ISSAP - Information Systems Security Architecture Professional Identity and Access Management Questions and Answers

Question 1

A large, multinational corporation is designing an access control architecture for a new, highly dynamic environment. The system must support fine-grained access decisions based on a user's role, their geographic location, the time of day, and the data sensitivity of the resource being accessed. Traditional access control models are proving too static. Which of the following access control models would be MOST suitable for this architecture?

Accepted Answer

Attribute-Based Access Control (ABAC)

Answer

Attribute-Based Access Control (ABAC) is the most suitable model because it makes access decisions based on a combination of attributes of the user, resource, action, and environment. This allows for the creation of dynamic, context-aware policies that can handle the complexity described in the scenario (role, location, time, data sensitivity). RBAC is limited to user roles, while DAC is user-managed and MAC is based on security labels, neither of which provide the required flexibility.

Question 2

As a security architect for a financial services company, you are evaluating solutions to streamline user access across dozens of cloud-based (SaaS) and on-premises applications. The primary goals are to improve user experience with single sign-on (SSO), centralize identity management, and reduce the administrative burden of managing credentials in multiple systems. Which of the following architectural approaches BEST meets these requirements?

Accepted Answer

Adopting an Identity as a Service (IDaaS) solution.

Answer

Identity as a Service (IDaaS) is a cloud-based subscription model that provides comprehensive identity and access management capabilities, including Single Sign-On (SSO), multi-factor authentication, and centralized user management. This directly addresses the company's need to streamline access across hybrid environments, improve user experience, and reduce administrative overhead. A SIEM is for monitoring, a HIDS is for host-level threat detection, and a manual process would increase, not decrease, administrative burden.

Question 3

An organization is building a partnership with several external companies, allowing their employees to access a shared collaboration portal. To avoid creating and managing separate user accounts for each partner employee, the security architect needs to design a solution where users can authenticate with their own corporate credentials. Which of the following technologies is fundamental to enabling this cross-domain trust and authentication?

Accepted Answer

Federated Identity Management (FIM)

Answer

Federated Identity Management (FIM) is the architectural pattern and set of standards (like SAML and OpenID Connect) that allows identities from one trust domain (the partner company) to be accepted by a service provider in another trust domain (the collaboration portal). This enables users to use their existing corporate credentials, establishing a trust relationship between the identity provider and the service provider. Kerberos and LDAP are typically used within a single organizational domain, and RADIUS is often used for network access control.

Question 4

A security architect is designing the identity lifecycle management process for a large enterprise. The architect must ensure that access rights are correctly assigned when an employee is hired, adjusted when they change roles, and revoked promptly when they leave. Which of the following frameworks is specifically designed to address these stages of the identity lifecycle?

Accepted Answer

Joiner-Mover-Leaver (JML)

Answer

The Joiner-Mover-Leaver (JML) framework is a core process within identity and access management that specifically outlines the procedures for onboarding (Joiner), role changes (Mover), and offboarding (Leaver). It ensures that user access privileges are managed dynamically and appropriately throughout their tenure with an organization, enforcing principles like least privilege. The other options are enterprise architecture frameworks, not specific IAM process models.

Question 5

When designing a federated identity solution using Security Assertion Markup Language (SAML), what is the primary role of the Identity Provider (IdP)?

Accepted Answer

To authenticate the user and issue a security assertion containing identity information.

Answer

In a SAML federation, the Identity Provider (IdP) is the entity responsible for authenticating the user and, upon successful authentication, creating a security assertion (a SAML token) that contains information about the user's identity and attributes. This assertion is then sent to the Service Provider (SP), which consumes it to make an authorization decision. The SP hosts the resource. While an IdP uses a directory, its primary role in the federation is authentication and assertion issuance.

ISSAP - Information Systems Security Architecture Professional Practice Test

ISSAP - Information Systems Security Architecture Professional Practice Test

ISSAP - Information Systems Security Architecture Professional Identity and Access Management Questions and Answers