Domain 5 Β· Lesson 5 of 5

Identity Lifecycle (JML) & Directory Services


JML β€” Joiners, Movers, Leavers

Phase | Event | Security Actions | Timing
------|-------|------------------|-------
Joiner | New employee starts | Background check → NDA → Role assignment → Access provisioning → Security training | Before first day
Mover | Role / team change | Remove OLD access FIRST → Add new access → Re-certify → Update manager in system | Day of change
Leaver | Termination (any reason) | DISABLE (not delete) all accounts → Revoke all access → Hardware return → Badge deactivation | IMMEDIATELY on decision

Critical: Leaver timing

Access must be disabled IMMEDIATELY upon the termination decision, not at the end of the notice period and not on the last working day. This applies equally to voluntary resignations. The notice period is the window of highest insider-threat risk from a departing employee: they know they are leaving, may be motivated to exfiltrate data or sabotage systems, and still hold working credentials.

Mover: Remove BEFORE Add

When an employee changes roles, remove their old access BEFORE granting new access. This prevents privilege accumulation during the transition window.

Directory Services

Service | Purpose | Protocol / Port
--------|---------|----------------
LDAP | Lightweight directory: query and modify directory data | TCP 389 (LDAP), TCP 636 (LDAPS, wrapped in TLS)
Active Directory | Microsoft directory service: Kerberos-based authentication for Windows domains | Kerberos (TCP/UDP 88), LDAP (TCP 389/636)
RADIUS | Centralized AAA for network access: VPN, WiFi, remote access | UDP 1812 (authentication), UDP 1813 (accounting)
TACACS+ | Cisco device-admin AAA; separates AuthN, AuthZ and Accounting for granular control | TCP 49; encrypts the entire packet body (only the 12-byte header is cleartext)

RADIUS vs TACACS+ β€” Critical Differences

RADIUS

  • UDP 1812 (authentication) / 1813 (accounting)
  • Hides only the User-Password attribute; User-Name and every other attribute travel in cleartext
  • Combines AuthN + AuthZ in one exchange (Access-Request / Access-Accept)
  • Best for: network access (VPN, WiFi, 802.1X)
  • Less granular authorization control

TACACS+

  • TCP 49
  • Encrypts the entire packet body (only the 12-byte header is readable)
  • Separates AuthN, AuthZ, and Accounting into independent exchanges
  • Best for: privileged device admin (Cisco routers/switches/firewalls)
  • More granular: authorization can be decided per command

Exam Trap: TACACS+ = more secure for privileged management

RADIUS protects only the User-Password attribute, and even that is obfuscation rather than strong encryption: the password is XORed against an MD5 keystream derived from the shared secret and the Request Authenticator (RFC 2865 section 5.2), so anyone who captures the packet and learns or brute-forces the shared secret recovers it. The rest of the packet (User-Name, NAS attributes, accounting data) is sent in cleartext. TACACS+ encrypts the whole packet body, leaving only the 12-byte header readable. For managing privileged devices (routers, switches, firewalls), TACACS+ is the correct choice.
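To make the exam trap concrete, here is an added example (not from the lesson): a RADIUS Access-Request assembled by hand in Python, following the RFC 2865 User-Password hiding scheme. The shared secret, username, password and the fixed Request Authenticator are constructed values. It shows that the User-Name attribute is readable as-is on the wire, that the password is not, and that the password is recovered by anyone holding the shared secret.

```python
# Added example, not part of the lesson: a RADIUS Access-Request built by hand
# to show what "RADIUS encrypts the password only" means on the wire.
# User-Password hiding follows RFC 2865 section 5.2. The shared secret,
# username, password and Request Authenticator below are constructed values.
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, then c1 = p1 XOR MD5(S + RA),
    c_i = p_i XOR MD5(S + c_(i-1)). Obfuscation with a static secret,
    not authenticated encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """The inverse: anyone holding the shared secret (or who brute-forces it
    offline from a captured packet) recovers the cleartext password."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def _attr(atype, value):
    # Attribute = Type (1 byte), Length (1 byte, counts the 2-byte header), Value
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(ident, username, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # 16-byte Request Authenticator
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attrs(packet):
    """Walk the attribute list after the 20-byte header: what a sniffer sees."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def demo():
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))  # fixed so the demo is reproducible
    pkt = build_access_request(7, b"alice", b"s3cret!", secret, authenticator)
    seen = parse_attrs(pkt)
    return {
        "username_in_clear": seen[ATTR_USER_NAME] == b"alice",
        "password_in_clear": b"s3cret!" in pkt,
        "recovered_with_secret": reveal_password(seen[ATTR_USER_PASSWORD], secret, pkt[4:20]),
        "packet_length": len(pkt),
    }


if __name__ == "__main__":
    print(demo())
```

The 45-byte packet is 20 bytes of header, 7 bytes of User-Name (the 5-byte name is visible in the capture) and 18 bytes of User-Password (one 16-byte hidden block). Nothing in the scheme binds the attributes together, which is why RADIUS is acceptable for network access where the password is the main secret, and why TACACS+ (or RADIUS carried over TLS/IPsec) is preferred when the attributes themselves describe privileged commands.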

Access Recertification

The process of periodically reviewing and confirming that users still need the access they have. This is a management responsibility β€” not the security team's job to certify on behalf of managers.

Privileged Access

Quarterly review β€” admin portals, production system access, break-glass accounts

Standard Access

Annual review β€” regular application access, shared drives

Process: manager receives list of their team's current access β†’ confirms "still needed" or "revoke" β†’ uncertified access auto-revoked β†’ evidence stored for auditors.
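The process above as an added example in Python (not the lesson's own tooling): a minimal recertification campaign that applies the quarterly/annual cadence, accepts a certification only from the user's manager of record, and auto-revokes everything that is due but uncertified by the deadline, producing one evidence record per reviewed entitlement. The users, managers, systems and dates are constructed, and MANAGER_OF_RECORD stands in for the HR system.

```python
# Added example, not part of the lesson: a minimal access-recertification
# campaign. Privileged access is due every quarter, standard access every
# year; only the manager of record may certify; anything due and not kept by
# the manager by the deadline is revoked. All names and dates are constructed.
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = {
    "privileged": timedelta(days=91),   # quarterly: admin portals, prod, break-glass
    "standard": timedelta(days=365),    # annual: regular apps, shared drives
}
MANAGER_OF_RECORD = {"alice": "bob", "carol": "bob", "dave": "erin"}  # constructed HR data


@dataclass
class Entitlement:
    user: str
    system: str
    tier: str            # "privileged" or "standard"
    last_certified: date


@dataclass
class Decision:
    user: str
    system: str
    certifier: str       # who answered "still needed" / "revoke"
    keep: bool


def due_for_review(entitlements, as_of):
    return [e for e in entitlements
            if as_of - e.last_certified >= REVIEW_INTERVAL[e.tier]]


def run_campaign(entitlements, decisions, deadline):
    """Returns (revoke, evidence): revoke is the list of (user, system) to pull
    automatically; evidence is one audit record per entitlement reviewed."""
    answers = {(d.user, d.system): d for d in decisions}
    revoke, evidence = [], []
    for e in due_for_review(entitlements, deadline):
        manager = MANAGER_OF_RECORD[e.user]
        d = answers.get((e.user, e.system))
        if d is None:
            action, reason = "revoke", "not certified by deadline"
        elif d.certifier != manager:
            # A security analyst certifying on the manager's behalf does not
            # count: auditors check for the manager of record.
            action, reason = "revoke", f"certified by {d.certifier}, not manager of record {manager}"
        elif not d.keep:
            action, reason = "revoke", "manager marked revoke"
        else:
            action, reason = "keep", "manager certified still needed"
            e.last_certified = deadline   # restart the clock for the next cycle
        if action == "revoke":
            revoke.append((e.user, e.system))
        evidence.append({"user": e.user, "system": e.system, "tier": e.tier,
                         "manager": manager, "action": action, "reason": reason,
                         "date": deadline.isoformat()})
    return revoke, evidence


def sample_campaign():
    """Constructed data for a campaign closing on 2024-05-01."""
    ents = [
        Entitlement("alice", "prod-admin", "privileged", date(2024, 1, 1)),        # due
        Entitlement("alice", "wiki", "standard", date(2024, 1, 1)),                # not due
        Entitlement("carol", "prod-admin", "privileged", date(2024, 3, 15)),       # not due
        Entitlement("carol", "vault-break-glass", "privileged", date(2024, 1, 1)), # due
        Entitlement("dave", "loan-origination", "standard", date(2023, 1, 1)),     # due
        Entitlement("dave", "shared-drive", "standard", date(2023, 1, 1)),         # due
    ]
    decisions = [
        Decision("alice", "prod-admin", "secops-analyst", True),  # wrong certifier
        Decision("carol", "vault-break-glass", "bob", True),      # manager: keep
        Decision("dave", "shared-drive", "erin", False),          # manager: revoke
        # dave / loan-origination: no response by the deadline
    ]
    return run_campaign(ents, decisions, date(2024, 5, 1))


if __name__ == "__main__":
    to_revoke, records = sample_campaign()
    for r in records:
        print(r)
    print("auto-revoke:", to_revoke)
```

Two design points matter for an auditor: the certifier is compared against the manager of record from the HR system, not against whoever happened to respond, and "no answer" is treated as "revoke" rather than "keep", so a manager who ignores the campaign cannot silently extend access.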

Key Terms

JML, Joiners, Movers, Leavers, Access Recertification, LDAP, LDAPS, Active Directory, RADIUS, TACACS+, Account Disable, Account Provisioning

Exam Tips
  1. Leaver = IMMEDIATE disable β€” not "after notice period." This is the #1 exam trap. Timing of access revocation is the test.
  2. TACACS+ encrypts entire packet; RADIUS encrypts password only. TACACS+ is more secure for privileged device management.
  3. TACACS+ = TCP 49; RADIUS = UDP 1812 (auth) / 1813 (accounting). Know these port numbers.
  4. Access recertification = manager certifies (not security team β€” manager knows if the person still needs access).
  5. Mover: REMOVE old access BEFORE granting new access β€” prevents privilege accumulation during the transition.
Work Application β€” TS Engineer Offboarding Checklist (2-Hour Target)

Engineer leaving β€” all steps must complete within 2 hours of termination decision:

  1. GitHub: Remove from all repos and GitHub org (automate via HR trigger to GitHub Org API)
  2. Vault: Revoke all policies and tokens within 1 hour (vault token revoke -accessor)
  3. GCP IAM: Remove all IAM role bindings (gcloud projects remove-iam-policy-binding)
  4. Kubernetes RBAC: Delete ClusterRoleBinding and RoleBinding for the user
  5. Datadog: Deactivate user account (audit trail preserved β€” do not delete)
  6. Slack: Deactivate (NOT delete β€” preserve message history for compliance)
  7. Partner portals: Deactivate in eKYC Vendor, AML Vendor, Bank A admin, Card Processor dashboard (each portal separately)
  8. Physical: Badge deactivated, laptop returned and wiped

Automation gap: steps 1-6 should be triggered automatically by the HR system on the termination record being created. Manual steps 7-8 should be checklisted in the HR ticket.
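Steps 1-4 as an added example in Python (not the lesson's checklist tooling or any vendor's): an offboarding runner an HR termination webhook could call. It discovers what the user holds from the JSON output of the real listing commands (gcloud get-iam-policy, kubectl get ... -o json, vault token lookup), then emits the revocations in the checklist's order. GITHUB_ORG, GCP_PROJECT, the user and the sample listing output are constructed assumptions; with dry_run=True nothing is executed, so the block runs offline.

```python
# Added example, not part of the lesson: an offboarding runner for checklist
# steps 1-4 (GitHub org, Vault tokens, GCP IAM, Kubernetes RBAC). Org, project,
# user and the sample listing output are constructed; dry_run=True only
# returns the commands it would run.
import json
import subprocess

GITHUB_ORG = "example-org"      # assumption
GCP_PROJECT = "example-prod"    # assumption


def gcp_roles_for_member(policy_json, member):
    """Parse `gcloud projects get-iam-policy PROJECT --format=json`.
    Caveat: a binding with an IAM condition also needs the matching
    --condition on remove-iam-policy-binding; this handles unconditional ones."""
    policy = json.loads(policy_json)
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def k8s_bindings_for_user(bindings_json, user):
    """Parse `kubectl get clusterrolebindings,rolebindings -A -o json`.
    Returns (kind, namespace or None, name) for each binding naming the user."""
    found = []
    for item in json.loads(bindings_json).get("items", []):
        subjects = item.get("subjects") or []
        if any(s.get("kind") == "User" and s.get("name") == user for s in subjects):
            meta = item["metadata"]
            found.append((item["kind"], meta.get("namespace"), meta["name"]))
    return found


def vault_accessors_for_user(lookups, user, email):
    """`lookups` = parsed `vault token lookup -accessor <a> -format=json` for each
    accessor returned by `vault list -format=json auth/token/accessors`.
    Assumption: userpass tokens carry meta.username and OIDC tokens a
    display_name ending in the email; adjust to your auth methods."""
    hits = []
    for lk in lookups:
        d = lk["data"]
        meta = d.get("meta") or {}
        name = d.get("display_name", "")
        if meta.get("username") == user or name.endswith("-" + user) or name.endswith("-" + email):
            hits.append(d["accessor"])
    return hits


def build_plan(user, email, gcp_policy_json, k8s_bindings_json, vault_lookups):
    # Org membership removal drops the user from every team and repo in the org;
    # outside-collaborator grants on individual repos are a separate endpoint.
    plan = [["gh", "api", "-X", "DELETE", f"/orgs/{GITHUB_ORG}/members/{user}"]]
    for acc in vault_accessors_for_user(vault_lookups, user, email):
        plan.append(["vault", "token", "revoke", "-accessor", acc])
    for role in gcp_roles_for_member(gcp_policy_json, f"user:{email}"):
        plan.append(["gcloud", "projects", "remove-iam-policy-binding", GCP_PROJECT,
                     f"--member=user:{email}", f"--role={role}"])
    for kind, ns, name in k8s_bindings_for_user(k8s_bindings_json, email):
        cmd = ["kubectl", "delete", kind.lower(), name]
        if ns:
            cmd += ["-n", ns]
        plan.append(cmd)
    return plan


def execute(plan, dry_run=True):
    """Run every step even if one fails (a failed Vault call must not leave GCP
    access in place); the returned list is the evidence for the HR ticket."""
    results = []
    for argv in plan:
        if dry_run:
            results.append((argv, None, "DRY_RUN"))
            continue
        r = subprocess.run(argv, capture_output=True, text=True)
        results.append((argv, r.returncode, r.stderr.strip()))
    return results


# Constructed listing output, in the shape the real commands return.
SAMPLE_GCP_POLICY = json.dumps({"bindings": [
    {"role": "roles/viewer", "members": ["user:alice@example.com", "group:eng@example.com"]},
    {"role": "roles/container.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/owner", "members": ["user:bob@example.com"]},
]})
SAMPLE_K8S = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "alice-admin"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
    {"kind": "RoleBinding", "metadata": {"name": "alice-deploy", "namespace": "payments"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}, {"kind": "Group", "name": "deployers"}]},
    {"kind": "RoleBinding", "metadata": {"name": "bob-view", "namespace": "default"},
     "subjects": [{"kind": "User", "name": "bob@example.com"}]},
]})
SAMPLE_VAULT = [
    {"data": {"accessor": "acc-oidc-1", "display_name": "oidc-alice@example.com", "meta": None}},
    {"data": {"accessor": "acc-up-2", "display_name": "userpass-alice", "meta": {"username": "alice"}}},
    {"data": {"accessor": "acc-root-3", "display_name": "token", "meta": None}},
]


def sample_plan():
    return build_plan("alice", "alice@example.com", SAMPLE_GCP_POLICY, SAMPLE_K8S, SAMPLE_VAULT)


if __name__ == "__main__":
    for argv, _, status in execute(sample_plan(), dry_run=True):
        print(status, " ".join(argv))
```

Discovery before revocation is the point: a static list of "roles alice is supposed to have" drifts, so the runner asks each system what the user actually holds right now and revokes that. Every step runs regardless of earlier failures, and the result list is what gets attached to the HR ticket as evidence that the 2-hour target was met.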

Practice Quiz

Q1. An employee resigns with a 2-week notice period. When exactly should their system access be disabled?

Answer:
Immediately upon the termination decision β€” not at the end of the 2-week notice period, not on the last day. Access is disabled on day 1 of the notice period (or the day the resignation is accepted).
The notice period represents maximum insider threat risk β€” the employee knows they're leaving and may have motivation (or pressure) to exfiltrate data, sabotage systems, or retain access for future use. CISSP treats voluntary and involuntary termination identically from an access control perspective. The employee can continue working (if needed) under close supervision or with a temporary reduced-access account, but full prior access must be revoked immediately.

Q2. An engineer moves from Platform C team to Platform A team. What should happen to their Platform C access, and in what order relative to Platform A access?

Answer:
Platform C access should be removed FIRST, then Platform A access granted. Never grant new access before revoking old access β€” this prevents accumulation of excessive permissions during the transition window.
Movers are a common source of privilege creep. If Platform A access is granted before Platform C access is revoked, even for just a few hours, the engineer temporarily has access to both systems β€” which violates least privilege. The correct sequence: remove old access β†’ update manager in directory β†’ provision new role β†’ grant new access. This should all happen on the day of the role change, not weeks later.

Q3. RADIUS vs TACACS+ β€” which protocol encrypts the entire packet, and which is preferred for managing Cisco network device access?

Answer:
TACACS+ encrypts the entire packet (TCP 49). TACACS+ is preferred for privileged device management (Cisco routers, switches, firewalls) because of full encryption and per-command authorization granularity.
RADIUS encrypts only the password field β€” the rest of the packet (username, attributes, NAS information) is plaintext and can be observed. For VPN and WiFi users (where the password is the main concern), RADIUS is fine. For managing network devices where an admin might run "show running-config" or "no shutdown" on an interface, TACACS+ is required: full packet encryption plus the ability to authorize specific commands per user.

Q4. In an access recertification review, who is responsible for certifying that an employee still needs their current access β€” the manager or the security team?

Answer:
The manager β€” because the manager knows whether the employee still performs the job function that requires the access. The security team runs the process (sends the lists, tracks completion, enforces revocations) but cannot certify business need on behalf of managers.
This is a management control, not a technical one. The security team doesn't know whether Alice still needs access to the loan origination system β€” her manager does. If the security team certifies on behalf of managers, the recertification is worthless (they'll approve everything they don't know about). Auditors check that the actual manager of record signed off on each access certification, not a security analyst.

Q5. LDAP vs LDAPS β€” what port numbers are used and what does LDAPS add?

Answer:
LDAP uses TCP port 389 (unencrypted). LDAPS uses TCP port 636 β€” adds TLS encryption to protect directory queries and credentials in transit. Always use LDAPS in production (LDAP sends credentials in cleartext).
LDAP (Lightweight Directory Access Protocol) is used to query directories such as Active Directory. Plain LDAP on port 389 sends everything, including simple-bind credentials (username and password), in cleartext, so anyone positioned on the network path can read them. LDAPS wraps LDAP in TLS (port 636), protecting credentials and directory data in transit. STARTTLS on port 389 is an alternative that upgrades the connection to TLS after the initial plaintext connect. In both cases the client must validate the server certificate, or an attacker in the path can present their own certificate and still read the bind. For CISSP: LDAP = 389, LDAPS = 636, and LDAPS is the encrypted one.