Cloud Identity & Access Management (IAM) Terms and Definitions
(Source - NMI - Enterprise and Desktop Integration Technologies (EDIT) Consortium, CSO Online and Carnegie Mellon Computing Services )
Access Management Service - provides authentication, authorization, control, and enforcement services that enable users to access corporate resources
Affiliation - specifies a person's relationship(s) to the institution in broad categories. For example: University - Student, faculty, staff, alumni. Business - C level executive, Departments, Employees, Partners, Customers, Suppliers
Attestation - the process of confirming a user's identity
Single-factor authentication uses a password or other single method to verify a users identity. Multi-factor authentication requires the use of at least two different methods to verify a user's identity (most commonly a password along with a card/PIN, authentication token, or one-time password sent via SMS).
Authorization - an extra security step that allows or denies access privileges to company resources including computer programs, files, apps or data. When a user signs in, authorization is usually performed before authentication (see "Authentication").
Authorization Audit - a process that provides an overview of the access capabilities of an entire enterprise. An authorization audit can be comprehensive (displaying all access privileges across the board to all resources), but it is generally performed to see who has access to a resource, or what resources one person has access to. Cloud Service Provider (CSP) - a service provider that offers storage or software-based services available as an on-premise (private cloud) or hosted solution.
Credential - the way in which a user proves his/her identity; usually with an ID and a password. Each of these is a credential.
De-provisioning - the removal of a person from an identity repository (for example, when someone leaves the company). This action removes a person's access privileges as well.
Entitlement - the ability to access a business service. A new employee is entitled to access a company email. However, he will be granted access only after he has been provisioned and access privileges have been provided.
Federation - an agreement between identity providers and service providers that allows for the sharing of information. It lets users of a service sign on to said service through one single identity provider. For example, Facebook Connect allows users to sign on to different websites using their Facebook accounts.
Group - a software construct that allows the management of multiple entities (i.e. employees) within one category. Groups are often used to define roles or other affinities. They simplify access control. A group, for example, might be a list of email addresses subscribed to a newsletter. A group can also contain a list of users allowed entry into a building. Furthermore, groups can also hold other groups inside them, containing lists of machines that can run certain pieces of software.
IAAS (Infrastructure-as-a-Service) - a provision model in which a company outsources pieces of its IT infrastructure (or the entire infrastructure) to a service provider that maintains it. Aspects of IT infrastructure frequently outsourced include utility computing & billing, administrative tasks, desktop virtualization, and Internet connectivity.
IAM (Identity-and-Access-Management) - a system-wide solution that manages an enterprise's authentication into external and internal applications. Users can sign on to multiple applications without having to know the credentials to each one. Additionally, the access management component allows for firms to determine who gets access to what resources within the enterprise.
IAMaaS (Identity-and-Access-Management-as-a-Service) - a model in which IAM (see "IAM") is outsourced to a service provider. The service provider therefore becomes responsible for keeping records of credentials, which are often encrypted.
IDaaS (Identity-as-a-Service) - an implementation with many single sign-on (see "Single Sign-on Authentication, or SSO") characteristics in which a company outsources its authentication to a service provider that dedicates itself to managing this piece of infrastructure.
Identification - the process in which a person's information is gathered and verified for accuracy. Usually, identity verification happens in a human resources or student services office. This office then creates a record within an archive after meeting with the individual.
Identification - is a prerequisite to registration (see below).
Identifier (ID) - a label (such as a name or some other text) that gives an entity a name. Such a name makes it easier to determine who is using what. Many entities have multiple identifiers which can prove useful. The name "Andrew" can be attached as an identifier to the email "firstname.lastname@example.org"
[Digital] Identity - a set of identity attributes (see "Identity Attribute") that are kept by an identity provider in order to properly associate them to an entity.
Identity Attribute - a property tied to an entity. This could be the entity's phone number, home address, or other details. The policies behind the handling of such attributes are usually governed by laws or standards in privacy and common business practices. These entities could be customers as well as employees.
