Managing Identification and Authentication of People and Devices
Managing Identification and Authentication of People and Devices

This course is the first of 3 modules of Domain 5 of the CISSP, covering Identity and Access Management.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Identity and Access Management
  • Access Control 
  • Securing physical and logical assets 
  • Access modes
  • Managing Identification and Authentication, of People and Devices

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


We're going to continue our discussion in Section 2, Managing Identification and Authentication, of People and Devices. So this process of gaining access, we're going to explore how it actually takes place. This is the capability to access and manipulate information, and that it must be enabled through provisioning process, following management approval. As I described earlier, the process to define what a particular subject may need, needs to be separate from the actual implementation of that need. So the process begins with identification, which is a logical or physical characteristic used as a claim of identity. Followed by authentication, which is something that is offered that validates that claim and transforms the claim to an identity. We follow that with authorization, which is connecting this identity, once established, to a privileged profile or a capability profile. And of course, it must end with accountability, which involves two tasks. One is accounting, that is the recording of all of the accesses and other actions that the identity will take and auditing, which is the reviewing of all of the records of such actions.

So the identification is an assertion of a unique identity or an e-persona for the person or age, persona, human persona, or system that is the starting point of all access to be granted, or for that matter, denied. Without proper identification, it would be impossible to determine how to apply the appropriate controls. And indeed, how to identify the subject that is taking any action whatsoever.

In the authentication portion of this process, this is the process of verifying the identity of the user, where they offer a unique characteristic that validates the claim of identity that that subject is making. And this additional element must be used in conjunction with the claim of identity, but must itself be a separate characteristic altogether. Once the subject is authenticated, then we are able to connect that subject to a profile, which defines what resources may be accessed and what actions may be taken against that profile of resources. Authorization is itself the process of defining the specific resources that the user is authorized to have, and determining the type of access that that subject will have to those resources as was defined when management clarified that user's role, leading to this particular profiles definition.

So, the attribute and action relationships are these. The identification establishes the uniqueness, the authentication validates the claim of identity, authorization is the mechanism through which we implement the control, and accountability confirms subject actions, both positive and negative. Over time there have been of course many different ways that we are able to identify the subjects. They have become usernames. They were at one time a user ID, basically an arbitrary character string, usually put together by some scheme. The account number, such as you have at a bank. A Personal Identification Number, or PIN code. And then some form of digital identification, which is an equivalent to these other elements.

We have, of course, access badges - another form of identification. Now, this is a very common form of physical identification and authorization in organizations, based on the physical identification characteristic. It represents that the badge holder is officially recognized and has some status within the organization. Some badges display a good deal of information, other badges may display very little or none at all. Most badges will contain the name or logo of the organization, the name and a picture of the holder. Because it contains these characteristics, it is thought to provide a much stronger security mechanism. And it is used in multiple ways to enter secure areas of facilities in conjunction with readers that will extract the information from the card to process it, compare it to a stored profile, and then depending upon the outcome, allow or deny access with the presenter of that card.

The user ID was one of the first forms of identification. As I mentioned, this was an arbitrary character string, usually built to some scheme, possibly for a department, possibly for a physical location. But it was assigned to an individual when they were authorized access to a system or to a space, but the user ID itself, while uniquely identifying the individual associated with it, was itself intended to be unrevealing, unlike a username, which tends to be your name, followed by other characteristics.

We have, of course, the ever-present account number or personal identification number. Now, this account number does provide a unique identity for the user, who is its owner. The personal identification number can provide that, and it can provide the authentication information of the claimed identity associated with the account number.

Now, we have to identify all the humans that are going to be accessing these things, but the notion of identification has to extend to various resources within the system. One of the most commonly regarded is the media access control or MAC address. Now, this MAC address is a 48-bit hard-wired number, supposedly globally unique, that is assigned to the network interface card, within every computer.

Now, in a similar fashion to the MAC address, we have the IP address. Computers using TCP/IP network protocols are assigned an IP address. Unlike the MAC address, this is a logically assigned address to the device associated with the MAC address, and it is used by the network, devices, routers, and switches and so forth, to ensure that the devices are grouped in logical groups, networks, subnets, and the like and that they are uniquely identified, so that information intended to be routed to one or another of them is not misrouted.

We have RFID, the Radio Frequency Identification. Now, this is a non-contact, automatic identification technology that uses radio frequency signaling to identify and track almost any asset, person, vehicle or other item that can be tracked using this technology. RFID typically does not require any direct contact or line of sight in order to work. An RFID system is made up of several components. One is an integrated circuit for modulating and demodulating the radio signals and an antenna for receiving and transmitting the signal. 

Some forms that we find very commonly are RFID tags that do not carry an integrated circuit. These are made of fibrous materials that reflect a portion of the reader signal back and the unique return signal can be used as an identifier. This is the type that we find typically in books, in a store such as Barnes and Noble. The reader, shaped like a gun, sends out a beam, the tag reflects the beam back to the reader, and the reader can then sense what books are on shelves, instead of having to physically count them all, and can detect books that have been misfiled with great ease.

