Episode 69: Network and Endpoint Security

Welcome to The Bare Metal Cyber CISA Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
Identity management is the foundation of all access control. Without a clear understanding of who is accessing a system and what they are allowed to do, it is impossible to enforce confidentiality, integrity, or availability. Managing identity properly prevents unauthorized system access, reduces the risk of data breaches, and supports compliance with a wide range of legal and regulatory frameworks. Identity controls enable organizations to manage account provisioning, authentication, and de-provisioning in a secure and consistent way. Every security decision, from assigning privileges to investigating an incident, begins with identity. On the CISA exam, identity management is a frequently tested topic. Candidates must be able to assess how identities are created, managed, and retired. They must also evaluate whether organizations enforce their access policies, and whether those policies are aligned with the principle of least privilege.
Managing the identity lifecycle involves more than just creating user accounts. It includes every stage of a user’s relationship with the organization, from onboarding to departure. Provisioning occurs when a new user joins. Their account must be created in relevant systems, assigned the correct roles, and configured according to job requirements. As users change roles or take on new responsibilities, their access must be modified. This may involve granting additional permissions or removing access to systems that are no longer needed. The final step is de-provisioning, which ensures that accounts are removed when users leave or when their access is no longer required. A complete identity lifecycle also covers contractors, vendors, and third-party users. These accounts often fall outside of internal HR processes, making them easy to overlook. Auditors examine whether identity lifecycle steps are timely, properly documented, and consistently applied. Delays or oversights in any stage of the lifecycle can lead to significant risk exposure.
Authentication is the process of verifying that a user is who they claim to be. It is the first line of defense in any access control strategy. Single-factor authentication, such as entering a password, is still common but offers limited protection. Multi-factor authentication adds a layer of security by requiring two or more types of credentials, such as something you know, something you have, or something you are. This could include a password combined with a token, a code sent to a mobile device, or a biometric scan such as a fingerprint. Strong authentication policies should also include password complexity requirements and expiration periods to prevent brute-force attacks. Even with strong authentication, vulnerabilities may still exist if tokens are stolen, biometric data is compromised, or session controls are weak. CISA exam questions often involve scenarios where authentication has failed or been bypassed. Candidates must be able to identify weaknesses in authentication processes and recommend appropriate mitigations.
Authorization defines what a user is allowed to do after authentication has been completed. This is where the principle of least privilege comes into effect. Access should be assigned based on the user’s job role, and users should be granted only the permissions necessary to perform their functions. Role-based access control is one common approach, where roles are mapped to specific sets of permissions. Attribute-based access control goes further by taking into account factors such as time, location, or user attributes to grant or deny access. Access control lists and group policies are tools used to enforce these rules across systems. Sensitive functions require additional safeguards, such as segregation of duties and management approval for access changes. Auditors compare role definitions with actual access levels and look for signs of over-permissioning or unapproved privilege escalation. Understanding how authorization is structured and enforced is essential for identifying and correcting access violations.
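The following is an added illustration, not code from the Prepcast or from any IAM product: a small authorization engine that combines role-based access control (roles mapped to permission sets), attribute-based rules (network location and time of day for sensitive permissions), and a segregation-of-duties check of the kind described above. The role names, permissions, users and the specific ABAC conditions are all constructed for the example.

```python
"""Added example: RBAC + ABAC + segregation-of-duties in one decision function.
All roles, permissions and rules below are constructed for illustration."""
from dataclasses import dataclass

# RBAC: each role maps to the set of permissions it grants (constructed data)
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice:create", "invoice:view"},
    "ap_manager": {"invoice:approve", "invoice:view"},
    "dba": {"db:read", "db:write", "db:admin"},
}

# Segregation of duties: permission pairs one person must never hold together
SOD_CONFLICTS = [("invoice:create", "invoice:approve")]


@dataclass
class Request:
    user: str
    roles: list
    permission: str
    hour: int        # local hour of day, 0-23
    network: str     # "corporate" or "remote" (assumed attribute)


def effective_permissions(roles):
    """Union of the permissions granted by every assigned role."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(roles):
    """Return the conflicting permission pairs the role set would grant together."""
    perms = effective_permissions(roles)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def authorize(req):
    """Return (allowed, reason). RBAC decides what the user may do;
    the ABAC rules decide when and from where sensitive permissions may be used."""
    if sod_violations(req.roles):
        return False, "segregation-of-duties conflict in assigned roles"
    if req.permission not in effective_permissions(req.roles):
        return False, "permission not granted by any assigned role"
    # ABAC: approval and admin permissions only from the corporate network,
    # during business hours (08:00-17:59)
    if req.permission.endswith(":admin") or req.permission.endswith(":approve"):
        if req.network != "corporate":
            return False, "sensitive permission requires corporate network"
        if not 8 <= req.hour < 18:
            return False, "sensitive permission restricted to business hours"
    return True, "allowed"


if __name__ == "__main__":
    print(authorize(Request("alice", ["ap_clerk"], "invoice:create", 10, "remote")))
    print(authorize(Request("bob", ["ap_manager"], "invoice:approve", 22, "corporate")))
    print(authorize(Request("carol", ["ap_clerk", "ap_manager"], "invoice:view", 10, "corporate")))
```

The order of checks matters for an auditor's reading of a decision log: a segregation-of-duties conflict is a defect in the role assignment itself, so it is reported before any per-request permission or attribute check, and the reason string makes clear which control denied the request.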
Identity and access management platforms allow organizations to centralize identity controls and automate much of the identity lifecycle. These platforms may include tools like Okta, Azure Active Directory, or SailPoint. They provide features such as self-service account requests, password resets, and single sign-on capabilities. IAM systems also support access reviews, audit logging, and policy enforcement. By integrating with human resources systems, IAM platforms can automatically update or deactivate accounts when personnel changes occur. This reduces the likelihood of human error and shortens the time between role changes and access updates. Audit logs generated by IAM tools should capture every change, request, and approval related to user access. Auditors review these logs for completeness, looking for patterns of unauthorized changes or policy violations. On the CISA exam, candidates should know how IAM platforms support compliance and security, and how to evaluate whether an IAM system is configured and monitored effectively.
Privileged access management is a specialized area of identity control that focuses on accounts with elevated privileges. These include system administrators, root users, and database owners. Privileged accounts offer full access to critical systems and data, making them a high-value target for attackers. Organizations must restrict the use of privileged accounts to only those who need them and must enforce additional safeguards. Credentials should be rotated frequently and stored in secure password vaults. Session recording provides accountability by capturing what was done during a privileged session. Some organizations implement just-in-time access, which grants elevated permissions only for the duration of a specific task or timeframe. When the session ends, the elevated access is revoked automatically. The CISA exam often includes questions about the risks of shared or poorly managed privileged accounts. Candidates should know how to assess privileged access policies and identify whether those accounts are being monitored and controlled appropriately.
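As an added example that is not part of the Prepcast or of any PAM product, here is a minimal just-in-time elevation broker that implements the behaviour described above: a grant is tied to a change ticket, carries an expiry, is revoked automatically once the window closes, and every grant, denial and revocation is written to an audit log. The privilege names, ticket format and the maximum window are constructed for illustration.

```python
"""Added example: just-in-time privileged access with automatic expiry.
Privilege names, tickets and the 60-minute cap are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str
    privilege: str
    expires_at: datetime
    ticket: str          # change/incident reference justifying the elevation


@dataclass
class JitBroker:
    max_minutes: int = 60                       # longest window policy allows
    grants: dict = field(default_factory=dict)  # (user, privilege) -> Grant
    audit_log: list = field(default_factory=list)

    def request(self, user, privilege, ticket, minutes, now):
        """Grant elevation for a bounded window, or deny if it exceeds policy."""
        if minutes > self.max_minutes:
            self._log(now, "deny", user, privilege,
                      f"requested {minutes}m exceeds max {self.max_minutes}m")
            return None
        grant = Grant(user, privilege, now + timedelta(minutes=minutes), ticket)
        self.grants[(user, privilege)] = grant
        self._log(now, "grant", user, privilege, ticket)
        return grant

    def is_elevated(self, user, privilege, now):
        """True while a live grant exists; expired grants are revoked on check."""
        grant = self.grants.get((user, privilege))
        if grant is None:
            return False
        if now >= grant.expires_at:
            # automatic revocation when the window closes
            del self.grants[(user, privilege)]
            self._log(now, "revoke", user, privilege, "expired")
            return False
        return True

    def _log(self, now, action, user, privilege, detail):
        self.audit_log.append({
            "ts": now.isoformat(), "action": action,
            "user": user, "privilege": privilege, "detail": detail,
        })


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    broker.request("alice", "root@db01", "CHG-0001", 30, t0)
    print(broker.is_elevated("alice", "root@db01", t0 + timedelta(minutes=10)))
    print(broker.is_elevated("alice", "root@db01", t0 + timedelta(minutes=30)))
    for entry in broker.audit_log:
        print(entry)
```

When reviewing a real PAM deployment, the audit log is the artefact to sample: each grant should trace to a ticket, each expiry should be followed by a revocation, and denials for over-long requests show that the policy cap is actually enforced rather than merely documented.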
Identity federation and single sign-on simplify user access by allowing authentication across multiple systems or organizations. Federation allows users to log in once and use credentials from a trusted source, such as a corporate identity provider, to access third-party systems. Protocols such as SAML, OAuth, or OpenID Connect are used to facilitate these exchanges. Single sign-on increases user convenience and reduces password fatigue by eliminating the need to log in to each system individually. However, these benefits come with risk. If the initial authentication is compromised, access to multiple systems may be exposed. For that reason, strong underlying authentication and strict session controls are essential. Federated systems must enforce token expiration, refresh policies, and logout synchronization. Auditors assess whether trust relationships are formally defined and whether session security is being enforced. On the exam, CISA candidates should understand both the benefits and the security requirements of SSO and identity federation.
Access reviews and certifications are periodic evaluations that confirm whether users have the correct entitlements. These reviews are often conducted quarterly or semiannually, and they typically involve managers or system owners validating the access rights of their employees. The purpose is to catch accounts that no longer need access, excessive privileges, or access that was granted without proper approval. Adjustments made as a result of the review must be documented and follow change control procedures. Many IAM platforms provide automated workflows that notify reviewers, track approvals, and implement changes directly. This not only improves efficiency but also ensures that the process is auditable. The CISA exam may test your ability to assess how an access review was conducted or how findings were handled. Candidates must understand what constitutes an effective review, who should be involved, and how to respond to review discrepancies or non-compliance.
Identity-related risks are among the most common findings in audit reports. Orphaned accounts, which remain active after employees leave or change roles, are a frequent issue. These accounts can be exploited by insiders or external attackers and are often used in data breaches. Another issue is excessive privilege, where users are granted more access than their job requires. This creates unnecessary exposure and may violate policy or compliance requirements. Shared accounts or generic logins reduce accountability and make it difficult to trace actions back to specific users. Finally, weak or default passwords that are never changed can be easily guessed or cracked. Auditors must investigate these anomalies, identify misconfigurations, and evaluate the effectiveness of compensating controls. On the exam, you should expect to answer questions about how these risks arise, what their consequences might be, and how to address them through better identity governance.
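The following added example is not from the Prepcast; it ties together the lifecycle, access-review and identity-risk points above in one script of the kind an auditor might run over an HR roster extract and a directory export. It flags orphaned accounts (owner no longer active in HR), shared or generic accounts (no owner at all), excessive privilege (entitlements beyond the owner's role baseline) and passwords older than a policy maximum. All records, field names and the 365-day password policy are constructed assumptions, not any vendor's schema.

```python
"""Added example: an access-review pass over constructed HR and directory data.
Field names, roles and the password-age threshold are assumptions."""
from datetime import date

# HR roster extract (constructed): employee_id -> (status, job_role)
HR_ROSTER = {
    "E100": ("active", "ap_clerk"),
    "E101": ("terminated", "ap_clerk"),
    "E102": ("active", "dba"),
}

# Approved entitlements per job role (constructed role definitions)
ROLE_BASELINE = {
    "ap_clerk": {"invoice:create", "invoice:view"},
    "dba": {"db:read", "db:write", "db:admin"},
}

# Directory export (constructed): one record per account
ACCOUNTS = [
    {"account": "jsmith", "employee_id": "E100", "enabled": True,
     "entitlements": {"invoice:create", "invoice:view", "db:admin"},
     "pwd_last_set": date(2024, 3, 1)},
    {"account": "rjones", "employee_id": "E101", "enabled": True,
     "entitlements": {"invoice:view"}, "pwd_last_set": date(2023, 1, 15)},
    {"account": "dbadmin", "employee_id": None, "enabled": True,
     "entitlements": {"db:admin"}, "pwd_last_set": date(2021, 6, 1)},
    {"account": "kwong", "employee_id": "E102", "enabled": True,
     "entitlements": {"db:read", "db:write", "db:admin"},
     "pwd_last_set": date(2024, 5, 20)},
]


def review(accounts, roster, baseline, as_of, max_pwd_age_days=365):
    """Return a list of (account, finding) pairs for enabled accounts."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this pass
        eid = acct["employee_id"]
        owner_role = None
        if eid is None:
            findings.append((acct["account"], "shared/generic account: no owner in HR"))
        elif eid not in roster or roster[eid][0] != "active":
            findings.append((acct["account"], "orphaned account: owner not active in HR"))
        else:
            owner_role = roster[eid][1]
        # Excessive privilege is only assessable when there is a role to compare against
        if owner_role is not None:
            extra = acct["entitlements"] - baseline.get(owner_role, set())
            if extra:
                findings.append((acct["account"],
                                 f"excessive privilege beyond role {owner_role}: {sorted(extra)}"))
        if (as_of - acct["pwd_last_set"]).days > max_pwd_age_days:
            findings.append((acct["account"], "password older than policy maximum"))
    return findings


if __name__ == "__main__":
    for account, finding in review(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, date(2024, 6, 30)):
        print(f"{account}: {finding}")
```

Each finding maps to a remediation the review should record under change control: disable or re-own the orphaned and generic accounts, remove the out-of-role entitlement (or obtain and document the approval that justifies it), and force a credential rotation where the password age exceeds policy.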
For CISA exam success, identity and access management must be viewed as more than just a technology. It is a process that includes provisioning, authentication, authorization, and ongoing validation. You must be prepared to evaluate how users are added, how their roles are defined, how access is approved and monitored, and how it is revoked when no longer needed. Expect to analyze access logs, IAM system settings, and the outcomes of access reviews. Questions may involve the consequences of failed authentication, missing role documentation, or poor privilege control. Identity is the foundation of accountability and risk management. Without knowing who has access to systems and data, it is impossible to protect them. Auditors play a critical role in validating that identity controls are not only present but also effective, timely, and enforceable. Strong identity management builds trust in the systems we rely on every day.
Thanks for joining us for this episode of The Bare Metal Cyber CISA Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.
