS delivers identity and access management as a cloud service, supporting both on-premises and cloud-based applications.
Common Capabilities:
SSO and MFA
Identity provisioning
Directory services
Centralized administration
Key Risks:
Provider availability outages
Third-party control of PII
Vendor trust and concentration risk
Exam Rule:
IDaaS improves scalability but increases dependency risk.
Federation Protocols (Recognition-Level Only)
| Protocol | Primary Purpose | CISSP View |
|---|---|---|
| SAML 2.0 | Authentication and authorization assertions (XML) | Enterprise federation |
| OAuth 2.0 | Delegated authorization only (access tokens for APIs) | API and app access |
| OpenID Connect | Authentication layer built on top of OAuth 2.0 (adds the ID token) | Modern identity standard |
Exam Rule:
OAuth ≠ authentication.
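The rule above is concrete at the relying party: an OAuth access token says what an API may be called with, while an OIDC ID token says who authenticated, for which client, and in answer to which request. The block below is an added example, not code from the original summary or from any identity product. It mints tokens as HS256 JWTs with a shared secret purely so that it runs offline; a real IdP signs with an asymmetric key and the relying party fetches the public keys from the IdP's JWKS endpoint. The issuer, client_id, API audience and secret are all constructed values.

```python
"""Relying-party validation of an OIDC ID token, and why an OAuth access token
must not be accepted as proof of identity.

Added example. HS256 with a shared secret stands in for the IdP's asymmetric
signature so the block is self-contained; identifiers below are constructed.
"""
import base64
import hashlib
import hmac
import json

IDP_ISSUER = "https://idp.example.com"      # constructed
RP_CLIENT_ID = "web-portal"                 # constructed: this relying party's client_id
API_AUDIENCE = "https://api.example.com"    # constructed: a resource server, not us
SHARED_SECRET = b"demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """IdP side: compact JWS, HS256 over 'header.payload'."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, now: int,
                      secret: bytes = SHARED_SECRET) -> dict:
    """RP side: return the claims only if the token proves identity to *this* RP.

    Each check is a trust decision: who issued it, who it was issued for, whether
    it is still fresh, and whether it answers the request we actually made.
    Raises ValueError naming the first failed check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # the verifier fixes the algorithm, never the token
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if RP_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        # An access token for the API carries the API's audience, not ours:
        # valid OAuth, but not authentication of the user to this application.
        raise ValueError("token not issued for this relying party")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims
```

The audience check is the line that encodes "OAuth is not authentication": a perfectly valid access token minted for the API fails it, because nothing in that token says the user authenticated to this client.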
5.3 Implementing and Managing Authorization Mechanisms
Authorization determines what an authenticated user is allowed to do. CISSP tests authorization as a policy enforcement decision, not a permission-setting task.
Access Control Models (High-Yield Exam Area)
| Model | Core Logic | Best Use |
|---|---|---|
| DAC | Owner controls access | General-purpose systems |
| MAC | Labels + clearances | Military / government |
| RBAC | Role-based permissions | Enterprise IAM |
| Rule-Based | If-then rules | Firewalls, routers |
| ABAC | Attribute-driven | Cloud, zero trust |
| Risk-Based | Context-aware decisions | Financial systems |
Exam Rule:
RBAC scales.
ABAC adapts.
MAC enforces confidentiality.
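The three rules above become clearer when each model is written down as a decision function. The block below is an added example, not code from the original summary or any product: a MAC check implementing the Bell-LaPadula confidentiality rules (no read up, no write down), an RBAC lookup, a separation-of-duties scan over the role assignments, and an ABAC policy that decides on subject, object and environment attributes. The labels, roles, users and policy are constructed.

```python
"""Authorization decisions under MAC, RBAC and ABAC, plus a SoD check.

Added example; the policy, roles and subjects are constructed for illustration.
"""
from dataclasses import dataclass

# --- MAC: labels and clearances, Bell-LaPadula confidentiality rules -----------
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


def mac_permits(clearance: str, label: str, action: str) -> bool:
    """Simple security property: no read up. Star property: no write down.

    The star property is what stops a SECRET-cleared process copying SECRET
    data into a CONFIDENTIAL file, which is why MAC "enforces confidentiality".
    """
    c, lv = LEVELS[clearance], LEVELS[label]
    if action == "read":
        return c >= lv
    if action == "write":
        return c <= lv
    return False


# --- RBAC: permissions attach to roles, identities attach to roles --------------
ROLE_PERMISSIONS = {
    "clerk":    {"invoice:create", "invoice:read"},
    "approver": {"invoice:read", "invoice:approve"},
    "auditor":  {"invoice:read", "audit:read"},
}
USER_ROLES = {
    "alice": {"clerk"},
    "bob":   {"approver"},
    "carol": {"clerk", "approver"},   # toxic combination, caught by sod_violations()
}


def rbac_permits(user: str, permission: str) -> bool:
    """Scales because a new hire gets a role, not a hand-built permission list."""
    return any(permission in ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, ()))


# --- SoD: role pairs no single identity may hold ---------------------------------
TOXIC_PAIRS = [({"clerk", "approver"}, "can create and approve the same invoice")]


def sod_violations(user_roles=USER_ROLES) -> list:
    return [f"{user}: {why}"
            for user, roles in user_roles.items()
            for pair, why in TOXIC_PAIRS
            if pair <= roles]


# --- ABAC: decision from subject, object and environment attributes ------------
@dataclass
class Request:
    subject: dict
    resource: dict
    environment: dict


def abac_permits(req: Request) -> bool:
    """Policy (constructed): a record's owner may always read it; anyone else needs
    the same department, a compliant device, and a request between 09:00 and 18:59.

    Adapts because a new condition (geolocation, risk score) is one more attribute
    in the rule, not a new role for every combination.
    """
    s, r, e = req.subject, req.resource, req.environment
    if s.get("id") == r.get("owner"):
        return True
    return (s.get("department") == r.get("department")
            and e.get("device_compliant") is True
            and 9 <= e.get("hour", -1) <= 18)
```

Rule-based and risk-based models from the table are special cases of the same shape: the environment dictionary is where a firewall rule's source address or a bank's transaction risk score would arrive.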
5.4 Managing the Identity and Access Provisioning Lifecycle
Identity management spans the entire user lifecycle and is essential to preventing orphaned accounts and privilege creep.
Identity Lifecycle Stages
Provisioning:
Identity proofing, background checks, credential issuance.
Review:
Periodic access validation to prevent excessive privileges.
Revocation:
Immediate removal of access during role changes or termination.
Exam Rule:
Privileged accounts require more frequent reviews.
Privileged Access Management (PAM)
Privileged accounts present the highest risk.
Vertical Escalation: Gaining higher privileges than the account was granted (user to administrator)
Horizontal Escalation: Accessing another principal's resources at the same privilege level (one user reading a peer's data)
Key Controls:
Just-in-Time (JIT) access
Password rotation
Credential vaulting
Secure service account handling
Exam Rule:
Standing admin access = risk.
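Sections 5.4 and 5.5 (Privileged Access Management) describe what an access review is looking for; the block below, an added example that is not part of the original page or any IAM product, runs that review over constructed data. A small HR roster and a directory export are embedded inline, and the function flags orphaned accounts (owner left or unknown), dormant accounts, privilege creep (groups beyond the role's baseline that are not covered by a time-boxed JIT grant), reviews overdue under a stricter cadence for privileged accounts, and standing admin membership with no expiry. The roster, accounts, group names and cadences are all made up.

```python
"""Access review over constructed HR and directory data.

Added example. Finds orphaned, dormant and over-privileged accounts, overdue
reviews, and standing (non-JIT) admin access. All data and thresholds are made up.
"""
from datetime import date, timedelta

TODAY = date(2024, 6, 30)                       # fixed so the results are reproducible
PRIVILEGED_GROUPS = {"Domain Admins", "DB Admins"}
REVIEW_INTERVAL = {"privileged": timedelta(days=30), "standard": timedelta(days=90)}
DORMANT_AFTER = timedelta(days=90)

# Least-privilege baseline: the groups each job role legitimately needs (constructed).
ROLE_BASELINE = {
    "accountant": {"Finance Users", "VPN Users"},
    "dba":        {"DB Admins", "VPN Users"},
    "helpdesk":   {"Helpdesk", "VPN Users"},
}

# Constructed HR roster: the authoritative source for who is employed and in what role.
HR = {
    "alice": {"role": "accountant", "terminated": None},
    "bob":   {"role": "dba",        "terminated": None},
    "carol": {"role": "helpdesk",   "terminated": date(2024, 5, 15)},
    "dave":  {"role": "accountant", "terminated": None},
}

# Constructed directory export. jit_expires is set only for time-boxed elevation.
ACCOUNTS = [
    {"sam": "alice", "owner": "alice", "enabled": True,
     "groups": {"Finance Users", "VPN Users"},
     "last_logon": date(2024, 6, 28), "last_review": date(2024, 5, 1), "jit_expires": None},
    {"sam": "bob", "owner": "bob", "enabled": True,
     "groups": {"DB Admins", "VPN Users"},
     "last_logon": date(2024, 6, 29), "last_review": date(2024, 4, 1), "jit_expires": None},
    {"sam": "carol", "owner": "carol", "enabled": True,
     "groups": {"Helpdesk", "VPN Users"},
     "last_logon": date(2024, 5, 14), "last_review": date(2024, 6, 1), "jit_expires": None},
    {"sam": "dave", "owner": "dave", "enabled": True,
     "groups": {"Finance Users", "VPN Users", "Domain Admins"},
     "last_logon": date(2024, 6, 30), "last_review": date(2024, 6, 20),
     "jit_expires": date(2024, 7, 1)},
    {"sam": "svc_backup", "owner": "erin", "enabled": True,
     "groups": {"Domain Admins"},
     "last_logon": date(2024, 2, 1), "last_review": date(2024, 1, 10), "jit_expires": None},
]


def review_access(accounts=ACCOUNTS, hr=HR, today=TODAY) -> list:
    """Return (account, finding) pairs the access reviewer must act on."""
    findings = []
    for a in accounts:
        sam, person = a["sam"], hr.get(a["owner"])
        active = person is not None and person["terminated"] is None
        privileged = bool(a["groups"] & PRIVILEGED_GROUPS)
        jit_live = a["jit_expires"] is not None and a["jit_expires"] > today

        # Orphaned: still enabled, but the owner left or HR has never heard of them.
        if a["enabled"] and not active:
            findings.append((sam, "orphaned: owner not active in HR"))

        # Dormant: nobody has authenticated with it inside the window.
        if a["enabled"] and today - a["last_logon"] > DORMANT_AFTER:
            findings.append((sam, "dormant: no logon in 90 days"))

        # Privilege creep: memberships beyond the role baseline, unless JIT-elevated.
        if active:
            extra = a["groups"] - ROLE_BASELINE[person["role"]]
            if extra and not jit_live:
                findings.append((sam, f"privilege creep: {', '.join(sorted(extra))}"))

        # Review cadence: privileged accounts are reviewed more often.
        interval = REVIEW_INTERVAL["privileged" if privileged else "standard"]
        if today - a["last_review"] > interval:
            findings.append((sam, f"review overdue ({interval.days}-day cadence)"))

        # Standing admin: privileged membership with no expiry at all.
        if privileged and a["jit_expires"] is None:
            findings.append((sam, "standing admin access: convert to JIT"))
    return findings
```

In the constructed data, dave's Domain Admins membership is not flagged because it is a JIT grant that expires tomorrow, whereas the service account's identical membership is flagged three ways at once: its owner is unknown to HR, it has not logged on in months, and nobody has reviewed it on the 30-day privileged cadence.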
5.5 Implementing Authentication Systems
This final section focuses on the specific technologies used to implement the authentication and authorization concepts we've discussed, particularly for securing remote access to network devices and corporate resources. Choosing the right protocol is crucial for establishing secure connections for remote users and administrators.
Compare and Contrast Remote Access AAA Protocols
AAA (Authentication, Authorization, and Accounting) protocols provide a centralized framework for managing remote access.
RADIUS
Open standard (RFC 2865), UDP-based, and widely supported
Hides only the User-Password attribute; the rest of the packet, including the username, travels in the clear
Combines authentication and authorization in a single Access-Request / Access-Accept exchange
Best used for: centralized user authentication (VPN, wireless access)
DIAMETER
Successor to RADIUS with improved security and scalability
Designed for modern, large-scale environments
Limited adoption in typical enterprise scenarios
Best used for: telecom and high-scale service environments
TACACS+
Cisco-developed protocol (the exam's "Cisco proprietary"), TCP port 49, now documented in RFC 8907
Encrypts the entire packet body (only the header is in the clear)
Separates authentication, authorization, and accounting into independent exchanges
Allows command-level (per-command) authorization
Best used for: network device administration (routers, switches, firewalls)
These systems are the technical backbone that enforces the identity and access management policies essential for a secure enterprise.
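"Encrypts only the password" is easiest to believe after building the packet. The block below is an added example, not code from the original page or from any RADIUS implementation: it implements the User-Password hiding scheme from RFC 2865 section 5.2 (MD5 of the shared secret and the Request Authenticator, XORed block by block with the padded password), assembles a minimal Access-Request, and then parses it back without the secret to show that the User-Name is readable while the password is not. The shared secret, authenticator and credentials are constructed values.

```python
"""RADIUS Access-Request: only the User-Password attribute is hidden (RFC 2865 §5.2).

Added example. Implements the RFC's MD5/XOR password hiding and a minimal packet
builder/parser. Secret, authenticator and credentials below are constructed.
"""
import hashlib
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a 16-octet multiple; XOR each block with MD5(secret + previous block).

    The first "previous block" is the 16-byte Request Authenticator, so the same
    password hides differently in every request; chaining on ciphertext makes each
    later key block depend on the one before.
    """
    if len(password) > 128:
        raise ValueError("RADIUS passwords are at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], key_block))
        out += c
        prev = c
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: inverse of hide_password; strips the null padding.

    (A password with genuine trailing nulls would be truncated, as in the RFC.)
    """
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, key_block))
        prev = c
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes,
                         username: bytes, password: bytes, secret: bytes) -> bytes:
    """Code(1) | Identifier(1) | Length(2) | Authenticator(16) | attribute TLVs."""
    hidden = hide_password(password, secret, authenticator)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLVs after the 20-byte header. No secret is needed, which is the point:
    everything except the User-Password value is readable by anyone on the path."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}
```

The hiding is keyed only by the shared secret and an authenticator that is sent in the same packet, so a captured Access-Request can be attacked offline by guessing the secret. This is why RADIUS is normally run inside IPsec or over TLS (RadSec, RFC 6614), and why TACACS+'s encryption of the whole body is the better fit for administrative command traffic.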
CISSP Exam Memory Hook
RADIUS → Users
TACACS+ → Network Devices
DIAMETER → Scalable successor (rarely the best answer)
If a question mentions device command control → TACACS+
If it mentions VPN or Wi-Fi user access → RADIUS
Conclusion
As you wrap up your review of Domain 5, remember that it all comes down to control and accountability. The core mission is to know who is accessing your assets, why they are accessing them, and to ensure they have only the minimum permissions necessary to do their job—and not an ounce more.
For the CISSP exam, pay close attention to the distinctions between related concepts. Be ready to compare and contrast DAC vs. MAC vs. RBAC, explain the difference between SAML and OAuth, and know when to use RADIUS versus TACACS+. These comparisons are classic exam topics. Master these concepts, and you'll be in a great position to conquer this domain. Best of luck on your exam!