IAM Glossary


Access Management: The process of managing a user’s access across a wide range of applications, systems, and resources within an organization, either as a customer or as an employee.

Attestation: The process by which accesses are reviewed and certified effective (valid and still required).

Attribute: Data points about a user that can be used to create a digital identity. First name, last name, phone number, and email are all examples of attributes.

Attribute Based Access Control (ABAC): The process of using individual attributes to translate into some level of access to or within a system. For example, given your first name and last name combo, you are able to access only YOUR personal health information at your doctor’s office in a system with the information of thousands of others in that system.

Audit: In the context of IAM, an Audit typically reviews User Accesses, Roles, Provisioning/Deprovisioning processes, and overall User lifecycle. This is done to fully understand attack surfaces and the risk score determinable by user type and privilege assigned to a user per attack surface.

Authentication (AuthN): Authentication is the process of verifying that a person or thing is who they claim to be. AuthN doesn’t provide users the rights to access ANYTHING, it simply provides mechanisms to verify authenticity of the entity trying to access a system.

Authorization (AuthZ): Authorization is the next step to Authentication, where either an Application or Service makes determinations on a user’s privilege in a system based on attributes, roles, or other classifications about the user that serve as qualifying conditions.


Blockchain: A Blockchain is a shared, immutable ledger that can be used for decentralized storage and use of data just like a centralized data store, but without any central administrative body to control it. Current uses of this technology include recording transactions (think BTC), tracking assets (think NFTs), and building trust (think Proofing Technologies for Identity Verification).

Blockchain IAM: The application of Blockchain technology to verify, store, and utilize user data to create fully permissioned user/entity identity datastores across a Distributed Ledger.


Centralized Authentication Service (CAS): An SSO-based web service that allows users to authenticate once to access a variety of services offered by an entity. An example of this is logging into a global site, but still being able to browse the business’ other sites as a logged-in user as a result of that initial login.

Compliance: In the context of IAM, compliance can be in reference to compliance with Data Privacy laws for Consumer Data storage, use, and transmission. It can also be in reference to corporate policy on data retention, legal requirements, and other regulations that are either self-imposed or industry mandated.

Credential: A credential is data that can be trusted to provide AuthN for a person or thing. Examples include driver’s licenses, passports, or username/password combinations to access a service.

Customer Identity and Access Management (CIAM): CIAM is the application of Identity And Access Management principles to managing the accesses of large quantities of users who patronize/use a business service digitally. CIAM includes user management, federation, and overall compliance with Data standards to provide rich customer experiences with security and controls built into every step.


Digital Identity: A digital identity is a compilation of attributes and data points that are stored about a user/account that constitute a digital representation thereof. This digital representation can be used to access services, make requests, and much more.

Distributed Ledger Technology (DLT): Typically associated with Blockchain, DLT is a consensus of replicated, shared, and synchronized digital data geographically spread across multiple sites, countries, or institutions with no central controlling entity.

De-provisioning: The process of removing a user’s/account’s access within target systems. This is either done manually or in an automated fashion.


Event: Typically called a security event in IAM. These events are logged, monitored, and reviewed to predict behavior and prevent future threats.

Entitlement: Sometimes used interchangeably with Roles, Entitlements are classifications that can be given to users or devices that enable access/authorization to systems or modules of a system.


Federated Identity: A federated identity is formed when the sum of a user’s accesses within a domain (or sometimes across multiple domains) is accumulated into one identity that can be extended and used across those systems.

Federated Identity Management: A solution developed for use in creating, managing, and administering federated identities. Providers like Okta, Auth0, Forgerock, and others provide this service as part of their offering.


Group: In IAM, a group is a collection of digital identity records for users (people), accounts (service, script running, etc.), or devices (printers, computers) that can be used to apply provisioning rules, access separation, and other logical separations and groupings that constitute AuthZ in a system, or lack thereof.


Human Resources Information System (HRIS/HRMS): In IAM, an HRMS/HRIS is a system of record that captures data on users at an organization. This is generally a source of truth for identities, as it is usually the first place that user records are created at an organization. This data is then sent to Identity Systems downstream that utilize it to create identities for use in target systems.


Identity Governance and Administration (IGA): Identity Governance and Administration (IGA) solutions power the lifecycle of user identities across target systems, and within an organization as a whole. An IGA system is the backbone of an Identity Practice, and performs the automated/manual processes that go into provisioning, de-provisioning, privilege control, rule workflows, and much more.

Identity and Access Management: Identity and Access Management (IAM) is the management of user, service/admin accounts, and device identities as well as their authentication (AuthN) (and sometimes AuthZ) with target systems.

