Multi-cloud Identity Management
IAM glossary: key Identity & Access Management terms explained
Whether you’re new to identity and access management (IAM) or a seasoned pro, there’s a lot of technical and complex vocabulary that you have to keep straight. It doesn’t take long for your head to start swimming. The concepts can seem similar but are finely nuanced and it’s important to know the distinctions.
Identity and access management is gaining more attention, but it’s not always clear what IAM includes and what some of the terminology means. Let’s explore the concepts, key terms and why IAM matters to your organization. The glossary of key identity and access management terms is a couple of scrolls down below.
What is IAM (identity & access management)?
Identity and access management is a set of processes, policies, and tools dedicated to regulating who (or what) has access to applications in the cloud or on premises. IAM defines and manages the roles and the privileges of each user or device that requests access to these applications.
A user could be anyone, including employees, customers, vendors, and partners. Devices that request access could include smartphones, computers, servers, and more. Each user or device is given a single digital identity, which is maintained and monitored to ensure the right access policies are applied.
IAM is essential to data security in the cloud and on-premises. As bad actors continue to use more sophisticated methods and technologies, IAM helps ensure that your data is secure.
What are IAM solutions?
Businesses are doubling down on their investments in IAM solutions. The market is expected to grow from $13.41 billion in 2021 to $34.52 billion in 2028.
IAM puts the genie back in the bottle so that no matter what environment or application your users are in, user permissions are handled the same way. You can use IAM methods wherever data security is a concern — on-premises, in the cloud, across multiple clouds, or in a hybrid environment.
Modern IAM solutions can also provide additional services, such as account management, compliance management, password management, role management, monitoring and reporting, and user provisioning. Examples of IAM technology are single sign-on (SSO), multi-factor authentication (MFA), role-based access control (RBAC), and privileged access management (PAM). We explore each of these technologies below.
What are the benefits of IAM?
Identity and access management has many benefits, but in general IAM provides better access control and greater security of information.
Your identity system identifies, authenticates, and authorizes users so that only the people who should access certain information can and blocks unauthorized users. IAM security boosts the efficiency and effectiveness of access management across an organization.
Here’s an overview of some of the reasons why you should be investing in IAM:
More secure data
You can make your data more secure by using various IAM approaches. Each user is continually re-authenticated in the background, and is granted the least amount of access while also meeting their needs to accomplish their tasks.
Because IAM is a centralized framework, IT workflows are inherently more streamlined. Make a change in one location and it takes effect across your users, devices, and environments. Automated activities such as password changes free up your staff to do more high-value work.
Often, organizations need to comply with data security regulations such as PCI DSS, HIPAA, GDPR, SOC 2, and many more. IAM tools are invaluable in helping to meet regulatory standards and keep you compliant.
Reduced human error
The automation that’s built into IAM reduces opportunities for human error. Your IT department doesn’t have to grant account permissions manually, and well-written policies ensure that you have consistent practices that are automatically implemented the right way, every time.
Enhanced access to apps across browsers and devices
Using IAM allows system administrators to provide a single sign-on experience, making it easy to access all of your applications across browsers and on mobile devices.
Single sign-on (SSO) lets your employees sign in once and work seamlessly between applications without being interrupted to sign on multiple times.
IAM glossary: defining identity & access management terminology
A great place to gain a greater understanding of IAM is to know the key terminology that you come across. Here’s a definition of IAM followed by Strata’s handy IAM glossary of identity and access management terms, for your quick and easy reference so you don’t get caught by similar terms and acronyms.
Abstraction layer
An abstraction layer separates one thing (here, a set of computing tasks) into two distinct entities. Abstraction is used in computer programming to make a series of complex tasks simpler by breaking them down into their component parts.
Identity Orchestration uses abstraction layers to decouple applications from their identity providers, so that all of your apps can use the same IAM system.
See also: “Identity Orchestration”
Access control
Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization.
Application
An application (or “app” for short) is a software program that can be installed on a computer, laptop, or another device such as a tablet or a smartphone. The term app is usually used to refer specifically to a mobile software application.
Applications often require some kind of authentication and authorization to ensure that only valid users have access to the app and its data. At one time, a username and password were considered sufficient. As technology has evolved, more sophisticated IAM methods became necessary.
Application migration
The act of moving a software application from a legacy server to a new server — for example, from on-premises servers located on-site to cloud servers. When applications are modernized with more sophisticated IAM, legacy on-premises servers are often unable to meet the new performance requirements that cloud servers can satisfy.
Authentication
The process of verifying a user or device and ensuring that the user is who they say they are. For example, a login screen authenticates the user by matching the username with the correct password.
Examples of authentication types include:
- Multi-factor authentication (MFA)
- Two-factor authentication (2FA)
- Token authentication
- Password authentication
- Biometric authentication
A user establishes authentication by presenting credentials that prove they are who they claim to be.
Authorization
Authorization is the process a server uses to determine whether a user has permission to access the requested information, application, or webpage. Authorization usually follows authentication.
Each user is authorized to have certain access privileges — specific applications or areas of an app or defined types of information. Authorization might also include ways that information can be used — such as view-only, commenting, or editing privileges. For example, a department manager may be authorized to view certain employee records or to add comments, but only the HR Director has authorization to add or delete those records.
CAE (continuous access evaluation)
When an application already holds a session, the token backing that session is set to expire at some point in the future. If something happens to the user in the meantime (for example, their account is compromised or they are terminated), there is no immediate cutoff of their sessions in all the other applications; those sessions remain valid until the token times out. CAE is the mechanism that lets a token issuer respond in a timely way to a policy violation or security issue, ending the session before its scheduled expiry.
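The difference between expiry-only session checks and CAE, shown as an added example (not code from the original glossary or from Strata); the token format, the issuer event feed and all sample data are constructed here for illustration:

```python
# Added example (not from the original glossary or from Strata): a session
# validator that contrasts expiry-only token checking with continuous access
# evaluation (CAE). Tokens, the event feed and the sample data are all
# constructed here for illustration; no real issuer API is used.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Token:
    subject: str      # the user the session belongs to
    issued_at: int    # epoch seconds
    expires_at: int   # epoch seconds; expiry-only checks rely solely on this


@dataclass(frozen=True)
class CriticalEvent:
    """An issuer-side signal that sessions for a subject must not continue."""
    subject: str
    reason: str       # constructed reasons: "compromised", "terminated"
    at: int           # epoch seconds when the issuer recorded the event


class CriticalEventFeed:
    """Stand-in for the issuer's event channel that CAE-aware apps subscribe to."""

    def __init__(self) -> None:
        self._events: Dict[str, List[CriticalEvent]] = {}

    def publish(self, event: CriticalEvent) -> None:
        self._events.setdefault(event.subject, []).append(event)

    def latest_for(self, subject: str) -> Optional[CriticalEvent]:
        events = self._events.get(subject)
        return max(events, key=lambda e: e.at) if events else None


def validate_expiry_only(token: Token, now: int) -> bool:
    """Legacy behaviour: the session is honoured until the token times out,
    regardless of what happened to the user in the meantime."""
    return now < token.expires_at


def validate_with_cae(token: Token, now: int,
                      feed: CriticalEventFeed) -> Tuple[bool, str]:
    """CAE behaviour: expiry still applies, but a critical event recorded at or
    after the token was issued ends the session immediately."""
    if now >= token.expires_at:
        return False, "expired"
    event = feed.latest_for(token.subject)
    if event is not None and event.at >= token.issued_at:
        return False, f"revoked: {event.reason}"
    return True, "ok"


def demo() -> Dict[str, object]:
    """Constructed scenario: a one-hour token, then the user is flagged as
    compromised 5 minutes later while the token is still unexpired."""
    feed = CriticalEventFeed()
    token = Token(subject="alice", issued_at=1_000, expires_at=1_000 + 3_600)
    feed.publish(CriticalEvent(subject="alice", reason="compromised", at=1_300))
    now = 1_400
    # A token minted after the event (the user re-authenticated) is valid again.
    fresh = Token(subject="alice", issued_at=1_500, expires_at=1_500 + 3_600)
    return {
        "expiry_only_still_valid": validate_expiry_only(token, now),
        "cae_result": validate_with_cae(token, now, feed),
        "cae_fresh_token": validate_with_cae(fresh, 1_600, feed),
        "cae_after_expiry": validate_with_cae(token, 5_000, feed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```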
Cloud computing
The delivery of computing services over the internet — for example, servers, storage, databases, networking, software, analytics, and intelligence. Cloud services typically provide greater computing power and speed, security, and data storage.
As more companies migrate to the cloud, their sensitive data is also moving to the cloud. And because most organizations are using multiple clouds, data is scattered across a multi-cloud landscape.
Cloud migration
Moving data or an application from on-premises servers to a public cloud provider’s servers. Often, organizations move to multiple clouds to take advantage of the various benefits that different public clouds provide. Cloud computing provides tools, storage, security, software, and services that on-premises servers can’t offer.
Cybersecurity Mesh Architecture (CSMA)
As identity silos introduce challenges for organizations, cybersecurity becomes increasingly complex and difficult to manage. Gartner has defined CSMA as a concept designed to help companies address silos using a collaborative and flexible approach.
CSMA takes a modular approach, using a set of supportive layers to achieve better security with fewer resources. This includes a distributed identity fabric — an abstraction layer that focuses on providing identity and access management services. Cybersecurity Mesh Architecture is particularly useful in hybrid, multi-cloud environments.
Distributed identity
Distributed identity (sometimes called decentralized identity) is what happens when companies adopt a multi-cloud or hybrid-cloud strategy. Digital identities are stored in multiple places, or distributed locations. The person associated with those identities needs to control access to their personal information.
Because identities are stored in multiple locations, using different IDPs, distributed identity inherently creates identity silos. See “Identity silos.”
Defense in depth (DiD)
Defense in depth (DiD) is an approach in which a series of security mechanisms and controls are thoughtfully layered throughout a computer network to protect the confidentiality, integrity, and availability of the network and the data within it.
End of life (EOL)/ end of support
End of life occurs when a software application (or an older version of the application) is no longer being supported by the developer or vendor.
Recently, several on-premises IDPs have approached end of life, making it necessary to move legacy applications to the cloud, where they can be supported.
Federation
Federation is a system of trust between two parties for the purpose of authenticating users and conveying the information needed to authorize their access to resources. In this system, an identity provider (IDP) is responsible for user authentication, and a service provider (SP), such as a service or an application, controls access to resources.
Hybrid cloud
The combination of an on-premises data center with a public cloud that shares data and applications. A hybrid cloud solution allows organizations to use the cloud as needed when demand exceeds their on-premises data center’s capabilities.
Most enterprises today have a hybrid infrastructure, because they rely on several legacy applications that weren’t developed for a cloud environment. It can be challenging to build interoperability between on-premises and cloud systems, often leaving organizations struggling to find a robust hybrid cloud strategy.
Identity and access management (IAM)
Identity and access management (IAM) is an approach that manages and organizes all of your user identities into one system with a consistent set of rules and policies. The purpose is to ensure that the right users have the right access to the right resources at the right time. IAM includes systems and processes that work together to assign a single digital identity to each user. The user is authenticated when they log in and authorized for specific access. IAM also monitors and manages those identities throughout their life cycles.
Identity and access management is critical to an organization’s security program because it stands between users and sensitive information. IAM must ensure that only the right people have the right access to the right data and controls.
Identity & application migration
Migration generally means moving from old legacy identity systems to new, modern, cloud-native identity systems. A migration has two components: user identity migration and application migration. Identity here refers to the people (and their accounts) registered to use a computing system.
Many companies that migrate to the cloud also invest in modernization. Modernization involves updating applications to make them cloud-native. Modernized applications benefit from a more complete support of the cloud architecture, which enables them to meet today’s (and tomorrow’s) business requirements.
Identity fabric
A distributed identity model for managing the identity silos that come with each cloud in a multi-cloud environment. An identity fabric is an abstraction layer that uses orchestration to manage identity providers across multiple clouds. The identity fabric makes it possible for distributed systems to overcome the siloing effect and use the same IAM methods.
Identity Orchestration
Identity Orchestration refers to a logical identity fabric that ensures identities and user access policies are consistent across disparate identity systems and multiple locations, both in the cloud and on-premises. It allows distributed identity systems to work as one and lets organizations choose best-of-breed solutions without getting locked into one identity vendor.
Identity Orchestration lets you access your apps the same way, no matter where they run or which identity system you use. Strata’s Maverics platform is the first Identity Orchestration Platform to provide this solution.
Identity provider (IDP/IdP)
An identity provider (IDP) is a system that creates, maintains, and manages a user’s digital identity. It assigns a unique set of credentials for each user and also handles authentication services for an app within the network. IDPs are third-party services that are trusted to securely store and manage your organization’s digital identities.
IDPs communicate with service providers and with each other using standards such as SAML (Security Assertion Markup Language) and OAuth (Open Authorization). Examples include Auth0, ForgeRock Identity Cloud, IBM Security Identity and Access Assurance, Microsoft Azure Active Directory, Okta, Oracle Access Manager, and Ping Identity.
Whatever IAM solution you choose, be sure that it will provide all of the capabilities you will need now, as well as in the future. IAM is a constantly evolving domain, and vendor lock-in has prevented many companies from modernizing their systems as new technologies emerge.
Identity silos (A.K.A. identity domains)
Identity silos or identity domains are the separate places where user identities exist: systems that are not interoperable and can’t communicate with each other. Identity silos make it difficult to gain a comprehensive view of a user base and create opportunities for data breaches.
As enterprises move their identities to multiple clouds, they also use a different identity provider (IDP) for each cloud. Because every IDP has its own proprietary system and structure, distributed identities don’t interact with each other. A silo effect is created.
Identity verification
The process of ensuring that a user is who they claim to be. Verification uses a set of characteristics or traits that are unique to specific users. For example, MFA requests something the user knows (e.g., a username or password), something they own (e.g., a one-time code sent to their phone), and/or something they are (e.g., biometric information).
Legacy application
A legacy app, or application, is a software application that was written for an earlier, frequently on-premises operating system or hardware platform. For example, the app may have been intended to be installed directly on a desktop computer rather than developed as a SaaS application.
Legacy apps pose a challenge to modern identity management because they were designed to work with outdated technologies. Often, the only way to modernize these applications is to rewrite the code itself — an expensive and lengthy process.
Legacy identity system (IDP)
An identity management system that is built on an older, on-premises platform. As companies invest in modernizing for the cloud and multi-cloud environments, legacy systems will provide challenges that must be addressed. These on-premises apps aren’t built for a cloud environment, and they weren’t designed for modern identity management.
Increasingly, organizations will need to find solutions that bridge the gap to provide modern IAM solutions without requiring apps on legacy systems to be completely refactored.
Lift & shift cloud migration process
Also known as “rehosting,” this process migrates an exact copy of an application or workload from one IT environment (typically on-premises) to another (usually the cloud). This strategy is faster and simpler because it doesn’t involve any change to the application architecture or the code.
Multi-cloud
The use of two or more cloud services — for example, Microsoft Azure, AWS, or Google Cloud Services. Multi-cloud services give companies greater flexibility to optimize performance, cut costs, and use the best cloud technologies.
As more organizations invest in multi-cloud computing, it will become increasingly challenging to manage identities across multiple clouds and identity providers. Seamless user experiences will become threatened because each vendor has its own IAM methods that don’t always play well with others.
Multiple clouds mean multiple IAM systems, which creates identity silos that don’t talk to each other. A challenge for IAM is to overcome these data silos so that organizations can have a single IAM posture across all applications.
Multi-factor authentication (MFA)
MFA uses multiple ways to confirm a user’s identity when they attempt to sign in to an application. Multiple factors make it more difficult for an unauthorized user to gain access. One example of MFA is a password, paired with a text or email confirmation.
MFA requires users to provide multiple factors to prove their identity. It’s a more robust authentication method than simple password authentication because it asks you to provide something you know (e.g., a username or password), something you own (e.g., a one-time code sent to your phone), and/or something you are (e.g., biometric information).
On-premises identity system
An identity management system that uses on-premises software. See also “Legacy identity system.”
Orchestration
The automated configuration and management of computing systems. Orchestration helps IT to more easily manage complex tasks and workflows.
In the multi-cloud environment, orchestration provides a way to manage identity and overcome the challenges of identity silos.
See also: “Identity Orchestration”, “Identity fabric”
OpenID Connect (OIDC)
OpenID Connect (OIDC) is an authentication protocol. It verifies a user’s identity when they try to access a protected HTTPS site. Most IAM products support several authentication protocols, including Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and System for Cross-domain Identity Management (SCIM).
Password management
A set of principles and best practices for choosing, storing, and managing your passwords. The idea is to make sure that passwords are protected from unauthorized users.
Compromised user credentials are among the most common means by which attackers gain access to a company’s networks. At one time, a user password was enough to protect your sensitive data, but passwords alone are no longer considered effective protection against bad actors.
As technology has evolved, so has the need for more advanced identity systems. To protect their data and their people, organizations are turning to identity and access management (IAM) systems (e.g., Auth0, Cisco Duo, Fischer Identity, ForgeRock, or IBM).
Password policy
A set of rules that enforce password settings. For example, your company’s password policy may require a minimum number of characters, a mix of upper- and lowercase letters, and special characters.
A password policy helps make your data more secure when it incorporates multi-factor authentication, requires strong passwords, forces scheduled password changes, and even implements passwordless authentication. Each user is continually re-authenticated in the background and is granted the least amount of access that also satisfies their need.
Passwordless authentication
Passwordless authentication is the process of verifying a user’s identity without using a password. These methods often include biometrics or a secondary device.
More than 80% of data breaches occur because of weak or stolen passwords. When you consider the number of cyber attacks is increasing by 50% each year, it’s critical to implement a solution that can reduce the chances of a data breach.
Privileged access management (PAM)
Similar to RBAC, PAM identifies the users and technologies that need privileged access and assigns specific policies to them.
Role-based access control (RBAC)
Users are assigned certain types of access permissions based on their role within the system — for example, a user, an editor, an administrator, or a super user. Role-based access prevents users from gaining access to information they shouldn’t have, which also reduces the damage that can occur if a bad actor gains control of a user’s account.
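A deny-by-default RBAC authorizer for the HR-records scenario in the Authorization entry above (a manager may view and comment, only the HR Director may add or delete), as an added example that is not code from the original glossary or from Strata; role names, users, resources and actions are constructed for illustration:

```python
# Added example (not from the original glossary or from Strata): a
# deny-by-default, role-based authorizer for the HR-records scenario the page
# describes. Role names, users, resources and actions are constructed here.
from typing import Dict, FrozenSet, List, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Each role carries only the permissions that role needs (least privilege).
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "employee": frozenset({("own-record", "view")}),
    "department-manager": frozenset({
        ("employee-record", "view"),
        ("employee-record", "comment"),
    }),
    "hr-director": frozenset({
        ("employee-record", "view"),
        ("employee-record", "comment"),
        ("employee-record", "add"),
        ("employee-record", "delete"),
    }),
}

# Constructed role assignments; access is decided by role, not by user name.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"department-manager"},
    "dana": {"hr-director"},
    "bob": {"employee"},
}


def effective_permissions(user: str) -> FrozenSet[Permission]:
    """Union of the permissions of every role the user holds. Unknown users and
    unknown roles contribute nothing, so the check fails closed."""
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def authorize(user: str, resource: str, action: str,
              audit: List[Dict[str, str]]) -> bool:
    """Deny by default: allow only if (resource, action) is among the user's
    effective permissions. Every decision is appended to the audit list so
    denied attempts can feed detection and review."""
    allowed = (resource, action) in effective_permissions(user)
    audit.append({
        "user": user, "resource": resource, "action": action,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def excess_permissions(user: str, needed: Set[Permission]) -> FrozenSet[Permission]:
    """Least-privilege review: permissions the user holds beyond what their
    tasks actually require."""
    return effective_permissions(user) - frozenset(needed)


def demo() -> Dict[str, object]:
    audit: List[Dict[str, str]] = []
    results: Dict[str, object] = {
        "manager_comment": authorize("alice", "employee-record", "comment", audit),
        "manager_delete": authorize("alice", "employee-record", "delete", audit),
        "director_delete": authorize("dana", "employee-record", "delete", audit),
        "unknown_user_view": authorize("carol", "employee-record", "view", audit),
    }
    results["denied_attempts"] = [e for e in audit if e["decision"] == "deny"]
    # If Dana only ever views and comments, the add/delete grants are excess.
    results["dana_excess"] = excess_permissions(
        "dana", {("employee-record", "view"), ("employee-record", "comment")})
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```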
Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider. It simplifies the login experience for users, letting you access multiple applications with a single set of credentials that you only have to enter once.
Because IAM systems need to integrate with various systems, most IAM products support several standards, including Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and System for Cross-domain Identity Management (SCIM).
Secure hybrid access
Secure hybrid access is a Microsoft tool that provides secure remote access to on-premises web applications. Strata’s Maverics platform works with Microsoft, provides secure hybrid access, and helps organizations achieve zero trust.
Single sign-on (SSO)
Single sign-on, or SSO, is an IAM service that allows users to log into a system once, on a single page, and have access to all of their applications within the system. SSO lets your employees sign in once and work seamlessly between applications without being interrupted to sign on multiple times.
Two-factor authentication (2FA)
Two-factor authentication fortifies the security of accounts by requiring two factors to log in — usually, something you know (login credentials) and something you possess (e.g., your phone).
Requiring two factors helps ensure that the authentication request comes from a trusted user and not a bad actor who stole the password. While a hacker may be able to get a password, it’s much less likely they will also have possession of the user’s phone as well.
Two-factor authentication can use several different types of authentication, including tokens, passkeys, biometrics, and verification codes.
Verifiable credentials
A verifiable credential is a set of one or more claims made by an issuer. It is tamper-evident, and its authorship can be cryptographically verified. The claims in a credential can be about different subjects.
Zero trust
Zero trust is a data security approach that assumes the system is already compromised and prevents access to requested information until the user’s identity can be verified. In essence, it follows the philosophy of “trust no one and verify everything.”
As attackers’ technologies and techniques continue to advance, it is increasingly necessary to base the management of identity on the pillars of zero trust: least-privilege access and continuous authentication.
These pillars work together to ensure that no user has more access or permissions than they absolutely need on a moment-by-moment basis. As soon as the context changes, the user’s activities are re-evaluated.
Zero trust, or a zero trust architecture (ZTA), is a framework and not any particular technology solution.
The future of IAM
Not only does IAM protect your company’s data, but it also gives you the tools to make the user experience more streamlined and more enjoyable. The need for better user experiences is increasing significantly.
According to Gartner, by 2024, organizations that provide better IAM user experiences will outperform competitors by 25% in satisfaction metrics for both customer and employee experience.
New IAM innovations are continuously introduced as the need for more advanced technologies increases. Moving into 2023 and beyond, we can expect to see several developing trends in IAM.
Use this list of identity and access management key terms as a cheat sheet to keep track of the acronyms and similar words that can trip up IAM newbies and lifers alike. Did we leave any off the list? Let us know! Or if you would like to learn more about how Identity Orchestration can help you better manage your IAM, please reach out.