Provisioning/de-provisioning, permissions, identity proofing

4.4 Identity & access management

📘CompTIA Security+ (SY0-701)

Identity and Access Management (IAM) is a core concept in cybersecurity that focuses on who has access to what in an organization’s IT environment.
It ensures that only authorized users can access systems, data, and applications — and only with the appropriate level of access.

In this section, we’ll focus on three important IAM processes:

  1. Provisioning and De-Provisioning
  2. Permissions
  3. Identity Proofing

Let’s go through each of them in detail.

1. Provisioning and De-Provisioning

Provisioning

Provisioning means creating and setting up user accounts and assigning appropriate access when a new employee, contractor, or system is added to the organization.

It ensures that users have the right tools and privileges to perform their job roles securely.

Key steps in provisioning:

  1. Account Creation:
    • A new user account is created in the organization’s directory (like Active Directory or an IAM system).
    • This account includes details such as username, department, role, and contact information.
  2. Access Assignment:
    • Access rights and permissions are assigned based on the user’s role (Role-Based Access Control – RBAC).
    • For example, an HR employee gets access to HR databases, while an IT admin gets system-level access.
  3. Authentication Setup:
    • Security measures such as multi-factor authentication (MFA), password policies, and identity verification are configured.
  4. Logging and Monitoring:
    • The new account is added to logging systems to monitor activities for auditing and compliance purposes.

De-Provisioning

De-provisioning is the process of disabling or deleting user accounts when an employee leaves the organization, changes roles, or no longer requires certain access.

It helps prevent unauthorized access after someone’s relationship with the company ends or their role changes.

Key steps in de-provisioning:

  1. Account Disabling:
    • The user account is disabled immediately to prevent login.
    • This is crucial to stop potential insider threats or misuse.
  2. Access Removal:
    • Access to systems, networks, applications, and data is revoked.
    • For instance, removing access to email, databases, and shared drives.
  3. Device Recovery:
    • Company-issued laptops, phones, or security tokens are collected.
  4. Audit and Verification:
    • IT security teams verify that the account is removed from all systems.
    • Logs are reviewed to ensure no further access attempts occur.

Why It’s Important:

  • Prevents data breaches caused by active accounts of ex-employees.
  • Reduces attack surface by limiting unnecessary accounts.
  • Ensures compliance with data protection regulations.
  • Maintains the principle of least privilege (PoLP) — users should only have the minimum access needed.

2. Permissions

Permissions define what actions a user can perform on a system or resource.
They control read, write, execute, delete, or modify capabilities within files, applications, or network systems.

Types of Access Control Models:

  1. Discretionary Access Control (DAC):
    • The owner of a resource decides who can access it.
    • Common in operating systems like Windows, where file owners set sharing permissions.
  2. Mandatory Access Control (MAC):
    • Access is controlled by security labels or classifications (like Confidential, Secret, Top Secret).
    • Users cannot change permissions themselves.
    • Used in environments with high security, like government systems.
  3. Role-Based Access Control (RBAC):
    • Permissions are assigned based on job roles.
    • For example, all “Finance” users get access to financial systems.
    • Simplifies management and ensures consistency.
  4. Attribute-Based Access Control (ABAC):
    • Access decisions are made based on attributes like user department, device type, time, or location.
    • Example: A user may access a database only during business hours and from the corporate network.
  5. Rule-Based Access Control:
    • Uses rules or policies to grant access.
    • Example: Firewall rules that allow or block traffic based on IP address or protocol.

Principles of Access Control:

  • Least Privilege:
    Users get only the access they need to perform their duties.
  • Separation of Duties:
    Tasks are divided so no one person has complete control (e.g., one person approves purchases, another processes them).
  • Need to Know:
    Access to sensitive information is granted only to those who must use it for their job.
  • Privilege Auditing:
    Regular reviews ensure users still need their current permissions.

3. Identity Proofing

Identity proofing is the process of verifying that a person is who they claim to be before giving them access to a system or creating an account.

It helps ensure that only legitimate users are added to the organization’s systems and that attackers cannot impersonate others.

Stages of Identity Proofing:

  1. Collection:
    • The organization collects personal or identifying information from the user (e.g., name, employee ID, government-issued ID, email).
  2. Validation:
    • The information is checked for accuracy and authenticity.
    • For example, verifying that an employee ID matches HR records.
  3. Verification:
    • The identity is confirmed through secure methods, such as:
      • One-time passwords (OTPs) sent to a verified email or phone number.
      • Biometric verification (fingerprint, facial recognition).
      • Third-party identity validation services.
  4. Account Activation:
    • Once verified, the account is approved and provisioned.

Why Identity Proofing Is Important:

  • Prevents identity fraud and unauthorized account creation.
  • Ensures trust in digital identities used within the organization.
  • Supports compliance with regulations like GDPR or NIST SP 800-63 (Digital Identity Guidelines).
  • Strengthens zero trust architecture by confirming user authenticity before granting access.

Exam Tip Summary

ConceptDescriptionPurpose
ProvisioningCreating and configuring new user accountsEnsure users have correct access
De-ProvisioningDisabling or deleting accounts no longer in usePrevent unauthorized access
PermissionsDefine what users can doEnforce least privilege and access control
Identity ProofingVerifying a person’s identity before granting accessPrevent impersonation and fraud

Best Practices for IAM (Exam Key Points)

  • Use automated provisioning/de-provisioning tools integrated with HR systems.
  • Implement multi-factor authentication (MFA) for all user accounts.
  • Enforce least privilege and role-based access control (RBAC).
  • Perform regular access reviews and audit permissions.
  • Use identity proofing for all new hires and high-privilege accounts.
  • Apply strong password policies and account monitoring.

✅ Summary

Identity and Access Management ensures that the right people have the right access to the right resources at the right time.
By properly implementing provisioning/de-provisioning, permissions, and identity proofing, organizations reduce the risk of unauthorized access, insider threats, and compliance violations.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by