The unique need for enterprise security is changing the way…
… enterprise owners & corporate executives are adopting Identity and Access Management (IAM) solutions.
The worldwide cost of cybercrime will extend by 15% per year over the coming five years, as per cybersecurity ventures.
Therefore, to combat such neck-breaking security threats, enterprises should leverage IAMs & understand the key terminologies associated with this discipline.
Glossary of Terms Associated with IAM:
It is a mechanism of identifying, controlling, tracking & managing authorized users of an organization who takes access to the enterprise network or system through IAM software.
It also deals with providing the privileges and level of access for every employee as well as groups within the system.
IAM solutions provide authorized access management services to protect the enterprise resources against unauthorized access and breaches.
Authentication, in context to computer security, is the process of assuring and verifying the user through his/her valid digital identity.
It is a security mechanism where a user needs to validate his or her identity to make a successful login attempt for accessing any resource.
It is the process of giving authority to a user to access a resource as well as determine the access level and privileges towards a particular enterprise asset or resource.
Adaptive Multi-Factor Authentication:
It is a technique of adapting to login parameters dynamically, based on different authentication scenarios and situations.
Once the system identifies that the login was suspicious or not from usual parameters like browser, geolocation, etc., adaptive multi-factor authentication turns on, asking for an additional authentication factor to re-verify the user.
These are specific sorts of security credentials that help identify a user during authorization attempts.
Some well-known authentication factors are biometric authentication, hardware-based authentication, smart authentication, password less authentication, etc.
It is the overall surface area, attack vector, or the number of potential points within the software’s environment where the threat actor or unauthorized user can attack or perform malicious actions to compromise it or breach its data.
It is a technique where the attacker systematically attempts all the possible letters using permutation and combination.
The entire operation takes place with the help of an automated script that leverages computer processing to find the right combination of passwords to enter an account.
A breach or security breach is a cyber incident where an attacker maliciously or without authority gains access into a system, network, or computer.
In other words, it is a break-in action accomplished by an attacker to steal sensitive information or harm the system of an organization.
Central Authentication Service (CAS):
It is a protocol that provides a single sign-on service for the web and other applications.
Its primary function is to authorize users to access numerous applications by providing a single login credential.
Cloud Identity Management:
These are identity management solutions hosted on the cloud that provides authorization and authentication functions.
It is an alternative to traditional identity management systems, where the user identity gets handled on-premises in a monolithic application.
In cloud identity management, the entire identity infrastructure runs on the cloud.
It also caters to various types of authentications like single sign-on, multi-factor authentication, hardware-based authentication, etc.
Credentials are data used for verification purposes for identifying legitimate users during authentication.
This data resides in the server or cloud.
When users try to login to the application, the application matches those credentials stored in the cloud to provide the required access.
Some well-known user credentials are username, phone number, email ID, PIN, passwords, paraphrases, etc.
Customer Identity & Access Management (CIAM):
Customer Identity & Access Management are customer-centric IAM solutions that enhance customer experience by providing access control & identity security concurrently.
All customer-facing apps can leverage CIAM solutions for digital identity-based authorization and authentication services.
Companies can leverage CIAM solutions either as IDaaS (that are based on the cloud) or on-premises (set up in-house).
Data Breach Prevention:
It is a practice of protecting data that includes software, techniques, people, and processes.
For defending a system against a data breach, enterprises should provide well-maintained user authentication and authorization process.
Directory services are functional units that act as the authoritative identity provider (IdP) for the entire organization’s IT infrastructure.
They help in storing, managing & delivering access to the data in a directory, for various digital entities of IAM like users, resources, devices, groups, etc.
Directory services are extremely important for user authentication and authorization throughout the digital workspace.
It is the process of revoking access control or privileges for a particular user from any application.
Organizations perform de-provisioning when an employee leaves an organization and all his/her access to resources and systems is removed completely by the admin.
It is a concept that uses the process of linking a user’s digital identity & attributes across various identity management solutions.
Because of this technique, users can quickly move between different systems and applications while preserving security.
Most organizations run through employees, and therefore, each employee should have their respective identity.
Identity management is a process that every enterprise employs to assure that every individual has the appropriate access they need to the company’s resources.
It is an entity or service of the IAM that helps construct, support, & manage identity information for different verified users.
It also delivers authentication services & is hosted in the cloud.
Such services work closely with single sign-on (SSO) systems for authenticating the users.
Incidence Response Planning:
It is the process of having a planned reaction (documentation) in situations where a cyber-attack occurs.
Such situations might be a data breach or a cyber investigation drill to check whether an attack is possible or happened.
Having an incident response plan in place helps the firm take prompt action and decisively act upon it when a security incident occurs.
JSON Web Token (JWT):
It is a JSON-based token that is based on an open standard (RFC 7519) and represents a few claims.
These claims determine that the holder is authentic & authorized to take access to a particular requested resource.
These web tokens get stored in a JSON format.
It includes data and standardized fields like subject, issuer, and expiry.
Lightweight Directory Access Protocol (LDAP):
Lightweight Directory Access Protocol is a unique, open, cross-platform protocol that helps in interacting with a hierarchical directory service for authentication and authorization.
