D3: CRYPTOGRAPHY

Question 1

IAM architecture objective

Answer 1

Provide a coherent design so that the right subjects gain the right access to the right resources at the right time based on policy and risk

Question 2

Digital identity

Answer 2

Set of attributes that uniquely describes a subject such as a person device or service within a given context

Question 3

Authoritative source of identity

Answer 3

System of record that provides the most trusted identity data for a population such as human resources for employees

Question 4

Identity lifecycle

Answer 4

Sequence from onboarding through changes to offboarding where identities and associated access must be created modified and removed

Question 5

Joiner mover leaver process

Answer 5

Standard workflow that creates access for new users adjusts privileges when roles change and revokes access when users depart

Question 6

Identity proofing

Answer 6

Process of verifying that a person or entity is genuinely who they claim to be before issuing credentials or privileged access

Question 7

Authentication

Answer 7

Process of verifying a claimed identity using one or more factors such as something known something possessed or something inherent

Question 8

Authorization

Answer 8

Decision about what actions an authenticated subject is allowed to perform on which resources based on policies and attributes

Question 9

Single sign on

Answer 9

Capability that enables a subject to authenticate once and then access multiple applications without repeated credential entry

Question 10

Federated identity

Answer 10

Trust arrangement in which one domain authenticates a subject and passes assertions to another domain which relies on that information

Question 11

Identity provider

Answer 11

Service that performs authentication and issues tokens or assertions containing identity information and claims

Question 12

Relying party

Answer 12

Application or service that consumes assertions or tokens from an identity provider and makes authorization decisions

Question 13

Claims based access control

Answer 13

Model where decisions are based on claims in tokens such as roles group membership or device posture rather than just identity

Question 14

Role based access control

Answer 14

Authorization model that assigns permissions to roles and then assigns users to roles to simplify entitlement management

Question 15

Attribute based access control

Answer 15

Model that evaluates subject object action and environmental attributes against rules to reach fine grained decisions

Question 16

Context aware access

Answer 16

Access control approach that considers contextual attributes such as location time risk score or device state when granting access

Question 17

Directory service

Answer 17

Central repository that stores identity objects credentials groups and related attributes and supports lookup and authentication

Question 18

Group and role design

Answer 18

Architectural activity of structuring groups and roles to reflect job functions segregation of duties and least privilege

Question 19

Least privilege in IAM

Answer 19

Principle that access rights should be limited to the minimum necessary for subjects to perform their responsibilities

Question 20

Segregation of duties in IAM

Answer 20

Practice of ensuring no single identity has conflicting capabilities that together could enable significant fraud or error

Question 21

Privileged account

Answer 21

Identity with elevated capabilities such as system administration configuration changes or wide data access requiring stronger controls

Question 22

Privileged access management

Answer 22

Set of processes and tools such as vaulting session control and just in time elevation that govern use of powerful accounts

Question 23

Service account governance

Answer 23

Management of non human accounts including purpose scoping credential protection rotation and ownership

Question 24

Machine identity

Answer 24

Identity used by devices applications containers or services to authenticate to other components in machine to machine interactions

Question 25

Multifactor authentication

Answer 25

Authentication that uses at least two different factor types to significantly increase assurance in identity verification

Question 26

Risk based authentication

Answer 26

Adaptive authentication that changes requirements based on evaluated risk such as demanding additional factors for unusual logins

Question 27

Step up authentication

Answer 27

Mechanism that requires stronger authentication when a subject attempts higher risk actions or accesses more sensitive resources

Question 28

Credential lifecycle

Answer 28

Phases through which credentials pass including issuance binding renewal revocation and expiration

Question 29

Password policy

Answer 29

Set of rules governing complexity reuse storage and change of passwords while balancing usability and security

Question 30

Passwordless authentication

Answer 30

Approach that replaces passwords with mechanisms such as hardware tokens biometrics or device bound credentials

Question 31

Token based authentication

Answer 31

Use of security tokens such as JWT or SAML assertions that carry identity information and can be validated by resource servers

