Yet another horrible question purely due to ambiguous wording. Centralized IAM doesn't have to be across org boundaries. Which puts me off C and leans me towards D, which I don't like much either tbh
Centralized access control implies that a single entity (the IdP) performs all authorization verification.
Decentralized access control (also known as distributed access control) implies that various entities perform authorization verification.
The Identity Provider (IdP) is a third party that holds the user authentication and authorization information. Because centralized identity management is united across all applications, the user only needs to access one console to enable a variety of services and infrastructure. For example, a Service Provider such as a bank can use an IdP like provide customers with seamless access to banking services that are externally managed, like ordering checks, sending money through a cash app, or applying for a loan. If the customer updates their address in one application, it is updated in all applications.
For authentication, centralized is ideal, as you just need to know one ID (by means of SSO), but for authorization it must be the individual apps/services, as each app/service would authorize based on its needs.
So debating Option A or D.
Any confirmed answer would be appreciated. Thx
Here's why the other options are less accurate:
A. Service providers perform as both the credential and identity provider (IdP). This describes a more decentralized or federated approach, not centralized. In centralized identity management, the service providers don't handle credential management.
B. Service providers identify an entity by behavior analysis versus an identification factor. Behavioral analysis is a separate security mechanism and isn't the defining characteristic of centralized identity management. Centralized identity management is about who manages the identity, not how it's verified.
C. Service providers agree to integrate identity system recognition across organizational boundaries. This describes federation or identity federation, which is related but distinct from centralized identity management. Federation allows for interoperability between different identity systems, but it doesn't necessarily imply a single, central authority. Centralized identity management can be part of a federated system, but federation itself doesn't define centralized identity management.
Centralized Identity Management
Definition: In centralized identity management, a single, trusted entity (often called an Identity Provider or IdP) manages all user identities, credentials, and authentication for multiple systems or services within the same organization.
Federated Identity Management
Definition: Federated identity management allows multiple organizations or systems to share identities across boundaries. It enables a user from one organization to authenticate and access services in another organization without needing separate credentials.
I would go with D
The correct answer is:
C. Service providers agree to integrate identity system recognition across organizational boundaries.
Explanation:
Centralized identity management involves a single identity system being used across multiple services or organizations to authenticate and authorize users. This allows for a more streamlined process of managing user identities and their access across different systems and platforms. When service providers agree to integrate identity system recognition across organizational boundaries, they can rely on a centralized identity provider (IdP) to manage user credentials and access rights consistently.
The correct answer is:
D. Service providers rely on a trusted third party (TTP) to provide requestors with both credentials and identifiers.
Explanation:
Centralized identity management involves using a trusted third party (such as an identity provider) to manage user credentials and identifiers. This model consolidates identity and access management to a single authority, which simplifies authentication and ensures consistency across services.
Here’s why the other options are incorrect:
A. This describes a situation where the service providers themselves act as identity providers, which is more indicative of a decentralized or isolated identity management model.
B. Behavior analysis does not describe centralized identity management; it relates more to behavioral authentication or continuous authentication.
C. This refers to federated identity management, where multiple organizations agree to recognize each other's identity systems, rather than a centralized approach.
I think C is the right answer. CIM refers to the system where identity data and authentication are handled by a central authority, allowing multiple SPs to recognize and verify identities across different apps, platforms / organizations. It also aligns with Federated Identity management and SSO, where users / services (dispersed across org. boundaries) can authenticate once and get access to the services.
Horrible... While both options C and D describe centralized identity management, they represent different implementation models.
Key difference:
Option C: Multiple service providers share a common identity repository.
Option D: A trusted third party manages identity information and issues credentials. Federated Identity Management.
Both models aim to achieve the same goal of providing a unified identity management solution across multiple systems and organizations.
Leaning towards A.
This is what the OSG 10e says.
Implementing Identity Management
Identity management (IdM) implementation techniques generally fall into two categories:
Centralized access control implies that a single entity within a system performs all authorization verification.
Decentralized access control (also known as distributed access control) implies that various entities located throughout a system perform authorization verification.
A small team or individual can manage centralized access control. Administrative overhead is lower because all changes are made in a single location, and a single change affects the entire system.
Let’s calm down and read the options. If it is centralized, it doesn’t need to rely on a TTP to provide IAM. The best answer is A, which is one SP serving as the central authority to provide credentials and IdP.
The most fitting description for centralized identity management would be:
A. Service providers perform as both the credential and identity provider (IdP).
This option accurately portrays the concept of centralized identity management, where a single entity (the service provider) is responsible for both providing credentials (such as usernames and passwords) and verifying identities. This centralization streamlines the authentication process and enhances security by consolidating identity-related functions.
I thought it was D, but Copilot states the answer is A
Centralized identity management is best described by option A: Service providers perform as both the credential and identity provider (IdP). In this model, a single authority (the service provider) is responsible for maintaining and managing the identities and access controls for all users within the system. This central authority acts as the identity provider (IdP), issuing credentials and managing user identities. This approach simplifies administration and improves security by providing a single point of control. However, it can also create a single point of failure and may not scale well for large, distributed systems. Options B, C, and D describe different aspects of identity management but do not accurately define centralized identity management.
Wow, soooo many wrong answers here. There is NO mention of federated identities in the question. Centralized just means you are using something like Active Directory for authentication, where decentralized would be a peer-to-peer environment where authentication is handled locally on each system. Don't add extra context to what the question is asking!
"C" describes federated identity management, where organizations agree to share identity system recognition across their boundaries. Textbook definitions - that isn't centralised! Consider the danger of blanket statements - if there are any centralised management systems where multiple service providers don't integrate across boundaries, then the answer is too specific to be true.
That leaves A or D to fill in the role of Centralised access - however the service provider would not typically be the one doing this in all cases. D fits the bill.
"Service providers agree to integrate identity system recognition across organizational boundaries" describes a form of federated identity management, not a centralized identity management.