Identity Provider (IdP) - an organization that establishes relationships with users and service providers and mediates transactions of data between them. It allows service providers to accept logins from users of the identity provider (as opposed to making a whole new account on the service provider).
Identity Management - an integrated system of business policies, processes, and technologies that allows an organization to control access to internal and external resources. This system also protects any sensitive data from unauthorized access. It represents an entire category of solutions that work with each other to administer authentication, access rights, restrictions to access, profiles, passwords, and other attributes that are tied to the user within the system.
Identity Proofing - the process by which a physical person is associated with his/her digital identity. This is often done in the registration phase, when a person submits a copy of a passport or driver's license.
Identity lifecycle management - refers to the entire spectrum of technologies that create and maintain digital identities. Identity lifecycle management is usually composed of synchronization, provisioning, de-provisioning, and management technologies that deal with all user data within an identity.
Identity synchronization - the process by which an identity repository is synchronized with a current database to ensure that all the data within any particular identity is consistent and up-to-date.
Level of Assurance (LoA) - the degree of certainty that the user has accurately identified his/herself with proper credentials. New standards are emerging revolving around LoA practice (i.e. NIST 800-63).
Within the context of these standards, Level of Assurance is defined as:
the degree of confidence in the proofing process (see "Identity Proofing") used to establish the identity of the individual who receives a set of credentials, and
the degree of confidence demonstrating that the individual who uses a set of credentials is really the individual whom the credentials belong to.
Many regulations and standards might require a high level of assurance that the individual in question who receives a set of credentials to an application is really that person. For example, banks need to identify a person with a physical presence at the office and multiple photo IDs before opening an account.
OAuth - an open authorization standard that allows certain applications to access server resources on behalf of a user. Facebook apps, for example, use this type of authorization to let users choose whether an app can have access to certain account features or not.
OpenID - a standardized method of de-centralized authentication. It's an open form of federated identity management (see "Federation").
One Time Password (OTP) - a password that is valid for only one login session. This is much like Google's SMS password for phone number confirmation. It sends the user a code through SMS that he/she must input in order to confirm his/her ownership of a phone number.
Onboarding - the process of introducing a new employee into a company's identity and access management (IAM) system.
Offboarding - refers to the process of removing a user from a company's identity and access management (IAM) system. This term may also refer to the process by which new restrictions are applied to a user's access to company resources.
PaaS (Platform-as-a-Service) - a service whose purpose is to allow a user to create his/her own custom-built online applications. PaaS providers give users the tools and libraries necessary to create these applications, usually with much more ease than it would take to develop an entire application from scratch.
Password reset - a process by which a user changes one's own password. This greatly diminishes the time lost by IT administrators in responding to support calls. The reset applications usually appears in a browser and allows the user to reset the password after correctly answering some questions that verify the user's identity. The questions could be replaced entirely by a secret word or phrase.
Persona - a digital identity (like a group of attributes) that a user can select to represent oneself in a certain context. For example, a staff member may be labeled both "user" and "administrator." One may choose to give this staff member the ability to act as an administrator in some contexts and have the mere power of the user in others.
Privilege - an additional construct that streamlines and simplifies access management. Privileges allow certain users (entities) within an infrastructure to have a number of powers. These privileges usually come from and are maintained through the evaluation of entitlements and application access policies.
To make things simpler, we could look at the following example: A privilege could be written into a system to allow all users with the ["Business Analyst" role] within the ["Computing Services Capital Account"] to [issue a purchase request for up to $2000]. But this can only happen [during normal business hours] and [not within 3 business days of quarterly closing]. The expression of a privilege is usually shown as: an [entity with particular identity attributes] can access [an object] using a given [method] under [certain circumstances] but not [some other circumstance].
Privileges are easily suspended and overridden depending on the company's best interests (i.e. an account has been compromised and an account needs to have temporarily restricted access to all resources until the situation is sorted). The suspension of a privilege does not require any de-provisioning of resources or the revocation of any entitlement.
