--- Last updated: 2021/04/03 17:30 ---

###### tags: `CISSP` `D5`

[TOC]

# Domain 5. Identity and Access Management (IAM)

## 5.1 Control physical and logical access to assets

### Information

### Systems

### Devices

### Facilities

## 5.2 Manage identification and authentication of people, devices, and services

### Identity management implementation

### Single/multi-factor authentication

### Accountability

### Session management

### Registration and proofing of identity

### Federated Identity Management (FIM)

### Credential management systems

## 5.3 Integrate identity as a third-party service

### On-premise

### Cloud

### Federated

## 5.4 Implement and manage authorization mechanisms

### Role Based Access Control (RBAC)

### Rule-based access control

### Mandatory Access Control (MAC)

### Discretionary Access Control (DAC)

### Attribute Based Access Control (ABAC)

## 5.5 Manage the identity and access provisioning lifecycle

### User access review

### System account access review

### Provisioning and deprovisioning

### D5 exam question notes

:::danger
- Capability tables
  ![](https://i.imgur.com/uagZYgc.png)
- Authentication
  ![](https://i.imgur.com/G0cDjZy.png)
- Kerberos
  ![](https://i.imgur.com/VIUMc12.png)
  ![](https://i.imgur.com/6ylRwMt.png)
- Dictionary attack
  ![](https://i.imgur.com/fgwd6Fp.png)
- Drawback of decentralized access control administration: no consistent management
  ![](https://i.imgur.com/cMcasCr.png)
- Kerberos authentication
  ![](https://i.imgur.com/CzMFnrZ.png)
- RADIUS (not an SSO solution)
  ![](https://i.imgur.com/5z2KZeE.png)
- Constrained interface
  ![](https://i.imgur.com/4UtWjGG.png)
- Kerberos
  ![](https://i.imgur.com/tClPH2y.png)
  ![](https://i.imgur.com/jNWacZ8.png)
  ![](https://i.imgur.com/OYhlEy1.png)
- Retina scan issues
  ![](https://i.imgur.com/wJlzl3u.png)
- MAC security controls (lattice-based)
  ![](https://i.imgur.com/HUeHs4X.png)
- RADIUS
  ![](https://i.imgur.com/9VuOB1P.png)
- RADIUS default values
  ![](https://i.imgur.com/QscxbJj.png)
- Resource-based access control
  ![](https://i.imgur.com/NN2gxa9.png)
- Kerberos components
  ![](https://i.imgur.com/dAij2mr.png)
- Privilege creep
  ![](https://i.imgur.com/TvnBDCh.png)
- LDAP notation
  ![](https://i.imgur.com/pkn1yTM.png)
- Biometric data is stored as a reference template
  ![](https://i.imgur.com/9LBKHA5.png)
- Password complexity
  ![](https://i.imgur.com/od1TBNy.png)
- Biometric considerations: accuracy (recognition rate) and enrollment time
  ![](https://i.imgur.com/zmLGdYz.png)
- SAML question set
  ![](https://i.imgur.com/rZvyhTm.png)
- Q1
  ![](https://i.imgur.com/Gw1OZ84.png)
- Q2 architecture
  ![](https://i.imgur.com/fYhKz4z.png)
- Q3
  ![](https://i.imgur.com/WPXgPNh.png)
- DAC is scalable
  ![](https://i.imgur.com/O7nbtbW.png)
- SPML
  ![](https://i.imgur.com/PAhKtHj.png)
- LDAP (port 636 is the default port for LDAPS)
  ![](https://i.imgur.com/J8ZRPRi.png)
- Identity proofing can use information known to both parties
  ![](https://i.imgur.com/rTv5PPh.png)
- OpenLDAP stores passwords in cleartext by default
  ![](https://i.imgur.com/ItqUIn5.png)
- Biometric Type I / Type II errors: Type I = FRR (false rejection rate), Type II = FAR (false acceptance rate)
  ![](https://i.imgur.com/rVdc3Xz.png)
- Password storage
  ![](https://i.imgur.com/Y8RpgVh.png)
- Question types
  ![](https://i.imgur.com/nwvRXR7.png)
- Access control matrix, ACL, capability table
  ![](https://i.imgur.com/uwzcCGl.png)
- Password handling
  ![](https://i.imgur.com/FJi6Kmi.png)
- RADIUS protection
  ![](https://i.imgur.com/MYc3o22.png)
- OAuth provides authorization/authentication integration with cloud services
  ![](https://i.imgur.com/SHxsTya.png)
- CAC (Common Access Card) is a smart card
  ![](https://i.imgur.com/ylpLgK3.png)
- MAC labels: a subject cleared for a given label can only access objects with that label
  ![](https://i.imgur.com/HXeZBR3.png)
- Context-dependent control (time-based controls are also context-dependent)
  ![](https://i.imgur.com/hRIzxe9.png)
- Token (synchronous)
  ![](https://i.imgur.com/aAu08PK.png)
- Token (asynchronous)
  ![](https://i.imgur.com/JrZHVhu.png)
- Biometric device evaluation
  ![](https://i.imgur.com/Pq8f5fN.png)
- Simple Authentication and Security Layer (SASL) provides secure authentication modes for LDAP
  ![](https://i.imgur.com/pt0zzPo.png)
- OpenID
  ![](https://i.imgur.com/JuDrDMo.png)
- RAID is a recovery control
  ![](https://i.imgur.com/lWfbHDq.png)
- RADIUS alternative: Diameter
  ![](https://i.imgur.com/qlGVjTp.png)
- Kerberos: watch for time synchronization issues
  ![](https://i.imgur.com/G6snle4.png)
- Kerberos, KryptoKnight, and SESAME are all SSO systems
  ![](https://i.imgur.com/e9Nd0oF.png)
- LDAP
  ![](https://i.imgur.com/ajWX8at.png)
:::
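The "Capability tables" and "Access control matrix, ACL, capability table" notes above both come down to one idea: an ACL is a column of the access control matrix (one object, all subjects) and a capability table is a row (one subject, all objects). The script below is an added example written for these notes, not material from the original page; the subjects, objects and rights in `MATRIX` are constructed. It also shows the practical consequence for the provisioning lifecycle: deprovisioning a subject touches one capability row but every object's ACL, while retiring an object touches one ACL but every subject's row.

```python
"""Access control matrix viewed as ACLs (columns) and capability tables (rows).

Added example for these CISSP D5 notes; not code from the original page.
The matrix contents are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

Matrix = Dict[str, Dict[str, Set[str]]]

# Constructed access control matrix: subject -> object -> rights.
MATRIX: Matrix = {
    "alice":      {"payroll.db": {"read", "write"}, "hr.doc": {"read"}},
    "bob":        {"payroll.db": {"read"}},
    "svc-backup": {"payroll.db": {"read"}, "hr.doc": {"read"}, "logs/": {"read"}},
}


def acl(matrix: Matrix, obj: str) -> Dict[str, Set[str]]:
    """Column view: the ACL attached to one object (subject -> rights)."""
    return {s: set(rights[obj]) for s, rights in matrix.items() if rights.get(obj)}


def capability_table(matrix: Matrix, subject: str) -> Dict[str, Set[str]]:
    """Row view: the capability table held by one subject (object -> rights)."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items() if r}


def is_allowed(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Reference monitor check: default deny when the cell is empty or missing."""
    return right in matrix.get(subject, {}).get(obj, set())


def deprovision(matrix: Matrix, subject: str) -> Tuple[Matrix, List[str]]:
    """Remove a subject without mutating the input.

    Returns the new matrix and the objects whose ACLs changed: in a
    capability-based system this is one row, in an ACL-based system every
    object the subject could reach must be visited.
    """
    new = {s: {o: set(r) for o, r in rights.items()}
           for s, rights in matrix.items() if s != subject}
    return new, sorted(matrix.get(subject, {}))


def retire_object(matrix: Matrix, obj: str) -> Tuple[Matrix, List[str]]:
    """Remove an object without mutating the input.

    Returns the new matrix and the subjects whose capability rows changed:
    one ACL disappears, but every holder of a capability must be visited.
    """
    touched = [s for s, rights in matrix.items() if obj in rights]
    new = {s: {o: set(r) for o, r in rights.items() if o != obj}
           for s, rights in matrix.items()}
    return new, touched


if __name__ == "__main__":
    print("ACL for hr.doc:", acl(MATRIX, "hr.doc"))
    print("Capabilities of bob:", capability_table(MATRIX, "bob"))
    print("bob write payroll.db?", is_allowed(MATRIX, "bob", "payroll.db", "write"))
    print("Deprovision svc-backup touches ACLs of:", deprovision(MATRIX, "svc-backup")[1])
    print("Retire payroll.db touches rows of:", retire_object(MATRIX, "payroll.db")[1])
```

The two revocation functions are the point of the exercise: user access review and deprovisioning are cheap when you hold the row (capability view), while retiring or re-classifying an object is cheap when you hold the column (ACL view). Privilege creep is what accumulates in the rows when nobody runs the review.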
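The "Biometric Type I / Type II errors" and "Biometric device evaluation" notes above are easier to remember once you have computed the rates yourself: FRR (Type I) is the share of genuine users rejected, FAR (Type II) is the share of impostors accepted, and the crossover error rate (CER/EER) is the threshold where the two meet. The script below is an added example for these notes, not from the original page; the genuine and impostor match scores are constructed, not from any real sensor.

```python
"""FRR (Type I), FAR (Type II) and the crossover error rate for a biometric device.

Added example for these CISSP D5 notes; not code from the original page.
The match scores are constructed for illustration.
"""
from typing import Iterable, Sequence, Tuple

# Constructed similarity scores on a 0-100 scale. Higher means the live sample
# looks more like the enrolled reference template.
#   genuine  = legitimate users compared against their own template
#   impostor = other people compared against that template
GENUINE_SCORES = [88, 91, 76, 83, 95, 70, 79, 85, 90, 74]
IMPOSTOR_SCORES = [40, 55, 62, 35, 71, 48, 58, 66, 44, 52]


def frr(genuine: Sequence[float], threshold: float) -> float:
    """Type I error: fraction of genuine attempts rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor: Sequence[float], threshold: float) -> float:
    """Type II error: fraction of impostor attempts accepted (score at/above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover(genuine: Sequence[float], impostor: Sequence[float],
              thresholds: Iterable[float]) -> Tuple[float, float, float]:
    """Return (threshold, FRR, FAR) where |FRR - FAR| is smallest: the CER/EER.

    A lower CER means a more accurate device, which is the usual comparison
    metric when evaluating biometric products.
    """
    best = None
    for t in thresholds:
        a, b = frr(genuine, t), far(impostor, t)
        if best is None or abs(a - b) < abs(best[1] - best[2]):
            best = (t, a, b)
    return best


if __name__ == "__main__":
    # Tightening the threshold trades FAR (security) against FRR (usability).
    for t in (60, 71, 80):
        print(f"threshold={t:3d}  FRR={frr(GENUINE_SCORES, t):.2f}  "
              f"FAR={far(IMPOSTOR_SCORES, t):.2f}")
    print("crossover (threshold, FRR, FAR):",
          crossover(GENUINE_SCORES, IMPOSTOR_SCORES, range(30, 101)))
```

For the exam: raising the threshold lowers FAR and raises FRR, lowering it does the opposite, and the CER is the single number used to compare devices. Operationally, a facility protecting a data centre would sit the threshold above the CER (accept more false rejections), while a convenience deployment might sit below it.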