SecurITyCerts dot Org


CISSP Acronym Edge: CISSP Study & Review Guide December 2016+


Domain 5: Identity and Access Management

Get a PDF of The CISSP Acronym Edge: CISSP Study & Review Guide - signup below & I'll send it to you.

Identity – Who an entity claims they are. “I am Ted Demopoulos.”

Authentication – Proving an identity, for example by showing a government issued ID or entering a correct password or biometrics.

AAA – Authentication, Authorization, and Accountability.

OTP – One-Time Passwords, for example generated by a hardware token like RSA SecurID or by software like S/KEY.

FRR – False Reject Rate. In biometric systems, the FRR is the percentage of authentic users who are denied access. It is also known as Type I Error (pronounced as “type one error”). I remember it as Type I as it is not as bad as Type II, below.

FAR – False Accept Rate. In biometric systems, Type II Error (pronounced as “type two error”) is the percentage of fake or unenrolled users allowed access. I remember it as Type II as it is worse than Type I (of course the requirements of the system are an issue, but in general it is worse).

CER – Crossover Error Rate. A biometric system can be tuned to minimize FAR or FRR. The CER is when a system is tuned so that the FAR and FRR are the same, and is used as a metric to indicate the overall accuracy of the biometric system.
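A worked example of the FAR/FRR trade-off described above, added here and not part of the original guide. The match scores are constructed sample data; the assumed (hypothetical) matcher returns a similarity score per attempt and accepts an attempt when the score meets the threshold. Sweeping the threshold shows FRR (Type I) rising as FAR (Type II) falls, locates the crossover (CER), and shows what a "zero false accepts" tuning costs in rejected genuine users.

```python
"""Worked FAR / FRR / CER calculation over constructed biometric match scores.

Assumption (hypothetical, for illustration): the matcher emits a similarity
score in [0, 1] per attempt, and an attempt is ACCEPTED when score >= threshold.
"""

# Constructed sample data: match scores from 10 legitimate (enrolled) users
# and 10 impostor / unenrolled attempts. Higher score = stronger match.
GENUINE = [0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.50, 0.40]
IMPOSTOR = [0.10, 0.20, 0.30, 0.35, 0.40, 0.45, 0.50, 0.52, 0.58, 0.62]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) at a given accept threshold.

    FRR (Type I error): share of genuine users whose score falls below the
    threshold and who are therefore wrongly rejected.
    FAR (Type II error): share of impostors whose score reaches the threshold
    and who are therefore wrongly accepted.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return far, frr


def candidate_thresholds(genuine, impostor):
    """Every distinct observed score is a threshold worth evaluating."""
    return sorted(set(genuine) | set(impostor))


def crossover_error_rate(genuine, impostor):
    """Find the threshold where FAR and FRR meet (or come closest).

    Returns (threshold, cer), where cer is the mean of FAR and FRR at that
    point; when the two are exactly equal, cer is simply that shared value.
    """
    def gap(t):
        far, frr = far_frr(genuine, impostor, t)
        return abs(far - frr), t          # tie-break on the lower threshold

    best_t = min(candidate_thresholds(genuine, impostor), key=gap)
    far, frr = far_frr(genuine, impostor, best_t)
    return best_t, (far + frr) / 2


def threshold_for_max_far(genuine, impostor, max_far):
    """Tune for security: the lowest threshold whose FAR does not exceed max_far.

    Returns (threshold, frr) so the price paid in false rejections is visible.
    """
    for t in candidate_thresholds(genuine, impostor):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    # No observed score keeps FAR low enough: only rejecting everything does.
    return float("inf"), 1.0


if __name__ == "__main__":
    for t in (0.50, 0.55, 0.60):
        far, frr = far_frr(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FAR={far:.0%} FRR={frr:.0%}")
    t, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER: {cer:.0%} at threshold {t:.2f}")
    t, frr = threshold_for_max_far(GENUINE, IMPOSTOR, max_far=0.0)
    print(f"zero false accepts needs threshold {t:.2f}, costing FRR={frr:.0%}")
```

With this data the CER sits at threshold 0.55 (FAR = FRR = 20%), while forcing FAR to zero pushes the threshold to 0.65 and rejects 40% of genuine users, which is the trade-off the CER metric summarises in a single number.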

Enrollment Time – In biometric systems, how long it takes to initially enter a user into the system. In enrollment, information about the user is captured and entered into the system. An enrollment time of 2 minutes is considered acceptable.

Throughput Time – After enrollment, how long it takes to identify or authenticate a user. 6 to 10 seconds per user, or 10 to 6 users per minute, is considered standard and acceptable.

SSO – Single Sign On.

KDC – Key Distribution Center. In the Kerberos Authentication System, the KDC is essentially a login server that knows everyone’s password (or “secret key”) and issues login credentials, known as TGTs.

TGT – Ticket Granting Ticket. Kerberos issues a TGT when a user first logs in. It is sent to the user encrypted under a secret key derived from their password; if they entered their password correctly, the TGT decrypts and their login succeeds.

SESAME – Secure European System for Applications in a Multi-Vendor Environment. Kerberos is seen by ISC2 as USA centric, as it was developed at MIT in Massachusetts. SESAME is the same idea, but considered international by ISC2 (European somehow equals international). Kerberos uses tickets and symmetric encryption, SESAME uses Privilege Attribute Certificates or PACs and both symmetric and asymmetric encryption. This conveniently avoids the issue that SESAME never took off or was widely implemented at all, and essentially doesn’t exist anymore (yes, I’m aware there is a smidgen of legacy use at Master Card, but really, who cares?).

PAC – Privilege Attribute Certificate. Again, SESAME uses PACs, while Kerberos uses tickets.

LDAP – Lightweight Directory Access Protocol. Although a protocol, LDAP is commonly used to refer to directory services/databases that support this protocol.

Federated IdM – Federated Identity Management. Single Sign On (SSO) usually refers to identity management across an enterprise. Federated Identity Management refers to identity management across enterprises. Two main Federated Identity Management standards are OpenID and SAML.

OpenID – An “open and decentralized identity system” which is considered consumer oriented (but which doesn’t have to be). For example, Google, Yahoo!, Facebook, and WordPress use OpenID.

IdP – Identity Provider. An OpenID and SAML term that refers to an online service such as a Web site that provides identity information and authenticates users.

RP – Relying Party. An OpenID term. Sites that can use identity information from Identity Providers.

SAML – Security Assertion Markup Language. A standards-based approach that allows leveraging authentication across multiple disparate identity providers. Can also be used for authorization.

SP – Service Provider. A SAML term that refers to applications that can use identity and authentication information from Identity Providers.

IDaaS – Identity as a Service (IaaS, Infrastructure as a Service, was already taken).

DAC – Discretionary Access Control. A system where access to a resource is at the discretion of its owner, as well as of administrators. For example, Windows is a DAC system: if you own a file, you can give rights to other users, and an administrator can also give rights to users. When you think DAC, think consumer and most commercial systems.

MAC – Mandatory Access Control. A MAC system is one where access control is based on labels (such as security classifications and clearances), enforced by the system, and cannot be overridden. If you think of government systems with classified data on them, you have the right idea. Ordinary operating systems like Windows, Unix, and Linux are not MAC. There are MAC versions of Unix and Linux.

RBAC – Role Based Access Control. A system where access is based on what roles you have. In reality, these roles are usually mapped to operating system groups, so the access or rights you have are determined by what groups you belong to.
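A toy policy engine contrasting the three models above (DAC, MAC, RBAC), added here as an illustration and not taken from the original guide or any real operating system. The users, labels, roles and the `root` administrator set are all constructed; the MAC check is a simple "no read up" comparison of clearance against classification. The point it makes explicit: under DAC the owner (or an administrator) can hand out rights, under MAC a discretionary grant is still denied when the labels say no, and under RBAC the decision is made from role (group) membership alone.

```python
"""Toy policy engine contrasting DAC, MAC and RBAC decisions (constructed example)."""
from dataclasses import dataclass, field

# MAC: ordered labels. A subject may read an object only when the subject's
# clearance is at least the object's classification ("no read up").
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

ADMINS = {"root"}  # constructed: administrators may edit any ACL under DAC


@dataclass
class Resource:
    name: str
    owner: str
    label: str                                   # MAC classification label
    acl: dict = field(default_factory=dict)      # DAC: user -> set of permissions


def dac_grant(resource, actor, grantee, perm):
    """DAC: only the resource owner (or an administrator) may change the ACL."""
    if actor != resource.owner and actor not in ADMINS:
        raise PermissionError(f"{actor} may not modify the ACL of {resource.name}")
    resource.acl.setdefault(grantee, set()).add(perm)


def dac_allows(resource, user, perm):
    """DAC decision: the owner holds every permission; others need an ACL entry."""
    return user == resource.owner or perm in resource.acl.get(user, set())


def mac_allows_read(clearance, label):
    """MAC decision: enforced by the system from labels; no owner can override it."""
    return LEVELS[clearance] >= LEVELS[label]


def labeled_read_allowed(resource, user, clearance):
    """On a MAC system a discretionary grant is necessary but never sufficient."""
    return mac_allows_read(clearance, resource.label) and dac_allows(resource, user, "read")


# RBAC: permissions attach to roles, users hold roles (in practice, OS groups).
ROLE_PERMS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "auditor": {"read", "view-logs"},
}


def rbac_allows(user_roles, perm):
    """RBAC decision: allowed if any role the user holds carries the permission."""
    return any(perm in ROLE_PERMS.get(role, set()) for role in user_roles)


def walkthrough():
    """Run a constructed scenario and return every decision for inspection."""
    report = Resource("report.txt", owner="alice", label="TOP SECRET")
    dac_grant(report, "alice", "bob", "read")      # owner grants a right
    dac_grant(report, "root", "carol", "read")     # administrator grants a right
    try:
        dac_grant(report, "bob", "dave", "read")   # neither owner nor admin
        bob_could_grant = True
    except PermissionError:
        bob_could_grant = False
    return {
        "bob_dac_read": dac_allows(report, "bob", "read"),
        "bob_dac_write": dac_allows(report, "bob", "write"),
        "carol_dac_read": dac_allows(report, "carol", "read"),
        "dave_dac_read": dac_allows(report, "dave", "read"),
        "bob_could_grant": bob_could_grant,
        # bob was granted read under DAC, but holds only a SECRET clearance
        "bob_secret_reads_top_secret": labeled_read_allowed(report, "bob", "SECRET"),
        "bob_top_secret_reads_top_secret": labeled_read_allowed(report, "bob", "TOP SECRET"),
        "analyst_write": rbac_allows({"analyst"}, "write"),
        "analyst_editor_write": rbac_allows({"analyst", "editor"}, "write"),
        "auditor_view_logs": rbac_allows({"auditor"}, "view-logs"),
    }


if __name__ == "__main__":
    for decision, allowed in walkthrough().items():
        print(f"{decision:36s} {'ALLOW' if allowed else 'DENY'}")
```

The `labeled_read_allowed` check is the line to focus on: alice, as owner, can add bob to the ACL, but on a labeled system that grant changes nothing until bob's clearance dominates the file's classification.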
