IT Knowledge
August 2, 2024

Corma's Identity Access Management Glossary

Nikolai Fomm
COO and co-founder

Why companies going through digital transformation need to understand the key terminology of Identity and Access Management.

This glossary is to help organizations seeking to thrive amidst rapid technological advancements. From the fundamental role of Active Directory in user authentication and access control to cutting-edge concepts like Zero Trust Network Access (ZTNA), familiarity with IAM terminology is essential for driving digital transformation initiatives. By grasping key IAM concepts such as Single Sign-On (SSO), Multi-Factor Authentication (MFA), and Identity as a Service (IDaaS), companies can fortify their security posture, streamline user access, and ensure compliance with stringent regulatory requirements. Moreover, as businesses embrace innovative approaches like Zero Trust to mitigate cybersecurity risks, a comprehensive understanding of IAM becomes indispensable for safeguarding digital assets and enabling seamless, secure access to resources across diverse environments. This glossary aims to be a starting point for everybody who wants to dive into this wide topic.

Access Management (AM)

Access Management, or Gestion des Accès, is the process of identifying, tracking, and controlling user access to information systems, applications, or any IT resource. It encompasses strong authentication, logical access control, Single Sign-On (SSO), identity federation, and access traceability, addressing security concerns and ensuring compliance within an organization's information system.

Authorization & Authentication

Authorization is the process that ensures properly authenticated users can access only the resources they are permitted to, as defined by the resource owner or administrator. In the consumer world, authorization may also refer to the process where a user ensures that a cloud-based application (such as a social network) accesses only specific information from a non-affiliated website (such as the user’s webmail account).
Authentication is the process of validating or verifying a user’s identity based on the credentials provided during login to an application, service, computer, or digital environment. Most authentication credentials include something the user has (e.g., a username) and something the user knows (e.g., a password). If the credentials provided by the user match those stored by the underlying application or Identity Provider, the user is successfully authenticated and granted access.
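The two definitions above are easiest to keep apart when the steps are separated in code. The following added example (written for this glossary, not Corma's own code) first authenticates a user by comparing a presented password with a stored salted PBKDF2 hash, and only then consults the resource owner's permission table to authorize the requested action. The user names, passwords, roles and the "payroll" resource are constructed for the example.

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "roles": roles}


# Constructed user store for this example; a real deployment would keep these
# records in a directory or database behind the Identity Provider.
USERS = {
    "alice": make_user("correct horse battery", {"finance-viewer"}),
    "bob": make_user("staple-staple-staple", {"finance-admin"}),
}

# Policy defined by the resource owner: which (resource, action) pairs a role may use.
ROLE_PERMISSIONS = {
    "finance-viewer": {("payroll", "read")},
    "finance-admin": {("payroll", "read"), ("payroll", "write")},
}

DUMMY_SALT = os.urandom(16)


def authenticate(username: str, password: str) -> bool:
    """Authentication: does the presented credential match what was stored?"""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so a non-existent user takes as long to reject as a bad password.
        hash_password(password, DUMMY_SALT)
        return False
    candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["hash"])


def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: may this already-authenticated user perform the action?"""
    user = USERS.get(username)
    if user is None:
        return False
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in user["roles"])


def access(username: str, password: str, resource: str, action: str) -> str:
    """Run the two checks in order; a failed login never reaches the policy check."""
    if not authenticate(username, password):
        return "unauthenticated"
    if not authorize(username, resource, action):
        return "forbidden"
    return "granted"


if __name__ == "__main__":
    print(access("alice", "correct horse battery", "payroll", "read"))   # granted
    print(access("alice", "correct horse battery", "payroll", "write"))  # forbidden
    print(access("alice", "wrong password", "payroll", "read"))          # unauthenticated
```

The point of the split is visible in the second call: Alice's password is correct, so she is authenticated, yet she is still refused a write because authorization is a separate decision made by the resource owner's policy.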

Bring Your Own Identity (BYOI)

Not to be confused with the party invitation "bring your own beer". In the identity management space, vendors and organizations aim to allow employees and partners to use their own identities to access corporate resources. This identity could be any that provides a sufficient level of identity assurance, such as government-issued identity cards, healthcare smart cards, or online identities like social media profiles, professional network accounts, and commercially available identities like FIDO. The enterprise and consumer worlds are converging, and enterprise security teams are under increasing pressure to implement authentication methods commonly seen in consumer services.

Customer Identity and Access Management (CIAM)

Customer Identity and Access Management refers to the management of identities and access for a company's customers. It enables businesses to manage customer identities, control their access to services and applications based on context, and apply security and privacy policies to safeguard sensitive data. CIAM enhances user experience with streamlined registration and secure access pathways while providing businesses with insights into customer access for marketing opportunities and compliance with regulations like GDPR.

Card Management System (CMS)

A Card Management System is software that allows organizations to administer their authentication token inventory centrally. It facilitates the lifecycle management and deployment of various authentication tokens, including smart cards, FIDO2 tokens, digital certificates, and access control badges. CMS ensures efficient management of authentication tokens throughout their lifecycle, from issuance to revocation, providing user-friendly interfaces for requesting and retrieving personalized physical tokens and digital certificates. It also includes comprehensive dashboards for tracking token operations, addressing traceability and compliance requirements.

Data Access Governance (DAG)

Data Access Governance, or Gouvernance des Accès aux Données Non Structurées, focuses on controlling and securing access rights to unstructured data, such as documents, spreadsheets, presentations, or emails, to protect sensitive information. DAG works in conjunction with document management solutions, including Document Management Systems (DMS), file servers, and SharePoint portals, considering the dynamic nature of data sharing and the importance of mitigating data leakage risks.

FIDO (Fast Identity Online)

Fast Identity Online (FIDO) Alliance, established in 2013, is a consortium aiming to develop open standards for online authentication, reducing reliance on passwords while ensuring high authentication levels across devices. FIDO protocols, including CTAP (Client to Authenticator Protocol), enable passwordless authentication using security keys, biometrics, or one-time PINs, enhancing security and user experience. FIDO2, endorsed by the World Wide Web Consortium (W3C), is widely supported by major browsers and operating systems, offering robust authentication methods.

IDaaS (IAM-as-a-service)

IDaaS stands for IAM-as-a-Service, also called Identity-as-a-Service. It describes Identity and Access Management (IAM) solutions that offer a cloud-based, as-a-service delivery model for Access Management and Authentication. IDaaS has been seen as a separate market in recent years, but given recent market developments and technological shifts, going forward it will rather be treated as two separate disciplines: Access Management and IGA, whose delivery methods include on-premises installations, software, or cloud-based platforms.

Identity and Access Governance (IAG)

Identity and Access Governance (IAG) orchestrates user identity and access management within an organization, complementing IAM by overseeing identity legitimacy, preventing orphan accounts, enforcing separation of duties (SoD), and monitoring activities for compliance purposes. IAG solutions integrate supervision tools, role mining, entitlement reviews, and SoD enforcement, enhancing regulatory compliance and security posture.

Identity and Access Management (IAM)

Identity and Access Management ensures secure access to organizational resources by managing digital identities and their associated permissions. IAM encompasses various components and technologies, including strong authentication, identity federation, Single Sign-On (SSO), lifecycle management, and provisioning, delivering benefits across industries. A robust IAM strategy requires a comprehensive platform capable of accommodating diverse IAM services and addressing future organizational needs.

Identity Federation

Identity federation involves a centralized system known as a trusted Identity Provider ("IdP") that manages user authentication. When users attempt to access cloud applications, these apps delegate the authentication process to the Identity Provider each time. Federated identity addresses the complexities of managing credentials across multiple web applications, whether they are within an organization or external to it. Identity federation utilizes standards like SAML and OpenID Connect, along with specific protocols such as Microsoft's WS-Federation.

Identity as a Service (IDaaS)

Identity as a Service (IDaaS) provides IAM functionalities as a cloud-based service, offering scalability, flexibility, and cost-effectiveness compared to traditional on-premise solutions. IDaaS solutions include directory services, SSO, multi-factor authentication (MFA), provisioning, and workflows, enabling organizations to streamline identity management processes and accelerate solution deployment while reducing operational overhead.

IdP (Identity Provider)

An Identity Provider (IdP) creates, maintains, and manages digital user identities and authentication factors. IdPs rely on authentication servers to verify and manage user identities, including usernames, passwords, or biometric data. Popular IdPs include Google, Facebook, Amazon Web Services (AWS), Microsoft Active Directory, and OpenLDAP, facilitating Single Sign-On (SSO) and identity federation for seamless access across multiple applications.

IM (Identity Management)

Identity Management (IM) involves centrally managing user identity data, profiles, and roles within a network. It encompasses user lifecycle management, account provisioning, and entitlement management to efficiently handle user identities amidst the complexity of modern IT environments. IM ensures compliance, enhances security, and streamlines access management processes, catering to diverse user populations and addressing regulatory requirements.

MFA (Multi Factor Authentication)

Multi Factor Authentication (MFA) verifies user identity by requiring at least two distinct factors from the following categories: possession (something the user has), inherence (something the user is), and knowledge (something the user knows). By combining multiple authentication factors, such as passwords, biometrics, or security keys, MFA significantly reduces the risk of unauthorized access and enhances security posture within IAM strategies.

OAuth2

OAuth2 is an open protocol for authorization delegation, allowing limited access to applications or resources with user consent. It enables websites, software, or applications (consumers) to utilize another site's secure API (provider) on behalf of a user. OAuth2 does not handle authentication directly but focuses on authorization delegation. It facilitates obtaining authorization tokens and calling APIs to access user information securely, contributing to secure API access and enhanced user privacy.

OIDC (OpenID Connect)

OpenID Connect (OIDC) is a standard used in identity federation, representing the third generation of the protocol established by the OpenID Foundation. OIDC builds upon OAuth2 capabilities by adding a layer of identification, allowing for user identity verification with an authorization server to obtain user information securely. It addresses OAuth2 limitations in strong authentication, enabling third-party sites to obtain identities more securely than OAuth2 alone. OIDC is commonly used for user authentication in mobile applications or commercial websites.
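The "layer of identification" OIDC adds on top of OAuth2 is the ID token, a signed JWT whose claims the relying party must check before trusting the identity in it. The added example below is written for this glossary (it is not the page's or any IdP's code): it issues an ID token with HS256 so that it runs with the standard library only, then performs the relying-party checks that OpenID Connect Core requires: signature, `iss`, `aud`, `exp`/`iat` and the `nonce` that ties the token to the login request. Real IdPs usually sign with RS256 or ES256 and publish the public key via JWKS; the key, issuer, client id and claim values here are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, key: bytes) -> str:
    """Stand-in for the IdP: serialise the claims as a compact JWS signed with HS256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


class InvalidIdToken(Exception):
    """Raised when the relying party must not trust the token."""


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: int, leeway: int = 60) -> dict:
    """Checks a relying party makes before accepting the identity in an ID token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIdToken("malformed token")
    header_b64, payload_b64, signature_b64 = parts

    # The verifier decides which algorithm is acceptable; it is never taken from the token.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise InvalidIdToken(f"unsupported alg {header.get('alg')!r}")

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise InvalidIdToken("signature does not verify")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise InvalidIdToken("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise InvalidIdToken("token was issued to a different client")
    if int(claims.get("exp", 0)) + leeway < now:
        raise InvalidIdToken("token expired")
    if int(claims.get("iat", now)) - leeway > now:
        raise InvalidIdToken("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise InvalidIdToken("nonce mismatch, possible replay")
    return claims


def check_id_token(*args, **kwargs) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        validate_id_token(*args, **kwargs)
        return "ok"
    except InvalidIdToken as exc:
        return str(exc)


# Constructed values for a stand-alone run; the key, issuer and client id are made up.
DEMO_KEY = b"example-shared-secret-do-not-reuse"
DEMO_ISSUER = "https://idp.example.com"
DEMO_CLAIMS = {"iss": DEMO_ISSUER, "sub": "alice", "aud": "payroll-web",
               "iat": 1_700_000_000, "exp": 1_700_000_600, "nonce": "n-8f3a"}

if __name__ == "__main__":
    token = issue_id_token(DEMO_CLAIMS, DEMO_KEY)
    print(check_id_token(token, DEMO_KEY, DEMO_ISSUER, "payroll-web", "n-8f3a", now=1_700_000_100))  # ok
```

Two of the checks are the ones most often skipped in practice: the `aud` check stops a token obtained for one application from being presented to another, and rejecting any `alg` the verifier did not choose removes the classic "alg: none" bypass.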

PAM (Privileged Access Management)

Privileged Access Management (PAM) enables organizations to manage access and authentication for users with privileges on critical resources or administrative applications. It encompasses both internal users, such as system administrators or users handling sensitive data, and external users like managed service providers. PAM solutions not only control user identity and access but also monitor user activity in real-time to detect and prevent unauthorized access attempts. By enforcing strong authentication measures like multi-factor authentication, PAM ensures secure privileged access management and compliance with governance requirements.

SAML (Security Assertion Markup Language)

Security Assertion Markup Language (SAML) is a standard used in identity federation, developed by the non-profit consortium OASIS. SAML facilitates identity verification and authorization procedures between a user's identity provider (IdP) and service provider (SP) by transferring authentication data in XML format. Enterprises benefit from SAML's security enhancements, standardization, and user experience optimization. It is commonly utilized to enable enterprise users to access multiple applications with a single sign-on.

When a user tries to log in to a cloud-based application, they are redirected to a trusted Identity Provider for authentication. The Identity Provider collects the user’s credentials, such as their username and one-time password, and sends a response back to the cloud application being accessed. This response is called a SAML assertion, which contains either an accept or reject decision. Based on this response, the Service Provider—such as Salesforce, Office 365, or Dropbox—either grants or denies access to the application.

Security Token Services

Identity Provider models are also known as Token-based Authentication or Security Token Services (STS). An STS functions similarly to an Identity Provider, while a Relying Party (RP) is akin to a Service Provider. Instead of exchanging SAML assertions, these systems use Security Tokens. Despite the different terminology, the underlying concept remains the same.

SLO (Single Logout)

Single Logout (SLO) is a process that allows simultaneous termination of user sessions across all connected applications and web services within a Single Sign-On (SSO) environment. By ensuring all sessions are terminated, SLO enhances security and mitigates risks associated with active session exploitation. SLO implementations may use communication protocols like SAML to exchange security information between the resource and Identity Provider or utilize authentication tokens to centrally manage user sessions.

SP (Service Provider)

A Service Provider (SP) delivers application services to clients over a network, typically the Internet. Examples include government services, healthcare providers, banks, and e-commerce platforms. SPs rely on Identity Providers (IdPs) to verify user identity and certain user attributes. Through identity federation, SPs establish trust relationships with IdPs, allowing users to access services using verified identity information provided by the IdP. SPs simplify user access to services and resources while offloading the responsibility of access management.

SSO (Single Sign-On)

Single Sign-On (SSO) enables users to access multiple applications with a single authentication process. It streamlines authentication across various environments, including web, enterprise, and mobile. SSO improves password policies, enhances security with multi-factor authentication, and reduces helpdesk support costs associated with password management. Users benefit from a seamless browsing experience and convenience by eliminating the need to remember multiple passwords.

SSRPM (Self Service Reset Password Management)

Self-Service Reset Password Management (SSRPM) empowers users to reset their passwords independently in case of forgotten or locked accounts. SSRPM solutions reduce helpdesk burden and enhance user autonomy by enabling password reset from both user devices and web portals. They incorporate various authentication methods, including multi-factor authentication, to ensure secure password management and user access.

WebAuthn (Web Authentication)

WebAuthn, developed by the W3C and based on the FIDO2 specifications, provides a web authentication standard using asymmetric keys. It allows users to authenticate to web applications from registered devices, such as smartphones, laptops, or hardware security keys. By replacing traditional authentication methods like passwords and SMS codes, WebAuthn enhances security against phishing attacks and offers a passwordless authentication experience. Widely supported by major browsers and platforms, WebAuthn sets a new standard for secure and convenient user authentication.

WS-Federation (Web Services Federation)

WS-Federation (sometimes referred to as "Web Services Federation Language" or "WS-Fed") is a standard used in identity federation. It facilitates the exchange of identity information between applications with different security specifications. WS-Federation employs a language for describing trust rules based on WS-Trust (Web Services Trust Language), which is also a security protocol, to communicate with heterogeneous environments. Users can use their credentials to access resources in different systems, ensuring that identification information is managed securely. WS-Federation can be used to implement Single Sign-On (SSO) and streamline access to various resources for users. Like SAML and OAuth, WS-Federation is a mature technology.

ZTNA (Zero Trust Network Access) / Zero Trust

Zero Trust is a strategic cybersecurity model based on the principle that there is no inherent trust within the network and that access should not be granted by default to any user. Zero Trust Network Access extends this concept, focusing on systematically verifying and continuously monitoring access to applications based on various factors such as user authentication, context, and access control policies. By leveraging technologies like multi-factor and contextual authentication, access control, and privilege management, organizations can implement a Zero Trust security posture tailored to the current digital landscape. ZTNA enhances user experience and agility while aligning cybersecurity strategies with business needs.

Conclusion

As organizations navigate the complexities of the digital era, mastering IAM concepts emerges as a strategic imperative for achieving resilience, agility, and competitive advantage. By embracing IAM best practices and staying abreast of emerging trends, businesses can position themselves for success in an ever-evolving technological landscape, driving sustainable growth and innovation.
