CISSP Domain 5—Identity and Access Management (IAM)—is one of the most operationally critical domains in the entire CISSP Common Body of Knowledge. In modern environments, the network perimeter is no longer the primary line of defense—identity is.
From ransomware incidents to cloud breaches, the overwhelming majority of successful attacks begin with compromised credentials or abused authentication flows. Poor identity controls can directly impact all three pillars of the CIA triad—confidentiality, integrity, and availability—often simultaneously.
This first part of Domain 5 focuses on identity, authentication mechanisms, and trust establishment, laying the foundation for access control concepts covered later.
What CISSP Domain 5 Covers
CISSP Domain 5 evaluates your understanding of how identities are:
- Created and validated
- Authenticated and federated
- Monitored and audited
- Protected from misuse
Key topic areas include:
- Identity management systems
- Authentication protocols
- Single Sign-On (SSO)
- Multi-Factor Authentication (MFA)
- Accountability and session management
- Credential storage and protection
- Remote access AAA protocols
Identity vs Authentication: A Critical Distinction
Before diving into technologies, it’s important to distinguish two commonly confused concepts:
- Identity is a claimed representation (username, account, certificate).
- Authentication is the process of proving that identity.
Most identity-related breaches happen at or after the authentication step: a claimed identity is accepted on weak evidence (a guessed or phished password), or a legitimately issued credential, ticket, or session token is stolen and reused. That is why authentication strength and design, rather than how identities are named, carry most of the weight.
LDAP: The Backbone of Enterprise Identity Stores
The Lightweight Directory Access Protocol (LDAP) is the protocol used to query and modify directory services that hold identity data across enterprise environments.
LDAP directories typically store:
- User accounts
- Group memberships
- Computer objects
- Organizational attributes
- Contact metadata
LDAP enables centralized identity management, which supports authentication, authorization, and automation. By default LDAP listens on TCP 389 (LDAPS on 636). A simple bind sends the password in cleartext, so directory connections should require TLS (LDAPS or STARTTLS) and, in Active Directory, LDAP signing and channel binding.
Active Directory and LDAP
The most widely deployed LDAP-accessible directory is Microsoft Active Directory Domain Services (AD DS).
Active Directory uses:
- LDAP for directory access
- Kerberos for authentication
- DNS for service discovery
In practice, the directory becomes mission-critical infrastructure. Because it holds the credentials and group memberships of every principal, an attacker who can read or write to it at domain-controller level has effectively compromised every identity in the environment.
Kerberos: Secure Authentication at Scale
Kerberos is a ticket-based authentication protocol designed to authenticate entities over untrusted networks using symmetric cryptography.
Why Kerberos Matters
Kerberos is designed so that:
- The user's password (or the key derived from it) is never sent over the network; the client proves possession by encrypting a timestamp with it
- Replay is limited: every request carries a timestamped authenticator, and a service rejects authenticators outside the clock-skew window or ones it has already seen
- A captured ticket is of limited use: tickets are short-lived, bound to one client and one service, and decryptable only with that service's key
One caveat a practitioner should keep in mind: a valid ticket or session key stolen from a client remains usable until it expires, so endpoint credential protection still matters.
It is the default authentication protocol for Active Directory and is widely used in:
- Unix/Linux environments (typically via PAM or SSSD, often against an AD or MIT/Heimdal KDC)
- NFS, when NFSv4 is configured with Kerberos security (RPCSEC_GSS)
- Samba, when it serves or is joined to an Active Directory domain
Key Kerberos Components
- Client – Requests access on behalf of the user and holds the user's long-term key (derived from the password)
- Server – The application or service server that hosts the requested service and holds its own long-term key
- Authentication Server (AS) – Verifies user credentials and issues the initial ticket
- Ticket Granting Server (TGS) – Issues service tickets to holders of a valid TGT
- Key Distribution Center (KDC) – Central authority hosting the AS and TGS; it knows every principal's long-term key
How Kerberos Works (Simplified Flow)
- Client sends an authentication request (AS-REQ) to the AS; with pre-authentication it includes a timestamp encrypted under the user's key
- AS validates the request and issues a Ticket Granting Ticket (TGT), encrypted under the KDC's own key, plus a session key encrypted under the user's key
- Client requests a service ticket from the TGS, presenting the TGT and an authenticator (timestamp plus identity) encrypted with the session key
- TGS validates the TGT and authenticator and issues a service ticket encrypted under the target service's key, plus a new session key for that service
- Client presents the service ticket and a fresh authenticator to the service server, which validates them with its own key without contacting the KDC
Kerberos relies heavily on time synchronization. The default tolerance is five minutes of skew; a client or server whose clock is outside that window is rejected, which is why clock drift is a common failure point in real environments.
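A worked example of the exchange above, added here as an editor's illustration; it is not part of the original article and is not code from any real Kerberos implementation. It is a Python 3 simulation (standard library only) in which the KDC, a service and a client are plain objects and the cipher is an HMAC-based stand-in for Kerberos' AES encryption types; the realm, principal names, password, service name and the 8-hour ticket lifetime are constructed values. It shows the password never leaving the client, pre-authentication, the TGT and service ticket being sealed under keys the client does not hold, authenticator timestamps checked against the skew window, ticket expiry, and a per-service replay cache:

```python
import hashlib, hmac, json, os, secrets

MAX_SKEW = 300          # seconds; Kerberos' default clock-skew tolerance is 5 minutes
TICKET_LIFE = 8 * 3600  # seconds; a typical ticket lifetime (constructed value)

def derive_key(password: str, salt: str) -> bytes:   # string-to-key; never transmitted
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]
def seal(key: bytes, obj: dict) -> bytes:
    # encrypt-then-MAC with a stdlib construction; stands in for Kerberos EncryptedData
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth: dict, user: str, now: int) -> None:
    # an authenticator must name the principal the ticket was issued to and be fresh
    if auth["user"] != user or abs(now - auth["ts"]) > MAX_SKEW:
        raise ValueError("bad authenticator: principal mismatch or clock skew too great")

class KDC:
    """Key Distribution Center: hosts AS and TGS, holds every principal's long-term key."""
    def __init__(self, realm: str):
        self.realm, self.keys, self.krbtgt = realm, {}, os.urandom(32)
    def add_user(self, name: str, password: str) -> None:
        self.keys[name] = derive_key(password, self.realm + name)
    def add_service(self, spn: str) -> bytes:
        self.keys[spn] = os.urandom(32)       # installed on the service host as its keytab
        return self.keys[spn]
    def as_exchange(self, user: str, preauth: bytes, now: int):
        # AS-REQ/AS-REP: pre-auth is a timestamp sealed with the user's key; a wrong password
        # fails the integrity check here without the password ever crossing the wire
        check_authenticator(unseal(self.keys[user], preauth), user, now)
        sk = secrets.token_hex(32)
        tgt = seal(self.krbtgt, {"user": user, "sk": sk, "exp": now + TICKET_LIFE})
        return tgt, seal(self.keys[user], {"sk": sk})   # the TGT is opaque to the client
    def tgs_exchange(self, tgt: bytes, auth: bytes, spn: str, now: int):
        # TGS-REQ/TGS-REP: validate TGT + authenticator, issue a ticket sealed with the service key
        t = unseal(self.krbtgt, tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        check_authenticator(unseal(bytes.fromhex(t["sk"]), auth), t["user"], now)
        ssk = secrets.token_hex(32)
        ticket = seal(self.keys[spn], {"user": t["user"], "sk": ssk, "exp": now + TICKET_LIFE})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": ssk})

class Service:
    """Application server: validates the AP-REQ with its own key and never contacts the KDC."""
    def __init__(self, spn: str, key: bytes):
        self.spn, self.key, self.replay_cache = spn, key, set()
    def ap_exchange(self, ticket: bytes, auth: bytes, now: int) -> str:
        t = unseal(self.key, ticket)
        if now > t["exp"]:
            raise ValueError("service ticket expired")
        a = unseal(bytes.fromhex(t["sk"]), auth)
        check_authenticator(a, t["user"], now)
        if (a["user"], a["ts"], a["nonce"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((a["user"], a["ts"], a["nonce"]))
        return t["user"]

class Client:
    def __init__(self, user: str, password: str, realm: str, skew: int = 0):
        self.user, self.key, self.skew = user, derive_key(password, realm + user), skew
    def _auth(self, sk: bytes, now: int) -> bytes:   # self.skew models a drifted client clock
        return seal(sk, {"user": self.user, "ts": now + self.skew, "nonce": secrets.token_hex(8)})
    def login(self, kdc: KDC, now: int) -> None:
        self.tgt, enc = kdc.as_exchange(self.user, self._auth(self.key, now), now)
        self.tgt_sk = bytes.fromhex(unseal(self.key, enc)["sk"])
    def access(self, kdc: KDC, svc: Service, now: int) -> str:
        ticket, enc = kdc.tgs_exchange(self.tgt, self._auth(self.tgt_sk, now), svc.spn, now)
        ssk = bytes.fromhex(unseal(self.tgt_sk, enc)["sk"])
        self.last = (ticket, self._auth(ssk, now))   # kept so the demo can replay it
        return svc.ap_exchange(*self.last, now)

def fails(fn):   # run a scenario and return the error message it produces
    try: fn()
    except ValueError as e: return str(e)

def demo() -> dict:   # happy path plus the failure modes the protocol is built to catch
    kdc, realm, now = KDC("EXAMPLE.COM"), "EXAMPLE.COM", 1_700_000_000
    kdc.add_user("alice", "correct horse battery staple")
    svc = Service("cifs/fs01.example.com", kdc.add_service("cifs/fs01.example.com"))
    alice = Client("alice", "correct horse battery staple", realm)
    alice.login(kdc, now)
    return {
        "ok": alice.access(kdc, svc, now + 5),
        "replay": fails(lambda: svc.ap_exchange(*alice.last, now + 6)),
        "bad_password": fails(lambda: Client("alice", "wrong", realm).login(kdc, now)),
        "skew": fails(lambda: Client("alice", "correct horse battery staple", realm,
                                     skew=MAX_SKEW + 1).login(kdc, now)),
        "expired": fails(lambda: alice.access(kdc, svc, now + TICKET_LIFE + 1)),
    }
```

demo() returns "alice" for the happy path alongside the errors for a replayed authenticator, a wrong password (rejected at pre-authentication, with only an encrypted timestamp ever leaving the client), a client clock drifted past the skew window, and an expired TGT. Note what the service does not do: it never calls the KDC, which is exactly why a ticket stolen from a client stays usable until it expires.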
Single Sign-On (SSO): Convenience vs Risk
Single Sign-On allows users to authenticate once and access multiple systems without repeated logins.
Benefits of SSO
- Improved user experience
- Reduced password fatigue
- Fewer helpdesk calls
- Centralized access control
Security Trade-Off
SSO concentrates risk. If the identity is compromised, or a session token issued by the identity provider is stolen, attackers gain access to every connected system at once. This makes MFA at the identity provider mandatory in any serious SSO deployment, and it makes session lifetime and revocation the real security boundary.
SSO Implementation Options
Federated SSO
Federation uses trust relationships between identity providers (IdPs) and service providers (SPs).
Common federation protocols:
- SAML
- OAuth 2.0
- OpenID Connect (OIDC)
Federation improves:
- Scalability
- Security
- Cloud integration
- User experience
Password-Based SSO
Used mainly for legacy or on-premises applications. The identity provider stores each application password in a vault and replays it into the application's login form on the user's behalf. Because the password must be replayed, it is stored reversibly (encrypted, not hashed), so the vault itself becomes a high-value target.
This method:
- Increases compatibility
- Increases risk
- Should be transitional, not permanent
Linked SSO
Provides access shortcuts without true SSO. Useful during migration phases but offers limited security benefits.
Disabled SSO
Users authenticate separately to each system. While this reduces blast radius, it increases credential sprawl and weak password reuse.
Multi-Factor Authentication (MFA): A Non-Negotiable Control
MFA requires two or more authentication factors of different types, drastically reducing the risk of credential-based attacks.
Authentication Factors
- Knowledge (something you know): passwords, PINs
- Possession (something you have): hardware tokens, smart cards, authenticator apps, phones
- Inherence (something you are): biometrics
- Location (somewhere you are) and behavior (something you do) are usually treated as supplementary context rather than primary factors
Two factors of the same type, such as a password plus a PIN, do not constitute MFA. Nor is all MFA equal: SMS codes and push approvals can be phished or worn down by repeated prompts, whereas FIDO2/WebAuthn and smart-card authentication bind the credential to the site and resist phishing.
From a practitioner's perspective, MFA is the single most effective IAM control available.
Biometric Authentication: Strengths and Limitations
Biometrics authenticate users based on physiological or behavioral traits.
Common Biometric Types
- Fingerprint
- Facial recognition
- Iris and retinal scans
- Voice recognition
- Keystroke dynamics
- Gait analysis
Unique Risk
Biometrics cannot be changed if compromised. This makes template protection and secure storage critical.
Biometric Operating Modes
Verification Mode (1:1)
Confirms identity by comparing a biometric sample to a specific template.
Identification Mode (1:N)
Determines identity by comparing against all templates in a database.
Identification mode introduces greater privacy and performance concerns.
Biometric Performance Metrics (Exam Critical)
- FRR (False Rejection Rate, Type I error) – valid users denied
- FAR (False Acceptance Rate, Type II error) – unauthorized users accepted
- CER (Crossover Error Rate, also called Equal Error Rate) – the sensitivity setting at which FAR equals FRR
Lower CER indicates better biometric system accuracy. Raising the sensitivity threshold lowers FAR at the cost of a higher FRR, so security-critical deployments tune toward a low FAR and accept more false rejections, while convenience-oriented ones do the opposite.
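To make the metrics concrete, here is an added Python example (not from the original article) that computes FAR and FRR across thresholds and finds the crossover on constructed match scores. GENUINE and IMPOSTOR are made-up similarity scores, higher meaning a closer match, and a sample is accepted when its score is at or above the threshold:

```python
from typing import Sequence

# Constructed sample data: similarity scores from 20 genuine attempts (the enrolled user
# against their own template) and 20 impostor attempts (someone else against that template).
GENUINE = [0.91, 0.88, 0.85, 0.83, 0.80, 0.79, 0.77, 0.76, 0.74, 0.72,
           0.70, 0.69, 0.66, 0.63, 0.60, 0.58, 0.55, 0.52, 0.48, 0.45]
IMPOSTOR = [0.62, 0.58, 0.55, 0.52, 0.50, 0.48, 0.46, 0.44, 0.42, 0.40,
            0.38, 0.36, 0.34, 0.32, 0.30, 0.28, 0.26, 0.24, 0.22, 0.20]

def rates(genuine: Sequence[float], impostor: Sequence[float], threshold: float):
    """Return (FAR, FRR) at one threshold.
    FAR (Type II error): impostor samples accepted, i.e. impostor scores >= threshold.
    FRR (Type I error): genuine samples rejected, i.e. genuine scores < threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def candidate_thresholds(genuine, impostor):
    # every observed score is a candidate; between two observed scores nothing changes
    return sorted(set(genuine) | set(impostor))

def crossover(genuine, impostor):
    """Sweep thresholds and return (threshold, FAR, FRR, CER) where FAR and FRR are
    closest. CER is reported as their mean, which equals both when they cross exactly."""
    best = None
    for t in candidate_thresholds(genuine, impostor):
        far, frr = rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    t, far, frr = best
    return t, far, frr, (far + frr) / 2

def threshold_for_max_far(genuine, impostor, max_far: float):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR paid for it.
    This is how a security-critical deployment tunes, rather than sitting at the CER."""
    for t in candidate_thresholds(genuine, impostor):
        far, frr = rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None   # no observed threshold is strict enough

if __name__ == "__main__":
    for t in candidate_thresholds(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FAR {rates(GENUINE, IMPOSTOR, t)[0]:.2f}  "
              f"FRR {rates(GENUINE, IMPOSTOR, t)[1]:.2f}")
    print("CER point:", crossover(GENUINE, IMPOSTOR))
    print("FAR <= 5%:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.05))
```

On this data crossover() lands at threshold 0.55 with FAR = FRR = 0.15, so the CER is 0.15. threshold_for_max_far() shows the trade-off the metrics describe: forcing FAR down to 0.05 moves the threshold to 0.60 and pushes FRR up to 0.25, and a zero-FAR setting rejects 30% of genuine attempts. A vendor's accuracy table is this same sweep over a much larger sample.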
Remote Access AAA Protocols
Remote access requires strong Authentication, Authorization, and Accounting (AAA) controls.
RADIUS
- Uses UDP
- Hides only the User-Password attribute (MD5 keyed with the shared secret); user names, accounting data and the rest of the packet travel in cleartext
- Ports 1812 (authentication) and 1813 (accounting); older deployments used 1645/1646
- Widely used for VPNs, Wi-Fi (802.1X/EAP) and network access servers
RADIUS is scalable, but it returns authentication and authorization in a single response, which limits per-command control, and its built-in protection is weak enough that RADIUS over TLS (RadSec) or IPsec should be used on untrusted networks.
Diameter
Designed as RADIUS’ successor:
- Uses TCP or SCTP, giving reliable delivery and failover
- Supports a larger and extensible set of attribute-value pairs (AVPs)
- Specifies transport protection (TLS/DTLS or IPsec) rather than relying on a shared secret alone
- Improved reliability and scalability
Diameter is common in telecom and mobile networks and is rarely seen in enterprise IT.
TACACS+
- Developed by Cisco; now documented in RFC 8907
- Separates authentication, authorization, and accounting, which enables per-command authorization on network devices
- Obfuscates the entire packet body (the header stays in the clear) with an MD5-derived pad keyed with the shared secret; the RFC calls this obfuscation rather than encryption and recommends a protected transport
- Uses TCP port 49
TACACS+ is preferred for network device administration.
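The protection differences above are easiest to see in the actual algorithms. The following added Python example (standard library only; not from the original article or from any product) implements RADIUS User-Password hiding from RFC 2865 section 5.2 and TACACS+ body obfuscation from RFC 8907 section 4.5, and then shows why the RADIUS shared secret has to be strong: the secret is the only input that is not on the wire, so a captured Access-Request can be tested against a wordlist offline. The shared secret, password, Request Authenticator, session ID, version byte and the TACACS+ body are constructed values:

```python
import hashlib, os

def radius_hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    # RFC 2865 5.2: c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_{i-1}); p is NUL-padded to 16
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def radius_reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    # the server's side of the same computation
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def guess_radius_secret(candidates, request_authenticator: bytes, hidden: bytes):
    # RA and the hidden attribute are both in the captured Access-Request, so each candidate
    # secret can be tested offline: the right one yields printable ASCII followed only by
    # NUL padding, a wrong one yields random-looking bytes.
    for secret in candidates:
        revealed = radius_reveal_password(secret, request_authenticator, hidden)
        if revealed and all(32 <= c < 127 for c in revealed):
            return secret
    return None

def tacacs_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    # RFC 8907 4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    # MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenate, truncate to body length
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    # XOR with the pad; applying it twice restores the body. The 12-byte header is not covered.
    pad = tacacs_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def demo() -> dict:
    # constructed values: shared secret, password, random per-request authenticator,
    # a TACACS+ session id, the 0xC0 version byte and a made-up authentication body
    secret, ra = b"sh4r3d-S3cr3t!", os.urandom(16)
    hidden = radius_hide_password(secret, ra, b"Winter2024!")
    body = b"\x01\x00\x02\x01" + b"alice" + b"Winter2024!"
    obfuscated = tacacs_obfuscate(secret, 0x1234ABCD, 0xC0, 1, body)
    return {
        "hidden_len": len(hidden),                       # one 16-byte block for an 11-byte password
        "roundtrip": radius_reveal_password(secret, ra, hidden),
        "cracked": guess_radius_secret([b"radius", b"testing123", b"changeme", secret], ra, hidden),
        "tacacs_body_changed": obfuscated != body,
        "tacacs_roundtrip_ok": tacacs_obfuscate(secret, 0x1234ABCD, 0xC0, 1, obfuscated) == body,
    }
```

Both constructions rest on MD5 of a shared secret and nothing else, which is the design reason the TACACS+ RFC calls its scheme obfuscation and why RadSec or IPsec belongs in front of RADIUS on any untrusted segment. guess_radius_secret() is the check to run against your own captures: if a short wordlist recovers the secret, so will anyone who can sniff the NAS-to-server path.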
Expert Insight: Why IAM Fails in Practice
Most IAM failures are not technical—they’re governance failures:
- Weak onboarding/offboarding
- Poor MFA adoption
- Legacy authentication dependencies
- Overprivileged service accounts
CISSP Domain 5 is not about memorizing protocols—it’s about understanding trust, accountability, and lifecycle management.
Final Thoughts
Identity is now the primary attack surface. Authentication establishes trust—but trust must be earned continuously, monitored, and revoked when necessary.
CISSP Domain 5 Part 1 lays the groundwork for understanding how identities are validated and protected. Mastering these concepts is essential not just for passing the exam—but for defending real-world environments where identity compromise is inevitable without strong controls.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