Privilege Management - a system that lets the owner of a resource to modify or assign privileges for applications under the guidance of enterprise policy and business practices. This could also include delegating the creation of privileges to someone else.
Using a privilege management system requires careful coordination between application coordinators, enterprise policy stewards, and enterprise data designers to make sure that streamline the process of auditing and managing user access. Coordinators must also ensure that the constructs and models defined within the privilege management system enable a reasonable amount of sharing.
An example of trouble that could be experienced in such a system is ambiguity caused by the assignment of privileges to certain users within a role that doesn't include such privileges, which causes confusion as to who ultimately has access to a resource.
Provisioning - the process (usually automated) that enables users to use their entitlements to access applications and services.
Registration (credentialing) - the process that gives users their electronic credentials and ties their identity to a particular service. This process ensures that users are tied to the right identity.
Since multiple registrations can use one identification process, the two ("Identification" and "Registration") are defined separately.
Role - an identity attribute that gives users automatic privileges when assigned, for the purposes of access management. Roles may take the form of groups. A group may be a role if it contains people that have a specific set of privileges.
Role-Based Access Control (RBAC) - a model in which users are assigned "roles" that give them a certain level of access to resources. The assignment of a role grants a certain set of entitlements to a user.
Software as a Service (SaaS) - sometimes referred to as "on-demand software," Software as a Service is a computing model in which the running of a piece of software is outsourced to a cloud server. The software is often accessed via a browser. The software and its data are hosted on the cloud.
Security Assertion Markup Language (SAML) - an XML-based standard for exchanging user data (with regards to authentication, authorization, and attributes) between an identity provider and a service provider. This is used, for example, on websites that let users sign in with their Facebook accounts. An SAML transaction happens when the user logs in.
SCIM (System for Cross-domain Identity Management) - a specification designed to make user identity management in cloud-based applications easier.
Security principal - an entity that can be authenticated by a computer or a network.
Service Provider - a host that provides clients with services. A service provider is expected to manage its relationship with an identity provider and trust its capabilities to manage policies required to operate the service responsibly.
Session - a phenomenon that occurs when two entities exchange information. Data flows from these two entities (often client-to-server or server-to-server) to complete tasks. For the purpose of this glossary, the most important information exchanged within a session includes claims for one or both connected entities and time-out information (the amount of time before a session is automatically terminated). Time-out information is important to prevent open sessions from lingering and keeping information about the user floating around, which can later be grabbed by someone else.
Single Sign-on Authentication, or SSO - a service model in which users log into one single platform that gives them automatic log-in access to multiple applications for a certain period of time. Users using this system only have to remember one set of credentials, as opposed to learning a new password for each application. SSO is most often used to refer to "Web Single Sign-on." However, it can also be implemented outside the web (i.e. in an in-house virtualized environment through vSphere/ESXi).
SPML (Service Provisioning Markup Language) - an XML-based standard in which collaborating companies exchange user, service provisioning, and resource data. This service is complex, lacks conformant implementations, and is nearly unsupported by the vast majority of application vendors.
System of Record - a storage system that is designated as the "authoritative source" for a certain piece of data or identity attribute. The system of record is the direct line of access to the data elements it controls, meaning that all modifications to data elements should be brokered via the system of record. Different identity attributes can be controlled by different SoRs, so every SoR must be online and available to respond to requests for the identity attributes under its control.
Trust fabric - a medium by which information (particularly in the healthcare industry) can be exchanged between two or more trustworthy sources. A trust fabric composes a framework that systems rely on to safely exchange sensitive data via secure channels.
Verifier - additional information that seals the bond between the entity and identifier. This is most often a password (bound to a username). Cryptographic signatures are also used for electronic verification of the attributes of online entities (as is seen in X.509 certificates).
eXtensible Access Control Markup Language (XACML) - an XML-based standard of authorization which is used to enhance interoperability between multiple vendors.