Identity and Access Management encompasses a wide range of technologies, policies, and models. With so many different things involved, it can be difficult to keep up with the ever-growing jargon. Initialisms, acronyms and buzzwords help professionals navigate the space and understand each other, but they can be intimidating to newcomers, outsiders, or simply those in need of a refresher. So if you don’t know your IdPs from your OTPs, we’ve prepared this guide to give you a brief tour through the lexicon, and demystify some of the more common terms you’ll come across.
The process of managing and monitoring secure access of appropriate users to an IT system. While IAM involves the creation of profiles, identities and how their privileges are determined, AM deals specifically with authorising those identities and monitoring them, ensuring that the system laid out by IAM is followed.
A Windows directory service, usually used to authenticate and authorise users on a Windows server network. AD uses the LDAP protocol and usually runs on Domain Controllers, specialised servers running Windows Server.
AES is a standard for encrypting data, based on the Rijndael block cipher. Adopted as a standard by the US government, it is a symmetric-key algorithm, where the same key is used for both encryption and decryption.
Also from Microsoft, Azure Active Directory authenticates and authorises users, but additionally provides SSO and MFA. Unlike Active Directory, it is cloud-based and runs from Microsoft data centres.
A policy at businesses where employees use their own devices such as laptops and smartphones rather than them being provided by the company. With the shift towards remote and hybrid working, this is becoming increasingly popular.
Essentially a form of federated access, BYOI is where different apps or systems are accessed using an identity from a third-party IdP. This is commonly seen with sites which accept a social media account to log in to access their services.
The management and authorisation of customer identities. It has many crossovers with IAM, but CIAM also includes other aspects that are not typically present, or otherwise less important, in IAM - such as branding, accessibility, and consent management.
A system whereby an enterprise allows its employees to manage their own passwords. The use of an Enterprise Password Manager allows users to easily create, manage, reset and forward passwords. It can be used to provide SSO where token-based authentication is not supported.
The linking of one identity to multiple systems, across different apps and even IT systems and organisations. For example, it is now possible to use just your Google or Facebook account to log into many different websites. This is not the same as SSO, which may still require lots of different identities per user.
The agreement between two systems to use one digital entity to access resources on both systems. For example, when a site trusts Google to allow users to log into their site using their Google account. This is not the case with My1Login signing into Dropbox, for example – there is no specific arrangement in place, and My1Login in this case is merely securing and managing a specific Dropbox identity.
A hash is the form in which a password is stored after the original password has been passed through a hashing algorithm. The system keeps the hash rather than the password, and when the user later enters their credentials, the system hashes what was entered and compares the result with the stored value. The same password will always produce the same hash, even for different users, which causes security issues: anyone who obtains the stored hashes can recognise shared or common passwords and attack them all at once.
IAM is an umbrella term for all policies, methods, systems and technologies used in an enterprise to ensure that users have appropriate access and restrictions on the technology available to them.
Providing a cloud-based identity solution as a service, as the name implies. ‘As a service’ refers to cloud-based solutions, e.g. Software as a Service provides cloud-based web apps. Identity as a Service provides third-party authentication and/or authorisation services in the cloud for enterprises and individuals.
Identification – the user presents their claim to an identity.
Authentication – the user’s claim is verified using their credentials.
Authorisation – the identity is allowed to gain access appropriate for their security privileges.
The process of managing, creating and offboarding identities and their permissions within a system. Through this framework, users are able to have access to the resources they need at the right time, appropriate to their user privileges.
An identity provider is the component of a system responsible for creating and maintaining identities. Other applications and parts of the system rely on the IdP to authenticate users requesting access.
IdP-initiated access is when the user gains access to the Identity Provider’s system first, before accessing a third-party website or app. At My1Login, this is usually seen when the user logs into the portal, which brings up a list of links.
A catch-all term that includes the non-technical side of identity management. Identity administration covers the distribution and issuing of passwords and control of access. Identity governance, meanwhile, also covers the process by which user privileges are decided and organised, as well as analytics and the segregation and management of roles within the enterprise.
Similar to IAM, ILM is a broad term encompassing both the technologies and processes used to create and manage identities and access within an enterprise. ILM also emphasises the need for restricting and removing identities as required, including provisioning and deprovisioning.
An authentication protocol that allows nodes to prove their identity to one another securely when communicating over a non-secure network.
An application protocol for distributing information across an IP network. Most commonly used as a central place to store usernames and passwords.
MFA is an authentication process which requires users to provide two or more factors to an authentication server (or other system). Presenting several pieces of evidence is not enough on its own: the factors must be of different types, so, for example, two separate passwords would not qualify. Instead, it must be at least two of something inherent (something the user is, e.g. a fingerprint scan), knowledge (something the user knows, e.g. a password), or a possession (something the user has, e.g. a physical smart card). Location may also be considered a fourth factor in some contexts.
An open standard designed to work over HTTP, which allows a separate authorisation server to grant third parties access to resources. OAuth is an authorisation protocol, not an authentication one. It can be used as a standalone authentication model, although this is known as pseudo-authentication and is not entirely secure.
A true authentication layer to complement OAuth’s authorisation layer. This allows multiple apps to use the layer to allow SSO.
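The difference between OAuth pseudo-authentication and OIDC authentication comes down to what the relying party verifies. The following is an added example, not code from the original page or from My1Login: it simulates an IdP minting an OIDC ID token (a JWT, signed here with HS256 using a shared client secret, which is an assumption made for a dependency-free demo; production IdPs usually use RS256 with published keys) and shows the checks a relying party must perform before treating the token as proof of who the user is. The issuer URL, client ID and secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the IdP: signs an ID token with HS256 (constructed for this demo)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: float = None):
    """Relying-party checks on an ID token. Returns (ok, reason, claims)."""
    now = time.time() if now is None else now
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
    except ValueError:
        return False, "malformed token", None
    header = json.loads(_b64url_decode(header_seg))
    # Pin the algorithm: never let the token choose (e.g. "none").
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected_sig = hmac.new(secret, f"{header_seg}.{payload_seg}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_seg)):
        return False, "bad signature", None
    claims = json.loads(_b64url_decode(payload_seg))
    if claims.get("iss") != issuer:
        return False, "wrong issuer", None
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    # A token minted for another client must not log the user in here.
    if client_id not in aud:
        return False, "token not issued for this client", None
    if claims.get("exp", 0) <= now:
        return False, "expired", None
    # The nonce binds the token to the login request that asked for it.
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch", None
    return True, "ok", claims


if __name__ == "__main__":
    # Constructed sample values for the demo.
    secret, issuer = b"demo-client-secret", "https://idp.example"
    token = mint_id_token({"iss": issuer, "sub": "alice", "aud": "my-app",
                           "exp": int(time.time()) + 300, "nonce": "n1"}, secret)
    print(validate_id_token(token, secret, issuer, "my-app", "n1"))
    print(validate_id_token(token, secret, issuer, "other-app", "n1"))
```

The audience check is the one that pseudo-authentication with a bare OAuth access token cannot do: an access token proves that some client was authorised, not that this client authenticated this user, so a token obtained by a different app would be accepted.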
A single-use password only valid for one session, often sent by request to an email address.
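To make the two definitions above concrete, here is an added example that is not from the original page or from My1Login. It implements the MFA rule that two factors must come from different categories (so two passwords do not count), and a minimal issuer for email-style one-time passwords that are time-limited and consumed on first use. The factor names, the five-minute lifetime and the user names are constructed assumptions for the demo; in a real system the code would be sent to the user's mailbox rather than returned.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed mapping of factor types to the three MFA categories.
FACTOR_CATEGORIES = {
    "password": "knowledge",
    "pin": "knowledge",
    "smart_card": "possession",
    "email_otp": "possession",   # proves control of the mailbox
    "fingerprint": "inherence",
}


def distinct_categories(factors):
    """The set of categories represented by the presented factors."""
    return {FACTOR_CATEGORIES[f] for f in factors}


def satisfies_mfa(factors) -> bool:
    """True only if at least two *different* categories were presented."""
    return len(distinct_categories(factors)) >= 2


@dataclass
class OtpStore:
    """Issues six-digit OTPs that expire and can be redeemed exactly once."""
    ttl_seconds: int = 300
    _issued: dict = field(default_factory=dict)   # user -> (code, expiry)

    def issue(self, user: str, now: float = None) -> str:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, never random.random
        self._issued[user] = (code, now + self.ttl_seconds)
        return code   # demo only: a real system emails this instead

    def redeem(self, user: str, candidate: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        # Remove on any attempt: a wrong guess burns the code, which stops
        # an attacker cycling through the million possibilities.
        entry = self._issued.pop(user, None)
        if entry is None:
            return False
        code, expiry = entry
        if now > expiry:
            return False
        return hmac.compare_digest(code, candidate)


def login(store: OtpStore, user: str, password_ok: bool, otp_candidate: str,
          now: float = None) -> bool:
    """Combine a knowledge factor with a possession factor and apply the MFA rule."""
    presented = []
    if password_ok:
        presented.append("password")
    if store.redeem(user, otp_candidate, now):
        presented.append("email_otp")
    return satisfies_mfa(presented)


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice")
    print("first use:", login(store, "alice", True, code))    # True
    print("replayed:", login(store, "alice", True, code))     # False, single use
```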
Similar to PPM, PAM is the management of the whole infrastructure and methodology of granting access to users with additional security privileges, beyond just passwords. This encompasses the identification, authentication and authorisation of users, as well as their monitoring and auditing.
A fraudulent attempt to obtain sensitive information in a digital communication, most commonly by email. Phishing scams often try to send users to a fake website designed to look like that of a well-known and trusted company to enter in information such as usernames, passwords, and credit card details.
The Principle of Least Privilege is a fundamental security standard which states that users should be given the minimum levels of privilege and access required to do their job. By keeping the number of users with access beyond the norm as low as possible, the whole system is made more secure, and any potential data breach causes far less damage.
PPM is the management of passwords which provide security privileges beyond that of a normal user. This often requires extra layers of security, with passwords that are frequently and randomly changed. This also requires a secure method of distributing this password not only to individuals who require it, but also to any programs, servers, APIs and other systems that need to connect to other applications.
Push notifications are pop-up messages that display from either a mobile or web app. Push notifications are increasingly used in malware and data mining, and users choosing to allow them can present a significant security risk.
A networking protocol that provides Authentication, Authorisation and Accounting for users who use a service on the network. It is usually a background process running on a UNIX or Windows server.
RSA is a public-key encryption system developed in 1977. The acronym simply stands for the initials of its creators. As the algorithm is very slow, it is rarely used to encrypt user data directly, but is frequently used to transmit symmetric decryption keys.
A random string of data which is added to a password before hashing to provide extra security. A hash function always gives the same output for the same input, so without a salt the same password used twice will be stored as two identical hashes. This allows hackers to use lookup tables to cross-reference stored hashes and potentially find common words used as credentials. Adding a different salt for each user makes this much harder to crack.
SAML is an XML-based language for enabling SSO, by communicating authentication and authorisation data between an identity provider and a service provider. Apps and systems that are SAML-compatible do not require a password, but instead a token, which can be given by a separate identity provider (such as My1Login).
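The hash and salt definitions above are easiest to see side by side. The following added example (not code from the original page or from My1Login) stores two constructed users who chose the same password, first with a plain SHA-256 hash and then with a per-user random salt and PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count is an assumed value in line with current guidance for SHA-256. It also shows verification, which recomputes the hash with the stored salt and compares in constant time.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials: two users who happen to pick the same password.
USERS = {"alice": "Summer2024!", "bob": "Summer2024!"}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical passwords give identical digests, for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, salt: Optional[bytes] = None,
                       iterations: int = 600_000) -> dict:
    """Hash with a fresh random salt using PBKDF2-HMAC-SHA256 (stdlib).

    The salt is not secret; it is stored next to the hash so that verification
    can repeat the same computation. Its job is to make each stored hash unique.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    """Show the collision without a salt and its disappearance with one."""
    unsalted = {user: unsalted_hash(pw) for user, pw in USERS.items()}
    salted = {user: make_salted_record(pw) for user, pw in USERS.items()}
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],   # True
        "salted_collide": salted["alice"]["hash"] == salted["bob"]["hash"],   # False
        "alice_correct": verify_password(salted["alice"], "Summer2024!"),   # True
        "alice_wrong": verify_password(salted["alice"], "summer2024!"),     # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the salted records differ even for the same password, a lookup table built once cannot be reused across users, and the iteration count makes each guess expensive for an attacker who obtains the records.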
An open-source, single sign-on system. Shibboleth provides the architecture for federated access management between different apps and networks and is based on SAML.
The psychological aspect of a scam. Commonly a part of phishing and spoofing attacks, social engineering will also often be used to establish a premise requiring the user to give away sensitive information.
Contrasting with IdP-initiated access, SP-initiated access is a system in SSO solutions where the user is authenticated as soon as they access the Service Provider’s app, rather than having to navigate through the IdP portal.
Forging the sender address in email communication. Since core email protocols do not have built-in authentication, it is relatively easy to fake the origin of an email.
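Because the From header itself carries no proof of origin, the usual defence is to check whether the sending domain was authenticated by the receiving mail server and whether that authenticated domain matches the From domain (the alignment idea behind DMARC). The following is an added example, not code from the original page or from My1Login: it parses the Authentication-Results header that a receiving server adds after its SPF and DKIM checks, and reports whether the visible From domain is backed by one of those passing results. The messages and domains are constructed samples, and the header format assumed is the one defined in RFC 8601.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr


def _raw(*lines: str) -> bytes:
    """Build a raw RFC 5322 message from header/body lines (constructed samples)."""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


LEGIT = _raw(
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bank.example;"
    " dkim=pass header.d=bank.example",
    'From: "Bank Support" <support@bank.example>',
    "To: alice@example.com",
    "Subject: Your statement",
    "",
    "Your statement is ready.",
)

# Forged From: SPF passed for the real envelope sender, which is a different domain.
SPOOFED = _raw(
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk-sender.example;"
    " dkim=none",
    'From: "Bank Support" <support@bank.example>',
    "To: alice@example.com",
    "Subject: Urgent: verify your account",
    "",
    "Please log in at the link below.",
)


def parse_auth_results(value: str) -> dict:
    """Turn 'authserv; method=result prop=val ...; ...' into {method: {...}}."""
    results = {}
    parts = [p.strip() for p in value.split(";")]
    for part in parts[1:]:            # parts[0] is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, outcome = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": outcome.lower(), **props}
    return results


def from_domain(msg) -> str:
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()


def aligned(from_dom: str, auth_dom: str) -> bool:
    """Relaxed alignment: exact match or a subdomain of the authenticated domain."""
    auth_dom = auth_dom.rpartition("@")[2].lower()   # smtp.mailfrom may be a full address
    return bool(auth_dom) and (from_dom == auth_dom or from_dom.endswith("." + auth_dom))


def check_from_alignment(raw: bytes):
    """Return (aligned, reason) for the visible From domain."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = parse_auth_results(str(msg["Authentication-Results"] or ""))
    dom = from_domain(msg)
    spf, dkim = results.get("spf", {}), results.get("dkim", {})
    if spf.get("result") == "pass" and aligned(dom, spf.get("smtp.mailfrom", "")):
        return True, f"spf pass aligned with From domain {dom}"
    if dkim.get("result") == "pass" and aligned(dom, dkim.get("header.d", "")):
        return True, f"dkim pass aligned with From domain {dom}"
    return False, f"From domain {dom} has no aligned authentication result"


if __name__ == "__main__":
    print(check_from_alignment(LEGIT))
    print(check_from_alignment(SPOOFED))
```

A receiving system would normally trust only an Authentication-Results header stamped by its own server (the authserv-id), since the header can itself be forged by an upstream sender.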
SSO is a system where one set of credentials is used to gain access to multiple apps, systems, and/or networks, without requiring credentials to be entered again.
A method of providing SSO for apps which are not compatible with token-based authentication protocols such as SAML or OIDC. Passwords are stored in a vault and forwarded by a browser plugin, which fills in the login form automatically.
Zero Trust Security is a model that involves extensive authentication and authorisation of identities operating within a system. Contrasted with ‘Castle and Moat’ systems, where users are verified before gaining access to the network but left free when inside, a Zero Trust network will only authorise users to access specific areas. As a whole, the network is usually compartmentalised into many separate areas requiring further authorisation. Zero Trust does not refer to a specific technology or system, but rather the overall approach to security on those networks.