Glossary


A

The process of controlling user access across a wide range of applications, systems, and resources belonging to an organization. This process encompasses all policies, processes, methodologies, and tools that enable system administrators to grant access to authorized users while preventing access to unauthorized users. Access management is a continuous process and requires periodic auditing to ensure that access rights are updated in sync with changes in the employee lifecycle.

A directory service developed by Microsoft for the Windows domain networks. Organizations use Active Directory (AD) to control which users have access to certain resources. AD stores data as objects, such as users, groups, applications, or devices, and handles the interaction of objects with the domain. For example, AD verifies access when a user signs into a device or attempts to connect to a server over a network.


A concept of using contextual data, such as user location, time of day, and IP address, to evaluate access requests. The adaptive authentication policies are triggered to require additional authentication steps only when contextual data indicates anomalous access behavior. With adaptive authentication, organizations can provide a better authentication experience for users while keeping company resources and data protected.

A service that evaluates each access request to determine if an additional factor of authentication is needed before access to requested resources is granted. Adaptive Multi-Factor Authentication uses machine learning to build a baseline profile for each user, leveraging user-specific contextual attributes such as location, device, network, and time of the access request. This enables organizations to analyze access requests against historical patterns, assign risk to each access attempt, and create step-up authentication policies that are triggered when anomalous behavior is detected.

The Idaptive App Gateway enables you to set up secure, per-app access to your on-premises applications without a VPN. With App Gateway, you can access applications that do not support modern authentication protocols based on application URLs, users, groups, and network information without exposing your entire network, installing hardware, or changing firewall rules.

B

An approach to authentication that allows end-users whose identity and credentials are managed by a third party to access corporate resources. For example, instead of requiring users to create a new username and password to access a particular resource, an organization can allow access by leveraging users' existing social identities such as Facebook, Twitter, LinkedIn, Google, or Amazon.

The practice of allowing the employees of an organization to use their personal computers, smartphones, or other devices for work purposes. Employee-owned hardware can pose security risks to the organization if allowed to connect to the corporate network or access corporate data without preventative measures.

A brute force attack is a trial-and-error method used to obtain information that can lead to unauthorized access to protected data. In a brute force attack, an automated process is used to generate a large number of consecutive guesses as to the value of the desired data. For example, brute force attacks may be used to guess user credentials or crack an encrypted data archive.

C

Customer identity and access management (CIAM) is a software solution that enables organizations to manage customer identity and profile data and control customer access to applications and services. CIAM solutions ensure that customers have a seamless experience registering and managing their accounts, accessing applications and services from any device with single sign-on (SSO), and protecting their data with multi-factor authentication (MFA) capabilities.

Continuous authentication refers to a process of continually monitoring user sessions and evaluating the probability that a particular user is who they claim to be. The user is required to reverify their identity to continue the session if the probability that the user has changed is high. For example, continuous authentication can detect unusual shifts in a user's behavior if a user's device is left unattended and an impostor takes over the session. The goal of continuous authentication is to deliver intelligent, secure, and ongoing identity verification without interrupting the workflow.

D

Delegated administration refers to the concept of assigning limited administrative privileges to a user or a subset of users that will allow them to perform certain actions on a specific object, group objects, or applications. For example, an organization can grant members of the Sales Team administrative rights to the Salesforce application without providing admin access to any other application or service.

E

An endpoint refers to any device outside the corporate firewall, including servers, workstations, smartphones, and tablets used to connect to the organization’s infrastructure. Endpoints represent vulnerable and lucrative points of entry for cybercriminals as they can be used to execute code and exploit vulnerabilities. With organizational workforces becoming more mobile and users connecting to internal resources from off-premise endpoints all over the world, endpoints are increasingly susceptible to attacks and need to be properly secured.

Enterprise Mobility Management (EMM) is a set of services and technologies designed to prevent unauthorized access to enterprise applications and corporate data on employees' mobile devices. EMM enables organizations to centrally manage and enforce security policies, encrypt storage, and remotely delete all data from misplaced devices.

