
Implementing More Stringent Controls over Administrator/Root Credentials and Service Accounts | CompTIA Security+ Exam SY0-601


Question

An organization needs to implement more stringent controls over administrator/root credentials and service accounts.

Requirements for the project include:

- Check-in/checkout of credentials
- The ability to use but not know the password
- Automated password changes
- Logging of access to credentials

Which of the following solutions would meet the requirements?

A. OAuth 2.0
B. Secure Enclave
C. A privileged access management system
D. An OpenID Connect authentication system

Answer: C.

Explanations


The solution that would meet the requirements outlined in the question is C. A privileged access management (PAM) system.

A privileged access management (PAM) system is designed to manage and monitor access to privileged accounts, such as administrator/root credentials and service accounts. Rather than handing the password to each administrator, it stores the credential in a vault and brokers every use of it, so the organization can enforce policies and controls over these accounts: password management, access monitoring, and credential check-in/check-out.

Here's how each of the requirements can be met by a PAM system:

-> Check-in/checkout of credentials: With a PAM system, privileged credentials are stored in a secure vault and checked out only when needed, typically to one requester at a time and for a limited window. This ensures that credentials are not cached in scripts, spreadsheets, or shared mailboxes where they could be compromised, and that every use is tied to a named person.

-> The ability to use but not know the password: A PAM system can let a user act as a privileged account without ever revealing the actual password. This is done through session brokering (sometimes called credential injection): the PAM proxy authenticates to the target system with the vaulted password and hands the user a session or token, so the secret itself never reaches the user's screen or clipboard.

-> Automated password changes: PAM systems can rotate passwords for privileged accounts on a schedule and after each check-in, pushing the new value to the target system and updating the vault. This ensures that passwords are changed regularly, that old passwords are not reused, and that a password exposed during one session is useless afterwards.

-> Logging of access to credentials: PAM systems provide detailed logging of all privileged account access, including who accessed the account, when, and what was done with it. This provides an audit trail for compliance purposes and helps organizations identify and investigate any suspicious activity.
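The four requirements map onto a small set of vault operations, which the following added example models end to end. It is illustrative code written for this page, not the code of any PAM product; `FakeHost` stands in for a managed target and stores only password hashes, and the vault (`PamVault`) is the only component that ever holds the plaintext. Every name here is an assumption made for the example.

```python
import hashlib
import secrets
import string
from datetime import datetime, timezone


class PamError(Exception):
    """Raised when a policy check fails (double checkout, bad session, etc.)."""


class FakeHost:
    """Constructed stand-in for a managed target (a Linux box, a database).
    It stores only password hashes and knows nothing about the vault."""

    def __init__(self, hostname):
        self.hostname = hostname
        self._hashes = {}  # account -> sha256(password); hypothetical target store

    @staticmethod
    def _h(pw):
        return hashlib.sha256(pw.encode()).hexdigest()

    def set_password(self, account, new_pw):
        self._hashes[account] = self._h(new_pw)

    def password_hash(self, account):
        return self._hashes[account]

    def run(self, account, pw, command):
        if self._hashes.get(account) != self._h(pw):
            raise PamError(f"{self.hostname}: authentication failed for {account}")
        return f"[{self.hostname}] {account}$ {command} -> ok"


class PamVault:
    """Minimal privileged access management broker (illustrative only)."""

    def __init__(self, host):
        self.host = host
        self._secrets = {}   # account -> current password; never returned to callers
        self._leases = {}    # account -> user currently holding the checkout
        self._sessions = {}  # session token -> (account, user)
        self.audit_log = []  # one dict per privileged event (requirement 4)

    def _log(self, event, user, account, **extra):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "user": user, "account": account, **extra})

    def _rotate(self, account):
        """Automated password change (requirement 3): push to target, then record."""
        alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
        new_pw = "".join(secrets.choice(alphabet) for _ in range(32))
        self.host.set_password(account, new_pw)
        self._secrets[account] = new_pw
        self._log("rotate", "pam-system", account)

    def onboard(self, account):
        """Take over an account: the vault sets the password, so no human knows it."""
        self._rotate(account)

    def checkout(self, user, account):
        """Exclusive check-out (requirement 1). Returns a session token, not the password."""
        if account not in self._secrets:
            raise PamError(f"unknown account {account}")
        if account in self._leases:
            raise PamError(f"{account} already checked out by {self._leases[account]}")
        self._leases[account] = user
        token = secrets.token_urlsafe(24)
        self._sessions[token] = (account, user)
        self._log("checkout", user, account)
        return token

    def run_as(self, token, command):
        """Brokered session (requirement 2): the vault injects the password itself."""
        if token not in self._sessions:
            raise PamError("invalid or expired session token")
        account, user = self._sessions[token]
        result = self.host.run(account, self._secrets[account], command)
        self._log("command", user, account, command=command)
        return result

    def checkin(self, token):
        """Release the lease and rotate so anything captured during the session is dead."""
        if token not in self._sessions:
            raise PamError("invalid or expired session token")
        account, user = self._sessions.pop(token)
        del self._leases[account]
        self._log("checkin", user, account)
        self._rotate(account)


def demo():
    """Walk one checkout/use/checkin cycle and report what each requirement looks like."""
    host = FakeHost("db01")
    vault = PamVault(host)
    vault.onboard("root")
    before = host.password_hash("root")
    token = vault.checkout("alice", "root")
    output = vault.run_as(token, "id")
    try:                       # a second requester is refused while alice holds the lease
        vault.checkout("bob", "root")
        blocked = False
    except PamError:
        blocked = True
    vault.checkin(token)
    try:                       # the old session token cannot be replayed after check-in
        vault.run_as(token, "id")
        replay_blocked = False
    except PamError:
        replay_blocked = True
    return {"output": output, "blocked": blocked, "replay_blocked": replay_blocked,
            "rotated": before != host.password_hash("root"),
            "events": [e["event"] for e in vault.audit_log]}
```

Note what the caller `alice` receives: a session token and command output, never the string in `_secrets`. A real PAM deployment adds the pieces this toy omits (approval workflows, time-boxed leases, session recording, and rotation on the target over SSH, LDAP, or a vendor API instead of `set_password`), but the control flow is the same.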

OAuth 2.0 is a delegated authorization framework: it lets a user grant a third-party application scoped access to resources by issuing access tokens. It has no concept of vaulting, checking out, or rotating a privileged account's password, so it does not address the requirements.

Secure Enclave is a hardware-based security feature on Apple devices that provides an isolated environment for storing keys and processing sensitive data such as biometric templates. It protects secrets on a single device; it does not manage or broker access to administrator and service accounts across an organization.

OpenID Connect is an authentication (identity) layer built on top of OAuth 2.0, used for single sign-on (SSO) and identity federation. It proves who a user is to a relying party; it does not store, rotate, or audit the use of privileged credentials.

Therefore, the best solution to meet the requirements outlined in the question is a privileged access management (PAM) system.