So the typical components include the tag, the reader, and a back-end database that holds the various values assigned to these RFID tags. Now, each RFID tag is intended to be a unique identity code associated with the object that it is in. The reader will emit a low-level radio frequency magnetic field that energizes the tag, the tag responds with the reader's query and announces its presence via radio waves, transmitting its own unique identification data. The data is then decoded by the reader and passed to the local application system via a form of middleware. And the middleware acts as an interface between the reader and the RFID application system including its back-end database where the various values that the tags return are stored.

RFID systems, however, are subject to various forms of attack, such as eavesdropping or skimming. These radio sequence signals transmitted from the tag and the reader can be detected in several meters way by other radio receivers. It is, therefore, possible for an unauthorized user to access the data contained in the RFID tag, if the legitimate transmissions are not properly protected, such as through encryption.

This means that these signals are subject to traffic analysis, to a person who has the appropriate radio frequency detection equipment. Even if tag data is protected, it is possible to use traffic analysis tools to track predictable tag responses over periods of time. Correlating and analyzing the data builds a picture of movement, social interactions, or financial transactions. Abuse of this traffic analysis has a direct impact on privacy. For example, abusing this would enable someone reading the signals to figure out what books someone may be checking out from the library or purchasing from a bookstore without their knowledge, thus invading and compromising their privacy.

Systems like this are subject to spoofing. Based on the data collected, it is possible to perform tag spoofing, either by insertion into the radio frequency signal, or by switching out tags. 

These systems are also subject to denial of service, or even distributed denial of service attacks. Now, a denial of service attack against RFID infrastructure can happen if, for example, a large batch of tags have been corrupted. Picture for a moment, a bookstore receiving a shipment of 1000 books with various tags in them. The tags themselves, through their own manufacturing process, have been made imperfect, which means that the reader will not be able to read the signals properly. And given the volume of books, a lot of manual labor will be necessary to correct the situation. In the meantime, the tags being imperfect will be unusable.

It is systems like RFID, the fact that no line of sight or physical contact is necessary, are sometimes considered to be a bit of a risk or even a threat to personal privacy. Widespread item-level RFID tagging of products raises public concerns regarding this. Individuals can be profiled and tracked without their knowledge or consent by those who have the appropriate RFID reading equipment and having no need to be present or in contact with the article, they can read it from a distance, out of sight of the individual who is possessing the article.

Now, user identification guidelines, regardless of the system that is being used, must be established. Because we need to establish the uniqueness of the individual, it is preferred that whatever the identifier is that's used is not descriptive, meaning that it doesn't reveal anything about its owner. And that we have a process to ensure secure issuance of these credentials, that they cannot be intercepted or hijacked by any other individual.

So in the identity management implementation, we have several things we must take care of. The technologies utilized in this include elements that will deal with password management, account management, profile management, directory management, and a form that brings many of these things together, single sign-on.

Now, password management is comprised of policies, standards and complexity rules associated with the password use, and these need to be managed in a consistent way throughout the enterprise so that we have a unique but consistent level of rules and enforcement of the policy.

Now, there are many different types of password management systems. These are installed in order to manage passwords consistently across the enterprise. They're usually achieved through a central tool capable of synchronizing passwords across multiple systems. And with cloud computing and a variety of server-based systems, synchronization of passwords across multiple systems is indeed a very critical issue.

Along with that, we have account management. Now, these systems attempt to streamline the administration of user identity across these multiple systems. Sometimes compatible, sometimes incompatible in the forms that they need, the password rules that they can enforce and so on.

Now, our account management systems will typically include one or more of the following characteristics. There will be a central facility for managing user access to multiple systems simultaneously. There is a workflow system to ensure that all the steps that are needed to be covered are covered and are none are missed. It has to see to the automatic replication of data to ensure consistent capturing of the credentials and the systems in which these credentials exist. There must be a facility for loading batch changes to user directories, and there needs to be a way to facilitate automatic creation, change or removal of access to system resources. For example, a person to having access to three or four systems or more. If we have to go through and look at all the individual systems, individually, there's a very good chance we will miss one or more. Having the ability to do this automatically facilitates much smoother and much less costly administration.

Now, in profile management, this is the collection of information associated with a particular identity or group, and can include a variety of factors, such as the username and password, obviously, the name of the individual associated with that user ID and password, telephone number, email address, home address, date of birth, information related to privileges, an entire variety of things well beyond what you might find in a typical phone book. Now, as far as profile management is concerned, the items selected should be carefully protected because as you see by this list, there are a number of personal characteristics that it would be a violation of the individual's privacy, should they be revealed to any unauthorized administrator or other person. But as a minimum, user ID, name, telephone number, email address, would probably be preferred.

That brings us to the end of our first module in our discussion of domain five, identity and access management. Be sure to come back for the remaining modules, when we continue our discussion. Thank you.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.