Managing the Identity and Access Provisioning Life Cycle
Start course

This course is the final module of Domain 5 of the CISSP, covering Identity and Access Management.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Identity as a Service
  • Integrating 3rd party identity services
  • Implementing and managing authorization mechanisms
  • Preventing or mitigating access control attacks
  • Managing the Identity and access provisioning lifecycle

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


So we're moving into Section Nine, in which we're going to learn Managing the Identity and Access Provisioning Life Cycle. Now, as was mentioned earlier in this particular module, having a process of decision making that determines what a subject will be granted in the way of privileges and information access within a system, must be separate from the actual process of implementing those decisions.

So in the Access Control and Identity Management Life Cycle, we begin with management requesting or authorizing a user role-based access to the data and systems. We do the provisioning, through the determination of those and then implementing them by the two separate processes, one to decide, one to implement. Then periodically we're going to need to re-evaluate what access a given subject has, in the case of needing to change it, elevate it or diminish it. When these changes are needed, suspension might take place beforehand by a role-related new set of permissions, except if the reason is termination. That is to say, that when a person changes roles in the organization, the functional role that they have today in the system that they're using, would be suspended. Then the new role, signifying what they will require for the new function they will be fulfilling, will be created and provisioned. And then if information transfer needs to take place, it will through a controlled channel.

This kind of a policy, this kind of a practice requires thoroughly consistent enforcement to ensure that we get all of the protected value that we need from it. These all make up the Administrative Cycle and the approaches to administration generally take these three forms. We have Centralized Administration, which provide for centrally defining and implementing policy and the provisioning process, and centrally controlling the enforcement of that policy. We have De-centralized Administration. Typically deriving its authority and the requirements it must be met from a centrally defined policy, it allows it to be implemented using local provisioning, giving local resource access and enforcement, but that it is limited to the local. We also have a combination, the Hybrid Approach. Centrally defined policy with enforcement over core resources and then local resource access augmenting this and control with central oversight and support.

The Centralized Access Process means that all access requests are passed through a central office or function, which employ the central repository. In this particular model, this repository is centralized and unshared. As a design, it can enforce policy and control at the enterprise level for all enterprise-controlled resources.

Now, the considerations and advantages that go with centralized access processing, means that there is a reduction in attack surface through a more unified and consistent policy implementation. It means that we have a policy for active monitoring with more consistent and better-integrated aggregation and correlation for event analysis. We have more uniform implementation and performance of device backup for better resilience and recovery, both of which are very important considerations in any access control system. It also gives us better program level redundancy, further enhancing recoverability.

Now, the de-centralized access process is certainly a valid one for use in certain environments. As a process, all requests are processed through a central office employing a replicated repository that is shared by local nodes. As a design, it can enforce access control based on a centrally defined policy, but with limited application to the local domain only. The considerations and advantages to de-centralized access include, reduction in attack surface through a more unified and consistent policy implementation, active monitoring with more consistent and better-integrated aggregation and correlation, more uniform implementation and performance of device backup for better resilience and recoverability, and better program-level redundancy for further enhancement and recoverability. Even while it gives access to local resources provisioned at the local level.

Now, provisioning entails that determination of the organizational requirements as one step to ensure that access to the information has been reviewed and approved by management. And it applies the appropriate access rights through a second process of actual implementation. The final step in the process is typically the periodic re-evaluation and review. In this part of our process, access rights and usage must be monitored on a basis commensurate with the risk, and the reviewing of access can be in the form of automated checks, manual audits and other methods. As the final step in the process, this is establishing accountability for the subject in the system. At the point where revocation is the action to be taken following the periodic review and evaluation. The revocation takes place after the review and it's invoked when the user has aggregated unnecessary access levels or access is not commensurate with the role of the user or, of course, when the user has terminated.

So, in our Domain Five, Identity and Access Management, we've discussed how to prevent unauthorized or inappropriate access, and as you've seen, it combines logical, procedural and physical methods. We described processes and procedures for determining who or what may have altered access or system information, potentially affecting the integrity of those assets, and this, of course, reflects our discussion on the identification, authentication, authorization and accountability process. And then we discussed how to match an entity, such as a person or a computer system, with the actions that entity takes against valuable assets, highlighting the accountability of accounting, wherein we are recording the records of the access and the actions taken and auditing the action of reviewing those to establish who has done what. And that brings us to the conclusion of our discussion of Domain Five, Identity and Access Management. Please continue to join us for the next module, Domain Six. We look forward to you joining us for that. Thank you.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.