Episode 56 — A.8.5–8.6 — Secure authentication; Capacity management

A.8.5 requires secure authentication mechanisms that match the sensitivity of systems and data, making this control central to exam questions about assurance levels, factor strength, and attack resistance. Candidates should distinguish between multi-factor authentication methods (knowledge, possession, inherence), the protocols that carry them (FIDO2/WebAuthn, OTP, certificate-based), and lifecycle governance for enrollment, recovery, and revocation. The objective is to reduce credential replay, phishing, and brute-force risk through phishing-resistant factors where feasible, rate limiting, contextual checks, and secure session handling. Authentication must be paired with transport security, device posture checks, and monitoring so that elevation events are recorded, anomalous patterns trigger controls, and break-glass access is tightly bounded and auditable. The control also emphasizes protection of secrets—salted hashing for passwords, hardware security modules for keys, and zero-knowledge approaches where practical—so that compromise of one component does not cascade into systemic failure.

A.8.6 addresses capacity management, ensuring that processing, storage, and network resources are planned and monitored to meet availability and performance objectives. For the exam, link capacity to business commitments—SLAs, RTO/RPO, and peak demand patterns—and to architectural safeguards such as autoscaling, queuing, caching, and rate controls that prevent resource starvation and denial-of-service amplification. Evidence includes baselines, thresholds, alerts, and trend analyses that trigger scale-up or optimization before user impact. Common pitfalls are unmanaged “noisy neighbor” effects in multi-tenant or cloud environments, forgotten limits (file descriptors, connection pools), and cost-driven cuts that undermine resilience. Strong programs pair forecasting with game-days and load tests, verify headroom during change windows, and document contingency actions when upstream services degrade. Candidates should be prepared to explain how secure authentication protects the front door while capacity management keeps the lights on—together delivering predictable, defendable service under both normal and adverse conditions. Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.