CISSP: Domain 5 - Identity and Access Management (IAM) - Module 1

The course is part of this learning path

Identity and Access Management (IAM)

This course is the first of 3 modules of Domain 5 of the CISSP, covering Identity and Access Management.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Identity and Access Management
  • Access Control 
  • Securing physical and logical assets 
  • Access modes
  • Managing Identification and Authentication, of People and Devices

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Welcome back to the Cloud Academy presentation of the CISSP exam preparation seminar. We're gonna continue our discussion with Domain 5: Identity and Access Management. But before one can begin a comprehensive overview of the Identity and Access Management domain, it is important to have an understanding of some key concepts that will be important throughout this domain. These concepts form the basis for understanding how access management works, why it is a key security discipline, and how each individual component to be discussed in this domain relates to the overall access management universe.

The most fundamental and significant concept to master is a precise definition of what is meant by the term access control. For the rest of this domain and throughout, the following definition is going to be used: Access control is the process of allowing only authorized users, programs or other computer systems (such as those connected by a network) to observe, modify, or otherwise take possession of the resources of a computer system. It is also a mechanism for limiting the use of some resources to authorized users. Almost all physical and logical entry points to the organization and its information systems need some type of access control. Given the pervasive nature and importance of access controls throughout the practice of security, it is necessary to understand the four key attributes of access control that enable good security management. Specifically, what I mean is the access controls enable management to specify which users can access a system or a facility, specify what resources those users can access, specify what operations those users can perform on those resources, and enforce accountability for those users' actions.

Each of these areas, though seemingly interrelated, represents an established and individual approach to defining an access control policy and strategy. The information in this domain will assist the security professional in determining the proper course of action to satisfy each of the attributes as it applies to a particular system, process, or facility. The goals of information security are to ensure the continued confidentiality, integrity, and availability of an organization's assets. This, of course, includes both physical assets such as places and spaces and of course the human aspect and information assets such as company data and the systems in which that data exists.

Access controls, therefore, play a key role in ensuring the confidentiality of systems and the information they contain and process. Managing access to physical and information assets is fundamental to preventing the exposure of data by controlling who can see, use, modify, or destroy those assets. In addition, managing an entity's admittance and rights to specific enterprise resources ensures that all valuable data and services will not be abused, misappropriated, or stolen or, if that is attempted, that it can be detected. It is also a key factor for many organizations that are required to protect personally identifiable information in order to get into and remain compliant with appropriate legislation, internationally or domestically, and industry compliance requirements.

Now, the act of controlling access inherently provides features and benefits that protect the integrity of these business assets. By preventing unauthorized or inappropriate access, organizations can achieve greater confidence in data and system integrity. If an organization is without controls to manage who has access to specific resources and what actions they're able to perform, there are few alternate controls to ensure that information and systems are not modified by unwanted influence. Access controls also give greater visibility into determining who or what may have altered data or system information, potentially affecting the integrity of those information assets. These controls can be used to match an entity, the identity of the human or of the computer, with the actions that that entity has taken against the valuable assets, allowing organizations to have a better understanding of the state of their security posture.

Finally, access control processes go hand in hand with efforts to ensure the availability of these resources within an organization. One of the most basic rules to embrace for any valuable asset, especially one whose criticality requires that it must be available for use over long periods of time, is that only people with a need to use that particular asset should be allowed to do so. Taking this stance ensures that the resource is not blocked or congested by people who have no business and no authorization to have access to it or use it. This is why most organizations only allow their employees and other specifically trusted individuals into their facilities or onto their networks.

Restricting access therefore to only those who need to use a resource reduces the likelihood that malicious agents can gain access and cause damage to the assets or that non-malicious individuals with unnecessary access can cause accidental damage. In either case, the asset affected can be rendered untrustworthy and therefore any actions or decisions rendered from access to that asset would therefore become ill-informed.

Let's go on to slide two and look at our domain agenda. We're going to explore all of these topics during the course of our discussion of identity and access management, including controlling physical and logical access, identification and authentication of persons and of devices, integrating identity as a service, integrating third-party identity services (becoming more and more common), implementing and managing authorization mechanisms, and then as we do with all of our domains, talking about preventing or mitigating various attacks and concluding with managing the identity and access provisioning life cycle.

So here's section one. We're going to talk about controlling physical and logical assets. So the access control systems can be physical or electronic systems that are designed to control who or what may have access to a network or to any other kind of an asset. The simplest example of this, of course, would be a door that has a lock on it, thus limiting anyone who may be able to pass through that portal from one side to the other, possibly gaining access to a sensitive area.

So we're going to examine the facility access control and its counterpart in the computer systems and networks, logical access control. Now the basic rule of access granted should employ essentially the same standard, what is actually required by the individual to execute their duties, and that should apply equally in context to whether it's access to places and spaces or access to systems and the data that they contain.

So let's cover a few basics. One form of system entity is, of course, the subject. Now the subject is defined as active entities within a system that are seeking access to perform functions or tasks. These, of course, can be either persons or processes and programs. These have two basic attributes that correspond to similar attributes associated with an object. For the subject, we look at clearance, which is a measure of trustability or reliability. The subject, of course, also must establish a need to know, which reflects the resource requirements associated with the role fulfilled by the subject.

The other primary entity we have is the object. Objects are passive entities within a system, data containers or other components that are acted upon by subjects in performance of their functions or tasks. These can be files, directories, or any other kind of a repository. They can, of course, be processes, I/O devices, and programs. They have two basic attributes that correspond to similar attributes associated with subjects. The object will have classification, typically defined as a measure of sensitivity, criticality or confidentiality requirements. Accompanying that is compartment or category, a categorization that reflects the functional use or application of the object.

So let's compare these two so that we can align the various characteristics we just spoke of. For the subject we have clearance. This equates to the classification of the corresponding object. Now the clearance is a parameter compared to the object classification at this first level and is typically hierarchical in nature. For the object, the classification is similar. It's compared to the subject clearance at this first level and it too is also typically hierarchical.

Now the subject's second trait is need to know. This is a parameter that matches to the compartment or category of the object and this typically must match precisely. On the object side, we have the compartment or category and this must match the need to know as a parameter of the subject and it typically must be the thing that the need to know must match precisely. 
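The two-level comparison just described, as an added example that is not part of the course material: the subject's clearance is checked hierarchically against the object's classification, then every compartment on the object must be matched exactly by an entry in the subject's need to know. The level names, subjects and objects are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Illustrative hierarchy (assumed labels, not taken from the course)
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level          # hierarchical measure of trust
    need_to_know: frozenset   # exact-match labels tied to the subject's role


@dataclass(frozen=True)
class Obj:
    name: str
    classification: Level     # hierarchical measure of sensitivity
    compartments: frozenset   # categories describing the object's use


def check_access(subject, obj):
    """Return (granted, reason) for a subject/object pair."""
    # First level: hierarchical comparison of clearance and classification.
    if subject.clearance < obj.classification:
        return False, "clearance below classification"
    # Second level: each compartment must match a need-to-know entry exactly.
    missing = obj.compartments - subject.need_to_know
    if missing:
        return False, "no need to know for: " + ", ".join(sorted(missing))
    return True, "clearance dominates and need to know matches"


# Constructed sample data.
alice = Subject("alice", Level.SECRET, frozenset({"payroll"}))
bob = Subject("bob", Level.CONFIDENTIAL, frozenset({"payroll", "hr"}))
ledger = Obj("payroll_ledger", Level.CONFIDENTIAL, frozenset({"payroll"}))
merger = Obj("merger_plan", Level.SECRET, frozenset({"m&a"}))

if __name__ == "__main__":
    for s in (alice, bob):
        for o in (ledger, merger):
            granted, reason = check_access(s, o)
            verdict = "GRANT" if granted else "DENY"
            print(f"{s.name:5} -> {o.name:14} {verdict:5} ({reason})")
```

Note that alice is denied merger_plan despite holding the highest clearance: a clearance that dominates the classification is necessary but not sufficient without the matching need to know.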

So we have these access control principles, one that I'm sure you're well familiar with, least privilege. This is all that is required at the lowest feasible level of exposure. This least privilege places limits on the abuse potential by the subject. Along with that, we have least functionality. This is the lowest level of processing that will be accomplished to accomplish the defined purpose or need. And this characteristic puts limits on the damage potential that can be caused by the subject.

Now we have separation of duties and this carries two characteristics with it. By implementing this properly, it prevents too much access authority, which might enable the circumvention of the controls by the subject. But it also carries the idea that we have to prevent combinations of job function that will create conflicts of interest such as combining processing of accounts payable and processing of accounts receivable in the hands of the same person. 

Now on looking at these access control principles, we're faced with a couple of situations. We have the ideal role relationships which have very clear demarcation points across which will be a process through which role one and role two will be able to share things but there's no overlap between the two. What we find in the real world, though, is the actual role relationships where overlaps do in fact exist. Sometimes these create conflicts, sometimes they create difficult situations for us to configure the controls to account for those overlaps. But it is the more common situation that you find there on the right of this slide with the actual role relationships and this complicates the access control landscape.

So we have the expected interaction. We have to ask some basic questions. Who is attempting access? What is being accessed by that who? And how is this action enabled? So subjects are granted rights to objects to describe how the access is going to work. Objects, for their part, have permissions at various levels to describe what actions are possible. And in our diagram, we have our who, the subjects given their rights. We have the what, the data object or other resource that they're going to attempt to access with its permissions and as long as there's a proper comparison between the rights and the permissions, this accords to who the privileges that they need to access the what to accomplish their particular task.

That brings us to a discussion of what the access modes are. Now the access modes that you see begin with none. None is the lowest level of access oftentimes given to the greatest number of users and none is indeed the lowest level of access, it is a mode. Just up from that will be read only. Now read only is often misunderstood. It doesn't mean that you can simply open a file and read it. There are other operations that can be performed such as copying or saving as. Up from there, we go to read and write. This permits creation, alteration, and saving. From there we go to execute, which gives us the ability to access and run processes with permissions equal to those that we ourselves hold as subjects. And then at the top, we have full control which includes all of the above and grants ownership and permission for grant or modify authority for other users to be given.

Now through our administration process, what we're doing is we're establishing the access granted to subjects, we're establishing the permissions assigned to objects, and then we're going to find the way to properly implement them so that they can actually be used. We're going to have to set up monitoring functions to ensure that we can track who is doing what and how. We have to, of course, modify and there has to be a process that will establish how we're going to do that to ensure that we have proper authorization and audit trail. We have to be able to test various aspects so that we can be certain that what we think we're doing is in fact what we are doing and that there is not more or less that may not be in our direct vision. And obviously, we have to be able to terminate access when necessary.

Now the administration process is the set of mechanical processes that we will follow to do these various tasks. The one thing that it does not include, however, is the actual making of the decisions as to who will have access to what and with what capability. That has to be a separate process run by the management of the subjects who will be requesting the access to accomplish their tasks.

Now physical access is about granting or denying access to places and spaces. Granting or restricting access to buildings, rooms and floors is making certain that we have met the need to know parameter for the various subjects who will be requesting access to ensure that they are able to go into those places and spaces or that they are properly denied access. Now the accessibility itself as the actual process of entry is typically controlled by some form of key, a token of some kind, a card or possibly the entry of some form of combination into a keypad. One form of this is dual control, also called the two-man rule. Picture, for example, the safety deposit box repository inside the vault of your bank. Access to the safety deposit boxes inside the vault requires two valid keys, one of which is held by the bank officer, the other of which is held by the box's owner. These keys are required simultaneously in order for either party to be granted access to the boxes. This enforces separation. The contents of the safety deposit box are safe from the bank because they have only one key, but it's also safe in the sense that the individual who is the box owner cannot enter the vault without having a bank officer escort them. Both keys must be used simultaneously and neither key can be held by both parties to ensure that we are limiting access as appropriate and making sure that we deter collusion.

One of the favorite forms of logical access would be a password, a type 1 authenticator also called something that you know. The information can be stored on a token that is presented to a reader, it can be something that is made up and remembered, and it can be sent to the system when it's entered into the keypad or whatever the mode of entry is so that the system can process it and grant or deny the access to the subject.

We have the access control tokens, a type 2 authenticator also called something that you have. The information is stored on this token and then as it's passed over a reader of some form or passed through a card reader, a slot or through a chip that is touched by a contact inside the reader, the reader extracts the information and sends it on to the system for processing. Then, of course, we have the biometric system process. This is a type 3 authenticator, something that you are or do. It's based on the observation or capture of whatever that biometric data happens to be, which can be either an action that's performed such as a voiceprint where you speak a phrase and it's recognized or not, or it's a passive characteristic such as a retina scan or a fingerprint. As it's captured, it is converted and this describes the observed trait using a digital representation called a template. All of the biometric characteristics are boiled down to a hexadecimal data stream that is then stored in a secured file within the system. And as you present the characteristic, let's say a fingerprint, it's read, it's then converted to a hexadecimal data string, and then it's compared to the one stored in the file, and in that compare operation, it has taken the presented exemplar and then it's compared to one of the stored images. For example, if you scan all five fingers on one hand, you present one finger, there will be typically five templates, one for each finger, and then it will compare the one that is presented to the five that are in the file. The one that's presented when it finds the match will grant the access given to the subject.

Now, whatever your access control or identity management system may be, it must have a policy that defines how this access is to be granted, what the mechanisms are, processes for provisioning, activation, monitoring, termination. We have to of course account for the mechanisms and as you'll see later on in this domain, we'll discuss various forms of access control models for both logical and physical access. One form of integration between physical and logical access is what is called a PACS or a Physical Access Control System. This is a system that is used to allow authorized security personnel to simultaneously manage and monitor multiple points of entry from a single centralized location and is oftentimes tied into several different components, including system access within the facility. It combines the elements of identification, visitor management, parking permit management, and as all access control systems have, they have an alarming, monitoring, and intrusion detection functionality as well.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.