Identity and Access Management (IAM)
The practice of managing user identities and controlling access to computer systems and resources.
Entity
A physical person, object, or group that requires access to an organization's systems or resources.
Identity
A representation of an entity within a system, often tied to roles such as employee, student, or administrator.
Attributes
Characteristics associated with an identity, such as job title, graduation year, or department.
Access Control
Mechanisms used to ensure that only authorized individuals or resources can access specific systems, data, or facilities.
Identification
The process where an individual makes a claim about their identity without providing proof.
Authentication
The step where an individual proves their identity to the access control system using credentials like passwords or biometric data.
Authorization
The process of verifying whether an authenticated user has the necessary permissions to access a resource.
AAA (Authentication, Authorization, and Accounting)
A security framework that ensures proper identification, access control, and activity tracking in an access control system.
Accounting
The process of tracking user activity and maintaining logs for auditing and security analysis.
Usernames
A common digital identification mechanism where individuals are assigned a unique identifier, often based on their name, for system access.
Access Cards
Physical identification tools issued by organizations to employees, often used for building access, authentication, or digital system access.
Magnetic Stripe Cards
Basic card-based identification systems that store data on a magnetic stripe, but are easily duplicated and not secure.
Smart Cards
Identification cards containing an integrated circuit chip that interacts with a reader to authenticate the card's validity.
Contact Smart Cards
Smart Cards that require direct insertion into a card reader for authentication.
Contactless Smart Cards
Also known as proximity cards, these cards use an antenna to communicate with a reader without physical contact.
Passive Cards
Contactless Smart Cards that require close proximity to a reader and are powered by the reader itself.
Active Cards
Contactless Smart Cards that contain a battery and can transmit data over longer distances, requiring periodic battery replacement.
Biometrics
A method of identifying and authenticating individuals based on physical characteristics, categorized as something you are.
Fingerprint Recognition
A biometric authentication method that scans and matches fingerprint patterns for identification and authentication.
Iris Scan
A biometric authentication technique that analyzes the color patterns of the iris.
Voiceprint Identification
A biometric authentication method that analyzes a user's voice pattern, susceptible to replay attacks.
Facial Recognition
A biometric system that scans and compares facial features to authenticate a user.
Hand Geometry
A biometric authentication method that measures and analyzes the shape and structure of a user's hand.
Vein Pattern Recognition
A biometric technique that examines the unique vein patterns in a user's hand for authentication.
Gait Analysis
A biometric method that identifies individuals based on their walking patterns.
Intrusiveness
The level of user discomfort or reluctance when using a biometric authentication system.
Registration
The process of gathering user information and creating an entity in the identity and access management system.
Identity Proofing
The verification process to ensure that an individual presenting themselves for registration is who they claim to be.
Requestor
The individual who initiates a request for the creation of a new entity in the system.
Approver
The individual responsible for reviewing and approving a registration request, ensuring it aligns with policy.
Registration Authority
A centralized role, often in human resources, responsible for performing identity proofing and other verification checks.
Issuer
The individual or entity responsible for issuing credentials after all verification steps have been completed.
Credential Issuance
The final step in the registration process, where an entity is provided with authentication credentials.
Photo Identification
Official government-issued identification documents, such as a passport or driver's license, used in identity proofing.
Fingerprinting
A biometric method used by some organizations and government agencies to verify identity against criminal or military records.
Background Check
A review of an individual's criminal, financial, or employment history to assess security risk before credential issuance.
Password Keys
Secret encryption keys used to manage access to a system.
False Acceptance Error
An authentication error where an unauthorized user is mistakenly granted access.
False Acceptance Rate (FAR)
The frequency at which false acceptance errors occur in an authentication system.
False Rejection Error
An authentication error where an authorized user is mistakenly denied access.
False Rejection Rate (FRR)
The frequency at which false rejection errors occur in an authentication system.
Crossover Error Rate (CER)
A measure of authentication system accuracy where the false acceptance and false rejection rates are equal.
Multifactor Authentication
An authentication approach that combines techniques from two or more different authentication factors, such as something you know and something you have.
Something You Know
An authentication factor based on knowledge, such as passwords or PINs.
Something You Have
An authentication factor requiring physical possession of a device, such as a smart card or smartphone.
Something You Are
An authentication factor based on biometric characteristics, such as fingerprints or facial recognition.
Soft Token
A software-based authentication method that generates one-time passwords (OTPs) on a smartphone app.
Physical Token
A hardware device, often carried on a keychain, that generates one-time passwords (OTPs) for authentication.
One-Time Password (OTP)
A temporary, single-use code generated for authentication, preventing reuse or replay attacks.
HMAC-Based One-Time Password (HOTP)
An OTP generation algorithm that uses a shared secret and an incrementing counter, producing a code that remains valid until used.
Time-Based One-Time Password (TOTP)
An OTP generation algorithm that uses the time of day and a shared secret, requiring synchronized clocks for proper function.
Smart Cards
A physical card with an embedded microchip used for authentication, often requiring insertion into a reader.
Common Access Card (CAC)
A smart card issued by the U.S. Department of Defense for authentication and access control.