I

Identity and Access Management (IAM) is a set of technologies that helps organizations ensure that the right individuals have access to the appropriate resources. Organizations with mature IAM capabilities can decrease the risk of breaches associated with poor password practices, increase end-user productivity by simplifying access to the resources employees need to do their jobs, and reduce the volume of credential-related help desk calls with secure and user-friendly self-service capabilities.

Identity as a Service, also known as IDaaS or SaaS-delivered IAM, refers to identity management solutions that are hosted in the cloud and managed by third-party service providers. In recent years, SaaS-delivered solutions overtook software-based solutions to become the preferred IAM delivery method for the vast majority of customers. In contrast to IDaaS, software-delivered solutions, frequently referred to as "on-prem" solutions, are single-tenant solutions delivered as traditional software installations or virtual appliances.

Identity assurance refers to the ability to establish, with some level of certainty, that the electronic credentials provided by a person can be trusted to belong to the person they represent. Identity Assurance processes frequently combine Identity Proofing, user authentication, and electronic credential management services.

Identity analytics refers to a process of employing machine learning and artificial intelligence (AI) technologies to consume and analyze vast amounts of identity and access-related data and distill that data into actionable intelligence, allowing organizations to detect and respond to access risk more quickly. Identity Analytics relies on data from a vast array of other sources, such as data access governance, content-aware data loss prevention, security information and event management (SIEM), and database monitoring systems, as well as application, web, network, database, and endpoint logs, to obtain and analyze information about the use of access privileges.

Identity Lifecycle Management (ILM) refers to the collection of technologies and business processes that enable organizations to create, manage, and remove user identities based on defined roles, rules, and policies at every stage of the employee lifecycle.

Inbound provisioning refers to the process of leveraging user data from a trusted identity source, such as a Human Capital Management (HCM) system, to add users to identity repositories and applications. For example, an organization can set up integrations with its HCM system to provision new users into Active Directory and other applications.

Integrated Windows Authentication (IWA) refers to an authentication scheme that enables users to be automatically authenticated with Active Directory accounts to applications and services. With IWA enabled, users can access applications and services without additional authentication whenever they are signed in to the Windows domain.

K

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications using secret-key cryptography.

Knowledge-based authentication, commonly referred to as KBA, is a method of authentication that leverages answers to security questions to complete the authentication process. KBA is often used as a factor in multi-factor authentication (MFA) and for self-service password retrieval.

L

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

M

Multi-Factor Authentication (MFA) is an authentication method that adds a secondary step to the authentication process by combining at least two of the three authentication factor categories. Authentication factor categories include knowledge factors (something the user and only the user knows, such as a username and password), possession factors (something the user and only the user has, such as a physical token), and inherence factors (something the user and only the user is, such as biometric features).

Mobile Device Management (MDM) refers to a component of Enterprise Mobility Management (EMM) solutions that enables remote administration of mobile devices, such as smartphones, tablet computers, and laptops.

Mobile Application Management (MAM) refers to a component of Enterprise Mobility Management (EMM) solutions that enables control over enterprise applications on end-users' corporate and personal smartphones and tablets.

N

NT LAN Manager (NTLM) is an authentication protocol used in Windows for authentication between clients and servers. NTLM can be used by application protocols to authenticate remote users and, optionally, to provide session security when requested by the application.

O

The Initiative for Open Authentication (OATH) is an organization that develops open standards that enable strong authentication of all users on all devices, across all networks.

OAuth 2.0 is an open-standard protocol for authorization. OAuth attempts to provide a standard way for developers to offer their services via an API without forcing their users to expose their credentials. As such, OAuth 2.0 allows users to grant limited access to their private resources on one site (called the Service Provider) to another site (called the Consumer) without revealing their passwords or other credentials. To get access to the protected resources, OAuth 2.0 uses access tokens, strings representing the granted permissions. OAuth has built-in support for desktop applications, mobile devices, set-top boxes, and websites.

