Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.1. Physical and Logical Access Control

💡 First Principle: An identity is a representation of a subject (person, system, or process) within a security domain. Before any access control decision can be made, the subject must have an established, managed identity. Identity management governs that entire lifecycle: how identities are created, maintained, and removed, and how the attributes associated with them are kept accurate.

Identity management failures are among the most exploited vulnerabilities in real breaches. Orphaned accounts (former employees whose accounts weren't disabled), over-provisioned accounts (users who accumulated access rights over years of job changes), and service accounts with excessive privilege represent the majority of the identity attack surface in most organizations.
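A reconciliation check for the three account types just listed (orphaned, over-provisioned, and privileged service accounts), added here as an illustration and not part of MindMesh's material. The HR roster, per-role group baselines, and account records are constructed sample data for a hypothetical organization.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]   # HR employee id; None marks a service account
    enabled: bool
    groups: frozenset

# Constructed sample data: HR roster, role baselines, and directory accounts.
HR_ROSTER = {
    "E100": {"role": "analyst", "active": True},
    "E200": {"role": "engineer", "active": True},
    "E300": {"role": "analyst", "active": False},   # employee has left
}
ROLE_BASELINE = {
    "analyst": frozenset({"staff", "siem-readers"}),
    "engineer": frozenset({"staff", "git-users", "ci-runners"}),
}
PRIVILEGED_GROUPS = frozenset({"domain-admins", "db-admins"})
ACCOUNTS = [
    Account("alice", "E100", True, frozenset({"staff", "siem-readers"})),
    # bob moved from analyst to engineer and kept old rights plus a DBA grant
    Account("bob", "E200", True, frozenset({"staff", "git-users", "ci-runners",
                                            "siem-readers", "db-admins"})),
    Account("carol", "E300", True, frozenset({"staff", "siem-readers"})),
    Account("svc-backup", None, True, frozenset({"domain-admins"})),
    Account("svc-metrics", None, True, frozenset({"siem-readers"})),
]

def audit_accounts(accounts, roster, baseline, privileged):
    """Return (username, finding, detail) for each identity lifecycle failure."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                          # already revoked; nothing to flag
        if acct.owner_id is None:             # service account: check privilege
            excess = acct.groups & privileged
            if excess:
                findings.append((acct.username, "privileged-service-account", sorted(excess)))
            continue
        owner = roster.get(acct.owner_id)
        if owner is None or not owner["active"]:   # no living owner in HR
            findings.append((acct.username, "orphaned", acct.owner_id))
            continue
        extra = acct.groups - baseline.get(owner["role"], frozenset())
        if extra:                             # rights beyond the current role
            findings.append((acct.username, "over-provisioned", sorted(extra)))
    return findings

if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, PRIVILEGED_GROUPS):
        print(finding)
```

Orphaned findings are the ones to act on first, since disabling the account is the revocation step the rest of the section treats as the priority.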

Why this matters: Provisioning and deprovisioning questions frequently appear as "what should you do FIRST?" scenarios. The correct answer almost always involves access revocation before or simultaneous with any other action — a recurring theme from Domain 1's personnel security section.

⚠️ Common Misconception: "Authentication proves identity." Authentication proves that the presenter knows a credential (password, private key, biometric) associated with an identity — it does not prove the presenter IS that identity. A stolen password authenticates the thief as successfully as the legitimate owner. This is why MFA and behavioral analytics (is this login pattern consistent with the claimed user's history?) are needed alongside credential authentication.

Written by Alvin Varughese (Founder, 15 professional certifications)