Provisioning and Identity Management
- The Identity Lifecycle (The "Provisioning" Piece)
Provisioning isn't just "creating an account." It's a formal process that follows the user from their first day to their last.
Provisioning: The initial stage. It involves creating the digital identity and assigning permissions based on the Principle of Least Privilege.
Key Tech: SCIM (System for Cross-domain Identity Management) is often used to automate this across different cloud apps.
Self-Service: Features that allow users to manage their own attributes (like updating a phone number or resetting a password) without calling the Help Desk.
Account Maintenance: Managing changes. If a user moves from "Accounting" to "Sales," provisioning systems must update their access (removing the old rights, not just adding new ones). Failure to do this leads to Privilege Creep (accumulating too many rights over time).
Deprovisioning (The Most Important for Security): Disabling access immediately when an employee leaves.
The Danger: Orphaned Accounts (active accounts with no owner) are a massive back-door for hackers.
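As an added example (not part of the course notes), a small Python reconciler that checks a directory export against the HR roster for the two lifecycle failures just described: orphaned accounts and privilege creep. The roster, directory export and department-to-group entitlement map are constructed assumptions.

```python
"""Reconcile a directory export against the HR roster.
Constructed sample data; ENTITLED_GROUPS is an assumed least-privilege baseline."""
from dataclasses import dataclass

# Assumption: the groups each department is entitled to (least privilege baseline).
ENTITLED_GROUPS = {
    "Accounting": {"erp-readonly", "expense-approver"},
    "Sales": {"crm-users", "quote-tool"},
}

@dataclass
class Finding:
    username: str
    kind: str      # "orphaned" or "privilege_creep"
    detail: str

def reconcile(hr_roster, directory):
    """hr_roster: {username: {"dept": str, "status": "active" | "terminated"}}
    directory: {username: {"enabled": bool, "groups": set[str]}}
    Returns a list of Findings; an empty list means the directory matches HR."""
    findings = []
    for user, acct in directory.items():
        if not acct["enabled"]:
            continue  # already deprovisioned, nothing to do
        person = hr_roster.get(user)
        if person is None or person["status"] == "terminated":
            # Enabled account with no active owner in HR: an orphaned account.
            findings.append(Finding(user, "orphaned", "no active HR owner; disable the account"))
            continue
        allowed = ENTITLED_GROUPS.get(person["dept"], set())
        extra = sorted(acct["groups"] - allowed)
        if extra:
            # Rights beyond the current department's entitlement: privilege creep.
            findings.append(Finding(user, "privilege_creep", f"extra groups for {person['dept']}: {extra}"))
    return findings

# Constructed sample data.
HR = {
    "alice": {"dept": "Sales", "status": "active"},        # moved Accounting -> Sales
    "bob":   {"dept": "Accounting", "status": "active"},
    "carol": {"dept": "Accounting", "status": "terminated"},
}
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"crm-users", "quote-tool", "expense-approver"}},
    "bob":   {"enabled": True, "groups": {"erp-readonly"}},
    "carol": {"enabled": True, "groups": {"erp-readonly"}},
    "dave":  {"enabled": True, "groups": {"crm-users"}},    # no HR record at all
    "erin":  {"enabled": False, "groups": {"crm-users"}},   # already disabled
}

if __name__ == "__main__":
    for f in reconcile(HR, DIRECTORY):
        print(f"{f.kind:16} {f.username:6} {f.detail}")
```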
- Directory Services & Identity Providers (IdP)
This is where the accounts "live."
Identity Provider (IdP): The source of truth for identities (e.g., Okta, Azure AD/Entra ID).
Directory Services: Databases that store these identities.
LDAP (Lightweight Directory Access Protocol): The protocol used to query these directories (Port 389, or 636 for LDAPS, the TLS-wrapped form).
Federation: A system that links identity across different organizations. If you use your work email to log into a specialized research site, that's federation.
- Authentication Protocols (The Technical "How")
You cannot pass Module 4 without knowing these three:
RADIUS (Remote Authentication Dial-In User Service): Centralizes authentication for users connecting to a network (like Wi-Fi or VPN). It encrypts only the password; the rest of the exchange is sent in the clear.
TACACS+: Cisco's alternative to RADIUS. It is more secure because it encrypts the entire communication and separates authentication from authorization.
Kerberos: Used by Windows Active Directory. It uses "Tickets" to prove identity so passwords aren't constantly sent over the wire. It prevents Replay Attacks.
- Access Control Models
This is how the system decides what a user can actually do after they log in.
| Model | How it Works | Best For... |
|---|---|---|
| RBAC (Role-Based) | Access is based on job title (e.g., "Nurse" or "Admin"). | Corporate environments. |
| ABAC (Attribute-Based) | Uses "If/Then" logic based on attributes (Location, Time, Device). | Cloud and highly dynamic environments. |
| MAC (Mandatory) | Data has labels (Secret, Top Secret). Users must have matching clearance. | Military and government. |
| DAC (Discretionary) | The file owner decides who has access. | Small, informal teams; social media. |
