CRISC

Course
Time: 6 hours 30 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Transcription

00:00
All right. Now, the next way we're gonna protect our network and our information in our environment is we're gonna be very restrictive of who gets access to that environment. And that's where identity and access management comes in.
00:14
So with identity and access management, it's all about who gets an account in our environment.
00:21
Uh, how that account is created,
00:24
how the user's then gonna take that account information, identify themselves to a system. They're gonna prove that information,
00:33
and then they're gonna be authorized to access certain features or functions.
00:39
Um, then, of course, users are audited, they're held accountable, and then our accounts are ultimately going to be deprovisioned. So this is identity and access management. Again, we don't really need to get in depth. But the first stage: identity proofing. Before I'd ever let you on my network,
00:58
prove to me
00:59
your identity. Show me your driver's license, your Social Security card. Think about all the things you have to do before getting hired with the company. And then once you're hired, before you'd ever get an account, right? So you're going through the phase of identity proofing. You're providing proof of your identity.
01:18
Now, once I believe that, I'm going to create an account for you. That's the provisioning piece. It would be great if we automatically provisioned accounts. So, for instance, when you come on board and I enter your information into our HR database,
01:34
it would be great if that information was pulled over to Active Directory and you were automatically created an account
01:40
based on what we enter, right? That makes it very, very smooth for administrators.
01:45
Once you have your account
01:47
as a user, when you attempt to access a resource, you go through the IAAA: identification, authentication, authorization and auditing.
01:57
So identification: you make a claim. Your user name, an account number, an IP address, a MAC address, however you make your claim. But a claim, it's no good, 'cause claims are very easily spoofed, right? I mean, I can claim to be administrator. That doesn't mean I am.
02:16
So we have to provide proof, and that's authentication. So identification: make a claim. Authentication: prove it.
02:25
Prove it to me
02:27
and we authenticate with something I know,
02:31
something I have, or something I am.
02:36
So I know a password.
02:38
I have a key.
02:39
I am Kelly Handerhan based on my biometrics, right? Thumbprint, retina scan, hand geometry, whatever.
02:47
The best and strongest authentication is multifactor.
02:53
Not multiple things, but a combination of types. So it's something I know and something I have,
03:00
something I have and something I am,
03:02
something I am, something I know. So like a driver's license and passport, that would not be multifactor. They're both something I have,
03:10
but a retina scan and a PIN.
03:14
That's multifactor.
03:15
All right, now, once you've proven your identity, you're then authorized based on who you are. So authorization is all about getting your rights and permissions assigned to you.
03:29
Now,
03:30
when we create an account, when we're creating accounts that are based on you as an individual or me as an individual, so I'm Kelly Handerhan, I get the account
03:43
KHanderhan, right?
03:45
Um, the problem with that in an environment is the longer I'm in the company and the more I move from department to department or within the organization,
03:54
what tends to happen is I accumulate rights and permissions. We sometimes call that privilege creep.
04:01
So with identity-based accounts, you know, when you move you just tend to keep and continue to accumulate. So role-based access control is really a better way to control what users are authorized to do.
04:18
So instead of Kelly Handerhan, I'm granted access to an account called Trainer One.
04:24
Um, when I'm done being Trainer One and I move to sales, I'm given Sales One.
04:30
And that way, my permissions from before don't follow me. And I'll tell you, on the exam there is a big preference placed on role-based access control because it really can limit privilege creep and abuse of privileges.
04:44
All right, so I identify: I'm Kelly H. I prove it: here's my thumbprint, my password. I'm authorized to gain certain resources, and then auditing or accountability just simply means that actions that happen can be traced to an individual.
05:01
And then all good things must come to an end. At that point in time, perhaps when I leave the organization, my account would be deprovisioned.

Up Next

CRISC

This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor