Access to resources is governed by the values of a collection of user attributes (such as job title, location, cost centre, department and manager), resource attributes (such as owner, location, data content) and/or environment attributes (such as time of day, date, location of access, conditional access parameters).
Organisations often implement a hybrid approach using RBAC, ABAC and request/approvals.
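The following is an added example, written for this glossary entry and not taken from the page or any product's policy engine, of how an ABAC decision combines the three attribute families and how the hybrid model (RBAC roles, attribute rules and a request/approval table) can sit under one evaluator. All attribute names, policies, users, resources and environments are constructed assumptions; the combining rule shown is deny-overrides, one common choice among several.

```python
"""Attribute-based access control (ABAC) worked through in code.

Added example for the ABAC glossary entry; not code from any product.
All attribute names, policies, users and resources are constructed.
Combining rule: any matching deny refuses access; otherwise access
needs at least one matching permit.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]
Rule = Callable[[Attrs, Attrs, Attrs], bool]  # (user, resource, environment)


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str  # "permit" or "deny"
    rule: Rule


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: Tuple[str, ...]  # names of the rules that decided the outcome


# Constructed approvals granted outside RBAC/ABAC: (user id, resource id).
APPROVED_REQUESTS = {("bob", "ledger")}

POLICIES: List[Policy] = [
    # RBAC-style permit: a role assigned to the user, not an attribute.
    Policy("rbac-finance-reader", "permit",
           lambda u, r, e: "finance_reader" in u["roles"]
           and r["department"] == "finance"),
    # Resource attribute: owners may read what they own.
    Policy("owner-read", "permit",
           lambda u, r, e: u["id"] == r["owner"]),
    # User + resource attributes: same department and cost centre.
    Policy("same-cost-centre", "permit",
           lambda u, r, e: u["department"] == r["department"]
           and u["cost_centre"] == r["cost_centre"]),
    # Explicit request/approval grant (the hybrid model's third leg).
    Policy("approved-request", "permit",
           lambda u, r, e: (u["id"], r["id"]) in APPROVED_REQUESTS),
    # Environment attributes: restricted data needs MFA on a managed device.
    Policy("restricted-needs-strong-session", "deny",
           lambda u, r, e: r["classification"] == "restricted"
           and not (e["mfa"] and e["managed_device"])),
    # Environment attribute: restricted data only during working hours.
    Policy("restricted-working-hours-only", "deny",
           lambda u, r, e: r["classification"] == "restricted"
           and not 8 <= e["hour"] < 18),
]


def evaluate(user: Attrs, resource: Attrs, env: Attrs,
             policies: List[Policy] = POLICIES) -> Decision:
    """Return an access decision plus the rule names that produced it."""
    denies = tuple(p.name for p in policies
                   if p.effect == "deny" and p.rule(user, resource, env))
    if denies:
        return Decision(False, denies)
    permits = tuple(p.name for p in policies
                    if p.effect == "permit" and p.rule(user, resource, env))
    return Decision(bool(permits), permits)


# Constructed sample principals, resources and environments.
ALICE = {"id": "alice", "department": "finance", "cost_centre": "CC-100",
         "roles": ["finance_reader"]}
BOB = {"id": "bob", "department": "engineering", "cost_centre": "CC-200",
       "roles": []}
CAROL = {"id": "carol", "department": "finance", "cost_centre": "CC-300",
         "roles": []}
LEDGER = {"id": "ledger", "owner": "carol", "department": "finance",
          "cost_centre": "CC-100", "classification": "internal"}
PAYROLL = {"id": "payroll", "owner": "carol", "department": "finance",
           "cost_centre": "CC-100", "classification": "restricted"}
OFFICE_HOURS = {"mfa": True, "managed_device": True, "hour": 10}
LATE_PERSONAL_DEVICE = {"mfa": False, "managed_device": False, "hour": 23}

if __name__ == "__main__":
    for who, what, where in [(ALICE, PAYROLL, OFFICE_HOURS),
                             (ALICE, PAYROLL, LATE_PERSONAL_DEVICE),
                             (BOB, LEDGER, OFFICE_HOURS),
                             (BOB, PAYROLL, OFFICE_HOURS),
                             (CAROL, PAYROLL, LATE_PERSONAL_DEVICE)]:
        d = evaluate(who, what, where)
        print(f"{who['id']:6} {what['id']:8} allowed={d.allowed} via={d.reasons}")
```

The point worth noticing is that the owner of the payroll record is still refused on a personal device late at night: environment-attribute denies override every permit, which is exactly the behaviour a conditional-access style control needs, and the returned reason list is what an auditor or a detection rule would log.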
Covers role- and attribute-based access control, along with privileged access management and privileged identity management. The net result is that users have only the rights they need to perform their duties and no more. To work effectively this must be automated, with managed, time-limited privilege escalation provided in an intuitive fashion.
Also known as recertification. Useful where users (or managers) have requested access to systems or applications that has not been assigned via RBAC or ABAC.
Regular attestation is a flawed concept because as soon as a campaign is complete, configured access is likely to be out of date again. The longer the period between attestation campaigns, the larger the problem (and hence the security threat level) becomes. A better solution is to define segregation of duties rules and then to check for violations in real time, saving attestation only for requested access confirmation. Even for this latter case, a better solution is to trigger micro-certifications (recertifying individual users) when their roles or attributes change.
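As an added illustration of the approach described in this entry (not code from the page or from any identity product), the example below checks segregation-of-duties rules at the moment a user's roles or attributes change, previews the conflicts an access request would introduce before it is approved, and triggers a micro-certification only for access that was granted by request rather than derived from a role. The role catalogue, SoD rules, users and change events are all constructed assumptions.

```python
"""Real-time segregation-of-duties checking with micro-certification.

Added example for the attestation glossary entry; not code from any
identity product. Role catalogue, SoD rules, users and events are
constructed. Every change event is evaluated immediately instead of
waiting for a periodic attestation campaign.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role catalogue: role name -> entitlements it grants.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "ap_clerk": frozenset({"vendor.create", "invoice.enter"}),
    "ap_manager": frozenset({"invoice.approve", "payment.release"}),
    "hr_generalist": frozenset({"employee.read"}),
}

# Constructed SoD rules: entitlement pairs one person must not hold together.
SOD_RULES: List[Tuple[str, str]] = [
    ("vendor.create", "payment.release"),
    ("invoice.enter", "invoice.approve"),
]


@dataclass(frozen=True)
class User:
    id: str
    manager: str
    department: str
    roles: FrozenSet[str]
    # Access granted through request/approval rather than through a role.
    requested_access: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Action:
    kind: str                 # "sod_violation" or "micro_certification"
    user: str
    detail: Tuple[str, ...]   # the conflicting pair, or the access to certify
    reviewer: str = ""        # who must confirm a micro-certification


def effective_access(user: User) -> FrozenSet[str]:
    """Role-derived entitlements plus anything granted by request."""
    granted: Set[str] = set(user.requested_access)
    for role in user.roles:
        granted |= ROLE_ENTITLEMENTS.get(role, frozenset())
    return frozenset(granted)


def sod_violations(user: User) -> List[Tuple[str, str]]:
    """All SoD rule pairs the user currently holds both halves of."""
    access = effective_access(user)
    return [(a, b) for a, b in SOD_RULES if a in access and b in access]


def would_violate(user: User, entitlement: str) -> List[Tuple[str, str]]:
    """Preview the SoD conflicts an access request would add if approved."""
    trial = replace(user, requested_access=user.requested_access | {entitlement})
    existing = sod_violations(user)
    return [p for p in sod_violations(trial) if p not in existing]


def on_identity_change(before: User, after: User) -> List[Action]:
    """Evaluate one change event (mover, role grant, ...) in real time."""
    actions: List[Action] = []
    already = sod_violations(before)
    for pair in sod_violations(after):
        if pair not in already:  # report only newly introduced conflicts
            actions.append(Action("sod_violation", after.id, pair))
    context_changed = (before.roles != after.roles
                       or before.department != after.department
                       or before.manager != after.manager)
    # Requested (non-role) access is the only thing worth re-certifying,
    # and only when the user's context has actually changed.
    if context_changed and after.requested_access:
        actions.append(Action("micro_certification", after.id,
                              tuple(sorted(after.requested_access)),
                              reviewer=after.manager))
    return actions


# Constructed starting state for one user.
DANA = User("dana", manager="erin", department="finance",
            roles=frozenset({"ap_clerk"}),
            requested_access=frozenset({"report.export"}))

if __name__ == "__main__":
    promoted = replace(DANA, roles=DANA.roles | {"ap_manager"})
    for action in on_identity_change(DANA, promoted):
        print(action)
    print("request preview:", would_violate(DANA, "invoice.approve"))
```

Granting the second accounts-payable role raises two SoD violations immediately and, because the roles changed, sends the one requested entitlement to the current manager for micro-certification; a department move with a new manager produces no violation but routes the same certification to the new manager, which is what keeps attestation targeted rather than campaign-wide.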
Bring (or buy) your own device covers organisations where the user population may want to use their personal device of choice for work purposes.
Policies are put in place to ensure that all the devices and apps have a baseline security policy, and this helps to ensure that data security is maintained to the same level as a corporate owned/supplied device.
Conditional access is a function of Azure AD (and Office 365 for Business) that checks to see if the user meets certain criteria before enabling access. It will check to see what device the user has, where they are and what service they are asking for. The system can then validate (using pre-set logic) and decide whether the user needs to provide MFA or not.
Typically, CIAM takes the form of authentication software used with an organisation’s public-facing websites, apps and other digital services. This software seamlessly integrates with a company’s branded digital properties to provide powerful security and frictionless access. CIAM solutions and their associated features are key to meeting consumer demands for a unified experience, while reducing the risk of a data breach.
Put simply, cyber security is the protection of IT infrastructure from the theft or damage of hardware, software or electronic data as well as any disruption of services they provide.
Cyber security within an organisation extends across processes, people and technology and has steadily progressed to a board level concern as attacks against high profile organisations become more prevalent.
A widely used term, digital transformation broadly refers to the adoption of new and emerging digital technologies to evolve an organisation’s effectiveness.
These technologies can apply to business processes, the customer experience and influence an organisation’s workplace culture. The overall aim of undergoing a digital transformation is to ensure an organisation’s ability to adapt to (and survive in) a modern market, which has itself seen radical change due to the introduction of increasingly digital elements.
A workplace approach that allows employees to access data and applications on a variety of devices, from any location.
This approach is growing in popularity due to the increase in available devices as well as the flexibility and productivity benefits it provides to organisations. As a result, device management technologies such as Microsoft Intune have evolved to ensure security is maintained.
Hybrid identity links an on-premises identity to a cloud identity and ensures they are synchronised. The user can access cloud services using the cloud identity details and can access on-premises services using the local instance of the object.
Both identities are valid, creating a common user identity for authentication and authorisation that can be used in different scenarios.
An IAM solution or framework provides governance ensuring that access to data, systems and applications is available only to users who should have it, at the times they should be accessing it, and from the correct locations. To be effective, IAM should be automated and apply to on-premises, hosted and cloud environments. It should also be cross-vendor and cross-platform.
Business and security analysis skills are required to correctly specify an IAM solution, in addition to the technical skills required to implement one.
Efficient and automated IAM processes provide the basis for secure business agility (collaboration, B2B, B2C, etc.).
A term coined by Gartner when they combined two separate reports – identity governance and identity administration – into one in 2013.
Identity administration is what most users are familiar with and includes identity lifecycle management, connectors to data sources (HR, etc.) and data targets (ERP and accounting systems, etc.), password management, automated provisioning, and access requests and approvals.
Identity governance includes policy enforcement, segregation of duties, attestation (recertification), discovery of existing access, role mining, engineering and management, and analytics and reporting.
Solutions that offer both administration and governance tools in a single coherent package offer a key differentiation over administration solutions which have had a governance layer bolted on.
When an organisation has employees, it needs to understand their lifecycle; from joining as a new starter, through moving departments and roles during their career, to leaving at the end of their time.
This joiner/mover/leaver (JML) process describes the identity lifecycle at a high level.
An identity management system should be able to take the JML process and automate it as much as possible.
Mobile application management allows an organisation to control how data is accessed by employees working from personal devices. Policies are applied to apps on the user’s device. If the device is lost, data on that app can be remotely wiped. In addition, data that is found in an internal email or document can be blocked from being copied to non-approved applications or saved to non-supported locations.
Mobile device management is the remote, ongoing monitoring and management of an organisation’s mobile device ecosystem. It controls the security configuration and delivers applications and policies to each user’s device. For example, updating critical security patches, or locating, locking and completely wiping data on compromised devices.
A comprehensive MDM system should be capable of covering a range of operating systems (Windows, iOS and Android) simultaneously.
Sometimes the use of an ID and password is not enough to provide access to an application or data set. In these cases, the system can be configured to request an additional element of authentication.
Examples of MFA include: a one-time password (OTP) sent as an email/SMS; a phone call; a code created by an authenticator app; or a push notification to an installed (and configured) app.
Privileged access management solutions effectively store the credentials of user accounts that need access to sensitive assets (i.e. admin users) in a separate system. An administrator would not have administration rights assigned to their account but would have to pass through this system each time. This ensures they receive just-in-time (JIT) access to administration services for Active Directory (and any service that uses AD for authentication and authorisation).
A PAM solution effectively adds an extra layer of security, with greater control and visibility of who is doing what.
Privileged identity management provides a similar function to PAM, but relates to Azure AD rather than an on-premises AD. To remember which is which, the “I” in PIM can stand for Internet, while the “A” in PAM can stand for AD.
A form of authorisation which depends upon the role (or roles) assigned to a user.
Role engineering is a specialist, time-consuming task, with the ever-present danger that the outcome will be as many roles as there are users. The world is moving more to a model of defining a small set of base roles, configuring granular access levels to systems and applications, and providing a request/approval mechanism for users (or their managers) to request more access as required.
Single sign-on is the ability to access multiple applications without the user having to provide their ID and password more than once. But SSO probably causes more questions than most abbreviations.
There are really two types that need to be considered. There’s enterprise SSO, which uses a client on a workstation to provide SSO to all applications (web-based and thick client); however, most SSO discussions concern getting a user to authenticate automatically to a web-based service.
Web-based applications tend to use SAML (Security Assertion Markup Language) or OIDC (OpenID Connect) to provide SSO.
Software as a service is a third-party web-based application that is bought by an organisation for day-to-day use. Typically, organisations subscribe to the service hosted in the cloud, scaling as required, with patches and performance updates occurring automatically. Organisations give up control, particularly around data security, but benefit from significant cost savings versus building and maintaining an in-house application for the same purpose.
Examples include: Salesforce, Concur, ServiceNow and Office 365.
User provisioning relates to the creation (provisioning) of a user account (object) in a system. This could be a directory service, an application or some database system. It can be on-premises or cloud-based.
A typical identity and access management system would automate the creation of user accounts – as well as update, disable and delete as required – significantly reducing the administration workload for an IT department.
Self-service password reset gives users the ability to reset their own password (for example, if they have forgotten it) without the need to raise a ticket with their organisation’s service desk. The password reset would typically prompt them to answer pre-set, personal questions, or would use multi-factor authentication (e.g. a PIN sent to the user’s mobile phone).
Given the frequency of password reset requests, SSPR is popular with internal IT departments – and a key feature and benefit of identity management systems.