These directory services maintain a database of details like user IDs, passwords, computer accounts, authentication details, etc.
Least Privileged Access Control:
This technique helps in providing legitimate access, performing routine checks, and monitoring unauthorized access.
It is a concept used to restrict the access of a particular user by limiting the user from giving certain privileges.
It helps in configuring various IAM security policies, usage monitoring, location tracking, and allowing the operation for provisioning and de-provisioning.
It also comprises wiping of data remotely from devices.
These devices could be company-owned or employee-owned devices.
Multi-factor authentication (MFA) is an electronic form of authentication where multiple digital factors remain involved for performing a typical sign-in.
Two-factor authentication is the more common form of authentication.
MFA determines better system security, especially to prevent a system from credential compromise.
It is because each added authentication factor requires extra effort to compromise, making the system stronger.
For example, after username and passwords, the authentication system might ask for OTP or biometric authentication.
OAuth 2.0 is abbreviated as open authorization version 2.0.
It acts as a standard for allowing applications and websites to gain access to resources that remain hosted by other web apps on behalf of that user.
This standard means of accessing the user data is supported by various IAM solutions.
It is the second major version of OAuth and is not compatible with OAuth 1.0.
OpenID Connect (OIDC):
It is an authentication protocol and a basic identity layer that works on top of the OAuth 2.0 protocol.
Through this, 3rd-party applications can identify end-users & acquire basic user profile details.
It employs JSON web tokens (JWTs) and allows single sign-on method over multiple applications.
One Time Password (OTP):
One Time Password is like a password or alphanumeric code that users can use only once.
Systems often use this with other authentication mechanisms like password-based authentication, as an additional factor for robust security.
There are 2 main types of OTPs.
The first one is HMAC based One-time Password (HOTP).
Here in HOTP, H stands for HMAC (Hash-based Message Authentication Code).
The other one is Time-based One-time Password (TOTP).
For HOTP, the OTP remains valid till a new hash gets generated.
For the TOTP, time is the key factor on which the OTP’s validity depends.
Passwordless authentication is a technique of verifying users digitally without leveraging any passwords.
So, to identify the user, this authentication mechanism includes confirming the possession of a secondary device (through OTP or magic link) or other security traits that are unique to each individual, such as their face, voice, or fingerprint.
Leveraging this mechanism in the IAM reduces the risk of password-stealing or any other password-based attacks.
It is the process of enabling some resources or enterprise systems available for the user.
Based on the organization’s requirements, the IAM admin can render provisioning to the user.
The admin can establish an identity and associated access arrangement in a software system.
For example, when a new employee on-boards, the admin does the provisioning of what resources the employee can access and with what privileges.
It is a prevalent social engineering attack, where cyber criminals practice to deliver fraudulent communications, emails, or web pages that will look legitimate & the victim will become the prey of the cyber criminals.
They mainly perform this attack to reveal or steal sensitive information from the target victim.
Security Assertion Markup Language (SAML):
It is an open standard mechanism for exchanging authentication & enables identity providers to deliver authorization details to service providers (SP) or different parties.
It uses XML language as a standard data-interchange tool for standardized contacts between the identity provider and services.
Single Sign-On (SSO):
It is a user authentication and session authentication service that enables users to perform federated login using a single login credential.
For example, a single user credential such as login ID and password or biometric authentication allows users to login to other applications based on that same login session.
Working with an organization’s intranet leverages this the most.
Many companies like Facebook, LinkedIn, etc., allow you to login to Facebook or LinkedIn account through your already logged-in Gmail account.
Service provider (SP):
A service provider is a system that delivers generic services that are there within an IAM.
Users can enjoy login to a federated systems through the service provider by different ways of authentication.
In other words, it is a federated partner that renders services to the end-user.
It does not authenticate users but instead asks for determining authentication from an identity provider.
Also known as a security token, is a technique of authenticating multiple applications through signed cookies comprising session state information.
It acts as an electronic security key that allows a user to establish and confirm his/her identity by storing specific personal data like a digital certificate.
Token authentication generates tokens that help in re-authentication as the user returns.
It is also known as Two Factor Authentication (2FA), which adds an additional security layer for making sure that people who are gaining access to an online account re-verifies themselves through two different factors.
In a normal scenario, the user enters their username and password.
Once this authentication mode is done successfully, they will be asked to supply another piece of information such as OTP or biometric authentication.
Universal Authentication Frameworks (UAF):
FIDO Alliance developed Universal Authentication Frameworks (UAF) to enable a safe passwordless experience, by leveraging one or more security factors on their digital devices.
For enabling such a universal authentication structure, the user has to provide a local biometric or PIN to the system.
It is the process of approving business rules that determine the various conditions under which a system’s action can proceed.
The network admin or the security professional handling the IAM will set these validation rules, so that no employees violate the policies.
This helps to maintain a secure work environment.
Zero Trust Security Model:
It is a security framework by Forrester Research.
According to this principle, users should continuously validate themselves through authentication mechanism.
Users are also responsible for configuring security posture before gaining or maintaining access to enterprise resources or networks.
Secure your enterprise right now – Start 15 Days Free Trial