Question 32

Session management

Answer 32

Creation maintenance and termination of authenticated sessions including timeouts renewal and protection against hijacking or fixation

Question 33

Delegated administration

Answer 33

Design that allows limited administrative capabilities to be delegated to specific roles or units without granting full control

Question 34

Identity governance and administration

Answer 34

Discipline and tooling that provide policy driven provisioning access reviews role management and reporting

Question 35

Access certification

Answer 35

Periodic review process where managers or data owners confirm that identities still require their entitlements

Question 36

Orphaned identity

Answer 36

Account that remains active without a valid owner or business justification often resulting from incomplete offboarding

Question 37

Identity synchronization

Answer 37

Propagation of identity data and attributes between systems or directories to keep records consistent across environments

Question 38

Hybrid identity

Answer 38

Architecture that integrates on premises directories with cloud identity services to provide seamless access across both

Question 39

External or partner identity

Answer 39

Mechanisms for granting controlled access to users from other organizations often using federation or guest accounts

Question 40

Customer identity and access management

Answer 40

Scalable IAM capabilities tailored for external customers including registration consent privacy and self service

Question 41

Device identity in IAM

Answer 41

Assignment of credentials to devices so policies can require compliant trusted devices in addition to user authentication

Question 42

Policy decision point

Answer 42

Logical component that evaluates access requests against policies and attributes and returns permit or deny decisions

Question 43

Policy enforcement point

Answer 43

Component that intercepts access requests and enforces decisions from the policy decision point

Question 44

Access request workflow

Answer 44

Process through which users request access approvals are captured and entitlements are granted and documented

Question 45

Identity analytics

Answer 45

Use of data analysis and machine learning to detect anomalous identity and access patterns that may indicate risk

Question 46

Directory segmentation

Answer 46

Design where different identity stores or partitions are used for separate populations or trust levels such as internal vs external users

Question 47

Audit and logging for IAM

Answer 47

Recording key events such as logons failures changes to roles and provisioning actions to support accountability and forensics

Question 48

IAM reference architecture

Answer 48

Standardized pattern that defines identity stores connectors authentication services and integration methods for the enterprise

Question 49

IAM architecture objective

Answer 49

Provide a coherent design so that the right subjects gain the right access to the right resources at the right time based on policy and risk

Question 50

Digital identity

Answer 50

Set of attributes that uniquely describes a subject such as a person device or service within a given context

Question 51

Authoritative source of identity

Answer 51

System of record that provides the most trusted identity data for a population such as human resources for employees

Question 52

Identity lifecycle

Answer 52

Sequence from onboarding through changes to offboarding where identities and associated access must be created modified and removed

Question 53

Joiner mover leaver process

Answer 53

Standard workflow that creates access for new users adjusts privileges when roles change and revokes access when users depart

Question 54

Identity proofing

Answer 54

Process of verifying that a person or entity is genuinely who they claim to be before issuing credentials or privileged access

Question 55

Authentication

Answer 55

Process of verifying a claimed identity using one or more factors such as something known something possessed or something inherent

Question 56

Authorization

Answer 56

Decision about what actions an authenticated subject is allowed to perform on which resources based on policies and attributes

Question 57

Single sign on

Answer 57

Capability that enables a subject to authenticate once and then access multiple applications without repeated credential entry

Question 58

Federated identity

Answer 58

Trust arrangement in which one domain authenticates a subject and passes assertions to another domain which relies on that information

Question 59

Identity provider

Answer 59

Service that performs authentication and issues tokens or assertions containing identity information and claims

Question 60

Relying party

Answer 60

Application or service that consumes assertions or tokens from an identity provider and makes authorization decisions

Question 61

Claims based access control

Answer 61

Model where decisions are based on claims in tokens such as roles group membership or device posture rather than just identity

Question 62

Role based access control

Answer 62

Authorization model that assigns permissions to roles and then assigns users to roles to simplify entitlement management

Question 63

Attribute based access control

Answer 63

Model that evaluates subject object action and environmental attributes against rules to reach fine grained decisions

Question 64

Context aware access

Answer 64

Access control approach that considers contextual attributes such as location time risk score or device state when granting access

