Image of a woman looking for data on her phone used on cissp domain 5-identety and access management - Destination Certification

November 9, 2023

Identity and Access Management comprises 13% of the CISSP exam. Domain 5 helps security professionals understand how they can control the way assets are accessed. Securing access control and management is needed to comply with the requirements of Confidentiality, Integrity, and Availability.

Having control over who has access to systems and information and the authorization mechanisms implemented in an organization is one of the most critical pillars of cybersecurity—for obvious reasons!

CISSP Domain 5: Identity and Access Management (IAM) addresses the following subdomains:

5.1. Control physical and logical access to assets

5.2. Manage identification and authentication of people, devices, and services

5.3. Federated identity with a third-party service

5.4. Implement and manage authorization mechanisms

5.5. Manage the identity and access provisioning lifecycle

5.6. Implement authentication systems

IAM helps organizations manage digital identities with the necessary technology to improve the end user experience, cost control, and risk mitigation. Let's have a look at the 5th domain's subdomains and key concepts you will need to know to pass the CISSP exam successfully.

5.1. Control physical and logical access to assets

Access control

What is access control?

Access control refers to the mechanisms that work together to protect organizational assets while simultaneously allowing controlled access to authorized subjects. Fundamental access control principles include: need to know, least privilege, and separation of duties. Access control is applicable at all levels of an organization and covers all types of assets.

Access control enables management to:

  • Specify which users can access the system

  • Specify what resources they can access

  • Specify what operations they can perform

  • Provide individual accountability—know who is doing what

Expect to be tested on: Understanding the fundamental access control principles and how they might be applied.

Access control principles

The fundamental access control principles are applied everywhere within access control:

Need to Know

Least Privilege

Separation of Duties

Defending sensitive assets by restricting access to only required personnel who require access

Defending sensitive assets by granting only the minimum permissions required by the user or system

Defending sensitive assets by requiring more than one person to complete a task, to prevent errors and fraud.

Access control applicability

Access control includes all aspects and levels of an organization and covers all types of assets, including:

  • Facilities
  • Systems/Devices
  • Information
  • Personnel
  • Applications

Access control system

Access control focuses on controlling a subject's access to an object through some form of mediation, which is based upon a set of rules.

The above point to the use of the RMC, or Reference Monitor Concept, where some type of rules-based decision-making tool is placed between subjects and objects to mediate access. All activity is logged and monitored for the sake of accountability and assurance. And any implementation of the RMC is known as a security kernel.

Image of reference monitoring concept, as well called RMC on cissp domain - Destination Certification
Image of reference monitoring concept, as well called RMC on cissp domain 5 - Destination Certification

Logical access modes

  • Access control is more granular than simply allowing subjects to access objects.

  • Access control rules allow the access control mechanism to be much more granular.

  • Specific access rules allow precision concerning what subjects can access what objects and exactly what those subjects can do with those objects.

  • Access should be based on the use of concepts like need to know and least privilege.

Administration approaches

Access control administration often takes one of two approaches: centralized or decentralized. Many organizations also utilize a hybrid approach. Both offer pros and cons.

Expect to be tested on: Understanding access control administration approaches and the pros and cons of each approach.




  • One central system controls access to remote systems
  • Approach taken by most organizations, and it means access control utilizes both approaches (centralized and decentralized)
  • Control is granted to the people closest to the resource
  • One username and password in the central system used to access all systems
  • This is often due to legacy systems in an organization that can't be integrated with newer, more modern access control systems
  • Access requests are not processed by one centralized entity; separate usernames and passwords exist on each resource
  • Central administrative point represents a single point of failure and potential target of attack
  • Lack of standardization, overlapping rights, and security holes may exist
  • Peer-to-peer relationship

5.2. Manage identification and authentication of people, devices, and services

Access control services

  • Access control services consist of identification, authentication, authorization, and accountability.Identification refers to the assertion of a user's identity or a process to a system.
  • Authentication refers to the verification of identity through knowledge, ownership, or characteristic.
  • Authorization refers to the level of access defined for the identified and authenticated user or process.
  • Accountability refers to proper identification, authentication, and authorization that is logged and monitored. It's also known as the principle of access control.
image of access control services on cissp domain 5 - Destination Certification
Image of access control services on cissp domain 5 - Destination Certification


Identification is the component of access control services that uniquely asserts a user's identity or a process to a system. Identification guidelines include unique identifiers, nondescriptive of job/role and secure issuance.