Password Authentication Protocol (PAP)
An early authentication protocol that transmits usernames and passwords in plaintext, making it insecure for modern use.
Challenge Handshake Authentication Protocol (CHAP)
A secure authentication protocol that uses a challenge-response mechanism with cryptographic hashing to verify passwords without transmitting them over the network.
Challenge Value
A random value sent by the server to the client in CHAP authentication, used to generate a cryptographic hash.
Response
The hash value computed by the client in CHAP authentication, sent back to the server for verification.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
A Microsoft-developed version of CHAP, later replaced by MS-CHAPv2.
MS-CHAPv2
An updated version of MS-CHAP, which has been found to be insecure and is not recommended for use.
Federated Identity Management
A system where multiple organizations agree to share identity information, reducing the number of individual identities a user must maintain.
Single Sign-On (SSO)
A system that allows users to authenticate once and gain access to multiple systems without re-entering credentials until the session expires.
Active Directory Federation Services (ADFS)
A Microsoft service that enables integration between Active Directory and other service providers, allowing for a federated single sign-on experience.
Shibboleth
An open-source single sign-on system designed for federated identity management, commonly used in higher education institutions.
One-Way Trust
A trust relationship where one domain trusts authenticated sessions from another, but the trust is not reciprocated.
Two-Way Trust
A trust relationship where both domains mutually trust each other's authenticated sessions.
Transitive Trust
A trust relationship where trust automatically extends across multiple domains, allowing indirect trust relationships.
Nontransitive Trust
A trust relationship that does not extend beyond explicitly defined domains, requiring administrators to manually establish additional trusts.
Network Border Firewall
A firewall that connects different security zones, controlling traffic between an organization's internal network, the internet, and other segments.
Internet Zone
The untrusted external network where inbound connections are generally restricted unless explicitly allowed by security policy.
Intranet Zone
The internal network where most organizational systems reside, often subdivided into segments for different business needs.
DMZ (Demilitarized Zone)
A network segment that hosts public-facing services such as web or mail servers, isolated to reduce risk if compromised.
Extranet
A dedicated network segment within an intranet that allows limited access for third-party vendors or business partners.
VPN (Virtual Private Network)
A secure communication tunnel that enables remote users or third parties to access an organization's network securely.
APIs (Application Programming Interfaces)
Interfaces that facilitate integration between software applications but require security measures such as authentication, authorization, input validation, and encryption to prevent exposure of sensitive data.
App Extensions
Additional software components that enhance application functionality but can introduce security risks if not properly secured.
Middleware
Software that enables communication between different systems and services, requiring strict access controls and regular security assessments to mitigate risks.
Third-Party Vendor Management
The process of assessing and monitoring external vendors to ensure their security practices align with organizational requirements.
Service-Level Agreements (SLAs)
Contracts that define security expectations and responsibilities, including specific security metrics and requirements for third-party service providers.
Zero Trust Network Architecture (ZTNA)
A security philosophy that eliminates trust based on network location, instead relying on strong authentication and authorization to verify user identities and grant access.
Security Information and Event Management (SIEM)
A system that collects and correlates log data from various security components to identify and analyze suspicious activity.
Security Orchestration, Automation, and Response (SOAR)
A platform that automates incident response using predefined playbooks to enable rapid reaction to security threats.
Cloud Access Security Broker (CASB)
A security solution that centralizes cloud security policy management, enforcing access controls and monitoring cloud service usage for unauthorized activity.
Endpoint Detection and Response (EDR)
A technology that monitors endpoints for potential compromises and automatically mitigates security threats to prevent unauthorized access.
Security Assertion Markup Language (SAML)
A protocol that enables browser-based single sign-on by allowing identity providers to authenticate users and pass security assertions to service providers.
Principal (SAML)
The end user who requests access to a web-based service in a SAML authentication process.
Identity Provider (IdP)
The organization that authenticates the user and provides proof of identity to the service provider.
Service Provider (SP)
The web-based service that relies on the identity provider to authenticate the user and grant access.
Security Assertion
A proof of identity issued by the identity provider, which the service provider validates before granting access.
OAuth
An authorization protocol that allows users to grant third-party applications access to their resources without sharing their credentials.
OpenID Connect (OIDC)
An authentication protocol that builds on OAuth to verify a user's identity and provide authentication services.
Digital Certificate
A digital credential used to authenticate users and devices by providing a trusted copy of a public key.
Public-Private Key Pair
A cryptographic key pair where the public key is shared for encryption and the private key is kept secret for decryption and authentication.
SSH (Secure Shell)
A protocol used for securely connecting to remote systems, often leveraging public-private key authentication.
PEM File
A file format that stores private keys, public keys, and certificates, commonly used in authentication.
Certificate-Based Authentication
A method of authentication that uses digital certificates signed by a trusted certificate authority to verify identity.
Certificate Authority (CA)
A trusted entity that issues and verifies digital certificates.
Personal Identity Verification (PIV) Card
A federal government-issued smart card that enables secure access to systems and facilities.
IEEE 802.1X
A network authentication standard that uses digital certificates for secure access control.
MAC-Based Authentication
A method that uses device MAC addresses for authentication, though it is insecure due to MAC address spoofing.