Identity & Access Management Glossary.
July 4, 2023
Gil Roeder
6 min read
Identity and Access Management (IAM) is the set of policies and technologies that ensure the right individuals (employees, contractors, customers, etc.) have access to the appropriate resources in an organization. IAM is a crucial aspect of any organization's IT strategy.
IAM comes in two flavors: workforce IAM and customer-facing IAM.
In this glossary, we break down the most relevant concepts related to IAM.
Managing Access
- Access Control: The selective restriction of access to a particular resource, system, or data.
- Access review: Periodic audit process within an organization. It checks whether the access privileges granted to each user (including employees, contractors, and partners) are appropriate and necessary for their job role. Alternative terms are User Access Review or Entitlement Review.
- Active Directory (AD): A Microsoft product that consists of several services to administer permissions and access to networked resources.
- API Access Management: The process of defining and enforcing policies for APIs, managing who and what can access them.
- Authorization: The process of giving someone permission to access certain resources like applications.
- CASB (Cloud Access Security Broker): A policy enforcement point that sits between enterprise users and cloud service providers, implementing a variety of security measures, including authentication, encryption, and malware detection, to ensure cloud application security across all devices and applications.
- CIEM (Cloud Infrastructure Entitlement Management): The process of managing identities and privileges in cloud environments. CIEM aims to understand which access entitlements exist across cloud and multicloud environments, and then identify and mitigate risks resulting from entitlements that grant a higher level of access than they should.
- Cloud Data Loss Prevention (DLP): A security approach involving technologies that monitor and control data flows, aimed at preventing sensitive information from leaving an organization's network and systems, both in on-premises and cloud environments.
- Customer Identity & Access Management (CIAM): A system for managing customer identities, profile data, and access controls, often on a large scale, while maintaining security and privacy compliance for customer data.
- Deprovisioning: The process of removing an identity from an identity management system, including revoking all access rights and privileges.
- Employee Identity Management: A system used to securely manage the end-to-end lifecycle of employee identities across all enterprise resources.
- Identity governance: An organizational framework that ensures precise control and oversight over user access rights, enhancing security, enabling regulatory compliance, and minimizing insider threats. Identity governance can be seen as a framework, Access Management and Access reviews as activities within this framework.
- Least Privileged Access Control: A strategy in which only the minimum necessary access is granted to users based on their job responsibilities.
- Lifecycle Management: The process of managing the entire lifecycle of a particular entity, such as a user account or a hardware/software component, from its creation to its end of life.
- Network Access Control (NAC): A method used to enhance the security of a proprietary network by restricting the availability of network resources to endpoint devices that comply with the organization's security policy.
- OAuth: An open-standard authorization framework or protocol that describes how unrelated servers and services can safely allow authenticated access to their assets.
- OAuth 2.0: The second version of OAuth, a protocol that lets external apps request authorized access to private data in a user's account without obtaining the user's password.
- Principle of Least Privilege: The practice of limiting access to the minimal level that will allow normal functioning.
- Privileged Access Management (PAM): A sub-discipline within IAM that focuses on the special requirements of powerful accounts within the IT infrastructure of an enterprise. PAM targets those with the highest access levels, often exceeding what a normal role grants.
- Provisioning: The process of creating, managing, and maintaining user objects and attributes in relation to accessing resources available in one or more systems or applications.
- RBAC (Role-Based Access Control): A method of regulating access to resources based on the roles of individual users within an organization.
- User Provisioning: The creation, management, and maintenance of user objects and attributes in relation to accessing resources available in one or more systems or applications.
- Zero Trust: A security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and must verify anything and everything trying to connect to their systems before granting access.
- ZTNA (Zero Trust Network Access): A security model that requires strict identity verification for every person and device trying to access resources on a private network.
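The entries above on authorization, RBAC, least privilege, access reviews and deprovisioning fit together as one small model. The following is an added example (not code from the original glossary) with constructed roles, users and permission names; it derives a user's effective permissions from roles, makes a deny-by-default authorization decision, runs an entitlement review that flags direct grants exceeding the role baseline, and deprovisions an identity by revoking everything.

```python
from dataclasses import dataclass, field

# Constructed sample: the permissions each role legitimately needs (least privilege baseline)
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "support": {"tickets:read", "tickets:write", "customer:read"},
    "auditor": {"logs:read", "repo:read"},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    direct_grants: set = field(default_factory=set)  # entitlements granted outside any role
    active: bool = True

def effective_permissions(user):
    """Permissions the user actually holds: role-derived plus direct grants; none if disabled."""
    if not user.active:
        return set()
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms | user.direct_grants

def authorize(user, permission):
    """Authorization decision: deny by default, allow only if the permission is held."""
    return permission in effective_permissions(user)

def access_review(users):
    """Entitlement review: report direct grants that exceed what each user's roles justify."""
    findings = {}
    for u in users:
        baseline = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in u.roles))
        excess = u.direct_grants - baseline
        if excess:
            findings[u.name] = sorted(excess)
    return findings

def deprovision(user):
    """Deprovisioning: revoke every role and direct grant, then disable the identity."""
    user.roles.clear()
    user.direct_grants.clear()
    user.active = False
    return user

if __name__ == "__main__":
    alice = User("alice", {"developer"}, {"prod:db:admin"})  # constructed: over-privileged
    bob = User("bob", {"support"})
    print(authorize(alice, "repo:write"), access_review([alice, bob]))
    deprovision(alice)
    print(effective_permissions(alice))
```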
Identity Management
- Authentication: The process of verifying the identity of a user, device, or system.
- Biometrics: Physical or behavioral human characteristics that can be used to digitally identify a person.
- Cloud Identity Governance: An identity governance approach that applies specifically to cloud-based applications and services. See Identity Governance.
- Credential: Information that includes identification and proof of identification used to gain access to resources.
- Federated Identity: A method of linking and using identity data across multiple distinct identity management systems.
- Identity as a Service (IDaaS): Cloud-based services that provide identity and access management functionality to an organization's systems that are on-premises and/or cloud-based.
- Identity Management: The task of controlling information about users on computers and the administration of user rights and restrictions with IT systems.
- Identity Provider (IdP): A system entity that creates, maintains, and manages identity information and provides authentication services.
- Multi-Factor Authentication (MFA): An authentication method that requires the user to provide two or more verification factors to gain access to a resource.
- Passwordless Authentication: A type of authentication where users do not need to log in with passwords. This can include biometric data, SMS messages, or security tokens.
- Passkeys: A sequence of symbols that unlocks access to a digital resource, similar to a password but often temporary or one-time-use.
- Single Sign-On (SSO): A user authentication service that allows a user to use one set of login credentials (like a name and password) to access multiple applications, streamlining the authentication process and improving user convenience.
- Two-Factor Authentication: A method of confirming users' claimed identities by using a combination of two different factors, often something they know (a password) and something they possess (a token or SMS code).
Beyond IAM
- Account Takeover: An act where a third party gains access to a user’s accounts and credentials.
- Attack Surface: The total number of vulnerabilities through which an unauthorized user can enter data into or extract data from an environment.
- Cloud Security Posture Management (CSPM): A category of security products that point out misconfiguration and compliance issues within cloud computing systems.
- Data Detection and Response (DDR): Security tools that monitor and control data access, usage, and movement.
- Data Security Posture Management (DSPM): The process of continually assessing and managing the security measures in place to protect an organization's data. DSPM involves understanding the types and locations of data and the risks associated with them, and ensuring appropriate controls are in place to mitigate these risks.
- Phishing: A type of cyber attack that involves sending fraudulent communications that appear to come from a reputable source, usually through email, to steal sensitive data like login information or credit card numbers.
- SaaS Security Posture Management (SSPM): Practices and solutions that centralize control and visibility of an organization's security posture across its Software-as-a-Service (SaaS) applications. A crucial aspect of SSPM is configuration management, which involves ensuring that security settings in third-party tools are correctly configured.
Protocols
- SAML (Security Assertion Markup Language): An open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
- SCIM (System for Cross-domain Identity Management): An open standard protocol for automating the exchange of user identity information between identity domains, or IT systems.
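SCIM is the protocol that carries the provisioning and deprovisioning described earlier between an identity provider and an application. The following is an added example (not code from the original glossary or any SCIM implementation): it parses a constructed SCIM 2.0 User resource and applies a constructed PatchOp message of the kind an identity provider sends to deactivate a user. Only simple top-level attribute paths are handled; the schema URNs are the standard SCIM 2.0 ones.

```python
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: a SCIM User resource as an identity provider would push it
SAMPLE_USER = json.dumps({
    "schemas": [USER_SCHEMA],
    "id": "00000000-0000-4000-8000-000000000001",  # constructed placeholder id
    "userName": "jdoe@example.com",
    "active": True,
    "emails": [{"value": "jdoe@example.com", "primary": True}],
})

# Constructed sample: the PATCH body that deactivates (deprovisions) the user
SAMPLE_PATCH = json.dumps({
    "schemas": [PATCH_SCHEMA],
    "Operations": [{"op": "replace", "path": "active", "value": False}],
})

def parse_user(body):
    """Validate an incoming SCIM User resource before creating or updating a local account."""
    user = json.loads(body)
    if USER_SCHEMA not in user.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    if not user.get("userName"):
        raise ValueError("userName is required")
    return user

def apply_patch(user, body):
    """Apply a SCIM PatchOp (add/replace/remove) to top-level attributes of a user."""
    patch = json.loads(body)
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM 2.0 PatchOp message")
    for op in patch["Operations"]:
        kind = op["op"].lower()  # some providers capitalize op names
        path = op.get("path")
        if path is None or "." in path or "[" in path:
            raise ValueError("only simple top-level attribute paths are supported here")
        if kind in ("add", "replace"):
            user[path] = op["value"]
        elif kind == "remove":
            user.pop(path, None)
        else:
            raise ValueError(f"unsupported op {op['op']}")
    return user

if __name__ == "__main__":
    u = apply_patch(parse_user(SAMPLE_USER), SAMPLE_PATCH)
    print(u["userName"], "active:", u["active"])
```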