OpenID Connect is an identity layer on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end-user and to obtain basic user profile information. While the OAuth framework helps users grant access, OpenID Connect helps ensure that users are really who they say they are.

A One-time Password (OTP) is a password that is valid for only one login session or transaction. One-time Passwords can be supported as an authentication factor in Multi-factor Authentication implementations.

P

Business Partner Federation, also known as B2B federation, establishes a trust relationship between two entities, the Service Provider (SP) and the Identity Provider (IdP), using SAML tokens. Partner federation allows organizations to set up one-click access to their applications for partner employees. With B2B federation enabled, partners can easily access secured applications according to their own policies and processes.

Privileged access management (PAM) is a collection of processes and technologies focused on managing, monitoring, and protecting privileged user accounts, such as root or service accounts, within the IT infrastructure of an enterprise.

A privileged user account is an account that has more privileges than standard users. Privileged accounts might, for example, be able to install or remove software, add and remove users, or modify system or application configurations.

The process of granting access to data repositories, networks, applications, and databases based on unique user identity. For example, a new employee can be granted access to network shares and applications based on the user's role within the organization.

Phishing is the fraudulent attempt to obtain sensitive information such as access credentials, credit card details, and personally identifiable information, using deceptive emails and websites.

Policy-based access control, also known as Attribute-based Access Control (ABAC), is a strategy for managing user access to one or more systems, where the business roles of users are combined with policies to determine what access privileges users of each role should have. For example, every role within an organization can be defined as a collection of permissions and restrictions. An organization can then create a policy that allows employees to access objects and execute operations only if their role in the system has the relevant permissions.

Passwordless Authentication refers to a concept of user authentication by means other than a password. For example, users can enter their mobile phone number or email address and receive a one-time code or link, which they can then use to log in. Common types of passwordless authentication include email-based, SMS-based, multi-factor, and biometric authentication, or passwordless authentication for already logged-in users.

R

The Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol used for centralized authentication, authorization, and accounting. The RADIUS client is typically a network access server (NAS), and the RADIUS server is usually a process running on a UNIX or Windows NT machine. The client passes user information to designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.

A Reverse Proxy is a server that sits in front of one or more web servers, intercepting requests from clients. A reverse proxy commonly performs tasks such as load-balancing, authentication, decryption, or caching.

Role-based Access Control (RBAC) is a model of assigning system access to users based on their role in an organization. With RBAC, organizations can create roles, assign role membership (static or dynamic), and define access policies specific to each role. RBAC provides fine-grained control and offers a simple, manageable approach to access management that is less prone to error than assigning permissions to users individually.

S

Single sign-on (SSO) is an authentication process that allows users to access multiple applications and services with one set of login credentials. Enterprises typically use SSO to provide a better user experience for accessing a variety of web, on-premises, and cloud apps. SSO can also give IT more control over user access, reduce password-related help desk calls, and improve security and compliance.

A Secure Token Service (STS) is a service that can issue security tokens, validate security token claims, renew security tokens, and cancel security tokens. Because web services and requestors (consumers or clients) are typically deployed across different security domains and topologies, each domain may require a specific security token type to assert authenticated identities. An STS provides a way to exchange tokens across these different domains without re-authenticating or re-establishing trust relationships, while allowing the requestor access to a web service's protected resources.

A session refers to any group of interactions between a user and an application that takes place within a given timeframe. A single session can contain multiple activities (such as page views, events, social interactions, and e-commerce transactions), all of which the session stores temporarily while the user is connected. The session ends when the user leaves the website, closes their browser, or the session lifetime limit is reached.

Security Assertion Markup Language (SAML) is an open standard used to facilitate the exchange of authentication and authorization data between two systems, in particular, between an identity provider and a service provider. An identity provider is an entity within the system that provides authentication and ensures that the user really is who they claim to be. A service provider is an entity — generally, a server or other computer — within a system that helps the user access the services he or she wants.

