| π Back to Exam Syllabus | πΊ RooCloud on YouTube | π RooCloud Practice Exams |
CISSP 13.3 - Implementing Identity Management
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series turns to identity and access management in Domain 5, showing how identity management is actually built. It walks through the plumbing decisions that shape daily access, from where identity lives to how trust travels between systems and organizations.
What this episode covers
- Centralized vs decentralized control β one authority with low overhead but a single point of failure, versus spread-out decisions needing more effort.
- Single sign-on and its risk β authenticate once to reach many resources, at the cost of concentrating risk in one account.
- Directory services and trusts β a central database that powers single sign-on, with trusts bridging security domains one way or both ways.
- Federated identities β linking identities across organizations so members reach each otherβs resources while each still controls what it shares.
- Where a federation lives β on-premises, in the cloud, or a hybrid that connects an in-house setup with a cloud service.
- Just-in-time provisioning β creating an account the moment it is first needed, with no administrator intervention.
- Credential systems and session management β vaults storing secrets safely, and disciplined timeouts closing the door on idle sessions.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is the difference between centralized and decentralized access control?
It comes down to where the authorization decisions happen. Centralized control puts a single authority in charge, so overhead stays low and one change ripples everywhere, but it carries a single point of failure and scales well. Decentralized control spreads decisions across many points, needing more people and more effort since every change must be repeated everywhere and consistency gets harder to maintain.
How does single sign-on work, and what does it risk?
Single sign-on is a centralized technique where you authenticate once and then reach many resources without logging in again. It is convenient, quietly improves security because users are not writing down a dozen passwords, and cuts the number of accounts an administrator manages. The trade-off is concentration of risk, since if that one account is compromised the attacker inherits everything it could reach.
How do federated identities extend trust across organizations?
A federated identity management system links your identity in one place with your identities elsewhere, and multiple organizations can join a federation where they agree to share identity information. You log in once at your own organization, your credentials map to a federated identity, and that identity gets you into resources at other members without logging in again. Each organization still decides exactly what it will share.
What is just-in-time provisioning?
It is a way to create the account only at the moment it is first needed, with no administrator lifting a finger. Some federated solutions support it, automatically building the link between two parties. The first time an employee visits a portal, the system confirms they are logged into a trusted network, then exchanges details like name and email to create the account on the spot, often using a shared markup language.
How do you keep an idle session from becoming a hole?
You manage the session so it does not stay open unattended. On desktops and laptops, a password-protected screen saver kicks in after a set idle time and forces the user to authenticate again, and online sessions log you off after inactivity. Behind the scenes, web frameworks mint a session identifier, carry it through every request under transport encryption, and expire sessions, with high-value applications timing out in just a few minutes.
π Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 13.3 - Implementing Identity Management.