As cyber security awareness evolves, large-scale breaches including thefts of personal identifiable information (PII) tends to hit the news. Identity and access management (IAM) solutions play a key role in preventing data breaches by securing apps and services at the access point.
To help you better understand the definition and purposes of IAM, we’ve summarized its key terms. Read on to grasp the glossary of Identity Management, Access Management (AM), Multi-factor Authentication (MFA), Adaptive Authentication, Authorization and more. It’s our take on Identity and Access Management for Dummies.
IAM solutions are composed of various sub areas, including Identity Governance and Administration (IGA), Privileged Access Management (PAM) and Access Management (AM). IAM solutions provide a methodic framework for granting and requesting access to applications, enforcing access controls and ensuring visibility into access events. Gartner defines IAM as the discipline that enables the right individuals to access the right resources at the right times for the right reason.
Access management solutions enforce access controls, provide centralized authentication, single sign on (SSO), session management and authorization enforcement for on-premises and cloud-based applications.
Stands for IAM-as-a-Service, also called identity-as-a-service, to describe IAM solutions that offer a cloud-based delivery model.
IGA solutions manage and monitor digital identities and automate provisioning, assignment of access rights, entitlements and permissions to applications.
Involves the process of delegating the responsibility of authenticating a user to a trusted external party. Identity federation solves the challenges of managing credentials for numerous apps separately, whether internal or external to an organization. Identity federation relies on federation protocols such as SAML and Open ID Connect, as well as proprietary protocols such as Microsoft’s WS-Federation.
SAML and other identity federation protocols, which enable the safe exchange of identity data between unaffiliated websites, are based on an Identity Provider (IdP) and service provider model. When users access a service provider (cloud-based service), they are redirected to the trusted IdP for authentication and/or authorization data.
Single Sign-On (SSO)
Provides the capability to authenticate once and be subsequently and automatically authenticated when accessing various resources. It eliminates the need to separately log in and authenticate to individual applications and systems, essentially serving as an intermediary between the user and target applications. Behind the scenes, target applications and systems still maintain their own credential stores and present sign-on prompts to the user’s system. Single Sign-On (SSO) responds to those prompts and maps the credentials to a single login/password pair. (Source: Gartner)
A process that ensures that properly authenticated users can access only the resources that they are allowed to access, as defined by the owner or administrator of that resource.
A process in which a user’s identity is validated or verified based on the credentials that the user provides when logging in to an application, service, computer or digital environment. Most authentication credentials consist of something the user has, for example, a username, and something the user knows, such as a password. If the credentials provided by the user match those that are stored by the underlying application or IdP, the user is successfully authenticated and granted access.
Context-based Authentication / Adaptive authentication
Verifies the identity of users by assessing a range of supplemental information at the time a person logs into an application. The most common type of contextual information may include a user’s location, time of day, IP address, type of device, URL and application reputation. Also known as risk-based or adaptive authentication, context-based authentication is central to the world of SSO and access management where the objective is to make the authentication journey as transparent and painless as possible.
With a token, a password, fingerprint, or facial recognition – authentication is basically a yes / no decision: The system validates a user’s identity and either allows or denies them access to an application. By assessing a range of attributes such as IP address, mobile parameters, known device, operating system etcetera, contextual or risk based authentication can continuously verify a person’s identity each time they log into an application. In fact, it can do so without the user even knowing.
Multifactor Authentication (MFA)
MFA ensures the authenticity of a person’s identity. When users present more than one factor to determine their identity, they will achieve a greater level of trust. Multiple factors can include a combination of something you know, like a password, something you have like a USB token or smart card, or biometric factors including fingerprints or facial recognition. Because MFA security requires multiple means of identification at login, it is widely recognized as the most secure method for authenticating access to data and applications.
Also called password managers, password vaults are a simple way to create a single sign on (SSO) experience when a target application does not support identity federation protocols, for example, a legacy or custom application. Password vault systems store and encrypt passwords used for different websites. Users can authenticate with a master password to decrypt the password vault, eliminating the need to maintain separate passwords.
Privileged Access Management (PAM)
Privileged access management solutions manage and govern privileged accounts. While functionality of PAM solutions may vary, at minimum they offer the ability to control access to privileged accounts, monitor and record the activity of privileged users, and vault credentials of privileged users.
Thales’s “Access Management Handbook” provides more insights on access management.