
Words to go: Identity and access management security

IT pros must keep up to date with rapidly changing identity technology and access threats. Strengthen IAM security by getting familiar with this list of foundational terms.

As the number of insider and end-user security threats continues to grow, it is important to make sure IT teams have a solid identity and access management security baseline. IT leadership and administrators should brush up on the IAM tools and related technologies available to help streamline authentication, access and permissions in the enterprise.

Identity and access management is a framework of business policies and technologies for managing digital identities and controlling what each identity is allowed to do. IAM platforms combine identity management (who a user is, and the lifecycle of that identity) with access control (which applications, data and systems that user may reach, and under what conditions). With an IAM framework, IT professionals can govern user access to the organization's network, applications and data from one place rather than per system.

Organizations use IAM products to ensure that only authorized users receive access to the intended resources, and only under the right circumstances. IAM functions specify and enforce the processes for user provisioning, access rights, authentication and compliance reporting across the organization.

Refer to this list of identity and access management security terms and technologies to contextualize the current market trends in IAM.

Privileged identity management (PIM). The process of controlling and monitoring privileged, or superuser, accounts in an organization is known as privileged identity management. An account is privileged because of the rights it holds, not the job title of its owner: root and local administrator accounts, domain administrators, database administrators and service accounts that run with elevated rights all qualify, whether or not the person behind them is a CIO, a CEO or a contractor. These accounts can reach the organization's most sensitive systems and data, and they can usually disable the controls that would record misuse, so an unmanaged privileged account is a major identity and access management security issue.

Implementation of PIM includes creating a policy that specifies how superuser accounts are created, used and retired, and what holders of those accounts can and cannot do with their access. A responsible party must be identified to ensure the PIM policies are carried out. Regular audits or inventories of privileged accounts are also common in PIM, because privileged accounts tend to accumulate unnoticed (a second UID 0 account on a server, a service account added to a sudo or administrators group) and an inventory is the only way to find them.
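The inventory step above is concrete enough to show in code. The following is an added example, not from the original article: it lists the privileged local accounts on a Linux host from the contents of /etc/passwd and /etc/group. The passwd and group data are constructed inline so the script runs offline, and the set of groups treated as privileged is an assumption to be replaced with site policy.

```python
# Added example (not from the original article): inventory privileged local
# accounts on a Linux host from passwd/group data. The two samples below are
# constructed for the example; in practice read /etc/passwd and /etc/group.
from typing import Dict, List

# Constructed /etc/passwd sample: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second root account:/root:/bin/sh
svc-backup:x:1002:1002:Backup service:/var/backups:/usr/sbin/nologin
"""

# Constructed /etc/group sample: name:x:gid:member,member
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,svc-backup
wheel:x:10:bob
docker:x:999:alice
users:x:100:alice,bob
"""

# Assumption: groups whose membership confers root-equivalent rights on this site.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "admin", "adm", "docker"}


def parse_passwd(text: str) -> Dict[str, int]:
    """Return {username: uid} for every well-formed passwd line."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line; skip rather than guess
        users[fields[0]] = int(fields[2])
    return users


def parse_group(text: str) -> Dict[str, List[str]]:
    """Return {groupname: [members]} preserving the file's member order."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        groups[fields[0]] = [m for m in fields[3].split(",") if m]
    return groups


def privileged_accounts(passwd_text: str, group_text: str,
                        privileged_groups=PRIVILEGED_GROUPS) -> Dict[str, List[str]]:
    """Map each privileged account to the reasons it counts as privileged.

    An account is privileged if its UID is 0 (root-equivalent regardless of
    name) or if it is a member of any group in privileged_groups.
    """
    reasons: Dict[str, List[str]] = {}
    for user, uid in parse_passwd(passwd_text).items():
        if uid == 0:
            reasons.setdefault(user, []).append("uid 0")
    for group, members in parse_group(group_text).items():
        if group in privileged_groups:
            for member in members:
                reasons.setdefault(member, []).append(f"member of {group}")
    return reasons


def extra_uid0_accounts(passwd_text: str) -> List[str]:
    """Any UID 0 account other than 'root' is a finding on its own."""
    return sorted(u for u, uid in parse_passwd(passwd_text).items()
                  if uid == 0 and u != "root")


if __name__ == "__main__":
    for account, why in privileged_accounts(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{account:12} {', '.join(why)}")
    print("extra uid-0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
```

Run against the constructed data, the inventory surfaces the second UID 0 account (toor) and the backup service account that someone added to sudo, which are exactly the entries a PIM audit is meant to catch; the same two parsers work on real files read from disk.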

Identity governance. The policy-based centralization of user identity management and access control is known as identity governance. Identity governance products often include PIM, identity intelligence and analytics tools. Identity governance helps maintain regulatory compliance and supports IT security. These products help organizations orchestrate and review IAM policy and connect IAM capabilities with compliance regulations by auditing user access.

Single sign-on (SSO). A single sign-on service permits end users to enter one set of login credentials to access multiple applications. The user authenticates once to the SSO server (the identity provider), which checks the credentials against a user repository such as a directory. After that, when the user opens an application the SSO server has a trust relationship with, the server vouches for the user with a signed, short-lived assertion or token (a SAML assertion or an OpenID Connect ID token, for example) instead of handing the application the user's password. The application validates the assertion and admits the user, so there are no individual password prompts for the rest of the session.

SSO minimizes the burden of users having to remember various passwords for separate applications, but it is different from password synchronization, which sets a user's password in every system to the same value. With synchronization the user still logs in to each application separately, and each application still stores and checks that shared secret; a compromise of any one of them exposes all of them. With SSO the user authenticates once, and the SSO server intervenes on the user's behalf whenever a subsequent application challenges that user for credentials.
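The exchange described above, as an added example that is not from the original article: an SSO server authenticates the user once against a user repository, then answers each application's challenge with an HMAC-signed assertion bound to that application and to a short validity window, and the application verifies it without ever seeing the password. The user repository, the per-application shared keys, the issuer name "sso.example" and the claim names are all assumptions made for the example (real deployments would use SAML or OpenID Connect, typically with asymmetric signatures).

```python
# Added example (not from the original article): a minimal SSO flow in which
# applications receive a signed assertion from the identity provider instead
# of the user's password. Keys, users and issuer name are constructed.
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

ISSUER = "sso.example"  # assumption: the SSO server's identifier

# Constructed user repository: username -> PBKDF2 hash of the password.
_SALT = b"constructed-salt-for-example"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USER_REPOSITORY: Dict[str, bytes] = {
    "alice": _hash_password("correct horse battery staple"),
}

# Assumption: one shared HMAC key per relying application, provisioned out of band.
APP_KEYS: Dict[str, bytes] = {
    "crm": b"crm-shared-secret-constructed",
    "wiki": b"wiki-shared-secret-constructed",
}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_login(username: str, password: str, now: Optional[int] = None) -> Optional[dict]:
    """Step 1 (SSO server): authenticate the user once against the repository.

    Returns a session record, or None on failure. The password goes no further.
    """
    stored = USER_REPOSITORY.get(username)
    if stored is None or not hmac.compare_digest(stored, _hash_password(password)):
        return None
    return {"sub": username, "auth_time": now if now is not None else int(time.time())}


def idp_issue_assertion(session: dict, audience: str, ttl: int = 300,
                        now: Optional[int] = None) -> str:
    """Step 2 (SSO server): answer an application's challenge for this session.

    The assertion names the issuer, the user, the intended application (aud)
    and an expiry, and is signed with that application's key.
    """
    now = now if now is not None else int(time.time())
    claims = {"iss": ISSUER, "sub": session["sub"], "aud": audience,
              "iat": now, "exp": now + ttl}
    body = _b64u(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64u(hmac.new(APP_KEYS[audience], body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def app_verify(token: str, my_audience: str, now: Optional[int] = None) -> Optional[str]:
    """Step 3 (application): validate the assertion; return the user id or None.

    Checks, in order: well-formed, signature under this app's key, issuer,
    audience (a token minted for another app must not be accepted), expiry.
    """
    now = now if now is not None else int(time.time())
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(APP_KEYS[my_audience], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64u_decode(sig), expected):
        return None
    claims = json.loads(_b64u_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != my_audience:
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims["sub"]


if __name__ == "__main__":
    session = idp_login("alice", "correct horse battery staple")
    token = idp_issue_assertion(session, "crm")
    print("crm sees user:", app_verify(token, "crm"))
    print("wiki rejects crm's token:", app_verify(token, "wiki"))
```

The audience check and the per-application key are what keep one application from replaying a user's assertion against another; the expiry bounds how long a stolen assertion is useful. Both are the properties password synchronization cannot offer.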

User provisioning. Businesses commonly seek to limit the administrative hurdles that come with account management, and user account provisioning manages access to IT system resources in a consistent, repeatable way. The term provisioning refers to making a resource, such as an account, a mailbox or a network share, available to a user. A user provisioning process coordinates the creation of accounts, the assignment of authorizations and the allocation of physical resources when a new user joins, the adjustment of those entitlements when the user changes roles, and their removal (deprovisioning) when the user leaves. User provisioning is part of identity management operations.

Role-based access control (RBAC). Role-based access control is a method administrators use to control user access based on the roles assigned to each user rather than on the individual. Users are grouped into roles according to the access and services they require to do their jobs, and permissions are attached to the roles. Deriving candidate roles from existing user-to-resource entitlement data, by finding clusters of users who hold the same permissions, is known as role mining. RBAC addresses the risk of users gaining access to information, services or resources that do not pertain to their job function, and it reduces the number of individual access policies administrators have to maintain.

When users gain access to extraneous resources, this leaves room for accidental or intentional insider threats. When it comes to identity and access management security, audits should be scheduled regularly to check and account for users' changing roles within the system. Administrators should also avoid defining roles so broadly that too many users land in one, because a broad role grants each of its members resources that only some of them need, which is privilege creep by design.

Privilege creep. The gradual accumulation of access to resources unessential to an individual's job function is known as privilege creep. It typically occurs when a user is promoted or moves horizontally to another role within the organization: the new role's access is added, but the previous role's access is rarely revoked, even though the user no longer needs it. The user's access privileges therefore expand, and with them the damage that abuse of the account can do.

Privilege creep can be exploited in two ways: the user may abuse their own excess privileges, or an intruder who gains control of the user's account may do the same. Either risks data loss, corruption or theft. Risk mitigation warrants periodic access rights reviews or audits, which compare what each account can actually do against what its current role justifies; any grant that no current role explains is privilege creep and should be revoked. IT teams commonly enforce the principle of least privilege, allowing each user access only to the minimal set of resources required to carry out their responsibilities.
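The RBAC model and the access review described in the two entries above fit in one script, added here as an example that is not from the original article. Roles, role assignments and the "actual grants" read back from target systems are all constructed; permissions are written as "system:action" strings by assumption. The review compares each account's actual grants with the permissions its current roles confer, and the leftover is the privilege creep a periodic audit is meant to find (here, alice's leftover finance access after a move to HR, and a direct grant to carol that no role explains).

```python
# Added example (not from the original article): RBAC authorization plus the
# periodic access review that detects privilege creep. All data is constructed.
from typing import Dict, List, Set, Tuple

# Role -> permissions. Assumption: permissions are "system:action" strings.
ROLES: Dict[str, Set[str]] = {
    "employee":        {"email:use", "intranet:read"},
    "finance-analyst": {"ledger:read", "ledger:export"},
    "finance-manager": {"ledger:read", "ledger:export", "ledger:approve"},
    "hr-generalist":   {"hris:read", "hris:update"},
}

# User -> current roles, as fed by the authoritative source (e.g. the HR system).
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"employee", "hr-generalist"},   # moved from finance-analyst to HR
    "bob":   {"employee", "finance-manager"},
    "carol": {"employee"},
}

# User -> what the account can actually do today, read back from each system.
ACTUAL_GRANTS: Dict[str, Set[str]] = {
    "alice": {"email:use", "intranet:read", "hris:read", "hris:update",
              "ledger:read", "ledger:export"},          # old finance access never revoked
    "bob":   {"email:use", "intranet:read", "ledger:read", "ledger:export",
              "ledger:approve"},
    "carol": {"email:use", "intranet:read", "hris:update"},  # granted directly, no role
}


def effective_permissions(user: str, roles=ROLES, assignments=ASSIGNMENTS) -> Set[str]:
    """Union of the permissions of every role currently assigned to the user."""
    return set().union(*(roles[r] for r in assignments.get(user, set())))


def is_authorized(user: str, permission: str, roles=ROLES, assignments=ASSIGNMENTS) -> bool:
    """RBAC decision: the request is allowed only if some current role grants it."""
    return permission in effective_permissions(user, roles, assignments)


def access_review(actual=ACTUAL_GRANTS, roles=ROLES, assignments=ASSIGNMENTS) -> Dict[str, List[str]]:
    """Flag every grant that no current role justifies: this is privilege creep.

    Returns {user: sorted excess grants} for users with at least one excess grant.
    """
    findings: Dict[str, List[str]] = {}
    for user, grants in actual.items():
        excess = grants - effective_permissions(user, roles, assignments)
        if excess:
            findings[user] = sorted(excess)
    return findings


def reconcile(user: str, actual=ACTUAL_GRANTS, roles=ROLES,
              assignments=ASSIGNMENTS) -> Tuple[List[str], List[str]]:
    """Change set that returns an account to least privilege: (revoke, grant)."""
    wanted = effective_permissions(user, roles, assignments)
    have = actual.get(user, set())
    return sorted(have - wanted), sorted(wanted - have)


if __name__ == "__main__":
    print("bob may approve:", is_authorized("bob", "ledger:approve"))
    print("alice may read ledger:", is_authorized("alice", "ledger:read"))
    for user, excess in access_review().items():
        revoke, grant = reconcile(user)
        print(f"{user}: creep {excess}; revoke {revoke}; grant {grant}")
```

Note that the authorization decision and the review both derive from the same role table; the review only has something to report because the target systems were changed without the role table being changed, which is exactly how creep accumulates after a move. Running the review on a schedule and feeding reconcile() back into provisioning closes that gap.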

This was last published in June 2019