System for Cross-Domain Identity Management (SCIM) is an open standard for automating the exchange of user identity information between IT systems, designed to make user identity management in cloud-based applications easier. SCIM can be used to automatically provision and deprovision user accounts in external systems, such as custom SAML apps.

Public Key Infrastructure (PKI)-based smart cards enable organizations to use physical cards to control access to a resource. Smart cards are frequently implemented by government agencies to comply with government regulations, such as the Defense Federal Acquisition Regulation Supplement (DFARS) and International Traffic in Arms Regulations (ITAR).

Social Login is a method of Single Sign-On (SSO) for end-users. Using their existing login information from a social network provider like Facebook, LinkedIn, or Google, users can sign into a third-party website instead of creating a new account specifically for that website. Social Login simplifies registrations and logins for end users.

T

A time-based one-time password (TOTP) is a temporary passcode used for authenticating users. The user is assigned a TOTP generator delivered as a hardware key fob or software token. The generator implements an algorithm that computes a one-time passcode using a secret shared with the authentication server and the current time.

U

User and Entity Behavior Analytics (UEBA) refers to a process of gathering insight into network, access, and security events to identify typical and atypical behavior of humans and machines within a network. UEBA uses machine learning, algorithms, and statistical analyses to figure out whether certain kinds of activity and behavior are likely to constitute a cyberattack.

User provisioning refers to the creation, modification, and deactivation of user objects and user attributes in one or more systems, directories, or applications in response to business processes. User objects may represent employees, contractors, vendors, partners, customers, or other recipients of a service.

Universal Authentication Framework (UAF) is an open authentication standard developed by the FIDO Alliance with the goal of enabling a secure passwordless experience for primary authentication, as opposed to a second factor, as described in the Universal 2nd Factor (U2F) standard.

Universal 2nd Factor (U2F) is an authentication standard that allows online services to augment the security of their existing password-based infrastructure by adding a strong second factor to user login. U2F simplifies two-factor authentication (2FA) by enabling the use of specialized Universal Serial Bus (USB) or near-field communication (NFC) devices.

V

A virtual private network (VPN) is a service that creates a safe, encrypted connection over a less secure network, such as the public internet. VPNs are typically used to connect remote users and machines to a private network.

A virtual directory or virtual directory server is a technology that provides a consolidated view of user identity and related information without having to migrate users into a single enterprise directory infrastructure. It serves as a lightweight service that operates between identity consumers and the various identity repositories across the environment. These identity repositories can be LDAP directories, databases, or even web services, and access to information can be either proxied through the virtual directory or correlated and cached through a complex set of rules.

W

WS-Federation is part of the larger Web Services Security (WS-Security) framework, which provides a means for applying security to web services through the use of security tokens. WS-Federation uses a Security Token Service (modeled on the WS-Trust specification) to allow providers in different security realms to broker trust using information on identities, identity attributes and authentication, and provider federation.

WS-Trust, a specification in the WS-Security framework, enables federation by defining a Security Token Service (STS) and a protocol for requesting and issuing security tokens.

WebAuthn is a standard for secure authentication on the Web. WebAuthn defines APIs that make it easy for a relying party, such as a web service, to integrate strong authentication into applications. This means that web services can offer their users strong authentication with a choice of authenticators, such as security keys or built-in platform authenticators such as biometric readers.

Y

A YubiKey is a hardware security token manufactured by Yubico that supports one-time passwords, public-key encryption and authentication, and the Universal 2nd Factor and FIDO2 protocols developed by the FIDO Alliance. YubiKey enables organizations to provide strong two-factor, multi-factor, and passwordless authentication.

Z

Zero Trust is a security framework developed by Forrester based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network perimeter. Zero Trust stipulates that people, devices, networks, and workloads that access data must be verified at any point and at any time.

Zero Sign-On (ZSO) refers to certificate-based authentication that enables users to seamlessly log in to their assigned applications and services without additional authentication once their mobile devices are verified.