Expect to be tested on: Identification as the first component of access control services, identification methods, and guidelines.


There are three factors that can be used to verify a user's identity regarding authentication.

Authentication by knowledge

Authentication by ownership

Authentication by characteristic

Something you know

Something you have

How you behave or your physiology; something you are

Authentication by knowledge

Authentication by knowledge is the component of access control services that refers to verifying identity through something known, like a password, passphrase, or questions.

It is also known as something you know; it simply means that a person uses a password, a passphrase, or a response to one or more security questions to authenticate to a system.

Ideally, whether a password, passphrase, or questions are used, each should be unique to the user and not easily guessed or otherwise determined.

Expect to be tested on:

  • Authentication by knowledge as one type of authentication.
  • Different forms of authentication by knowledge.

Authentication by ownership

Authentication by ownership is the component of Access Control Services that refers to the verification of identity through something a user possesses. These are some of the key concepts:

  • One-Time Passwords (OTP) are generated via synchronous or asynchronous processes.
  • Soft tokens refer to software-based applications, like Google Authenticator, that generate one-time passwords.
  • Hard tokens refer to small physical tokens, like RSA's SecureID device, that generate one-time passwords.
  • Smart cards are typically credit-card-size plastic cards with an embedded semiconductor chip that stores, accepts, and sends information; they work in collaboration with a smart card reader.
  • Memory cards are typically credit-card-size plastic cards with a narrow magnetic strip on the back of that card that contains information related to the card owner, issuing bank, account number, PIN, etc.

Expect to be tested on:

  • Authentication by ownership as another type of authentication.
  • Understanding the difference between asynchronous and synchronous password generation
  • Understanding the differences between smart and memory cards
Image of one time password asynchronous on cissp domain 5 - Destination Certification
Image of one time password asynchronous on cissp domain 5 - Destination Certification

One-time passwords:


(less commonly used)

Image of one time password synchronous on cissp domain 5 - Destination Certification
Image of one time password synchronous on cissp domain 5 - Destination Certification

One-time passwords:


(more commonly used)

Authentication by characteristics

Authentication by characteristics refers to physiological and behavioral biometric types. The accuracy of biometric devices can vary and is not always 100 percent accurate. Their use must consider processing speed, user acceptance, protection of biometric data, and accuracy.

In addition, Crossover Error Rate (CER) represents the intersection between Type 1 (false reject) and Type 2 (false acceptance) errors, and it measures the accuracy of a biometric system.

Expect to be tested on:

  • Biometric error types and which is worse
  • Crossover error rate and what it represents
  • Biometric device types and least/most accurate

Physiological and behavioral authentication types

Physiological characteristics

Behavioral characteristics


The way a person writes

Hand geometry

The way a person walks—their gait

Facial features

The way a person speaks—their voice

Eyes (retina and iris)

The way a person types—keyboard dynamics

Biometric device considerations

Due to the nature of how biometric authentication works, factors like the ones noted below must be considered:

  • Processing speed
  • User acceptance
  • Protection of biometric data
  • Accuracy

Biometric device accuracy/types of errors

They're not always 100% accurate. The same cannot be said of a system that uses physiological or behavioral attributes for authentication. When considering biometric systems and their accuracy, two primary types of errors need to be understood:

Type 1—False Rejection

Type 2—False Acceptance

A valid user is falsely rejected by the system

An invalid user is given access to a system


Much more serious and potentially dangerous situation

Type 2 errors are much more dangerous than Type 1 errors.

Crossover Error Rate (CER)

When Type 1 (false reject errors) are low, Type 2 (false accept errors are high) and vice versa. The intersection of the two error plots is what's known as the Crossover Error Rate (CER).

The crossover error rate is a useful metric for biometric systems because it's a way to measure the system's overall accuracy. A number closer to zero means the system is more accurate.

Image of cross error rate (CER) on cissp domain 5 - Destination Certification
Image of cross error rate (CER) on cissp domain 5 - Destination Certification

Biometric templates

If someone's password is exposed, they can just change their password and memorize the new password. However, if their biometric data is exposed, they can't just grow a new finger or eyeball.

Accordingly, raw or original biometric data should never be stored, such as a simple picture of a fingerprint. Instead, good biometric systems will use one-way mathematical functions to create a representation of the features or characteristics of the source data. This digital representation is called a template.

Factors of authentication

  • Factors of authentication refer to the three types of authentication: authentication by knowledge, authentication by ownership, and authentication by characteristic.
  • Single-factor authentication refers to any of the three types of authentication used.
  • Multifactor Authentication (MFA) refers to two (or more) of the three types of authentication being used.

