Chapter 8 Identity and Access Management

Questions and Answers

What is the preferred method for deprovisioning accounts according to the provided information?

Completing access reviews

Deleting accounts completely (correct)

Archiving inactive accounts

Disabling accounts temporarily

What does 'Just-in-time (JIT)' permissions aim to prevent?

Ongoing access for users when not needed (correct)

Unauthorized access when accounts are disabled

Multiple logins by the same user

Frequent password changes

Which feature of Privileged Access Management (PAM) focuses on managing temporary permissions?

Account provisioning

Access reviews

Just-in-time (JIT) permissions (correct)

Password vaulting

What is a potential risk of simply disabling an account instead of deleting it?

It allows for the possibility of reenabled accounts for attacks Signup and view all the answers

What is the main purpose of password vaulting in a PAM environment?

To allow access to privileged accounts without sharing passwords Signup and view all the answers

Which of the following is NOT a feature associated with Privileged Access Management tools?

Unlimited strength password generation Signup and view all the answers

What primary principle do PAM tools help maintain through their processes?

Principle of least privilege Signup and view all the answers

How do PAM tools improve the auditing process for privileged accounts?

Through detailed reporting and monitoring capabilities Signup and view all the answers

What is the primary focus of NIST regarding password security?

Length as the primary control Signup and view all the answers

Which method is NOT classified as a biometric authentication?

Password entry Signup and view all the answers

Which access control model allows users to control who can access certain resources?

Discretionary access control Signup and view all the answers

What technique is often used by Privileged Access Management systems to better control access?

Just-in-time permissions Signup and view all the answers

Which of the following methods is commonly used for multifactor authentication?

Software tokens Signup and view all the answers

How do password vaults enhance password security?

By providing cryptographically secured storage Signup and view all the answers

What feature is essential for identity verification in authentication?

The use of smartcards, tokens, or certificates Signup and view all the answers

Which of the following is a characteristic of passwordless authentication?

It replaces passwords with secure tokens or applications Signup and view all the answers

What is the primary purpose of password vaulting?

To allow privileged credentials to be checked out and create logged events Signup and view all the answers

What defines an ephemeral account?

A temporary account with a short lifespan for specific purposes Signup and view all the answers

Which access control model relies on a central authority to enforce security policies?

Mandatory Access Control (MAC) Signup and view all the answers

Which of the following best describes authorization in the context of identity and access management?

Providing authenticated users with the rights needed to perform their roles. Signup and view all the answers

In which scenario is Discretionary Access Control (DAC) commonly utilized?

Where file owners can assign permissions as needed Signup and view all the answers

What is a characteristic of Mandatory Access Control (MAC) systems?

Control is enforced based on a security policy Signup and view all the answers

What is the primary function of authentication in identity management?

To prove the identity of a user through various factors. Signup and view all the answers

Which of the following is NOT a benefit of using password vaults?

Providing unlimited access to all users Signup and view all the answers

Which technologies are commonly associated with single sign-on (SSO) solutions?

OAuth, OpenID, and SAML Signup and view all the answers

What is critical for the successful implementation of ephemeral accounts?

Ensuring they are properly deprovisioned after use Signup and view all the answers

How does multifactor authentication enhance security?

By requiring multiple forms of identity verification. Signup and view all the answers

An example of a high-security system that uses Mandatory Access Control is:

SELinux Signup and view all the answers

What is the purpose of accounting policies in user account management?

To define the lockout and disabling conditions for accounts. Signup and view all the answers

Privileged access management is primarily concerned with:

Managing and monitoring the accounts with elevated privileges. Signup and view all the answers

Federation in identity management allows users to:

Reuse the same identity across various relying party locations seamlessly. Signup and view all the answers

What is a potential risk of improperly set filesystem permissions?

Exploitation by attackers to access unauthorized data. Signup and view all the answers

What is the primary focus of privileged access management (PAM)?

Managing privileged accounts and rights Signup and view all the answers

Which access control scheme uses user attributes to determine access rights?

Attribute-based access control (ABAC) Signup and view all the answers

Which method allows users to control access to resources they own?

Discretionary access control (DAC) Signup and view all the answers

Which technique in privileged access management allows temporary access for specific tasks?

Just-in-time permission granting Signup and view all the answers

What distinguishes role-based access control (RBAC) from rule-based access control?

RBAC is based on user roles while rule-based relies on conditions Signup and view all the answers

Which access control model relies on the system administrator to set permissions?

Mandatory access control (MAC) Signup and view all the answers

Which of the following is NOT a component of privileged access management?

Permanent access rights Signup and view all the answers

Which of the following schemes allows for flexible access rights based on predefined rules?

Rule-based access control Signup and view all the answers

Study Notes

Privileged Access Management (PAM)

PAM focuses on managing privileged accounts and their rights through techniques like just-in-time permissions and ephemeral accounts.
Just-in-time (JIT) permissions are granted for specific tasks and revoked afterward to limit ongoing access.
Password vaulting allows users to access privileged accounts without knowing passwords, keeping a logged record of usage.
Ephemeral accounts have a limited lifespan, ideal for temporary access needs, ensuring timely deprovisioning.
PAM tools ensure the principle of least privilege is maintained by limiting privileges to the minimum required for tasks.

Access Control Schemes

Access control schemes determine user rights and include:
- Attribute-based access control (ABAC): Uses user attributes for access determination.
- Role-based access control (RBAC): Assigns permissions based on user roles.
- Rule-based access control: Applies rules for access control, often confused with RBAC.
- Mandatory access control (MAC): Centralized control enforced by the operating system, prevalent in high-security systems.
- Discretionary access control (DAC): Users can grant permissions on objects, commonly used in personal computing.

Account Deprovisioning

Limited deprovisioning may occur when accounts are modified, and it's often more secure to fully remove accounts rather than disable them.
Deleted accounts eliminate risks of unauthorized reactivation, whereas disabled accounts can lead to security vulnerabilities.

Authentication Methods

Multifactor authentication enhances security by combining factors like something you know (password), something you have (token), and something you are (biometric).
Biometric authentication methods, such as fingerprints and facial recognition, can have accuracy issues.
Password best practices have shifted towards emphasizing length over complexity in the context of increasing use of multifactor authentication.

Identity and Access Management

Identity is foundational to security, established through authentication processes that often involve certificates, tokens, and smartcards.
Authorization assigns necessary privileges to authenticated users based on their roles.
A range of account types exists, including guest users, normal users, service accounts, and privileged accounts, each with specific policies governing their use.

Single Sign-On and Federation

Single sign-on (SSO) enables users to log in once and access multiple systems with that identity.
Federation allows users to utilize identities through service providers and relying parties across different platforms without needing separate accounts.
Technologies like RADIUS, LDAP, and SAML facilitate the integration of identity and access management systems.

Filesystem Permissions

Filesystem permissions control access to files, with operations such as read, write, and execute defined for users.
Inadequate or ineffective permission settings can lead to security breaches, like directory traversal attacks.
Secure filesystem permissions are crucial to prevent unauthorized data access and application execution.

Studying That Suits You

Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

Description

Test your knowledge on privileged access management, focusing on accounts, rights, and access control schemes. This quiz covers key concepts like just-in-time permission granting and various access control models including ABAC and RBAC.