Identity as a Service (IDaaS): Identity and access management as a service, or IDaaS, refers to IAM solutions whose source code and core processes do not reside in a local stack, but instead are consumed as a service from a provider. Generally, these services are cloud based, and come with certain SLAs and hosting guarantees that make them a healthy alternative to traditional on-premise IAM solutions. Okta, Auth0, and Forgerock are all great examples of Cloud Identity providers.


Just In Time Provisioning (JIT): JIT provisioning is done at creation/login into a system. This process adheres to the least privilege principle, in that rights and privileges are assigned if, and only if, a user/account actually accesses/registers for access in a system, and not a moment before.


Know Your Customer (KYC): Typically, a marketing term, but KYC applies to CIAM in that CIAM puts controls around getting to know your customers in a way that is safe, and compliant with global regulations as they pertain to user data and its storage, transmission, and usage in downstream systems. KYC also seeks to capture user consent in a way that is transparent to end users, thereby adding trust and value to customer interactions.


Multi-factor Authentication: Multi-factor authentication utilizes known, owned, and inherent factors about users to add an additional layer of security to an app/service over your traditional Username and Password logins. This can be a security question, an SMS to a user owned and registered device, or a biometric validation like a fingerprint.


OAuth/OAuth2.0: OAuth is an open standard for access delegation, commonly used as a way for users to grant websites or applications access to their information on other websites but without giving them the passwords. OAuth utilizes trust frameworks to draw user identities from trusted sources to grant access to data based entirely on the veracity of a user identity’s referring organization/data store. An easy example of this is using your Facebook or Twitter account to log in to external sites without entering a password.

Off-boarding: The process by which a user is booted from an organization’s IAM system, and thereby the target systems that IAM system is tasked with managing user identities for.

OpenID: OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. Check out documentation for the OpenID standard here: https://openid.net/connect/

Onboarding: The process of bringing new users into target systems using an Identity Governance and Administration tool/process. This typically doesn’t also include adding privileges to accounts, simply pushing accounts into Identity and Target Systems without privilege included.

One Time Password (OTP): A single use password that expires after usage.


Password Reset: The process by which a password is changed.

Privilege: A privilege is basically rights to perform an action. Different privileges assigned to users or devices enable those entities to perform tasks central to their daily functioning.

Privileged Access Management (PAM/PIAM): PAM is a focus of IAM that centers around the management of accounts with high privileges. Service Accounts, Master Admin Accounts, and other high-risk accounts require strong solutions that are built to secure them.

Privilege Management: Privilege Management is the process by which administrators can review, attest, or modify privileges for applications, devices, and users.

Privileged User: A privileged user is a user with multiple high-risk rights/privileges assigned to their account.

Provisioning: A process that assigns privileges to user accounts in target systems in a way that allows for users to perform tasks within those systems.


Requester: A person who requests a change to some aspect of their user identity, or for access/elevated access in a system.

Role: A grouping of identity attributes that are represented by a singular classification. Users with certain roles have certain access to systems.

Role-Based Access Control (RBAC): The process of using roles created by grouping attributes together to control access or authorization within a system.


Security Assertion Markup Language (SAML/SAML 2.0): Security Assertion Markup Language is an open standard for exchanging authentication and authorization data with scopes and claims between Identity providers and Service Providers in XML format.

System for Cross-Domain Identity Management (SCIM): SCIM is an open standard for automating the exchange of user identity information between identity domains, or IT systems, which eases the task of extending on-premise/cloud identities across systems and disparate domains. This standard is frequently used in creating experiences for firms who recently underwent an M&A.

Security Audit: An organizational review of entitlements and user privileges that prevents privilege creep and other malfeasance associated with accounts accruing far too much power.

Self-Service Password Resets (SSPR): A self-service password reset is a process that allows users to reset their passwords by themselves without any help from a service desk or other help-desk authority.

Single-Factor Authentication: Your traditional authentication method that typically uses a single credential pair like a username and password to verify a user’s identity.

Single Sign-On (SSO): SSO allows users to access multiple applications for a particular period of time using a single login. This promotes remembering only one credential pair, versus multiple for each system a user must access.

Source of Truth (SoT): An SoT is a system that serves as the source of identity data (attributes or whole identities) that is used to populate user identities. Multiple attributes can each have their own Source of Truth, but each attribute can only have one ultimate SoT.


Termination: Generally, this is the firing process. In terms of identity, it is what an IGA system does when it receives the status code marking termination of a user to off-board and deprovision that user.


User: Users are people whose access to systems and identity information must be managed. These can be users who are internal to an organization, or external users (customers, vendors, etc.).
