An offboarding sales representative downloaded customer profiles owned by the head of the sales department from the file server onto a USB dongle on the day he left and sold it online. This data breach occurred because of the miscommunication between the HR and IT departments. The HR department didn’t notify the IT department to disable the user accounts and revoke the privileges of the unhappy employee in time. Which of the following best contributes to the solution that can prevent the data breach? (Source: Wentz QOTD)
A. LDAP
B. XACML
C. SAML
D. SPML
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. SPML.
The key point of this question is the user provisioning process, whose failure led to the data breach. It is a typical instance of TOU/TOC (time of use versus time of check): the employee's status had already changed in HR, but his account and privileges were still usable when he left. If the IT department had supported and automated the user provisioning process with user provisioning technology or software, the data breach could have been prevented.
LDAP can be used in a user provisioning solution to access X.500-compliant directory services, but a directory is only one of the many identity stores such a solution has to manage (SQL databases, proprietary stores, text-based files, and so forth). In other words, LDAP is just one part of a user provisioning solution. In contrast, SPML is specifically designed to support provisioning operations.
SAML is used in the authentication process to describe security tokens and assertions. XACML is used to describe, exchange, and store authorization rules based on the attributes of a subject, object, or environment. Neither is the primary vehicle for provisioning users or accounts.
User Provisioning
User provisioning or account provisioning technology creates, modifies, disables and deletes user accounts and their profiles across IT infrastructure and business applications. Provisioning tools use approaches such as cloning, roles and business rules so that businesses can automate onboarding, offboarding and other administration workforce processes (for example, new hires, transfers, promotions and terminations). Provisioning tools also automatically aggregate and correlate identity data from HR, CRM, email systems and other “identity stores.” Fulfillment is initiated via self-service, management request or HR system changes. Regulatory compliance and security efficiencies continue to drive most user-provisioning implementations.
Source: Gartner Glossary
SPML
SPML (Services Provisioning Markup Language) is an Extensible Markup Language (XML)-based language that facilitates the exchange of provisioning information among applications and organizations, corporations, or agencies. Provisioning, according to the technical group providing support for it, is “the automation of all the steps required to manage (setup, amend, and revoke) user or system access entitlements or data relative to electronically published services.”
Source: TechTarget
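To make the scenario concrete, here is an added example (not code from the post, Gartner, TechTarget, or any provisioning vendor) of what an automated HR-driven deprovisioning step looks like: an HR roster marks the employee as terminated, every account linked to him is suspended at once through an SPML 2.0 suspendRequest, and an audit function reports any enabled account whose owner HR already lists as terminated. The SPML element names and namespaces are my reading of the SPML 2.0 core and suspend-capability specifications; the roster, the account records, and the target names are constructed sample data.

```python
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"             # SPML 2.0 core namespace (assumed)
SUSPEND_NS = "urn:oasis:names:tc:SPML:2:0:suspend"  # SPML 2.0 suspend capability (assumed)
ET.register_namespace("spml", SPML_NS)
ET.register_namespace("spmlsuspend", SUSPEND_NS)

# Constructed sample data: an HR roster and the accounts linked to each employee.
# "pso_id" and "target" stand for the SPML provisioning-service object and its target.
SAMPLE_HR = [
    {"employee_id": "E1001", "status": "terminated"},   # the departing sales rep
    {"employee_id": "E1002", "status": "active"},
]
SAMPLE_ACCOUNTS = [
    {"employee_id": "E1001", "pso_id": "uid=sales01,ou=people,dc=example,dc=com",
     "target": "corp-ldap", "enabled": True},
    {"employee_id": "E1001", "pso_id": "sales01", "target": "fileserver", "enabled": True},
    {"employee_id": "E1002", "pso_id": "sales02", "target": "fileserver", "enabled": True},
]

def build_suspend_request(pso_id, target_id, request_id):
    """SPML 2.0 suspendRequest: disable the account on the target without deleting it."""
    req = ET.Element(f"{{{SUSPEND_NS}}}suspendRequest",
                     {"requestID": request_id, "executionMode": "synchronous"})
    ET.SubElement(req, f"{{{SPML_NS}}}psoID", {"ID": pso_id, "targetID": target_id})
    return ET.tostring(req, encoding="unicode")

def deprovision_on_termination(hr_roster, accounts):
    """Suspend every enabled account of each terminated employee as soon as HR
    records the termination. Returns (SPML requests to send, updated accounts)."""
    gone = {r["employee_id"] for r in hr_roster if r["status"] == "terminated"}
    requests, updated = [], []
    for acct in accounts:
        acct = dict(acct)                       # do not mutate the caller's data
        if acct["employee_id"] in gone and acct["enabled"]:
            requests.append(build_suspend_request(
                acct["pso_id"], acct["target"],
                f"req-{acct['employee_id']}-{acct['target']}"))
            acct["enabled"] = False
        updated.append(acct)
    return requests, updated

def find_orphaned_accounts(hr_roster, accounts):
    """Audit check: enabled accounts whose owner HR lists as terminated, i.e. the
    gap that the manual HR-to-IT hand-off in the question left open."""
    gone = {r["employee_id"] for r in hr_roster if r["status"] == "terminated"}
    return sorted(a["pso_id"] for a in accounts
                  if a["enabled"] and a["employee_id"] in gone)

if __name__ == "__main__":
    reqs, after = deprovision_on_termination(SAMPLE_HR, SAMPLE_ACCOUNTS)
    print("\n".join(reqs))
    print("orphans after:", find_orphaned_accounts(SAMPLE_HR, after))
```

Run against the sample data, the audit finds both of the sales rep's accounts before the workflow runs and none afterwards; in a real deployment the returned requests would be sent to each target's SPML provisioning service provider.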
Reference
- Separation of Employment Policy – Procedures for Voluntary and Involuntary (Including Employee Death) Terminations
- User Provisioning
- User provisioning software
- Service Provisioning Markup Language
- XACML
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get a copy from the author’s web site.