top of page
Search

Security+: Given a Scenario, Implement Identity and Account Management Controls

  • Writer: Tony Stiles
    Tony Stiles
  • Jun 20, 2024
  • 3 min read

Given a Scenario, Implement Identity and Account Management Controls



Identity

Identity refers to the unique characteristics and traits that identify an individual or entity within a system or environment. In information security, identity and account management controls are used to ensure that only authorized individuals or entities are granted access to resources and data within a system.


Some related concepts in this domain include:

  • Identity provider (IdP): An entity that creates, maintains, and manages digital identities for users within a system. IdPs are responsible for issuing authentication credentials and managing user access rights.

  • Attributes: Characteristics or properties of a user's digital identity, such as their name, email address, role, group membership, etc. Attributes are used to define access policies and control user access to resources.

  • Certificates: Digital documents used to verify the identity of an entity, such as a user or a device. Certificates are issued by a trusted authority and are used to authenticate users and encrypt communications.

  • Tokens: Small pieces of data that are used to authenticate a user's identity. Tokens can be physical (such as a smart card or a USB key) or digital (such as a software token or a mobile app).

  • SSH keys: Secure Shell (SSH) keys are used for secure remote access to systems and resources. SSH keys provide a way to authenticate the identity of the user or device requesting access.

  • Smart cards: Physical tokens that store digital certificates and are used for authentication and access control. Smart cards typically require a user to enter a PIN to unlock the card and access its contents.


Account Types

Account types refer to the different types of accounts that exist within an organization's IT environment. Here are some common types of accounts:

  • User account: A user account is assigned to an individual user and provides access to specific resources, applications, and services based on the user's job role and responsibilities.

  • Shared and generic accounts/credentials: Shared accounts are used by multiple users, typically for accessing common resources such as a shared mailbox or a team collaboration tool. Generic accounts, on the other hand, are used for non-human entities such as applications or system services.

  • Guest accounts: Guest accounts are temporary accounts created for individuals who do not have a permanent role in the organization, such as contractors or vendors. These accounts have limited access and are typically time-limited.

  • Service accounts: Service accounts are used by applications or services to access other resources on the network. These accounts are often automated and have their own set of credentials.

In addition to account types, identity and account management also involve managing various aspects of these accounts, such as authentication, authorization, and access control. It also involves managing the lifecycle of these accounts, such as creation, modification, and termination.


Account Policies

Account policies are a set of rules and guidelines designed to manage user and account security within an organization. The policies cover various aspects of account management, such as access controls, password complexity, and account audits, among others.


Here are some of the topics covered by account policies:

  • Password complexity: This policy requires users to create complex and strong passwords that are difficult to guess or crack. A strong password typically contains a mix of upper and lowercase letters, numbers, and special characters.

  • Password history: This policy prevents users from reusing their previous passwords when creating a new password.

  • Password reuse: This policy prevents users from reusing the same password for multiple accounts or systems.

  • Network location: This policy restricts user access to certain network resources based on their location.

  • Geofencing: This policy defines geographical boundaries and restricts access to certain resources based on the user's location.

  • Geotagging: This policy tags user's location information into digital media.

  • Geolocation: This policy uses the location of the user's device to verify their identity and determine their access rights.

  • Time-based logins: This policy restricts user access to certain resources based on the time of day or day of the week.

  • Access policies: This policy defines user access rights to certain resources based on their role or job function.

  • Account permissions: This policy specifies the level of access users have to certain resources or systems.

  • Account audits: This policy requires periodic reviews of user accounts to ensure they are still necessary and have the appropriate level of access.

  • Impossible travel time/risky login: This policy detects and flags login attempts from locations that are impossible for the user to reach within a certain time frame, or from devices that are not recognized as belonging to the user.

  • Lockout: This policy automatically locks out user accounts after a certain number of failed login attempts to prevent unauthorized access.

  • Disablement: This policy automatically disables or deletes user accounts that are no longer needed or pose a security risk.

bottom of page