Editor's Message

Welcome to Identoday, a side-project from Data Breaches Digest that focuses on the world of Identity Management. Any feedback, positive or negative, would be gratefully received to enable us to give you the best experience on any device. Thank you for your support. Stay safe :)



Glossary

Please find below a helpful list of definitions for most common Identity Management terms.

If you are looking for a particular term that isn't in this list, please let us know and we will endeavour to add it for you.


Access Management
The process of configuring the level of access for each user and group within a software system. Through this process, system administrators grant access to authorized users and restrict access to unauthorized users. This may be done hierarchically through the use of user groups. Access management requires periodic auditing and maintenance to keep up with evolving business needs and employee roles.

Active Directory (AD)
Active Directory is a Windows OS directory service that facilitates working with interconnected, complex and different network resources in a unified manner. Active Directory provides a common interface for organizing and maintaining information related to resources connected to a variety of network directories. The directories may be systems-based (like Windows OS), application-specific or network resources, like printers. Active Directory serves as a single data store for quick data access to all users and controls access for users based on the directory's security policy.

Active Directory Federation Services (ADFS)
A federated authentication system for Microsoft-centric networks that use Microsoft Active Directory as their directory services system. ADFS aims to provide seamless authentication and single sign-on functionality across a very large organization, while supporting autonomy for each organizational group to manage their own access control needs.

Adaptive Authentication
Adaptive authentication refers to authentication policies that are triggered based on device, user, or location context. Authentication requirements may be determined by static parameters, such as the type of user, their current location, type of device, and so on. It may also be determined using dynamic parameters, in which the system continually analyzes access patterns, and adjusts authentication policies accordingly. For example, a user who only ever logs in from a single location may be blocked if they attempt to log in from a different location.

Adaptive Multi-Factor Authentication
Adaptive authentication is all about dynamically adjusting login parameters based on unique scenarios. One of the parameters that adaptive authentication can adjust is the requirement for an additional factor of authentication, or step-up authentication. For example, if the system detects an unusual access pattern, it challenges the user for an additional authentication factor (e.g. a code sent via SMS) to establish identity assurance rather than blocking the user altogether.
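The two entries above describe a policy that weighs login context and either allows, challenges or blocks. The following is an added illustration written for this glossary, not code from any of the cited vendors: a small risk-scoring engine that compares an attempt against the locations and devices previously seen for that user (the "dynamic parameters" the definition mentions) and chooses step-up over an outright block for moderate anomalies. The thresholds, the `ip_reputation_bad` flag and the history structure are assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class LoginAttempt:
    user: str
    country: str
    device_id: str
    ip_reputation_bad: bool = False   # assumed to come from a reputation feed

@dataclass
class UserHistory:
    """Access pattern observed so far; updated only after a successful login."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)

# Assumed thresholds: a score of 2 triggers an extra factor, 5 denies outright.
STEP_UP_THRESHOLD = 2
BLOCK_THRESHOLD = 5

def assess(attempt: LoginAttempt, history: UserHistory):
    """Return (decision, reasons): decision is 'allow', 'step_up' or 'block'."""
    score, reasons = 0, []
    if attempt.country not in history.countries:
        score += 2
        reasons.append("new_location")
    if attempt.device_id not in history.devices:
        score += 2
        reasons.append("new_device")
    if attempt.ip_reputation_bad:
        score += 3
        reasons.append("bad_ip_reputation")
    if score >= BLOCK_THRESHOLD:
        return "block", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "allow", reasons

def record_success(attempt: LoginAttempt, history: UserHistory) -> None:
    """Learn the context only once the user has passed the required checks."""
    history.countries.add(attempt.country)
    history.devices.add(attempt.device_id)

if __name__ == "__main__":
    hist = UserHistory({"GB"}, {"laptop-1"})
    print(assess(LoginAttempt("alice", "US", "laptop-1"), hist))   # step-up, not block
```

A user who has only ever logged in from one country gets a step-up challenge from a new country rather than a denial; a new country on an unknown device from an address with bad reputation scores high enough to block. Because history is recorded only after success, an attacker cannot "teach" the engine a new location by merely attempting a login.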

Application Network
The current trend of moving away from monolithic enterprise IT systems toward a system of smaller applications from multiple vendors, which are integrated using open APIs and standards. This allows vendors to focus on a specialized niche, and enterprise customers to have more flexibility in choosing their functionality à la carte.

Attack Surface
The sum total of an enterprise’s abstract “surface area” that can be targeted by attackers. Bugs, vulnerabilities, and insecure policies can all comprise part of the attack surface. The goal of strong identity access management is to limit the attack surface to reduce overall risk through security best practices such as automated user provisioning and deprovisioning, patching, and least privileged access control.

Authentication
The process of determining that the party with which you are communicating is indeed who they claim to be. In other words, the process of determining a user’s identity.

Authentication Factors
This refers to three mutually reinforcing categories of authentication schemes:
  • Something you are (e.g. your retina, thumbprint, voice characteristics).
  • Something you have (e.g. a specific device, a fob).
  • Something you know (e.g. a password, a secret code).

BeyondCorp
Refers to a type of zero trust security model that focuses on individual users and devices instead of network perimeters. BeyondCorp is guided by the principles of perimeterless design, context-awareness, and contextual access management.

Brute Force
A method of attack whereby an attacker systematically attempts all possible combinations of inputs, usually by automating the process with a script.

Cloud Identity Management
A service that is hosted in the cloud, offering identity, authentication, and authorization functions for other cloud-hosted software services. A cloud identity management system is an alternative to traditional directory service systems, which typically manage identity for on-premises monolithic enterprise applications. These often leave cloud services with siloed identity services that must be managed individually, thus complicating lifecycle management.

Continuous Authentication
Continuous authentication is a process that continually monitors a user’s session with an eye for authentication, and raises authentication challenges whenever there are signals that a user may have changed. Signals can be based on subtle usage patterns, including unique behavioral biometrics such as typing speed, language fingerprints, and mouse movement patterns. Continuous authentication can mitigate risks such as impersonation, if someone else accesses a user’s unmonitored session, and inconvenient timeouts that require users to log in again.

Customer Identity Access Management (CIAM)
Customer Identity Access Management is a software solution that allows an organization to control customer access to applications; determine customer identity by linking with databases, online profiles, and other available information; and securely capture and manage customer profile information. CIAM supports organizations in conducting targeted marketing, providing seamless authentication for customer support, and gathering business intelligence analytics to better serve customers with new product features and updates.

Data Breach
Refers to an incident whereby data is accessed by an unauthorized individual or software system.

Data Breach Prevention
Includes technology, people, and process considerations — all of which work together to protect an organization. From a technology perspective, this includes well-maintained user authentication and authorization configuration, systems that scan and block network activity in real time based on content filtering policies, or “circuit breakers” that detect potential exfiltration based on an abnormally high outbound data rate.

Deprovisioning
The process of removing access for a particular user from software systems. For example, when an employee leaves the organization, their user profile must be deprovisioned. Deprovisioning is generally more complicated than simply deleting the account, because it’s often desirable to retain and accurately attribute the user’s previous contributions, so the account must remain in some type of disabled state.

Employee Identity Management
The process of cataloguing employees in a software system. Employee identity management often includes representing the organizational structure of functional groups. Employee identity management requires ongoing maintenance, such as when employees are hired or leave the organization. It also often includes an authentication scheme, such as having the employee set their account password.

Federated Identity
In a federated identity system, multiple software systems can share identity data from a larger centralized system. For example, an application for consumers may allow its users to log in using a Google or Facebook account. An enterprise network may use a federated system so that branch offices can manage their own identity system, while connecting systems from each branch through a system at head office. This would allow employees traveling to a different branch office to use the computer systems, but different access policies would likely still apply.

Identity as a Service (IDaaS)
This is a variant on the concept of Software as a Service (SaaS), indicating that identity management can be outsourced and purchased as a cloud-based service instead of either purchasing the software and operating it in-house or building the functionality from scratch in-house.

Identity and Access Management (IAM)
The process of codifying not only users and groups in a software system, but also what resources they are each able to access and what functions they are each able to perform. IAM addresses authentication, authorization, and access control.

Identity Management (IDM)
The process of codifying users and groups, as well as the metadata related to each of these entities, such as contact details, location, photo, etc. Includes mechanisms for authentication of these entities.

Incident Response Planning
The practice of documenting a planned reaction to a security incident. This is not necessarily a breach, rather the investigation is part of the process of determining whether there was an attack, who/what was involved, and if there was any data exfiltration. Having an incident response plan in place allows companies to react quickly and decisively if a security incident occurs. Elements of the plan may involve revoking widespread access temporarily, shutting down systems, notifying stakeholders, and establishing processes for re-establishing access, re-evaluating policy and process, remediation, backup, and recovery.

JSON Web Token (JWT)
A token representing some number of claims, most typically the claim that the holder is authenticated and authorized to access a resource. These tokens are stored in a JSON format with standardized fields for issuer, subject, and expiry. Web applications often employ a refresh token to automatically generate new access tokens indefinitely. JSON web tokens are standardized as RFC 7519.
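To make the "standardized fields for issuer, subject, and expiry" concrete, here is an added example (written for this glossary, not taken from RFC 7519 or any vendor) that issues and verifies an HS256-signed JWT using only the Python standard library. The verifier pins the algorithm instead of trusting the header's `alg`, checks the signature before reading any claim, and then validates `iss` and `exp`. The key, issuer URL and claim values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue a compact JWT: base64url(header).base64url(claims).base64url(sig)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"

def verify_jwt(token: str, key: bytes, expected_issuer: str, now=None):
    """Return (claims, None) when the token is valid, else (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:                      # covers bad base64 and bad JSON
        return None, "malformed"
    # Pin the algorithm: the header is attacker-controlled until the signature is checked.
    if header.get("alg") != "HS256":
        return None, "unexpected_alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad_signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        return None, "wrong_issuer"
    exp = claims.get("exp")
    now = time.time() if now is None else now
    # RFC 7519: the current time must be strictly before exp; a missing exp is treated as invalid here.
    if not isinstance(exp, (int, float)) or now >= exp:
        return None, "expired"
    return claims, None

if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"   # constructed for the example
    tok = sign_jwt({"iss": "https://idp.example", "sub": "alice", "exp": int(time.time()) + 300}, key)
    print(verify_jwt(tok, key, "https://idp.example"))
```

Verifying the signature before decoding the payload, and refusing any algorithm other than the one the server expects, are the two checks that matter most in practice; an application that skips either is effectively accepting unsigned claims.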

Lightweight Directory Access Protocol (LDAP)
Lightweight Directory Access Protocol refers to a protocol for interacting with a hierarchical directory service database, particularly for authentication and authorization. However, the term LDAP has also come to represent a wide range of directory system implementations, including OpenLDAP, Apache Directory, and FreeIPA.

Least Privilege
The principle of least privilege (PoLP) refers to an information security concept in which a user is given the minimum levels of access – or permissions – needed to perform his/her job functions. The principle of least privilege is widely considered to be a cybersecurity best practice and is a fundamental step in protecting privileged access to high-value data and assets.

Least Privileged Access Control
The application of the principle of least privilege to access management: each user, group or service is granted only the permissions needed to perform its role, and those permissions are reviewed and revoked as roles change rather than accumulating over time.

Lifecycle Management
This term recognizes that many entities represented in a software system will be at a certain stage in a lifecycle, and their access needs to be managed accordingly. For instance, an employee may start off as a “candidate,” then become a “full employee” with one or more positions over their tenure, and ultimately cease to be an employee and be deprovisioned entirely. Lifecycle management can also apply to other things. For instance, devices may be purchased, provisioned for a particular user, reprovisioned for a different user, and ultimately deprovisioned and sold or discarded.

Mobility Management
The practice of configuring security policies, monitoring usage and location, and enabling the functionality for provisioning and deprovisioning. This includes remotely wiping data from devices, whether company-owned or employee-owned.

Multi-Factor Authentication (MFA)
A combination of at least two of the three authentication factor categories. MFA is a more general form of two-factor authentication. It often refers to a system that combines two or more authentication requirements in different circumstances. MFA significantly increases system security, especially in the case of credential compromise, because each additional authentication factor requires additional effort to compromise. For instance, phishing for passwords has a relatively high success rate and can be done at scale remotely, but stealing the corresponding physical token from a user’s keychain would be quite difficult.

OAuth 2.0
OAuth is an open standard for allowing delegated access to user information in web applications. OAuth 2.0 is the second major revision to the standard, which completely overhauls the specification. As a result, it is not backwards compatible with OAuth 1.0.

OpenID Connect (OIDC)
OpenID Connect is a RESTful authentication system that uses OAuth 2.0 for authorization. It uses JSON web tokens (JWTs) and effectively provides single sign-on across multiple applications.

Password Spray
A type of brute force password attack whereby a single common password (e.g. password1) is tried in combination with many usernames, rather than the other way around. Many systems can detect a brute force attack against a single user and will lock the account after a number of failed attempts. By executing a brute force attack along a different axis, the attacker often goes unnoticed.
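Because per-account lockout does not see a spray, detection has to pivot to the source: many distinct usernames failing from one address in a short window, with few attempts per user. The following detector is an added example for this glossary (not code from any cited vendor) that runs over a constructed set of authentication-failure events; the log line format, the ten-minute window and the five-user threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): one source cycling through many users,
# one source hammering a single account, one source touching two users.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth_failure user=alice src=203.0.113.5
2024-05-01T10:00:30Z auth_failure user=bob src=203.0.113.5
2024-05-01T10:01:02Z auth_failure user=carol src=203.0.113.5
2024-05-01T10:01:40Z auth_failure user=dave src=203.0.113.5
2024-05-01T10:02:15Z auth_failure user=erin src=203.0.113.5
2024-05-01T10:02:50Z auth_failure user=frank src=203.0.113.5
2024-05-01T10:00:10Z auth_failure user=bob src=198.51.100.7
2024-05-01T10:00:12Z auth_failure user=bob src=198.51.100.7
2024-05-01T10:00:15Z auth_failure user=bob src=198.51.100.7
2024-05-01T10:00:18Z auth_failure user=bob src=198.51.100.7
2024-05-01T10:03:00Z auth_failure user=alice src=192.0.2.9
2024-05-01T10:05:00Z auth_failure user=grace src=192.0.2.9
"""

def parse_line(line: str):
    """Parse '<iso-timestamp> <event> key=value ...' into (time, event, user, src)."""
    ts_text, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, event, kv["user"], kv["src"]

def detect_password_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Return {src: set_of_users} for sources that failed against >= min_users
    distinct accounts within any sliding window of the given length."""
    failures = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, event, user, src = parse_line(line)
        if event == "auth_failure":
            failures[src].append((ts, user))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it is within `window` of the current event.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users and len(users) > len(flagged.get(src, ())):
                flagged[src] = users
    return flagged

if __name__ == "__main__":
    for src, users in detect_password_spray(SAMPLE_LOG.splitlines()).items():
        print(f"possible password spray from {src}: {sorted(users)}")
```

The single-account source (198.51.100.7) is deliberately not flagged here; that pattern is what account lockout already handles, and keeping the two signals separate makes the spray alert easier to tune.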

Passwordless Authentication
Describes a range of approaches to authenticate users by means other than a password. This could be one of the two other authentication factor categories (something you are, or something you have) or it may refer to a process by which an email or text containing a secret single-use code authenticates you with no other password required. Some applications offer this option to users, who can request a single-use code or link by email that authenticates them to the application.

Phishing
A type of socially engineered attack whereby a user is presented with a seemingly plausible and often mundane request, and is tricked into divulging their authentication credentials to a facade. One common phishing attempt is an email that appears to be from the user’s IT department, claiming their account requires verification, with a link directing them to a lookalike website. When they log in to the fake website, their credentials are sent to the attacker, which the attacker can then use to impersonate the user on the real site.

Privileged Access Management (PAM)
Privileged Access Management refers to a comprehensive cybersecurity strategy – comprising people, processes and technology – to control, monitor, secure and audit all human and non-human privileged identities and activities across an enterprise IT environment. Organizations implement privileged access management to protect against the threats posed by credential theft and privilege misuse.

Privileged Identity Management (PIM)
Privileged Identity Management is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

Provisioning
The process of establishing an identity and associated access configuration in a software system. An example is when a new user signs up for a service, or a new employee begins at an organization. Provisioning requires establishing a method for subsequent authentication (e.g. receiving user login credentials, choosing a password, etc.).

Public-Key Cryptography
An application of asymmetric cryptography, where one key is private and the other is public. Asymmetric cryptography means a message encrypted with one key can only be decrypted by the other. The public one is widely distributed, so that anyone wishing to send the owner of the private key a message can do so knowing that only the intended recipient will be able to decrypt it.

Security Assertion Markup Language (SAML)
This is a standardized protocol used to integrate authentication and authorization functions between multiple systems. It is most often used to gain single sign-on functionality between multiple applications from different vendors. SAML implementations act as an “identity provider,” which handles authentication and authorization on behalf of one or more applications.

System for Cross-Domain Identity Management (SCIM)
SCIM is a standard for modeling identity data through resources such as users and groups. It defines standard operations through a REST-based system for manipulating the resources as JSON objects.

Single Sign-On (SSO)
Single Sign-On enables a user to authenticate to multiple software systems with a single authentication session. A common business application is that an employee enters their credentials once into a company SSO product and gains access to all their business apps without logging into each app separately. This is particularly helpful if the software systems are within the same organization and managed by the same authority. From the end user perspective, SSO removes the fatigue of logging in to multiple systems or remembering multiple account passwords. From the IT perspective, this enables faster, more secure deployment of business apps, while reducing help desk calls from tasks such as password resets.

Time-Based One-Time Password (TOTP)
An algorithmically-generated code that is deterministic based on the current date and time and a secret “seed” value. The server knows the seed, and can easily verify that a given code is valid for the current time period. TOTP can significantly increase security because even if a code is intercepted, it is worthless after the time window has passed (usually less than a minute). This makes the logistics of an attack much more difficult. TOTP can be implemented on a simple and inexpensive hardware device or on a smartphone. The seed is installed and is made difficult or impossible to recover or duplicate.

Token Authentication
A method of authenticating to an application using a signed cookie containing session state information. A more traditional authentication method is usually used to initially establish user identity, and then a token is generated for re-authentication when the user returns.

Two-Factor Authentication (2FA)
The combination of two out of the three authentication factor categories. Two-factor authentication is a subset of multi-factor authentication, and significantly increases security, because each authentication factor requires a different style of attack to compromise.

Universal Authentication Frameworks (UAF)
UAF is an open standard developed by the FIDO Alliance with the goal of enabling a secure passwordless experience for primary authentication, as opposed to a second factor as described in U2F. Under the spec, the user presents a local biometric or PIN and is authenticated into the service. This protocol is not yet embedded in the major browsers, which has limited its adoption.

Universal 2nd Factor (U2F)
U2F is an open standard, whereby a hardware token device can attest the holder’s identity through a challenge and response protocol. The token device is connected via USB or NFC (near-field communication). It is the standard maintained by the FIDO Alliance and is supported by Chrome, Firefox, and Opera.

WebAuthn
An evolution of the FIDO U2F and UAF protocols. WebAuthn continues in the FIDO tradition of allowing credentials to be used for step-up authentication. However, its biggest innovation is enabling users to authenticate to services without necessarily needing to identify themselves first (through a username and password combination).

Zero Trust
Zero Trust is a security framework developed by Forrester Research in 2009 that throws away the idea that we should have a trusted internal network versus an untrusted external network. Rather, we should consider all network traffic untrusted. This research has evolved to discuss a Zero Trust Extended Ecosystem that includes the need to secure the workforce through strong identity and access management, along with multi-factor authentication. Forrester has coined the term “next-generation access” to describe this critical component.

Data Sources: CyberArk, Microsoft, Okta, Techopedia