As cyber security awareness evolves, large-scale breaches, including thefts of personally identifiable information (PII), tend to hit the news. Identity and access management (IAM) solutions play a crucial role in preventing data breaches by securing apps and services at the access point.
To help you better understand the definition and purposes of IAM, we’ve summarized its key terms. Read on to grasp the glossary of Identity Management, Access Management (AM), Multi-factor Authentication (MFA), Adaptive Authentication, Authorization, and more. It’s our take on Identity and Access Management for Dummies.
AM - Access Management
Access management solutions enforce access controls, and provide centralized authentication, single sign-on (SSO), session management, and authorization enforcement for on-premises and cloud-based applications. Gartner defines Access Management as tools “that establish, enforce and manage journey-time access controls to cloud, modern standards-based web and legacy web applications. It can be used by workforce users, as well as external users.”
IAM - Identity and Access Management
Gartner defines IAM as the discipline that enables the right individuals to access the right resources at the right times for the right reason. IAM solutions are composed of various sub-areas, including Identity Governance and Administration (IGA), Privileged Access Management (PAM), and Access Management (AM). IAM solutions provide a methodical framework for requesting and granting access to applications, enforcing access controls, and ensuring visibility into access events.
CIAM – Customer Identity and Access Management
Customer IAM (CIAM) enables external users to register for corporate online services, and authenticates and authorizes those external users when they log on to these services. CIAM systems allow external individuals to associate devices and other digital identities with their account so they can authenticate themselves and be authorized to access apps and data. Unlike traditional IAM systems that authenticate the internal workforce, information about consumer users often arrives from many unauthoritative sources. The information collected about consumers can be used for many different purposes, such as authorization for resources or for a transaction, or for analysis to support marketing campaigns.
IDaaS – Identity-as-a-Service
Identity-as-a-Service, also referred to as IAM-as-a-Service, describes IAM solutions that are offered through a cloud-based delivery model.
IGA - Identity Governance and Administration
IGA solutions manage and monitor digital identities and automate the provisioning and assignment of access rights, entitlements, and permissions to applications.
Identity Federation
Identity federation is the process of delegating the responsibility of authenticating a user to a trusted external party. Identity federation solves the challenge of managing credentials for numerous apps separately, whether internal or external to an organization. Identity federation relies on federation protocols such as SAML and OpenID Connect, as well as proprietary protocols such as Microsoft’s WS-Federation.
SAML and other identity federation protocols, which enable the safe exchange of identity data between unaffiliated websites, are based on an Identity Provider (IdP) and service provider model. When users access a service provider (cloud-based service), they are redirected to the trusted IdP for authentication and/or authorization data.
SSO - Single Sign-On
Provides the capability to authenticate once and be subsequently and automatically authenticated when accessing various resources. It eliminates the need to separately log in and authenticate to individual applications and systems, essentially serving as an intermediary between the user and target applications. Behind the scenes, target applications and systems still maintain their own credential stores and present sign-on prompts to the user’s system. Single Sign-On (SSO) responds to those prompts and maps the credentials to a single login/password pair.
Authentication
Authentication is the process in which a user’s identity is validated or verified based on the credentials that the user provides when logging in to an application, service, computer, or digital environment. Most authentication credentials consist of something the user has, for example, a username, and something the user knows, such as a password. If the credentials provided by the user match those that are stored by the underlying application or IdP, the user is successfully authenticated and granted access.
Authorization
Authorization is the process that ensures that properly authenticated users can access only the resources that they are allowed to access, as defined by the owner or administrator of that resource.
Context-based or Adaptive authentication
Context-based authentication verifies the identity of users by assessing a range of supplemental information at the time a person logs into an application. The most common types of contextual information include a user’s location, time of day, IP address, type of device, URL, and application reputation. Also known as risk-based or adaptive authentication, context-based authentication is central to the world of SSO and access management, where the objective is to make the authentication journey as transparent and painless as possible.
With a token, a password, a fingerprint, or facial recognition, authentication is basically a yes/no decision: the system validates a user’s identity and either allows or denies access to an application. By assessing a range of attributes such as IP address, mobile parameters, known device, operating system and so on, contextual or risk-based authentication can continuously verify a person’s identity each time they log into an application. In fact, it can do so without the user even knowing.
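The following is an added illustration, not code from Thales or from any product named on this page: a toy adaptive-authentication policy that scores the contextual signals listed above (known device, location, IP address, time of day, application reputation) and maps the score to one of three outcomes: allow silently, step up to MFA, or deny. The user baselines, weights, thresholds and sample logins are all assumptions made for the example.

```python
"""Toy adaptive-authentication policy (added example; all values are assumptions)."""
from dataclasses import dataclass
import ipaddress


@dataclass
class LoginContext:
    user: str
    ip: str
    country: str       # ISO country code derived from the login, assumed already resolved
    device_known: bool  # device previously registered/seen for this user
    hour_utc: int       # 0-23
    app_risk: str       # assumed application reputation tier: "low", "medium" or "high"


# Assumed per-user baselines: the history a real IdP would learn over time.
BASELINES = {
    "alice": {"countries": {"US"}, "ip_ranges": ["203.0.113.0/24"], "work_hours": range(7, 20)},
}
# Default for users with no history: nothing is familiar, any hour is acceptable.
UNKNOWN_BASELINE = {"countries": set(), "ip_ranges": [], "work_hours": range(0, 24)}


def risk_score(ctx: LoginContext) -> int:
    """Add risk points for every signal that deviates from the user's baseline."""
    base = BASELINES.get(ctx.user, UNKNOWN_BASELINE)
    score = 0
    if not ctx.device_known:
        score += 3                       # unfamiliar device
    if ctx.country not in base["countries"]:
        score += 3                       # unfamiliar country
    addr = ipaddress.ip_address(ctx.ip)
    if not any(addr in ipaddress.ip_network(r) for r in base["ip_ranges"]):
        score += 2                       # IP outside the user's usual ranges
    if ctx.hour_utc not in base["work_hours"]:
        score += 1                       # outside usual hours
    score += {"low": 0, "medium": 1, "high": 2}[ctx.app_risk]
    return score


def decide(ctx: LoginContext) -> str:
    """Map the score to a decision; thresholds are assumptions."""
    score = risk_score(ctx)
    if score >= 7:
        return "deny"          # too many anomalies to trust even with MFA
    if score >= 3:
        return "step-up-mfa"   # ask for a second factor, then continue
    return "allow"             # familiar context: transparent SSO login
```

A familiar context passes silently, a single anomaly such as a new device triggers a step-up, and a login that is anomalous on every signal is refused outright.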
MFA - Multi-factor Authentication
MFA ensures the authenticity of a person’s identity. When users present more than one factor to determine their identity, they will achieve a greater level of trust. Multiple factors can include a combination of something you know, like a password, something you have like a USB token or smart card, or biometric factors including fingerprints or facial recognition. Because MFA security requires multiple means of identification at login, it is widely recognized as the most secure method for authenticating access to data and applications. However, since many recent attacks have managed to bypass certain MFA methods, security agencies like CISA and ENISA are increasingly suggesting the adoption of phishing-resistant MFA, like FIDO.
Passwordless Authentication
Passwordless authentication replaces passwords with other methods of identity validation, improving both the level of assurance and convenience. This type of authentication has gained traction because of its significant benefits in easing the login experience for users and overcoming the inherent vulnerabilities of text-based passwords. These advantages include less friction, a greater level of security for each application and—best of all—the elimination of the legacy password.
Password Managers
Also called password vaults, password managers are a simple way to create a single sign-on (SSO) experience when a target application does not support identity federation protocols, for example, a legacy or custom application. Password vault systems store and encrypt the passwords used for different websites. Users authenticate with a master password to decrypt the password vault, eliminating the need to remember separate passwords.
PAM - Privileged Access Management
Privileged access management solutions manage and govern privileged accounts. While the functionality of PAM solutions may vary, at a minimum they offer the ability to control access to privileged accounts, monitor and record the activity of privileged users, and vault credentials of privileged users.
To expand your knowledge further, you can download Thales’s “Access Management Handbook”, which provides more insights on access management.