Question 65

Directory service

Answer 65

Central repository that stores identity objects credentials groups and related attributes and supports lookup and authentication

Question 66

Group and role design

Answer 66

Architectural activity of structuring groups and roles to reflect job functions segregation of duties and least privilege

Question 67

Least privilege in IAM

Answer 67

Principle that access rights should be limited to the minimum necessary for subjects to perform their responsibilities

Question 68

Segregation of duties in IAM

Answer 68

Practice of ensuring no single identity has conflicting capabilities that together could enable significant fraud or error

Question 69

Privileged account

Answer 69

Identity with elevated capabilities such as system administration configuration changes or wide data access requiring stronger controls

Question 70

Privileged access management

Answer 70

Set of processes and tools such as vaulting session control and just in time elevation that govern use of powerful accounts

Question 71

Service account governance

Answer 71

Management of non human accounts including purpose scoping credential protection rotation and ownership

Question 72

Machine identity

Answer 72

Identity used by devices applications containers or services to authenticate to other components in machine to machine interactions

Question 73

Multifactor authentication

Answer 73

Authentication that uses at least two different factor types to significantly increase assurance in identity verification

Question 74

Risk based authentication

Answer 74

Adaptive authentication that changes requirements based on evaluated risk such as demanding additional factors for unusual logins

Question 75

Step up authentication

Answer 75

Mechanism that requires stronger authentication when a subject attempts higher risk actions or accesses more sensitive resources

Question 76

Credential lifecycle

Answer 76

Phases through which credentials pass including issuance binding renewal revocation and expiration

Question 77

Password policy

Answer 77

Set of rules governing complexity reuse storage and change of passwords while balancing usability and security

Question 78

Passwordless authentication

Answer 78

Approach that replaces passwords with mechanisms such as hardware tokens biometrics or device bound credentials

Question 79

Token based authentication

Answer 79

Use of security tokens such as JWT or SAML assertions that carry identity information and can be validated by resource servers

Question 80

Session management

Answer 80

Creation maintenance and termination of authenticated sessions including timeouts renewal and protection against hijacking or fixation

Question 81

Delegated administration

Answer 81

Design that allows limited administrative capabilities to be delegated to specific roles or units without granting full control

Question 82

Identity governance and administration

Answer 82

Discipline and tooling that provide policy driven provisioning access reviews role management and reporting

Question 83

Access certification

Answer 83

Periodic review process where managers or data owners confirm that identities still require their entitlements

Question 84

Orphaned identity

Answer 84

Account that remains active without a valid owner or business justification often resulting from incomplete offboarding

Question 85

Identity synchronization

Answer 85

Propagation of identity data and attributes between systems or directories to keep records consistent across environments

Question 86

Hybrid identity

Answer 86

Architecture that integrates on premises directories with cloud identity services to provide seamless access across both

Question 87

External or partner identity

Answer 87

Mechanisms for granting controlled access to users from other organizations often using federation or guest accounts

Question 88

Customer identity and access management

Answer 88

Scalable IAM capabilities tailored for external customers including registration consent privacy and self service

Question 89

Device identity in IAM

Answer 89

Assignment of credentials to devices so policies can require compliant trusted devices in addition to user authentication

Question 90

Policy decision point

Answer 90

Logical component that evaluates access requests against policies and attributes and returns permit or deny decisions

Question 91

Policy enforcement point

Answer 91

Component that intercepts access requests and enforces decisions from the policy decision point

Question 92

Access request workflow

Answer 92

Process through which users request access approvals are captured and entitlements are granted and documented

Question 93

Identity analytics

Answer 93

Use of data analysis and machine learning to detect anomalous identity and access patterns that may indicate risk

Question 94

Directory segmentation

Answer 94

Design where different identity stores or partitions are used for separate populations or trust levels such as internal vs external users

Question 95

Audit and logging for IAM

Answer 95

Recording key events such as logons failures changes to roles and provisioning actions to support accountability and forensics

Question 96

IAM reference architecture

Answer 96

Standardized pattern that defines identity stores connectors authentication services and integration methods for the enterprise