Expect to be tested on: Understanding the difference between single-factor authentication and multifactor authentication and what constitutes each type.


One of the major SSO authentication protocols is known as Kerberos. Drawing from the myth, Kerberos protects access to resources and provides three primary functionalities:

  • Accounting

  • Authentication

  • Auditing

Kerberos is an old and complicated protocol; thankfully, you do not need to be an expert on how the protocol works for the exam. This is a simplified description of the major steps in the Kerberos authentication process:

Image of kerberos protocol on cissp domain 5 -Destination Certification
Image of kerberos protocol on cissp domain 5 -Destination Certification

📺 You can learn more about Kerberos in our in-depth explanation video.


Secure European System for Applications in a Multi-Vendor Environment, better known as SESAME, is an improved version of Kerberos. Like Kerberos, SESAME is a protocol for enabling single sign-on.

Also, one of the big advantages of SESAME over Kerberos is that it supports symmetric and asymmetric cryptography, so it naturally solves the problem of key distribution.

Even though SESAME is a better protocol, Kerberos is far more prevalent because it's built into many prevalent systems, including the Windows operating systems, macOS, and various Linux and Unix distros.


CAPTCHA is a security measure that works by asking a user—typically a visitor to a website or portal—to complete a simple test to prove they're human and not a robot or automated program. It is used to prevent automated account creation, spam, and brute-force password decryption attacks.

Expect to be tested on: Understand what CAPTCHA is and why it is most often used.

Session management

Session management refers to the management of sessions created through successful user identification, authentication, and authorization process. A session represents the connection and interaction between a user and a system.

Session hijacking is a risk where no session management exists, and session termination and re-authentication is the best way to prevent or mitigate session hijacking.

Expect to be tested on:

  • What is session hijacking?

  • How can session hijacking be prevented?

Image of session management on cissp domain 5 - Destination Certification
Image of session management on cissp domain 5 - Destination Certification

Session hijacking

Through simple carelessness or sophisticated technical means, somebody other than a legitimate user could gain access to a session and use it for malicious purposes.

How do you prevent session hijacking?

The preventive measure for session hijacking is session termination, which is an important component of session management. There are several major ways exist to terminate a session. The primary and best way to prevent session hijacking is through frequent re-authentication.

Additionally, a user is continually re-authenticated by the system in a manner that is transparent to the user. That makes it much more difficult for an attacker to compromise a user's active session.

Registration and proofing of identity

Identity proofing—registration—is the process of confirming or establishing that somebody is who they claim to be. It is a component of provisioning in the identity life cycle.

Authenticator Assurance Levels (AAL)

Authenticator Assurance Levels (AAL) refer to the strength of authentication processes and systems.

AAL levels rank from AAL1 (least robust) to AAL3 (most robust).


  • Some assurance
  • Single-factor authentication
  • Secure Authentication protocol


  • High confidence
  • Multifactor authentication
  • Secure Authentication protocol
  • Approved cryptographic techniques


  • Very high confidence
  • Multifactor authentication
  • "Hard" cryptographic authenticator providing proof of possession of key and impersonation resistance

Federated Identity Management (FIM)

Single sign-on refers to one-time authentication to gain access to multiple systems in one organization; federated identity management (FIM) refers to one-time authentication to gain access to multiple systems, including systems associated with other organizations. It relies on trust relationships established between different entities, including principal/user, identity provider, and relying party:

  • Principal/user. The person who wants to access a system.
  • Identity provider. The entity that owns the identity and performs the authentication.
  • The relying party is also known as the service provider.
Image of federated identity management-FIM on cissp domain 5 -Destination Certification
Image of federated identity management-FIM on cissp domain 5 -Destination Certification

Federated access standards

Key Federated Access protocols include Security Assertion Markup Language (SAML), WS-Federation, OpenID (for authentication), and OAuth (for authorization):

SAML is frequently used in Federated Identity Management (FIM) solutions and provides authentication and authorization. SAML assertions are written in XML or Extensible Markup Language. XML is a way of communicating in a manner that is machine and human-readable.

OpenID and OAuth are open-standard federated access protocols that provide authentication via OpenID and authorization via OAuth.

