๐Ÿ  Back to Exam Syllabus ๐Ÿ“บ RooCloud on YouTube ๐ŸŒ RooCloud Practice Exams

CISSP 13.2 - The AAA Model (Part 1 of 3)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series opens the study of identity and access management from Domain 5, laying the groundwork for how systems recognize and trust the people and things that ask for access. It introduces the core model behind access control and the ideas every login you will ever design rests upon.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

What are the three core functions of identity and access management?

They form a model you see everywhere. Authentication confirms that a user, service, or agent is who it claims to be. Authorization decides which actions that entity is allowed to take. Accounting keeps an audit trail of what actually happened. Together these three are known as authentication, authorization, and accounting.

How do identification and authentication work together?

They are a two-step pair, and you need both. Identification is when a subject claims an identity, like typing a username, swiping a smartcard, or presenting a face to a scanner. Authentication is when the system verifies that claim against stored records, usually by checking a secret. A core rule is that every subject must have a unique identity, and the secret is stored as a hash, never as plain readable text.

What are subjects and objects, and why do their roles switch?

A subject is the active party that reaches out to get information, while an object is the passive party that holds or provides it. A quick shortcut reads subject as user and object as file, but subjects also include programs, services, and computers. The roles flip depending on who is asking, so a web application is an object when queried, then becomes a subject as it looks up a database, then flips back to an object as it delivers the page.

How do you prove someoneโ€™s identity the very first time?

This is identity proofing, and it happens before any account exists. For a new employee, human resources checks physical documents like a passport, a driverโ€™s license, or a birth certificate. Once the documents are verified as genuine, registration begins, which can be as simple as creating an account and setting a password, and it may also capture a biometric such as a fingerprint.

What are the three factors you can use to prove identity?

There are three primary categories that climb in strength. Something you know is a memorized secret, like a password, a personal identification number, or a passphrase. Something you have is a physical object you carry, like a smartcard, a hardware token, or a phone app. Something you are is a biometric trait, like a fingerprint or an iris pattern. Using one is single-factor, while combining two or more different categories is multi-factor authentication.

๐Ÿ“š Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 13.2 - The AAA Model (Part 1 of 3).