The Abridged Identity and Access Management (IAM) Glossary

As a field within cybersecurity, Identity Management is undergoing rapid expansion as the importance of securing credentials becomes increasingly evident. Insider threats—or the fear of them—continue to plague enterprises across the globe. An estimated 80% of breaches involve stolen user credentials.

To deal with these dangers, new subcategories and tools within Identity Management seem to sprout up by the day with a flood of jargon to match. Cutting through all the jargon to determine what solution would meet your needs or which tools you need the most can be a daunting task.

We’ve gathered and outlined the more confusing Identity and Access Management jargon to help you process your needs more effectively. We’ll make sure to update this post as we curate more jargon definitions, but in the meantime here are the terms you most need to know as you think about your Identity Management solution in 2018:

Identity and Access Management (IAM)—IAM is a framework for managing the digital identities of users, including the organization and support necessary. With an IAM solution, IT managers can control what network data users can access, based on their roles within the enterprise. IAM also gives visibility into what users do while acting under their identities.

Access Management (AM)—Access Management focuses on granting or denying authorization to use a service. While IAM is focused on the user and their attributes, AM is about applying authorization policies to the user or role. Additionally, AM tends to be more absolute in its judgments—YES/NO—whereas IAM can be more granular in its permissions to certain users based on what data is essential to their role.
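To make the IAM/AM distinction above concrete, here is a small added example (not code from the original post): identities carry roles, roles map to granular data permissions (the IAM side), and an access-management check reduces that to a yes/no decision for one resource and action, recording each decision for later review. The role names, permission strings and users are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy: each role maps to the "resource:action"
# permissions essential to that role. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "analyst": {"reports:read"},
    "finance": {"reports:read", "ledger:read", "ledger:write"},
    "admin": {"reports:read", "ledger:read", "ledger:write", "users:manage"},
}

# In-memory decision log; a real deployment would ship this to an audit store.
AUDIT_LOG = []


@dataclass(frozen=True)
class Identity:
    """A digital identity: who the user is and which roles they hold."""
    username: str
    roles: frozenset


def permissions_for(identity):
    """IAM view: the granular set of permissions derived from the user's roles.

    Unknown roles contribute nothing, so a typo in a role name fails closed.
    """
    perms = set()
    for role in identity.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(identity, permission):
    """AM view: a single YES/NO answer for one resource:action request."""
    return permission in permissions_for(identity)


def authorize_and_record(identity, permission):
    """Decide, then record the decision so it can be reviewed or audited."""
    decision = is_authorized(identity, permission)
    AUDIT_LOG.append(
        {"user": identity.username, "permission": permission, "allowed": decision}
    )
    return decision


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"analyst"}))
    bob = Identity("bob", frozenset({"finance"}))
    for who, perm in [(alice, "ledger:write"), (bob, "ledger:write")]:
        print(who.username, perm, "->", "ALLOW" if authorize_and_record(who, perm) else "DENY")
```

The point to notice is that the roles define the granular scope, while the access-management check is deliberately binary and denies by default: a user with no matching role, or a misspelled role, gets nothing rather than something.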

Identity Governance and Administration (IGA)—IGA is the policy-based centralized control of IAM, with the goal of not only bolstering security but also ensuring regulatory compliance. IGA can enforce, review, and audit IAM policies and activities, and also record them. This has the added benefit of ensuring consistency in IAM policies by defining which roles have access to which data.

Privileged Identity Management, Privileged Access Management, Privileged Identity Access Management (PIM, PAM, PIAM, respectively)—Many names for what is essentially the same goal: the monitoring and protection of privileged user (sometimes called superuser) accounts in an IT environment. This kind of management is vital because such powerful accounts can wreak an equivalent amount of damage through leaks or disruptions if their credentials fall into the wrong hands.

Identity-as-a-Service (IDaaS)—Defined by Gartner as the delivery of IAM solutions as a service via the cloud in a multitenant or dedicated model. IDaaS solutions deliver core identity governance, access, and intelligence capabilities to customers' systems, both on-premises and in the cloud. The service can simplify IAM application deployment and usage.

Biometrics—Short for biometric authentication, this tool uses distinct physiological characteristics as an authentication method. These characteristics might include fingerprints, faces, or irises, which are processed via recognition software. This is a developing field but one that is receiving increasing attention from the public as the field transitions away from the traditional username/password paradigm.

Authentication—The process of verifying an individual as a legitimate user/actor in an enterprise's network. Passwords are the most well-known authentication method.

2-Factor Authentication—An evolution of typical authentication methods, 2-factor authentication involves the user providing two pieces of verifying information to confirm their identity before they are granted access. Often, this involves supplying something the user knows, such as a password or PIN, and something the user possesses, such as a security token or a card.

Multifactor Authentication—An even further step in authentication maturity, multifactor authentication requires multiple pieces of information from the user before they are granted access. This information can include passwords and an ownership factor like a security token, but also geofencing (ensuring the user is logging in from the location they should be rather than a distant country), Bluetooth device proximity (in which a device registered to the user is close to the endpoint the login occurs on), and swipelocks (a password variation where the password is a movement on the mobile device screen).

Multifactor authentication can be programmed so that it requires more verifying information only if an identity is in doubt or is trying to access more sensitive information.
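The conditional ("step-up") behaviour described above can be shown as a small policy engine. This is an added example, not code from the original post: a login context carries the knowledge factor (password), a possession factor (token), and two contextual signals the post mentions (geofence and registered-device proximity). Low-risk logins to ordinary resources pass on one factor; any risk signal or a sensitive resource raises the requirement to two. The trusted-country set, sensitivity labels and sample logins are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed assumption: countries the organization expects logins from.
TRUSTED_COUNTRIES = {"US"}


@dataclass(frozen=True)
class LoginContext:
    """Everything the policy knows about one login attempt (constructed fields)."""
    username: str
    password_ok: bool             # knowledge factor verified
    token_ok: bool                # possession factor (security token) verified
    country: str                  # where the login originates
    registered_device_nearby: bool  # Bluetooth proximity of the user's device
    resource_sensitivity: str     # "low" or "high"


def risk_signals(ctx):
    """Contextual signals that put the identity in doubt."""
    signals = []
    if ctx.country not in TRUSTED_COUNTRIES:
        signals.append("geofence")
    if not ctx.registered_device_nearby:
        signals.append("no_device_proximity")
    return signals


def required_factors(ctx):
    """Step-up rule: two factors if the identity is in doubt or the
    resource is sensitive, otherwise one."""
    if ctx.resource_sensitivity == "high" or risk_signals(ctx):
        return 2
    return 1


def satisfied_factors(ctx):
    """Count the factors the user has actually proven."""
    return int(ctx.password_ok) + int(ctx.token_ok)


def evaluate_login(ctx):
    """Return "deny", "allow", or "step_up" (prompt for another factor)."""
    if not ctx.password_ok:
        return "deny"  # a failed primary factor is never stepped up, only refused
    if satisfied_factors(ctx) >= required_factors(ctx):
        return "allow"
    return "step_up"


if __name__ == "__main__":
    routine = LoginContext("alice", True, False, "US", True, "low")
    sensitive = LoginContext("alice", True, False, "US", True, "high")
    abroad = LoginContext("alice", True, True, "XX", True, "low")
    for ctx in (routine, sensitive, abroad):
        print(ctx.username, ctx.country, ctx.resource_sensitivity,
              risk_signals(ctx), "->", evaluate_login(ctx))
```

Two design choices matter here. A wrong password is refused outright rather than prompting for a second factor, so the second prompt never confirms to a guesser that the first factor was right. And the risk signals are only ever used to demand more proof, never less, so a "trusted" location cannot be used to skip a factor the resource already requires.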

Single Sign-On (SSO)—An access management tool that helps manage multiple interrelated software or applications. When a user is granted access via single sign-on, they are granted access to an interconnected series of the enterprise’s software and apps. This reduces the need for multiple passwords and usernames, which in turn reduces password fatigue and losses.

Federated Identity Management (FIM)—An identity management solution in which multiple enterprises, whether distinct or under an umbrella company, allow users to use SSO to access all of their networks. This saves mutual costs and simplifies information sharing, but requires trust among the enterprises to work.

Insider Threat—A security risk that stems not from an external hacker but from an employee (whether current or previous) within the enterprise. These employees may have access or may fraudulently obtain access to sensitive data or resources, which they could leak or exploit. IAM solutions are designed in part to prevent such threats.   

While most companies fear malicious threats by deliberate actors seeking to damage the enterprise, many more insider threats come from employee negligence or ignorance. These insider threats may result from employees sharing their credentials via unsecured email or falling victim to a spear-phishing campaign. Importantly, accidental insider threats are no less dangerous than malicious ones.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.