Several major protocols enable federated access, with Security Assertion Markup Language (SAML) being one of the most important to understand. WS-Federation, OpenID, and OAuth are the others that should be known at a high level.

image of federated access standards on cissp domain 5 - Destination Certification
Image of federated access standards on cissp domain 5 - Destination Certification

Security Assertion Markup Language (SAML)

SAML provides two capabilities: authentication and authorization.

  1. First, the user (principal) must authenticate via the identity provider.

  2. The identity provider will authenticate the user through the process of identification and authentication, at which point the user will be issued a SAML assertion ticket.

  3. Once the SAML assertion ticket is provided to the user, the user will pass it on to the service provider.

These are SAML's key components:




Authentication, authorization, and other attributes


Defines how entities request and respond to requests


Mapping of SAML onto standard communication protocols (ex: HTTP)


Define how SAML can be used for different business use cases (ex: Web SSO, LDAP, etc.)

Accountability = principle of access control

To achieve accountability, several things need to happen:

  1. Users must be uniquely identified
  2. Users must be properly authenticated
  3. Users must be properly authorized
  4. All actions should be logged and monitored

Just-in-time (JIT) Access

Just-in-time access refers to the elevation of user privileges to an authorized user for a short period, so a user may complete necessary but infrequent tasks.

It mitigates the need for long-term elevation of privileges, which minimizes potential security risks. The way it is set up and administered oftentimes allows for access to be granted in an automated fashion versus a manual process.

5.3 Federated identity with a third-party service

Identity as a Service (IDaaS)

Identity as a Service (IDaaS) refers to the implementation or integration of identity services in a cloud-based environment.

IDaaS has a variety of capabilities, which are:

  • Provisioning
  • Administration
  • Single Sign-on (SSO)
  • Multifactor authentication (MFA)
  • Directory Services
  • On-premise and in the Cloud

It supports multiple types of identities/accounts: cloud identity, synced identity, linked identities, and federated identity.


Account Stored

Authentication by

Cloud Identity

Created and managed in the cloud

Cloud service

Synced Identity

Created and managed in a local store (e.g., active directory) and synced/copied to the cloud or vice versa

Either local or cloud

Linked Identities

Two separate accounts which are linked. For example: one account in a local store and a second account in the cloud service

Either local or cloud

Federated Identity

Identity Provider

Identity Provider

Identity and Access Management Solutions

Identity and Access Management (IAM) solutions can use any of these three models: on-premise, cloud, and hybrid.


  • Systems controlled by a private organization
  • They are not reliant on the internet to function
  • Are typically very secure


  • Service and systems provided by a cloud service provider
  • Using Federated Identity protocols (like SAML), organization user identities and credentials can be used
  • Can be subject to availability risks as well as security risks due to the multitenant nature of the public cloud


  • Hybrid IAM solutions combine the best features of on-premises and cloud and offer the most flexibility for a dynamic and growing organization

IDaaS risks

The following are potential risks relating to IDaaS:

  • Availability of the service. If the cloud service provider suffers an outage or the service is otherwise unavailable, the users will be unable to access systems.
  • Protection of critical identity data. PII and other sensitive data will be under the control of the cloud service provider. That means adequate protection of data is based on protection mechanisms the provider has available.
  • Entrusting a third party with sensitive or proprietary data. Based on the identity data shared with the cloud service provider, other information about the organization might also be gained. Protections need to be in place to protect against this information from being leaked or shared with any unauthorized parties.
Personal CISSP Mentoring call ad - Destination Certification

5.4 Implement and manage authorization mechanisms

Within the realm of authorization, a number of different philosophies and methodologies exist, and these can be broadly categorized as discretionary, mandatory, and non-discretionary. Their main characteristics are illustrated in the following table:

Discretionary Access Control (DAC)

  • Owner determines access rules

Role-Based Access Control (RBAC)

  • Access to resources is based on user roles (e.g., firewall administrator or accounts payable clerk)

Rule-Based Access Control

  • Access to resources is based on a set of rules (e.g., an Access Control List, ACL)

Attribute-Based Access Control

  • Access to resources is based on user attributes (e.g., OS, browser version, IP address)

Mandatory Access Control (MAC)

  • System determines access rules based on labels

Risk-Based Access Control

  • Considers elements of a user connection (IP address, time of access request) to determine a risk profile associated with the request. Based on the result, further authentication challenges may be presented to the user.

Discretionary Access Control (DAC)

Discretionary Access Control (DAC) means an asset owner determines who can access the asset; access is given at the discretion of the owner. In other words, it means somebody determines who can access an asset. That somebody is the owner.

