Identity and Access Management (IAM)
39 Questions
Questions and Answers

Which of the following best describes the primary function of Identity and Access Management (IAM)?

  • Overseeing marketing strategies and customer relations.
  • Developing new software applications for internal use.
  • Managing hardware assets across the organization.
  • Ensuring appropriate access to digital resources based on user identity and permissions. (correct)

In what ways does IAM help organizations address the challenges posed by remote work and cloud computing?

  • By solely focusing on on-premises security measures.
  • By increasing the number of access points to critical resources.
  • By centralizing control over all user activities, regardless of location.
  • By streamlining access control and protecting assets without disrupting legitimate uses, tailored to user roles and compliance needs. (correct)

What is the role of a database or directory within a typical IAM system?

  • To log network traffic for intrusion detection purposes.
  • To store marketing data and customer feedback.
  • To store details about each user, their identities, and their assigned permissions. (correct)
  • To maintain a record of employee performance reviews.

How does Identity Lifecycle Management contribute to the overall security and efficiency of an organization?

By creating and maintaining digital user identities, ensuring each user has appropriate access tailored to their role and needs. (D)

Why is Role-Based Access Control (RBAC) commonly used in IAM systems?

To tailor user privileges according to their job function and level of responsibility, streamlining permission settings and reducing risk. (D)

What is the primary purpose of authentication in the context of IAM?

Verifying that a user is who they claim to be by validating their submitted credentials. (B)

How does Multi-Factor Authentication (MFA) enhance authentication processes?

By requiring users to provide two or more authentication factors, such as codes sent to their devices or biometric scans. (C)

What key benefit does Single Sign-On (SSO) provide to users and organizations?

The ability to access multiple apps and services with one set of login credentials. (D)

How does Adaptive Authentication enhance security measures in IAM systems?

By using AI and machine learning to analyze user behavior and adjust authentication requirements in real time based on risk levels. (A)

Which of the following best defines cyber risk management?

The process of identifying, prioritizing, managing, and monitoring risks to information systems. (B)

How does framing risk contribute to effective cybersecurity practices?

By defining the context in which risk decisions are made, allowing security controls to align with overall business strategies. (A)

What key elements are typically defined when framing cyber risks?

Asset inventory and prioritization, organizational resources, legal requirements, and the scope of the risk management process. (C)

What are the main objectives of a cybersecurity risk assessment?

Identifying threats and vulnerabilities, estimating potential impacts, and prioritizing the most critical risks. (C)

In the context of cybersecurity, what are vulnerabilities?

The flaws or weaknesses in a system, process, or asset that threats can use to do damage. (D)

What does 'risk mitigation' refer to in cybersecurity?

The use of security controls to make it harder to exploit a vulnerability or minimize the impact of exploitation. (A)

Regarding responding to risks, what does 'risk remediation' entail?

Fully addressing a vulnerability so it cannot be exploited, such as patching a software bug. (B)

How does monitoring contribute to cyber risk management?

By verifying that security controls work as intended, satisfying regulation, and adapting to new threats or assets. (C)

What is the primary purpose of Public Key Infrastructure (PKI)?

To protect data from unauthorized access through encryption and digital certificates. (D)

How does PKI promote confidentiality during data transmission?

By ensuring that only the legitimate receiver has intelligible access to the transmitted data. (A)

What role does the Registration Authority (RA) play in PKI?

Providing an interface between the user and the Certification Authority and ensuring that certificate usage constraints are met. (C)

What is the function of symmetric cryptography?

Using the same key for both encryption and decryption. (A)

How does asymmetric cryptography differ from symmetric cryptography?

It uses separate keys, a public key for encryption and a private key for decryption. (C)

What is the primary purpose of a digital certificate?

To provide information about the certificate's subject and verify the certificate holder's identity. (D)

What is the significance of non-repudiation in the context of data security?

The data source cannot deny the data's sending authenticity. (A)

An organization is implementing an IAM system. During the planning phase, they need to decide which assets and systems will be examined in the risk assessment process. Which aspect of risk management are they addressing?

Risk Framing (C)

A company identifies a critical software bug that could allow unauthorized access to sensitive customer data. The IT department develops and deploys a patch to fix the bug. Which risk response strategy is the company employing?

Risk Remediation (B)

An organization discovers that its current firewall configuration has a vulnerability that could allow malware to penetrate the network. They decide to place an intrusion-prevention system around a valuable asset to make it harder for the threat to reach it. Which risk response strategy is the organization employing?

Risk Mitigation (A)

A company decides to protect itself against potential cyberattacks by purchasing a cyber insurance policy that covers damages resulting from data breaches and system downtime. Which risk response strategy is the company employing?

Risk Transfer (D)

A company implements a new set of security controls to protect its sensitive data. To ensure that these controls are effective and compliant with regulatory requirements, the company regularly reviews security logs and conducts periodic audits. Which aspect of risk management are they addressing?

Monitoring (C)

A financial institution uses digital signatures to ensure that electronic transactions are authentic and cannot be altered during transit. This measure is primarily intended to:

Ensure the integrity of data. (C)

During incident response, a business activates its pre-established incident response plans. Based on this action, which of the following risk plans does this represent?

Risk Mitigation (C)

During response, what does a business do with unlikely or low-impact risks?

They are accepted. (A)

In cryptography, which key encrypts the data?

Public key (C)

In cryptography, which of the following best describes symmetric cryptography?

A security algorithm that uses the same keys for encryption and decryption. (B)

In IAM, what does CA refer to?

Certification Authority (D)

Which of the following are components of the Public Key Infrastructure?

A Certification Authority, Registration Authority, and Central Directory. (D)

In IAM, what processes exist to verify and validate identity?

Authentication and authorization (D)

Which of the following best describes IAM?

Identity access management (A)

Which organizations depend on IT to carry out business functions today? (Select all that apply)

All companies across all industries (B)

Flashcards

What is Identity Access Management (IAM)?

A cybersecurity discipline that manages how users access digital resources, ensuring only the right users access the right resources.

What is Identity Lifecycle Management?

A process of creating and maintaining digital user identities for every human and nonhuman user in a system.

What is Access Control?

Enables companies to set granular access policies, granting different system permissions based on digital identities.

What is Authentication?

Determines that a user is who they claim to be, typically through credentials.

What is Multi-Factor Authentication (MFA)?

Requires users to provide two or more authentication factors to prove their identities.

What is Single Sign-On (SSO)?

Allows users to access multiple apps and services with one set of login credentials.

What is Adaptive Authentication?

Uses AI to analyze user behavior and change authentication requirements in real time based on changes in risk level.

What is Cyber Risk Management?

Identifying, prioritizing, managing, and monitoring risks to information systems.

What is Risk Framing?

Defining the context in which risk decisions are made.

What is Risk Assessment?

Using cybersecurity risk assessments to identify threats and vulnerabilities, and to prioritize the most critical risks.

What are Threats?

People and events that could disrupt systems, steal data, or compromise information security.

What are Vulnerabilities?

Flaws or weaknesses that threats can exploit to do damage.

What are Impacts?

What a threat can do to a company, such as disrupting critical services or stealing data.

What is Risk Mitigation?

Using security controls to make it harder to exploit a vulnerability or to minimize the impact of exploitation.

What is Risk Remediation?

Fully addressing a vulnerability, such as patching a software bug.

What is Risk Transfer?

Transferring responsibility for the risk to another party, for example by buying insurance.

What is Monitoring?

Monitoring new security controls to verify that they work as planned, and also monitoring the threat landscape and ecosystem.

What is Public Key Infrastructure (PKI)?

A set of physical components, human procedures, and software that manages the life cycle of digital certificates.

What is Confidentiality?

Ensures data is accessible only to the legitimate receiver.

What is Authentication?

Ensures only legitimate parties can access system resources.

What is Integrity?

Guarantees that data is not altered, accidentally or intentionally.

What is Non-Repudiation?

Prevents the data source from denying the data's sending authenticity.

What is a Certification Authority (CA)?

Issues, manages, and signs certificates with its own digital certificate.

What is a Registration Authority (RA)?

Interfaces between the user and the Certification Authority, verifying applicants and ensuring usage constraints are met.

What is a Central Directory (CD)?

Stores and archives digital certificates and manages revoked certificates via the certificate revocation list (CRL).

What is Cryptography?

Protects data by converting it into an unreadable format. Symmetric and asymmetric keys are used to achieve this.

What is Symmetric Cryptography?

Encryption using the same key for encryption and decryption.

What is Asymmetric Cryptography?

Encryption using a pair of keys, one public and one private, to encrypt and decrypt data.

What is a Digital Signature?

Ensures the authenticity of the sender, is used to verify integrity, and provides non-repudiation.

What is a Digital Certificate?

Provides data and algorithms digitally signed by a CA for sender identification. Solves the lack of physical contact between parties.

Study Notes

Identity and Access Management (IAM)

  • IAM is a cybersecurity discipline focused on how users access digital resources and what actions they can perform.
  • IAM systems prevent unauthorized access.
  • IAM ensures each user has the precise permissions required for their job.
  • The average corporate network covers human users (employees, customers, contractors) and nonhuman users (bots, IOT, endpoint devices, and automated workloads).
  • Remote work and cloud computing have made users and resources more dispersed.
  • Organizations struggle to track user activity across diverse environments.
  • Lack of control creates security risks, including undetected hackers and malicious insiders.
  • IAM initiatives streamline access control and secure assets.
  • IAM systems assign each user a unique digital identity, with permissions tied to the user's role.
  • IAM ensures the appropriate users access the right resources and blocks unauthorized access.
  • The purpose of IAM is to prevent unauthorized access while allowing authorized access to the resources they need.
  • IAM implementations consist of tools and strategies.
  • Typical IAM systems include a database or directory containing user details and permissions.
  • IAM systems verify user identities, track actions, and enforce authorized activities.

Core Components of IAM Initiatives

  • Identity lifecycle management involves creating and maintaining digital user identities.
  • Organizations monitor activity and tailor permissions by differentiating users through digital identities.
  • Digital identities consist of attributes such as name, login credentials, job title, and access rights.
  • Digital identities are housed in a central database or directory.
  • IAM systems use this information to validate users and regulate actions.
  • Distinct digital identities facilitate user tracking and granular access policies.
  • IAM enables specified system permissions to users.
  • Many IAM systems use role-based access control (RBAC).
  • RBAC bases user privileges on job function and responsibility level.
  • RBAC streamlines permission settings and mitigates the risks of high-level privileges.
  • Authentication and authorization are how IAM systems implement access control policies.
  • Authentication confirms a user's claimed identity, to be either human or nonhuman.
  • Users submit credentials to prove their identity when logging in or requesting access.
  • Multi-Factor Authentication (MFA) requires users to prove their identity with two or more verification steps.
  • Common MFA factors include security codes sent to phones, physical security keys, or biometric scans.
  • Single sign-on (SSO) enables access to multiple apps and services with a single login.
  • The SSO portal authenticates the user and generates a security certificate or token that grants access to resources.
  • SSO systems use open protocols such as SAML to exchange authentication tokens between service providers.
  • Adaptive authentication, also called risk-based authentication, uses AI and machine learning.
  • Adaptive authentication analyzes user behavior and adjusts authentication needs based on risk.
  • Risk-based authentication schemes protect critical assets from hackers and insider threats.
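The following Go program is an added example, not code from the lesson or from any IAM product; it ties together the directory, identity lifecycle, authentication and RBAC points above. The directory, role names, usernames and credentials are all constructed sample values, and the password hashing (plain SHA-256) is a stdlib-only simplification noted in the code.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Permission names one action a role may perform, e.g. "read:reports".
type Permission string

// Role maps a job function to the permissions that function needs (RBAC).
type Role struct {
	Name        string
	Permissions map[Permission]bool
}

// Identity is one entry in the IAM directory: attributes plus assigned roles.
// Human and nonhuman users (a backup workload, for instance) share the same shape.
type Identity struct {
	Username     string
	JobTitle     string
	Human        bool
	PasswordHash [32]byte // assumption: plain SHA-256 to stay stdlib-only; real systems use a slow salted hash
	Roles        []string
}

// Directory is the central store the IAM system consults for identities and roles.
type Directory struct {
	Identities map[string]*Identity
	Roles      map[string]*Role
}

// Authenticate answers "is this user who they claim to be?" by comparing the
// submitted credential with the stored hash in constant time. Nothing more.
func (d *Directory) Authenticate(username, password string) (*Identity, bool) {
	id, ok := d.Identities[username]
	if !ok {
		return nil, false
	}
	sum := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(sum[:], id.PasswordHash[:]) != 1 {
		return nil, false
	}
	return id, true
}

// Authorize answers "may this authenticated identity perform this action?" by
// walking the identity's roles. If no role grants the permission, the answer is deny.
func (d *Directory) Authorize(id *Identity, p Permission) bool {
	for _, rn := range id.Roles {
		if r, ok := d.Roles[rn]; ok && r.Permissions[p] {
			return true
		}
	}
	return false
}

// NewSampleDirectory builds a constructed directory with two roles and two
// identities. Usernames and passwords are sample values for this example only.
func NewSampleDirectory() *Directory {
	hash := func(s string) [32]byte { return sha256.Sum256([]byte(s)) }
	return &Directory{
		Roles: map[string]*Role{
			"analyst": {Name: "analyst", Permissions: map[Permission]bool{"read:reports": true}},
			"admin":   {Name: "admin", Permissions: map[Permission]bool{"read:reports": true, "manage:users": true}},
		},
		Identities: map[string]*Identity{
			"alice": {Username: "alice", JobTitle: "Security Analyst", Human: true,
				PasswordHash: hash("alice-sample-pass"), Roles: []string{"analyst"}},
			"backup-bot": {Username: "backup-bot", JobTitle: "Backup workload", Human: false,
				PasswordHash: hash("bot-sample-secret"), Roles: []string{"admin"}},
		},
	}
}

func main() {
	d := NewSampleDirectory()
	if id, ok := d.Authenticate("alice", "alice-sample-pass"); ok {
		fmt.Println("alice may read reports:", d.Authorize(id, "read:reports"))  // true
		fmt.Println("alice may manage users:", d.Authorize(id, "manage:users")) // false
	}
	_, ok := d.Authenticate("alice", "wrong-password")
	fmt.Println("wrong password accepted:", ok) // false
}
```

The design point is the separation the notes describe: Authenticate only establishes who the caller is, and Authorize only consults role assignments, so changing what an analyst may do is a change to one role entry rather than to every identity.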

Risk Management

  • Cyber risk management identifies, prioritizes, manages, and monitors risks to systems.
  • Cyber risk management has become a component of enterprise risk efforts.
  • Companies depend on information technology, which exposes them to various threats.
  • Threats can disrupt systems, leading to revenue loss, data theft, reputation damage, and fines.
  • Cyber risk management methodologies include NIST Cybersecurity Framework (CSF) and NIST Risk Management Framework (RMF).
  • These methods share a similar set of core steps.

Risk Framing

  • Risk framing defines the context for risk decisions and aligns risk management with business strategies.
  • Risk framing helps prevent costly mistakes and poorly targeted controls.
  • When framing risk, companies define the scope of the data, the asset inventory, priorities, and compliance needs.

Risk assessment

  • Cybersecurity risk assessments identify threats, vulnerabilities, impacts and determine critical risks.
  • Risk assessment depends on priorities, scope, and risk tolerance.
  • Most assessments evaluate threats, vulnerabilities, and impacts.
  • Threats can disrupt systems, steal data, or compromise security, including ransomware, phishing, employee mistake, or natural disasters.
  • Vulnerabilities are flaws or weaknesses that threats can exploit: these include technical issues or weak policies.
  • Impacts refer to the consequences of a threat, such as service disruption, data loss, email compromise attacks, or stolen PII.
  • Companies use risk assessment results to decide responses to risks.
  • Low-impact risks may be accepted if security measures are expensive.
  • Likely and high-impact risks are normally addressed.
  • Risk mitigation uses controls to reduce the impact of exploitation, like intrusion-prevention systems and incident response plans.
  • Risk remediation addresses vulnerabilities through patching or retiring vulnerable assets.
  • Risk transfer involves shifting responsibility, often through cyber insurance policies.

Monitoring

  • Organizations monitor security controls to assure they are working and are meeting regulatory compliance.
  • Continuous surveillance allows companies to proactively refine their cybersecurity and risk management strategies.

Cryptography and Public Key Infrastructure (PKI)

  • Data security and privacy are crucial for internet users so encryption is used to protect data.
  • Public Key Infrastructure (PKI) is a common method of cryptography.
  • PKI combines physical components, human procedures, and software to manage digital certificates.
  • Cryptographic tools and signatures enable confidentiality, authentication, integrity, and non-repudiation.
  • Confidentiality ensures only authorized users can access data.
  • Authentication verifies the legitimacy of access requests.
  • Integrity ensures data has not been altered.
  • Non-repudiation prevents senders from denying authorship.
  • PKI comprises a certification authority, a registration authority, and a central directory.
  • These components distribute and validate the digital certificates.
  • A Certification Authority (CA) issues and manages certificates, signing each certificate so its authority can be verified.
  • A Registration Authority (RA) interfaces between users/certificate holders and the CA.
  • Central directory stores digital certificates and manages the certificate revocation list (CRL).
  • Cryptography protects data by converting it into an unreadable format.
  • There are two kinds of cryptography, symmetric-key and asymmetric-key, used in many security processes.
  • Symmetric encryption uses the same key to encrypt and decrypt; only the recipient holds this key, so only the recipient can decrypt.
  • Asymmetric encryption encrypts with the public key and decrypts with the private key; only the recipient holds the private key, so only the recipient can decrypt.
  • A digital signature ensures that a message came from its claimed author and that the message is intact.
  • It prevents senders from denying that they sent a message, which is non-repudiation.
  • A digital signature combines an algorithm and a value: a hash function produces a hash of the message, and that hash is what gets signed.
  • Any change to the message produces a different hash value, so verification fails and the change is detected.
  • Digital certificates provide information about the certificate's subject, validity, applications, and services.
  • Digital certificates identify the certificate holder and use cryptographic methods to stop someone impersonating someone else.
  • Certificates are digitally signed by the CA to certify that they are genuine.
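The following Go program is an added example, not code from the lesson, showing the hash-then-sign, tamper detection and CA-signed certificate points above in working code. The Certificate type is a constructed, minimal stand-in for a real X.509 certificate (it binds only a subject name to a public key), the keys are generated on the fly, and the "transfer" message is a constructed sample transaction. It uses Ed25519 from the Go standard library; the lesson does not name a particular signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Certificate is a constructed stand-in for an X.509 certificate: it binds a
// subject name to a public key and carries the CA's signature over that binding.
// Real certificates also carry validity dates, issuer, key usage and more.
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	CASig     []byte
}

// tbs returns the bytes the CA signs ("to be signed"): subject || 0x00 || public key.
func (c Certificate) tbs() []byte {
	return append([]byte(c.Subject+"\x00"), c.PublicKey...)
}

// IssueCertificate is the CA's job: sign the subject/key binding with the CA private key.
func IssueCertificate(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	c := Certificate{Subject: subject, PublicKey: pub}
	c.CASig = ed25519.Sign(caPriv, c.tbs())
	return c
}

// VerifyCertificate asks: did the CA we trust really vouch for this subject and key?
func VerifyCertificate(caPub ed25519.PublicKey, c Certificate) bool {
	return ed25519.Verify(caPub, c.tbs(), c.CASig)
}

// MessageDigest is the hash value the signature protects; any change to the
// message yields a different digest.
func MessageDigest(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

// Sign hashes the message and signs the hash with the sender's private key.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return ed25519.Sign(priv, sum[:])
}

// VerifySigned is the receiver's side: check the certificate against the trusted
// CA, then check the signature against the certified public key.
func VerifySigned(caPub ed25519.PublicKey, c Certificate, msg, sig []byte) bool {
	if !VerifyCertificate(caPub, c) {
		return false
	}
	sum := sha256.Sum256(msg)
	return ed25519.Verify(c.PublicKey, sum[:], sig)
}

func main() {
	// Constructed keys: one pair for the CA, one for the sender "alice".
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCertificate(caPriv, "alice", alicePub)

	msg := []byte("transfer 100 to account 42") // constructed sample transaction
	sig := Sign(alicePriv, msg)
	fmt.Println("digest:", MessageDigest(msg))
	fmt.Println("genuine message verifies:", VerifySigned(caPub, cert, msg, sig)) // true

	// Integrity: altering one digit changes the hash, so the old signature no longer matches.
	tampered := []byte("transfer 900 to account 42")
	fmt.Println("digest after tampering:", MessageDigest(tampered))
	fmt.Println("tampered message verifies:", VerifySigned(caPub, cert, tampered, sig)) // false

	// Authentication: a certificate issued by an untrusted CA fails at the certificate check.
	_, rogueCAPriv, _ := ed25519.GenerateKey(rand.Reader)
	rogueCert := IssueCertificate(rogueCAPriv, "alice", alicePub)
	fmt.Println("rogue certificate verifies:", VerifySigned(caPub, rogueCert, msg, sig)) // false
}
```

The three checks in main map onto the notes: the first shows integrity and authenticity holding, the second shows the changed hash defeating the signature, and the third shows why the receiver must validate the CA's signature on the certificate before trusting the public key inside it.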

Description

IAM is a cybersecurity discipline focused on how users access digital resources. IAM systems assign digital identities that are unique to each user. IAM ensures the appropriate users access the right resources and blocks unauthorized access. The purpose of IAM is to prevent unauthorized access.
