| ๐ Back to Exam Syllabus | ๐บ RooCloud on YouTube | ๐ RooCloud Practice Exams |
CISSP 13.2 - The AAA Model (Part 1 of 3)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series opens the study of identity and access management from Domain 5, laying the groundwork for how systems recognize and trust the people and things that ask for access. It introduces the core model behind access control and the ideas every login you will ever design rests upon.
What this episode covers
- The three core functions โ authentication confirms who, authorization decides allowed actions, and accounting keeps the audit trail.
- Identification and authentication โ a two-step pair where a subject claims an identity and the system verifies the claim against a stored secret.
- Subjects and objects โ active parties reach out to passive ones, and the same entity can switch roles depending on who is asking.
- Identity proofing and registration โ checking documents before any account exists, then creating the account and capturing any biometric.
- Knowledge-based and cognitive passwords โ remote services quiz you on facts, while security questions fall short because answers leak online.
- Authorization and accounting โ granting access to specific objects and logging every action, which gives nonrepudiation.
- The three authentication factors โ something you know, something you have, and something you are, combined for multi-factor strength.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What are the three core functions of identity and access management?
They form a model you see everywhere. Authentication confirms that a user, service, or agent is who it claims to be. Authorization decides which actions that entity is allowed to take. Accounting keeps an audit trail of what actually happened. Together these three are known as authentication, authorization, and accounting.
How do identification and authentication work together?
They are a two-step pair, and you need both. Identification is when a subject claims an identity, like typing a username, swiping a smartcard, or presenting a face to a scanner. Authentication is when the system verifies that claim against stored records, usually by checking a secret. A core rule is that every subject must have a unique identity, and the secret is stored as a hash, never as plain readable text.
What are subjects and objects, and why do their roles switch?
A subject is the active party that reaches out to get information, while an object is the passive party that holds or provides it. A quick shortcut reads subject as user and object as file, but subjects also include programs, services, and computers. The roles flip depending on who is asking, so a web application is an object when queried, then becomes a subject as it looks up a database, then flips back to an object as it delivers the page.
How do you prove someoneโs identity the very first time?
This is identity proofing, and it happens before any account exists. For a new employee, human resources checks physical documents like a passport, a driverโs license, or a birth certificate. Once the documents are verified as genuine, registration begins, which can be as simple as creating an account and setting a password, and it may also capture a biometric such as a fingerprint.
What are the three factors you can use to prove identity?
There are three primary categories that climb in strength. Something you know is a memorized secret, like a password, a personal identification number, or a passphrase. Something you have is a physical object you carry, like a smartcard, a hardware token, or a phone app. Something you are is a biometric trait, like a fingerprint or an iris pattern. Using one is single-factor, while combining two or more different categories is multi-factor authentication.
๐ Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 13.2 - The AAA Model (Part 1 of 3).