Image of discretionary access control-DAC on cissp domain 5 - Destination Certification
Image of discretionary access control-DAC on cissp domain 5 - Destination Certification

Three primary types of DAC exist: rule-based access control, role-based access control, and attribute-based access control.

Within the realm of discretionary access control, three primary types of DAC exist:

  1. Rule-Based Access Control: Access to an object by a given subject is based upon one or more rules determined by the owner.
  2. Role-Based Access Control (RBAC): Access to an object by a given subject is based upon the role or job function and related authorizations needed to perform duties.
  3. Attribute-Based Access Control: Access to an object by a subject is much more granularly controlled and based upon attributes, such as job function, type of device being used to access the object, time of day, classification of the asset, and so on.

Mandatory Access Control (MAC)

Mandatory Access Control is very rare to see in use and only typically used in government organizations, where confidentiality is often of primary importance, requiring every asset in an organization to have a classification and every user to be assigned a clearance level. It determines access based upon the clearance level of the subject and classification, or sensitivity, of the object.

Image of mandatory access control-MAC on cissp domain 5 - Destination Certification
Image of mandatory access control-MAC on cissp domain 5 - Destination Certification

The system itself makes access control decisions based upon the classification of the objects being accessed and the clearance of the subject requesting access. In a MAC environment, every single object should be classified with a specific classification label, e.g., public, secret, top secret, and so on. Correspondingly, all users should have a security clearance that aligns with the classification system used for objects. Within this framework, access will then be granted or denied accordingly.

Non-discretionary access control

Non-discretionary Access Control means that somebody other than the asset owner determines who gets access. It should be avoided, if possible. Although this isn't a security best practice, it's an existing working practice in many companies and leads to someone in the IT department.

Image for non-discretionary access control on cissp domain 5 - Destination Certification
Image for non-discretionary access control on cissp domain 5 - Destination Certification

Additionally, situations may exist where the owner (accountable) delegates responsibility of access control to areas like IT, but then the owner doesn't offer input with regard to who should be given access.

5.5 Manage the identity and access provisioning life cycle

Vendor access

Vendor identity and access provisioning for systems and data should be considered with the same or more care than employee identity and access provisioning. It might also include a security review component that includes a deeper review of the vendor or inspection of a vendor's facilities, systems, and other relationships.

Identity life cycle

The identity life cycle comprises three parts: provisioning, review, and revocation.

  • Provisioning: upon hire of a new employee and when an employee changes roles. Provisioning activities include background checks, confirming skills, and identity proofing, among other things.
  • Review (also known as user access review): should take place as often as necessary and more frequently for higher privilege accounts. Assets and systems to which a user has access should be reviewed by the asset or system owner to determine if ongoing access is necessary or if access should be modified.
  • Revocation: upon voluntary or involuntary termination. It typically takes place when an employee leaves the organization, through voluntary or involuntary separation, but it can also take place when an employee changes role.
Image of identity life cycle on cissp domain 5 - Destination Certification
Image of identity life cycle on cissp domain 5 - Destination Certification

User access review

Account access review is an ongoing process, regardless of the type of account (user, system, service), and its frequency should be based upon the value of resources and associated risks. However, privileged accounts should be reviewed more frequently.

How often should access reviews be performed?

In the case of a user changing roles, their access should be reviewed at the time of the change. New access should be granted as needed, and any access that is not needed should be removed. Of course, access should always be reviewed and approved by the owner. When someone leaves the company (through voluntary or involuntary termination), that user's access should be reviewed, and in most cases, all access should be removed.

Privilege escalation

In addition to more frequent reviews of privileged accounts, a recommended security practice is for system administrators (users with admin, root, and similar privileges) to only use their privileged accounts when strictly necessary.

Privileged users should utilize two accounts. They should use a standard user account for regular business purposes, such as checking email, participating in meetings, and so on, and they should use a separate account with elevated privileges only when performing administrative tasks that require a higher level of access.

5.6. Implement authentication systems

Authentication systems

Authentication systems are used to prove or verify an identity or system assertion. Popular authentication systems include:

  • OpenID Connect (OIDC)/Open Authorization (OAuth)
  • Security Assertion Markup Language (SAML)
  • Kerberos
  • Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+)

OAuth is an access delegation standard that target applications can use to provide client applications with secure delegated access over HTTPS. It authorizes devices, APIs, servers, and applications with access tokens rather than credentials.

On the other hand, OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end user and obtain basic user profile information. While OAuth 2.0 is about resource access and sharing, OIDC is about user authentication.