topic Re: What is maintenance in the process of identity management? in CCSP Study Group

What is maintenance in the process of identity management?

Masahiro — Mon, 09 Oct 2023 09:59:37 GMT

According to the question c03.046 of CCSP Official Practice Tests, the process of identity management includes maintenance.

What exactly do you think is maintenance? For example, does it include changing passwords and permissions?

Re: What is maintenance in the process of identity management?

JoeBuilder — Sun, 03 Oct 2021 10:17:50 GMT

I think IAM maintenance would mean:

1. Removing old identities for staff who have left the company.
2. Updating permissions for staff who have changed positions.
3. Perhaps removing roles that are no longer required.

Best Regards,

Joseph Charles-Walcott

1(868) 685-7969

Re: What is maintenance in the process of identity management?

Masahiro — Sun, 03 Oct 2021 21:50:27 GMT

Thank you, @JoeBuilder

I should have given you options of the question. They are as follows.

Provisioning
Maintenance
Deprovisioning
Redaction

Then I have reviewed your ideas and my ones. Here are my thoughts:

"changing permissions" and your idea #2 would be a kind of provisioning.
Your ideas, #1 and #3, would be deprovisioning.

So I am still wondering what exactly identity maintenance activities are.

Re: What is maintenance in the process of identity management?

CraginS — Mon, 04 Oct 2021 18:10:42 GMT

Very good question, @Masahiro

As others have pointed out,maintenace would involve reconfirming currently assigned roles, removing roles no longer held by the assignee, adding new roles then approved, and adding or changing other secondary data in the database, such as answers to challenge questions used for forgotten password tasks. Depending on the ID database, it may also involve updating or confirming secondary contact information, assigned supervisor (needed to confirm current privileges and roles), etc.

Craig

Re: What is maintenance in the process of identity management?

Masahiro — Tue, 05 Oct 2021 11:00:07 GMT

Thank you, @CraginS

I have understood as follows.

Identities start with provisioning, continue to be maintained and end with deprovisioning. It is identity and access management lifecycle. So there are many activities in the maintenance phase.

Re: What is maintenance in the process of identity management?

Masahiro — Sat, 16 Oct 2021 00:42:32 GMT

I found the definition of the maintenance in the process of identity management. ISO/IEC 24760-1:2019 defines it as follows.

10 Maintenance
An identity management system can perform maintenance on identity information it has registered by changing one or more of the attribute values in an identity. An identity management system shall specify mechanisms for maintaining the integrity and accuracy of attributes it stores. It shall maintain the identity information stored in the register as an accurate representation of the identity. An identity information authority shall provide the most accurate data available for an identity in a process that respects privacy.

You can download it from the following website for free.

https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

Re: What is maintenance in the process of identity management?

luisantonio — Tue, 19 Oct 2021 08:44:15 GMT

Hi,

Considering only Identity Management as part of the IAM, it includes provisioning (identity assertions) and password management. Password management covers generation, storage and security controls.

If we talk about permissions, that is part of RBAC, and access management. That is part of IAM, but not of the Identity Management.

I might be wrong. Please refer to the Official Study guide, section 7.4.

Hope it may help,

Luis.

Re: What is maintenance in the process of identity management?

AntiEvil — Wed, 20 Oct 2021 01:40:10 GMT

In my opinion, maintenance in IAM consists of a life cycle approach - JML or Joiners, Movers, and Leavers. Each part of the cycle includes onboarding, role change, and separation. Each of these includes differing amounts of maintenance activities. For example, joiners would include creation of the account, provisioning initial permissions to objects, communication to the end user, etc. Movers would require modification in terms of add or remove permissions, revaluation of application provisioning, etc. Leavers have maintenance of deprovisioning of all access, placing the account in a disabled state, updating reporting, etc.

Maintenance to me is a security operations function.

Re: What is maintenance in the process of identity management?

csjohnng — Thu, 21 Oct 2021 01:44:28 GMT

Agree, mainly is the JML process. joiner, mover and leaver.

Depend how you consider (some consider the below as security compliance):

recording and confirming entitlement,
determining segregation of duty and
recertification of identity, role and access

may also consider as part of maintenance.

Re: What is maintenance in the process of identity management?

ob1knb — Thu, 06 Jan 2022 04:11:12 GMT

The part that catches my eye in *maintenance* not mentioned - is that this is not a 1 time event 3 years ago - but implies an intentional routine check-up frequency or other effort to gain comfort an automated process control design is still working effectively (i.e., does not exclude new systems, entities, directories, attributes, credentialing secret types, changed policies requirements, etc.).