Glossary - IT Security Pundit

Glossary


    A

Access Management Service – Provides authentication, authorization, control, and enforcement services that enable users to access corporate resources.

Active Directory - Active Directory (AD) is a Microsoft directory service that uses LDAP for Windows domain networks.

Active Directory Federation Services (ADFS) – A federated authentication system for Microsoft-centric networks that use Microsoft Active Directory as their directory services system. ADFS aims to provide seamless authentication and single sign-on functionality across a very large organization, while supporting autonomy for each organizational group to manage their own access control needs.

Access Management – Access management is the process of managing a user’s login and access across a wide range of applications, systems, and resources belonging to an organization. Most IAM solutions manage user access to resources but leave access authorization decisions to the application owners.

Adaptive Authentication – Adaptive authentication refers to authentication policies that are triggered based on device, user, or location context. Authentication requirements may be determined by static parameters, such as the type of user, their current location, type of device, and so on.
It may also be determined using dynamic parameters, in which the system continually analyzes access patterns, and adjusts authentication policies accordingly. For example, a user who only ever logs in from a single location may be blocked if they attempt to log in from a different location.

Adaptive Multi-Factor Authentication – Adaptive authentication is all about dynamically adjusting login parameters based on unique scenarios. One of the parameters that adaptive authentication can adjust is the requirement for an additional factor of authentication, or step-up authentication. For example, if the system detects an unusual access pattern, it challenges the user for an additional authentication factor (e.g. a code sent via SMS) to establish identity assurance rather than blocking the user altogether.
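The two entries above describe one decision: compare a login's context with what has been seen for that user before, and answer with allow, step-up, or block. The following is an added example (not part of the original glossary or of any vendor's product) showing that policy as code. The user history, the location and device names, and the rule that a single anomaly earns a second-factor challenge while two anomalies earn a block are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample history: locations and device IDs previously seen on
# successful logins for each user. Hypothetical data, not from a real system.
KNOWN_CONTEXT = {
    "alice": {"locations": {"Berlin"}, "devices": {"laptop-01"}},
    "bob": {"locations": {"Paris", "Lyon"}, "devices": {"phone-07", "laptop-02"}},
}


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    location: str
    device: str


def assess(attempt, history=KNOWN_CONTEXT):
    """Return (decision, reasons): decision is 'allow', 'step_up' or 'block'."""
    ctx = history.get(attempt.user)
    if ctx is None:
        return "block", ["unknown user"]
    reasons = []
    if attempt.location not in ctx["locations"]:
        reasons.append("new location")
    if attempt.device not in ctx["devices"]:
        reasons.append("new device")
    if not reasons:
        # Everything matches the static and learned context: plain login.
        return "allow", reasons
    if len(reasons) == 1:
        # One anomaly: challenge for an additional factor instead of refusing
        # outright (the adaptive MFA / step-up behaviour described above).
        return "step_up", reasons
    # New location AND new device in one attempt: treat as too risky and block.
    return "block", reasons


def record_success(attempt, history=KNOWN_CONTEXT):
    """After a login that passed its step-up challenge, learn the new context
    so the policy adapts over time rather than prompting the user forever."""
    ctx = history.setdefault(attempt.user, {"locations": set(), "devices": set()})
    ctx["locations"].add(attempt.location)
    ctx["devices"].add(attempt.device)


if __name__ == "__main__":
    for a in (LoginAttempt("alice", "Berlin", "laptop-01"),
              LoginAttempt("alice", "Madrid", "laptop-01"),
              LoginAttempt("alice", "Madrid", "tablet-09")):
        print(a, "->", assess(a))
```

The history is only updated by `record_success`, which a real system would call after the second factor has been verified; updating it on the attempt itself would let an attacker teach the policy a new "normal" by merely trying.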

Affiliation – Affiliation is the combination of one’s relationship with an organization and some form of trusted identity (which may not be from within the organization).

API Access Management – Application programming interfaces (APIs) have unique authentication challenges because the user is typically another software system rather than a person. Okta’s API Access Management system provides functionality to assist with this challenge by ensuring that API services are well-integrated with the rest of the user management system.

Application Network – The current trend of moving away from monolithic enterprise IT systems toward a system of smaller applications from multiple vendors, which are integrated using open APIs and standards. This allows vendors to focus on a specialized niche, and enterprise customers to have more flexibility in choosing their functionality à la carte.

Application owner - The users responsible for deciding the business needs of applications with respect to IAM. They work with the IAM program team on how best to integrate their applications with IAM services, as well as directing the configuration of their applications.

Assertion - Assertions are statements from an Identity Provider (IdP) to a relying party (RP) that contain information about a subscriber. Federation technology is generally used when the IdP and the RP are not a single entity or are not under common administration. The RP uses the information in the assertion to identify the subscriber and make authorization decisions about their access to resources controlled by the RP. An assertion typically includes an identifier for the subscriber, allowing the association of the subscriber with their previous interactions with the RP. Assertions may additionally include attribute values or attribute references that further characterize the subscriber and support the authorization decision at the RP. Additional attributes may also be available outside of the assertion as part of the larger federation protocol. These attribute values and attribute references are often used in determining access privileges for Attribute Based Access Control (ABAC) or facilitating a transaction (e.g., shipping address).

Attack Surface – The sum total of an enterprise’s abstract “surface area” that can be targeted by attackers. Bugs, vulnerabilities, and insecure policies can all comprise part of the attack surface. The goal of strong identity access management is to limit the attack surface to reduce overall risk through security best practices such as automated user provisioning and de-provisioning, patching, and least privileged access control.

Attestation – The process of confirming a user's identity. Single-factor authentication uses a password or other single method to verify a user's identity. Multi-factor authentication requires the use of at least two different methods to verify a user's identity (most commonly a password along with a card/PIN, authentication token, or one-time password sent via SMS).

Attribute – An attribute or set of attributes that uniquely describe a subject within a given context: the set of attribute values (i.e. characteristics) by which an entity is recognizable and that, within the scope of an identity manager's responsibility, is sufficient to distinguish that entity from any other entity.
Alternatively: small pieces of information that make up a digital identity, such as name, phone number, or group affiliation.

Audit – See security entitlement audit

Authentication (AuthN) – Authentication is the process of validating an identity, whether it be the identity of a user or, as in the Identity of Things, a device. The classic method of validation is the username/password combination.

Authorization (AuthZ) – Authorization is the process of determining if a user has the right to access a service or resource, or perform an action.

Authorization Audit – An authorization audit is a process that gives a detailed overview of the access capabilities of an entire organization.

Authentication Factors – This refers to three mutually reinforcing categories of authentication schemes:
1. Something you are (e.g. your retina, thumbprint, voice characteristics)
2. Something you have (e.g. a specific device, a fob)
3. Something you know (e.g. a password, a secret code)

Authorizer – An individual responsible for approving changes in user authorizations and privileges.


    B

BeyondCorp – A type of zero trust security model that focuses on individual users and devices instead of network perimeters. BeyondCorp is guided by the principles of perimeterless design, context-awareness, and contextual access management.

Binding - Bind operations are used to authenticate clients to the directory server. Binding usually requires account and password credentials, but some servers allow for anonymous bind operations.


Brute Force – A method of attack whereby an attacker systematically attempts all possible combinations of inputs, usually by automating the process with a script.

    C

CA - A certificate authority (CA) is a trusted entity that issues electronic documents, called digital certificates, for Internet security. These certificates identify website owners, which allows for secure connections between clients and servers.

Central Authentication Service (CAS) – A single sign-on web protocol which allows a user to access multiple services while providing login credentials only once.

Certificate - A certificate identifies the owner of a site for security purposes, which prevents attackers from impersonating the site. The certificate contains information about the site owner and the identity of the trusted entity who certifies (signs) this information.

Chief Information Officer (CIO) – A senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals.

Chief Information Security Officer (CISO) – A senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure that information assets and technology are protected.

Cloud Identity Management – Cloud identity management is the management of user identities and their access to resources that are stored and accessed in the cloud. It enables organizations to control user access to cloud-based applications and data through a central console. Cloud identity management provides authentication, authorization, and access management to cloud-based resources. It can be used to manage both employee and customer identities, with the aim of improving security, reducing administrative costs, and enhancing user experience. For example, an organization may use cloud identity management to manage access to cloud-based applications like Salesforce, Google Workspace, or Microsoft 365, ensuring that only authorized users have access to these applications. A service such as Okta which is hosted in the cloud, offers identity, authentication, and authorization functions for other cloud-hosted software services. A cloud identity management system is an alternative to traditional directory service systems, which typically manage identity for on-premises monolithic enterprise applications. These often leave cloud services with siloed identity services that must be managed individually, thus complicating lifecycle management.

Cloud Service Provider (CSP) – A service provider that offers storage or software-based services available as an on-premise (private cloud) or hosted solution.

Continuous Authentication – Continuous authentication is a process that continually monitors a user’s session with an eye for authentication, and raises authentication challenges whenever there are signals that a user may have changed. Signals can be based on subtle usage patterns, including unique behavioral biometrics such as typing speed, language fingerprints, and mouse movement patterns.

Continuous authentication can mitigate risks such as impersonation if someone else accesses a user’s unmonitored session and inconvenient timeouts that require users to log in again.

Compliance – In IT and data storage terminology, compliance refers to organizational compliance with government regulations regarding data storage and management and other IT processes.

Credential – A credential is an item, such as an ID card or a username/password combination, that a person or entity uses to prove its identity. In IAM, a credential is typically a set of login values, such as a username and password, that a user presents to authenticate to a system or application. Credentials are used to verify a user's identity and ensure that only authorized individuals can access resources, so protecting them is critical to preventing unauthorized access to systems and data. For example, a user's credentials may be the username and password they use to log in to their email account.

Customer Identity and Access Management (CIAM) – Customer, or Consumer Identity and Access Management (CIAM) is an IAM solution that is specifically tailored to meet the needs of organizations handling large volumes of consumer identity information. Though superficially similar to traditional IAM, CIAM solutions must provide a smooth, yet secure customer experience, with the ability to scale quickly to handle large volumes of customer data.
Customer Identity Access Management (CIAM) is a subcategory of Identity Access Management (IAM) that focuses on managing and securing customer identities and their access to resources. CIAM solutions enable organizations to provide customers with seamless and secure access to digital services and applications, such as online shopping or banking, across multiple channels and devices. CIAM solutions typically include features such as identity verification, registration, authentication, authorization, and consent management. For example, a retailer may use CIAM to manage customer identities and access to their online store, ensuring that only authorized customers can make purchases.

    D

Data – Any information stored by a computer.

Data Breach – Refers to an incident whereby data is accessed by an unauthorized individual or software system.

Data Breach Prevention – Includes technology, people, and process considerations — all of which work together to protect an organization. From a technology perspective, this includes well-maintained user authentication and authorization configuration, systems that scan and block network activity in real-time based on content filtering policies, or “circuit breakers” that detect potential exfiltration based on an abnormally high outbound data rate.

De-provisioning – The removal of an individual’s organizational digital identity, access, and privileges. Deprovisioning refers to the process of revoking access to resources when an employee or contractor leaves an organization or their role changes. This is a critical component of the IAM domain, as it ensures that former employees do not have access to sensitive information. Deprovisioning may involve disabling accounts, revoking permissions, and removing any associated digital certificates or keys. For instance, when an employee leaves an organization, their account should be deactivated, and access to their credentials should be revoked to prevent unauthorized access.

Digital Certificate - A Digital Certificate is an electronic document that verifies the identity of an entity and is used to establish secure communication between parties. In the IAM domain, digital certificates are commonly used for authentication and encryption purposes. They are issued by a trusted third party called a Certificate Authority (CA). For example, an organization may use digital certificates to authenticate the identity of employees accessing the network remotely or to encrypt sensitive data transmitted over the Internet.

Directory service – The software system that stores, organizes, and provides access to information in a directory for entities such as people, groups, devices, resources, etc.

Digital Identity – A digital identity is a set of information (attributes and credentials)  about an individual that is maintained in order to associate them with an organization.

    E

Employee Identity Management – The process of cataloging employees in a software system. Employee identity management often includes representing the organizational structure of functional groups.

Employee identity management requires ongoing maintenance, such as when employees are hired or leave the organization. It also often includes an authentication scheme, such as having the employee set their account password.

Encryption - Encryption is the process of converting plain text into an unreadable format using a cryptographic algorithm to protect the confidentiality, integrity and availability of data. In the context of IAM within Information Security, encryption is commonly used to protect sensitive data such as passwords, authentication tokens, and personal information stored in databases or transmitted over networks. Encryption helps to prevent unauthorized access, interception, or modification of the data by attackers or eavesdroppers. There are various encryption techniques and algorithms available, such as symmetric key encryption, asymmetric key encryption, and hashing.

An example of encryption in IAM is the use of encrypted passwords. When users create an account, they are prompted to create a password. The password is then encrypted and stored in a database in an unreadable format using a strong encryption algorithm. When the user logs in, the password they enter is also encrypted and compared to the stored encrypted password. If the two encrypted values match, the user is granted access. This way, even if an attacker gains access to the database, they will not be able to read the passwords in plain text and use them to gain unauthorized access to the system
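The store-and-compare flow in the paragraph above, as an added example that is not part of the original glossary. In practice the "encrypted password" is a salted one-way hash: the server keeps a random per-user salt and the derived key, re-derives from the submitted password at login, and compares in constant time, so a stolen database yields no plaintext and no reusable value. The in-memory store, the user names and the iteration count are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical in-memory credential store: username -> (salt, iterations, derived key).
# A real deployment would keep this in a database; the contents are constructed.
_STORE = {}

# PBKDF2 work factor. Kept modest so the example runs quickly; raise it in
# production as hardware gets faster.
ITERATIONS = 100_000


def _derive(password, salt, iterations=ITERATIONS):
    """One-way key derivation: the same password and salt always give the same key,
    but the key cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(username, password, store=_STORE):
    """Store a fresh random salt and the derived key, never the password itself."""
    salt = os.urandom(16)
    store[username] = (salt, ITERATIONS, _derive(password, salt))


def verify(username, password, store=_STORE):
    """Re-derive from the submitted password and compare in constant time."""
    record = store.get(username)
    if record is None:
        # Spend comparable time for unknown users so the response time does not
        # reveal which usernames exist.
        _derive(password, b"\x00" * 16)
        return False
    salt, iterations, expected = record
    return hmac.compare_digest(_derive(password, salt, iterations), expected)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify("alice", "correct horse battery staple"))  # True
    print(verify("alice", "wrong password"))                # False
```

The per-user salt means two users with the same password get different stored values, and `hmac.compare_digest` avoids leaking how many leading bytes of the comparison matched.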

Entitlement – The ability to access a business service. A new employee is entitled to access company email, but will be granted that access only after they have been provisioned and access privileges have been assigned.

Entity – An entity refers to a unique, identifiable actor in a computer system. In the context of cybersecurity, an entity can be a user, a device, an application, or a system that is identified and authenticated by an IAM system. Entities can have different roles and permissions within the system, and their actions and access to resources are typically logged for auditing and security purposes.

Also: an individual (person), organization, device, or process. Used interchangeably with "party".

In an IoT context: a person, device, service, network, domain, manufacturer, or other party that might interact with an IoT device.


Event – An action or the result of an action. Events are often logged and monitored for security purposes.

    F

Federated Identity –  A federated identity is the product of linking all of an individual’s disparate electronic identities and attributes, which may be stored across multiple identity management solutions.

Federated Identity Management – A Federated Identity Management (FIM) Solution is a technical implementation that allows identity information to be developed and shared among multiple identity management entities, and across trust domains.

Federation – Also known as federated identity management, this is a technical implementation that enables identity information to be developed and shared among several entities and across trust domains.

FIDO Alliance – The FIDO (Fast IDentity Online) Alliance is a non-profit group formed to address a lack of interoperability between authentication devices, and the challenges that users face in maintaining multiple usernames, passwords, and authentication methods.

    G

Group – In identity management, a group allows the management of multiple entities (i.e. employees or customers) within a single category. Groups are used to define roles and simplify access control.

    H

    I

IaaS (Infrastructure-as-a-Service) – A provision model in which a company outsources pieces of its IT infrastructure (or the entire infrastructure) to a service provider that maintains it. Aspects of IT infrastructure frequently outsourced include utility computing and billing, administrative tasks, desktop virtualization, and Internet connectivity.

Identity – An attribute or set of attributes that uniquely describe a subject within a given context.

Identity as a Service (IDaaS) – This is a variant on the concept of Software as a Service (SaaS), indicating that identity management can be outsourced and purchased as a cloud-based service instead of either purchasing the software and operating it in-house or building the functionality from scratch in-house.

Identification – Identification is the process by which an entity’s information is gathered and verified for accuracy.


Identity and access governance – Identity and access governance tools establish a lifecycle process that allows business owners of identities to have comprehensive governance of identities and access requests. It allows organizations to identify access risks and make sure access meets organization policies.

Identity and Access Management – Identity and Access Management (IAM) is a system, solution, or service that addresses an organizational need for a system-wide solution that manages user’s access and authentication into external and internal applications, databases, or networks.

Identity Attribute – See attribute.

Identity Governance and Administration (IGA) – Similar to IAM, IGA is a set of processes used to manage identity and access controls across systems. IGA differs from IAM in that it allows organizations to not only define and enforce IAM policy but also connect IAM functions to meet audit and compliance requirements.

Identification- The process in which a person's information is gathered and verified for accuracy. Usually, identity verification happens in a human resources or student services office. This office then creates a record within an archive after meeting with the individual.

Identifier (ID) - A label (such as a name or some other text) that gives an entity a name. Such a name makes it easier to determine who is using what. Many entities have multiple identifiers which can prove useful. The name "Andrew" can be attached as an identifier to the email "user@smartsignin.com"

[Digital] Identity - A set of identity attributes (see "Identity Attribute") that are kept by an identity provider in order to properly associate them to an entity.

Identity Attribute - A property tied to an entity. This could be the entity's phone number, home address, or other details. The policies behind the handling of such attributes are usually governed by laws or standards in privacy and common business practices. These entities could be customers as well as employees.

Identity Proofing -  The process by which a physical person is associated with his/her digital identity. This is often done in the registration phase, when a person submits a copy of a passport or driver's license.

Identity lifecycle management - Refers to the entire spectrum of technologies that create and maintain digital identities. Identity lifecycle management is usually composed of synchronization, provisioning, de-provisioning, and management technologies that deal with all user data within an identity.

Identity synchronization - The process by which an identity repository is synchronized with a current database to ensure that all the data within any particular identity is consistent and up-to-date.

Identity management (IdM) – Identity Management (IdM) is the act of using processes and solutions for the creation and management of user or connected device information.

Identity Management as a Service – Identity and access management as a service, or IDaaS, is an IAM solution delivered as a service. IDaaS solutions are predominantly cloud-based and are hosted, and sometimes managed, by the service provider.

Identity provider (IdP) – A system that validates the identity of a user in a federated system. The service provider (or SP; see below) uses the IdP to get the identity of the current user.

An Identity Provider (IdP) is a service that manages and controls user identities and authentication in a federated identity environment. An IdP is responsible for verifying the identity of users and issuing authentication tokens that enable those users to access resources. IdPs are commonly used in single sign-on (SSO) scenarios, where users can access multiple applications and services using a single set of credentials. For example, Google provides an IdP service that enables users to use their Google accounts to access a range of third-party applications and services.

Identity stores – User information is stored across a variety of technologies, including databases, LDAP, Active Directory, etc.

Identity stores refer to databases or directories that store information about user identities and attributes. Identity stores are a critical component of IAM systems and enable organizations to manage user identities and access to systems and applications. Identity stores typically include information such as user names, passwords, email addresses, and access privileges. For example, Microsoft Active Directory is a popular identity store that is used by many organizations to manage user identities and access resources.

Incident Response Planning – The practice of documenting a planned reaction to a security incident. This is not necessarily a breach, rather the investigation is part of the process of determining whether there was an attack, who/what was involved, and if there was any data exfiltration. Having an incident response plan in place allows companies to react quickly and decisively if a security incident occurs. Elements of the plan may involve revoking widespread access temporarily, shutting down systems, notifying stakeholders, and establishing processes for re-establishing access, re-evaluating policy and process, remediation, backup, and recovery.

    J

JSON Web Token (JWT) – A token representing some number of claims, most typically the claim that the holder is authenticated and authorized to access a resource. These tokens are stored in a JSON format with standardized fields for issuer, subject, and expiry. Web applications often employ a refresh token to automatically generate new access tokens indefinitely.

JSON web tokens are standardized as RFC 7519. 
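The entry above names the three standardized fields a relying party must check (issuer, subject, expiry) and the signature that makes the claims trustworthy. The following is an added example, not code from the original glossary or from any JWT library, that mints an HS256 token and then validates it the way a resource server should: signature first, with the algorithm pinned rather than read from the token, then the `iss`, `sub` and `exp` claims. The shared key, issuer URL and claim values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data):
    """Base64url without padding, as RFC 7519 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims, key):
    """Issue an HS256-signed JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate(token, key, issuer, now=None):
    """Verify the signature, then the registered claims; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: the verifier decides, never the token (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if "sub" not in claims:
        raise ValueError("missing subject")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def is_valid(token, key, issuer, now=None):
    """Boolean wrapper around validate() for callers that only need accept/reject."""
    try:
        validate(token, key, issuer, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    tok = mint({"iss": "https://idp.example", "sub": "alice", "exp": int(time.time()) + 600}, key)
    print(tok)
    print(validate(tok, key, "https://idp.example"))
```

Checking the signature before reading any claim keeps the parser from acting on attacker-controlled JSON, and accepting only the expected `alg` closes the class of bugs where a token announces `none` or a different algorithm than the key was issued for.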

Just in Time Access (JIT) – JIT access is the practice of granting a level of access as quickly as possible, at the time it is needed, and removing it as soon as possible once the access is no longer needed.

    K

    L

Level of Assurance (LoA) – The Level of Assurance (LoA) is the degree of confidence achieved by the vetting and proofing process used to establish the identity of a user. There are four levels of assurance, ranking from zero (no confidence existing in the asserted identity) to four (very high confidence in the asserted identity’s accuracy).

Lightweight Directory Access Protocol (LDAP) – Lightweight Directory Access Protocol refers to a protocol for interacting with a hierarchical directory service database, particularly for authentication and authorization. 

However, the term LDAP has also come to represent a wide range of directory system implementations, including OpenLDAP, Apache Directory, and FreeIPA.

Least Privileged Access Control – The process of codifying not only users and groups in a software system, but also what resources they are each able to access and what functions they are each able to perform. IAM addresses authentication, authorization, and access control.

Lifecycle Management – This term recognizes that many entities represented in a software system will be at a certain stage in a lifecycle, and their access needs to be managed accordingly. For instance, an employee may start off as a “candidate,” then become a “full employee” with one or more positions over their tenure, and ultimately cease to be an employee and be deprovisioned entirely.

Lifecycle management can also apply to other things. For instance, devices may be purchased, provisioned for a particular user, reprovisioned for a different user, and ultimately deprovisioned and sold or discarded.


Log Files – Log files are files that record either events that occur in an operating system or software, or messages occurring on communication software. For example, when a failed login to an E-mail system occurs, a log file is created to record that event.

Logging – The act of keeping a log for an extended period of time.

    M

Machine Identity - A machine identity is a digital identity associated with a device or machine, such as a server, a computer, or a mobile device. Machine identities are used to authenticate and authorize devices and systems that access network resources. Examples of machine identities include a digital certificate or a security token that is used to establish trust between the device and the network

Management Chain – In an organization, users usually have managers, who in turn may have their own managers. This sequence of managers, which starts with the user and ends with the highest manager in that organization, is known as the management chain. In the context of identity management, management chains are often used to authorize security changes.

Mobility Management – The practice of configuring security policies, monitoring usage and location, and enabling the functionality for provisioning and deprovisioning. This includes remotely wiping data from devices, whether company-owned or employee-owned.

Multifactor Authentication – Multifactor authentication adds an additional step (or factor) to the authentication process, typically by pairing something the user knows, such as username and password, with an action, or something the user has, such as an SMS message to their phone, an email, or a token.

    N

NetID – An electronic identifier created specifically for use with online applications.

Non-Human Identity - A non-human identity refers to an identity that is not associated with a human user. This could include an identity associated with an automated process or service, such as a script or an application. Non-human identities are often used to perform tasks that are not performed by human users, such as running a scheduled task or accessing a web service. They also can be used in cases like Internet of Things devices or other machines that can interact with systems with certain permissions.

Non-Person Entity – An entity with a digital identity that acts in cyberspace, but is not a human actor. This can include organizations, hardware devices, software applications, and information artifacts.

    O

OAuth – OAuth is an open authorization standard that allows applications to autonomously access resources on behalf of a user. iOS and Android, for example, use this kind of authorization to let users choose whether or not an app can have access to certain functions and parts of the phone.

OAuth 2.0 – OAuth is an open standard for allowing delegated access to user information in web applications. OAuth 2.0 is the second major revision to the standard, which completely overhauls the specification. As a result, it is not backwards compatible with OAuth 1.0. 

Offboarding – The process by which a user is removed (with access revoked) from an organization’s IAM system.

OpenID – A standardized, open method of decentralized authentication.

OpenID Connect (OIDC) – OpenID Connect is a RESTful authentication system that uses OAuth 2.0 for authorization. It uses JSON web tokens (JWTs) and effectively provides single sign-on across multiple applications.

Onboarding – The process of introducing a new employee into a company's identity and access management (IAM) system.

Offboarding – The process of removing a user from a company's identity and access management (IAM) system. This term may also refer to the process by which new restrictions are applied to a user's access to company resources.


One Time Password (OTP) – A password that is valid for only one use or session.

    P

Password – A word or string of characters used to prove one’s identity, or authorize access to a resource. Usually, but not always, paired with a username.

Password Reset – The process by which a user changes their own password.

Password Spray – A type of brute force password attack whereby a single common password (e.g. password1) is tried in combination with many usernames, rather than the other way around. Many systems can detect a brute force attack against a single user and will lock the account after a number of failed attempts. By executing a brute force attack along a different axis, the attacker often goes unnoticed.
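The entry above explains why per-account lockout misses a spray: no single account crosses its own failure threshold. Detection therefore has to pivot to the source and count distinct usernames instead. The following is an added example, not part of the original glossary, of that detection logic run over a constructed authentication log; the log format, the IP addresses, the usernames and the thresholds (five distinct users, at most two failures each, inside a ten-minute window) are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Format: "<ISO timestamp> <result> user=<name> src=<ip>"
# The first source fails once each against five different accounts; the second
# hammers one account and would be caught by ordinary per-user lockout.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.9
2024-05-01T09:00:03 FAIL user=bob src=203.0.113.9
2024-05-01T09:00:05 FAIL user=carol src=203.0.113.9
2024-05-01T09:00:07 FAIL user=dave src=203.0.113.9
2024-05-01T09:00:09 FAIL user=erin src=203.0.113.9
2024-05-01T09:00:11 OK   user=frank src=203.0.113.9
2024-05-01T09:05:00 FAIL user=alice src=198.51.100.4
2024-05-01T09:05:02 FAIL user=alice src=198.51.100.4
2024-05-01T09:05:04 FAIL user=alice src=198.51.100.4
2024-05-01T09:05:06 FAIL user=alice src=198.51.100.4
"""


def parse(log_text):
    """Yield (timestamp, result, user, source) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        yield (datetime.fromisoformat(ts), result,
               user.split("=", 1)[1], src.split("=", 1)[1])


def detect_spray(log_text, window=timedelta(minutes=10),
                 min_distinct_users=5, max_per_user=2):
    """Return {source: sorted usernames} for sources whose failures inside one
    sliding window touch many distinct accounts with few attempts on each.
    That shape is a spray; many failures on one account is a classic brute force
    and is deliberately not reported here."""
    failures_by_src = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        if result == "FAIL":
            failures_by_src[src].append((ts, user))

    alerts = {}
    for src, events in failures_by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_per_user):
                alerts[src] = sorted(per_user)
                break
    return alerts


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src} against {len(users)} accounts: {users}")
```

The successful login from the spraying source is not counted, but in a real investigation it is the line to look at first: the one account that accepted the common password is the one that is now compromised.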

Passwordless Authentication – Describes a range of approaches to authenticate users by means other than a password. This could be one of the two other authentication factor categories (something you are, or something you have) or it may refer to a process by which an email or text containing a secret single-use code authenticates you with no other password required. 
Some applications offer this option for users, who can request a single-use code or link by email that authenticates them to access the application. 

Persona – A digital identity (like a group of attributes) that a user can select to represent oneself in a certain context. For example, a staff member may be labeled both "user" and "administrator." One may choose to give this staff member the ability to act as an administrator in some contexts and have the mere power of the user in others.

People administrator – A person who assigns roles, group memberships, and/or other attributes to a user.

Phishing – A type of socially engineered attack whereby a user is presented with a seemingly plausible and often mundane request and is tricked into divulging their authentication credentials to a facade.

One common phishing attempt is an email that appears to be from the user’s IT department, claiming their account requires verification, with a link directing them to a lookalike website. When they log in to the fake website, their credentials are sent to the attacker, which the attacker can then use to impersonate the user on the real site.

Privilege – A privilege is a construct that allows certain users within an organization to have a number of powers based on their credentials and identity attributes.

Privileged Account Management (PAM) – See privileged identity management.

Privileged Identity Management (PIM) – Privileged identity management is a process or technology focused on managing, monitoring, and protecting powerful privileged user accounts within the IT infrastructure of an enterprise.

Privilege Management – Privilege Management is the process by which the owner of a network can modify or assign privileges for applications and resources.

Privileged User – A user possessing specific security privileges and entitlements.

Provisioning – A process that enables users to use their privileges to access applications and services.

Public-Key Cryptography – An application of asymmetric cryptography, where one key is private and the other is public. Asymmetric cryptography means a message encrypted with one key can only be decrypted by the other. The public one is widely distributed, so that anyone wishing to send the owner of the private key a message can do so knowing that only the intended recipient will be able to decrypt it.

Public-Key Infrastructure - The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. Framework established to issue, maintain, and revoke public key certificates.

    Q

    R

Registration (credentialing) - the process that gives users their electronic credentials and ties their identity to a particular service. This process ensures that users are tied to the right identity.

Since multiple registrations can use one identification process, the two ("Identification" and "Registration") are defined separately.

Requester – A person who requests a change in user profiles, privileges, or entitlements, either by an automated or manual process.

Role – An identity attribute that gives users automatic privileges when assigned. Roles may take the form of groups wherein all members of a group have the same set of privileges.

Role-Based Access Control (RBAC) – A model in which users are assigned “roles” that give them a certain level of access to resources and systems. Assigning a role to a user grants that user a certain set of privileges and entitlements.

    S

SCIM (System for Cross-domain Identity Management) – a specification designed to make user identity management in cloud-based applications easier.

Secure Sockets Layer (SSL) – A popular protocol built on public-key encryption, used by web browsers and servers to transmit sensitive information. SSL has since been folded into the broader security protocol known as Transport Layer Security (TLS). You can check in your browser whether a website is using a secure protocol such as TLS: the addresses of websites that use SSL/TLS begin with the prefix “https” rather than “http,” and the browser’s address bar will often show a closed padlock or a solid, unbroken key icon to indicate that the connection is protected.

Secure Token Service (STS) - A Secure Token Service (STS) is a component that issues, validates, renews, and cancels security tokens for trusted systems, users, and resources requesting access within a federation.

Secure Web Authentication (SWA) – A compatibility layer provided by a single sign-on product, allowing the integration of legacy applications that don’t support federated authentication and would not otherwise be able to take advantage of organization-wide single sign-on. The feature stores a unique password for each application and securely posts the credentials directly to the application’s authentication handler, resulting in a near-seamless SSO user experience.


Security Administrator – A person responsible for maintaining a list of users, their identity attributes, their passwords, security privileges, or other authentication factors.

Security Assertion Markup Language (SAML)- Originally developed by the OASIS Security Services Technical Committee, SAML is an XML-based framework for communicating user authentication and attribute information. Harvard’s authentication system supports version 2.0 of the SAML protocol.

Security Entitlement Audit – An official organizational review of security entitlements and user privileges. A periodic entitlement audit is a reliable method for finding and removing old, unneeded entitlements.

Security principal – an entity that can be authenticated by a computer or a network.

Self-Service Password Resets – A self-service password reset is a process that allows users that have forgotten their password to use an alternate process to authenticate themselves and thus reset their password without the assistance of help desk personnel.

Service provider (SP) – A system that provides a generic service to the user in a federated system. To users, a service provider is the same thing as the application they are trying to use.


Session – A session is an interaction between two or more entities on a network, generally consisting of an exchange of information. In the context of identity management, the most important information exchanged is the credentials of each entity and the time-out information for the session.

Shadow Access - Shadow Access is unauthorized, invisible, unsafe, and generally over permissioned access that has grown along with cloud identities, apps, and data. Today, identities, human, and nonhuman are automatically created, along with access pathways to cloud data. Current tools are blind to many cloud identities and access pathways, creating vulnerabilities that are exploited to breach cloud data.

Single-Factor Authentication – A method of authentication that relies on a single factor, such as username and password, to verify a user’s identity.

Single Sign-On (SSO) – In a single sign-on (SSO) service model users log onto a single platform which gives them automatic log-in access to multiple applications for a particular period of time.  When utilizing SSO systems users only need to present one set of credentials, rather than learning or remembering separate credentials for each application.

SPML (Service Provisioning Markup Language) – an XML-based standard in which collaborating companies exchange user, service provisioning, and resource data. This service is complex, lacks conformant implementations, and is nearly unsupported by the vast majority of application vendors.

System of Record - a storage system that is designated as the "authoritative source" for a certain piece of data or identity attribute. The system of record is the direct line of access to the data elements it controls, meaning that all modifications to data elements should be brokered via the system of record. Different identity attributes can be controlled by different SoRs, so every SoR must be online and available to respond to requests for the identity attributes under its control.


Support Analyst – A support analyst, in an identity management context, is a user with special privileges that allow him or her to help other users, often by resetting their forgotten passwords or provisioning new privileges.

System of Record (SoR) – A system of record (SoR) is a storage system designated as an authoritative source for a certain identity attribute. As the SoR is the direct line of access to the identity attribute that it controls, all modifications to those identity attributes should be brokered via the SoR.

System for Cross-Domain Identity Management (SCIM) – A system for cross-domain identity management (SCIM) is an open standard for automating the exchange of user identity information between identity domains, or IT systems, designed to make user identity management in cloud-based applications easier.

    T

Termination – The process by which user or customer credentials or privileges are de-provisioned and removed.

Time-Based One-Time Password (TOTP) – An algorithmically generated code that is deterministic based on the current date and time and a secret “seed” value. The server knows the seed, and can easily verify that a given code is valid for the current time period. TOTP can significantly increase security because even if a code is intercepted, it is worthless after the time window has passed (usually less than a minute). This makes the logistics of an attack much more difficult.

TOTP can be implemented on a simple and inexpensive hardware device or on a smartphone. The seed is installed and is made difficult or impossible to recover or duplicate.
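To make the two paragraphs above concrete, here is an added example (not code from the original glossary) of TOTP generation and server-side verification per RFC 6238, using only the Python standard library: the seed is an HMAC key, the counter is the number of 30-second periods since the Unix epoch, and the verifier accepts only the current period plus a small skew, so a captured code is refused once its window has passed. The seed used is the RFC 6238 Appendix B test value; the base32 helper reflects how authenticator apps are normally provisioned and is an assumption about deployment, not part of the glossary text.

```python
"""RFC 6238 TOTP generation and verification using only the standard library."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). A real
# deployment generates a random seed per user and shares it once at enrollment.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)          # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # low nibble of last byte picks a 4-byte window
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """Time-based OTP: the HOTP counter is the number of `step`-second periods since the epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time=None, step=30, digits=6, skew=1):
    """Server-side check. Accepts the current period plus `skew` periods either side
    to absorb clock drift; anything outside that window is rejected, which is why an
    intercepted code is worthless once its window has passed."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    for delta in range(-skew, skew + 1):
        # compare_digest keeps the string comparison constant-time
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def secret_from_base32(encoded):
    """Authenticator apps are usually provisioned with a base32-encoded seed (assumed here)."""
    cleaned = encoded.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, at_time=59)
    print("code at T=59  :", code)                                        # 287082 per RFC 6238
    print("valid at T=59 :", verify_totp(RFC_TEST_SECRET, code, at_time=59))
    print("valid at T=119:", verify_totp(RFC_TEST_SECRET, code, at_time=119))  # window passed
```

A `skew` of one period is the usual compromise between tolerating phone clock drift and keeping the replay window short; widening it trades away exactly the property the glossary entry describes.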

Token Authentication – A method of authenticating to an application using a signed cookie containing session state information. A more traditional authentication method is usually used to initially establish user identity, and then a token is generated for re-authentication when the user returns.

Trust fabric - a medium by which information (particularly in the healthcare industry) can be exchanged between two or more trustworthy sources. A trust fabric composes a framework that systems rely on to safely exchange sensitive data via secure channels.

Two-Factor Authentication (2FA) – The combination of two out of the three authentication factor categories. Two-factor authentication is a subset of multi-factor authentication, and significantly increases security, because each authentication factor requires a different style of attack to compromise.

Two-step verification – Sometimes called "multifactor authentication", two-step verification strengthens the security of a user's login by combining something the user knows (login name and password) with something the user has (in many cases, a text-message login code sent to their phone, or a smartphone push notification).

    U

Universal Authentication Framework (UAF) – UAF is an open standard developed by the FIDO Alliance with the goal of enabling a secure passwordless experience for primary authentication, as opposed to a second factor as described in U2F. Under the spec, the user presents a local biometric or PIN and is authenticated into the service. This protocol is not yet embedded in the major browsers, which has limited its adoption.

Universal 2nd Factor (U2F) – U2F is an open standard, whereby a hardware token device can attest the holder’s identity through a challenge and response protocol. The token device is connected via USB or NFC (near-field communication). 

It is the standard maintained by the FIDO Alliance and is supported by Chrome, Firefox, and Opera. 

User – Users are people whose access to systems and identity information must be managed.

User Lifecycle Management (ULM) – User Lifecycle Management (ULM) is an Identity-based user management process library and framework designed to enable personalized digital user experiences across multiple services and devices.

User Provisioning – Technologies or processes that create, modify, and deactivate user accounts, privileges, and profiles across IT infrastructure and business apps.

    V

Verifier - additional information that seals the bond between the entity and identifier. This is most often a password (bound to a username). Cryptographic signatures are also used for electronic verification of the attributes of online entities (as is seen in X.509 certificates).

Vetting – The process of thoroughly investigating and validating information collected from or about an individual for the purpose of issuing credentials or privileges.

    W

WebAuthn – An evolution of the FIDO U2F and UAF protocols. WebAuthn continues the FIDO tradition of allowing credentials to be used for step-up authentication. However, its biggest innovation is enabling users to authenticate to services without necessarily needing to identify themselves first (through a username and password combination).

    X

eXtensible Access Control Markup Language (XACML) – an XML-based authorization standard used to improve interoperability between multiple vendors.

    Y

    Z

Zero Trust – Zero Trust is a security framework developed by Forrester Research in 2009 that throws away the idea that we should have a trusted internal network vs. an untrusted external network. Rather, all network traffic should be considered untrusted.

This research has evolved to discuss a Zero Trust Extended Ecosystem that includes the need to secure the workforce through strong identity and access management, along with multi-factor authentication. Forrester has coined the term “next-generation access” to describe this critical component. 

    Acronyms

Acronym – Term

ABAC – Attribute-based Access Control

ACM – Access Control Mechanism

AD – Active Directory

ADAM – Active Directory Application Mode

ADFS – Active Directory Federation Services

ADSI – Active Directory Service Interface

API – Application Programming Interface

AuthN – Authentication

AuthZ – Authorization

Azure AD – Azure Active Directory (Cloud)

CA – Certificate Authority

CASB – Cloud Access Security Broker

CBAC – Claims-based Access Control

CSV – Comma-Separated Value (File)

DAC – Discretionary Access Control

DB – Database

DDNS – Dynamic DNS

DLL – Dynamic Link Library

DNS – Domain Name Service

ERP – Enterprise Resource Planning

FIDO2 – Fast Identity Online

GUID – Globally Unique Identifier

GBAC – Graph-Based Access Control

IA – Identity Assurance

IAM – Identity and Access Management

IGA – Identity Governance and Administration

IDaaS – Identity as a Service

IdM – Identity Management

IdP – Identity Provider

LDAP – Lightweight Directory Access Protocol

LDIF – LDAP Data Interchange Format

MAC – Mandatory Access Control

MFA – Multifactor Authentication

MSP – Managed Service Provider

MX Record – Mail eXchange Record

OID – Object Identifier

OAuth – Open Authorization

OrBAC – Organization-Based Access Control

OTP – One-Time Password

PACS – Physical Access Control Systems

PAM – Privileged Access Management

PAP – Policy Administration Point

PAT – Port Address Translation

PBAC – Policy-Based Access Control

PDP – Policy Decision Point

PEP – Policy Enforcement Point

PIM – Privileged Identity Management

PIP – Policy Information Point

PIV – Personal Identity Verification

PKI – Public Key Infrastructure

PUM – Privileged User Management

RBAC – Role-Based Access Control

REST – Representational State Transfer

RFID – Radio-Frequency Identification

RSBAC – Rule Set Based Access Control

RSO – Reduced Sign-On

SaaS – Software as a Service

SAM – Security Account Manager

SAML – Security Assertion Markup Language

SCIM – System for Cross-domain Identity Management

SDK – Software Development Kit

SEM – Security Event Management

SIEM – Security Information and Event Management

SIM – Security Information Management

SMTP – Simple Mail Transfer Protocol

SOAP – Simple Object Access Protocol

SoD – Segregation/Separation of Duties

SoR – System of Record

SQL – Structured Query Language

SSL – Secure Sockets Layer

SSO – Single Sign-On

SSPR – Self-Service Password Reset

STS – Secure Token Service

TLS – Transport Layer Security

UI – User Interface

VDS – Virtual Directory Services

XACML – eXtensible Access Control Markup Language

XML – Extensible Markup Language