Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
6.6. Reflection Checkpoint
Key Takeaways
- Identity lifecycle: provisioning → maintenance → deprovisioning. Orphaned accounts and privilege creep are the two most common identity hygiene failures.
- Authentication ≠ authorization ≠ accountability. Each is a distinct step with distinct controls.
- MFA factor independence is critical — two factors from the same category (two passwords) provide no real MFA benefit.
- FIDO2/passkeys are the most phishing-resistant MFA. SMS OTP is the weakest. TOTP is good but phishable in real-time.
- SAML for enterprise web SSO. OIDC for modern app authentication. OAuth 2.0 for authorization delegation only.
- Kerberos: TGT → Service Ticket. 5-minute clock skew. KRBTGT compromise = Golden Ticket. Golden Ticket defense: protect DCs, rotate KRBTGT.
- RBAC simplifies management; role explosion eliminates that benefit. ABAC enables fine-grained contextual access; requires accurate attribute maintenance.
- Logs must be protected from the insiders who generated them. Ship to central, immutable store in real time.
- Session tokens: cryptographically random, Secure + HttpOnly flags, short lifetime, invalidated on logout. JWTs are stateless and cannot be revoked before expiry unless explicit revocation infrastructure is in place.
- Password spraying evades lockout by staying below the threshold — detection requires behavioral analytics across accounts.
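As an added example (not part of the MindMesh material), the cross-account view the last takeaway calls for: a small Python detector run over constructed sample authentication log lines. The log field layout, the per-account lockout threshold, the distinct-account threshold and the 15-minute window are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one authentication attempt per line (timestamp, source IP, account, outcome).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 203.0.113.7 alice FAIL
2024-03-01T09:00:12Z 203.0.113.7 bob FAIL
2024-03-01T09:00:25Z 203.0.113.7 carol FAIL
2024-03-01T09:00:40Z 203.0.113.7 dave FAIL
2024-03-01T09:01:02Z 203.0.113.7 erin FAIL
2024-03-01T09:01:15Z 203.0.113.7 frank SUCCESS
2024-03-01T09:02:00Z 198.51.100.4 grace FAIL
2024-03-01T09:02:10Z 198.51.100.4 grace FAIL
2024-03-01T09:02:30Z 198.51.100.4 grace SUCCESS
"""

LOCKOUT_THRESHOLD = 5    # assumed policy: per-account failures before lockout
SPRAY_MIN_ACCOUNTS = 5   # assumed tuning: distinct accounts failed from one source

def parse_log(text):
    """Return (timestamp, source, account, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return sorted(events)

def max_failures_per_account(events):
    """What per-account lockout sees: the highest failure count for any single account."""
    fails = defaultdict(int)
    for _ts, _src, user, result in events:
        if result == "FAIL":
            fails[user] += 1
    return max(fails.values(), default=0)

def detect_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=timedelta(minutes=15)):
    """Flag a source whose failures touch >= min_accounts distinct accounts within a sliding window."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, attempts in by_src.items():
        for i, (t_end, _u) in enumerate(attempts):
            # distinct accounts this source failed against in the window ending at attempt i
            recent = {u for t, u in attempts[: i + 1] if t_end - t <= window}
            if len(recent) >= min_accounts:
                alerts[src] = sorted(recent)
    return alerts
```

In the sample, no account exceeds two failures (well under the assumed lockout threshold), yet the source 203.0.113.7 is flagged because its failures span five distinct accounts inside one window.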
Connecting Forward
Phase 7 (Domain 6 — Security Assessment and Testing) asks: how do we verify that the controls from Domains 1–5 actually work? Assessment and testing is the feedback loop that closes the security lifecycle. Penetration testing finds gaps that architecture reviews miss; vulnerability assessments find what scanners can find; audits verify compliance posture; and the metrics from these activities feed back into the risk management cycle from Domain 1.
Self-Check Questions
- A systems administrator was granted permanent Domain Admin rights "temporarily" three years ago and the access was never revoked. Six months after this administrator was terminated, an incident responder discovers the account is still active and has been used to access financial records. Identify all IAM lifecycle failures in this scenario and which specific control would have prevented each.
- Your organization is transitioning from password-based authentication to MFA. The security team proposes SMS OTP because it's familiar to users. The CTO proposes FIDO2 keys. Construct a business case comparing the two options that addresses threat resistance, user experience, deployment cost, and regulatory compliance context.
Written by Alvin Varughese
Founder • 15 professional certifications