Glossary of Terms
Access – Ability to make use of any information system resource, including but not limited to data, services, schemas, functional accounts, applications, images, processes, and APIs.
Access Control – the set of practices that allows only those who are permitted to perform a given action on a particular resource. The three access control components most people encounter every day, often without realizing it, are policy administration, authentication, and authorization.
Access Management (or Access Administration) – the set of practices and processes associated with providing coarse-grained access to resources inside and outside of an organization. Granting access to resources and assets is typically viewed as an administrative function and is a common approach when organizations do not have an Identity & Access Management capability within their cybersecurity/information security organization.
Active/Simultaneous users – The subset of concurrent users that are simultaneously taking any action that utilizes a system’s compute resources.
Affiliation – the combination of one’s relationship with an organization and some form of trusted identity (which may not be from within the organization).
All Other Identities (AoID) – the universe of non-employee identities in the digital world: identities (actors) that do not fit natively into any of today’s identity solution technologies.
Approval – the granting of access to system resources based upon the acknowledgement of the appropriateness of that access by a party or person other than the requester. Approval is most often associated with the function called Identity Governance (IGA) and can be granted using approaches such as Role Based Access Control (RBAC), Attribute Based Access Control (ABAC) or least-privileged access.
Attack Surface – The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.
Attribute – An attribute is any distinctive feature, characteristic, or property of an object that can be identified or isolated quantitatively or qualitatively by either human or automated means.
Audit – Independent review and examination of records and activities to assess the adequacy of system controls and to ensure compliance with established policies and operational procedures. Audits may be conducted by an organization upon itself, by an external organization such as an accounting firm, or by a government agency in the case of regulatory audits.
Authentication (AuthN) – Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. The most useful approach to understanding authentication is by asking “are you who (or what) you say you are?”
Authoritative Source – a repository of trusted information about an entity (e.g., person, organization, thing, etc.). For example, an HR system might be authoritative for employee data and a contract management system might be authoritative for vendor contract details.
Authorization – The right or a permission that is granted to a system entity, user or process to access a system resource. The most useful approach to understanding authorization is by asking “are you doing what you are supposed to be doing?”
AuthZ – Common abbreviation for Authorization (see above); the right or permission granted to a system entity to access a system resource. Paired with AuthN for Authentication.
Bad Actor – A cybersecurity adversary who intends to attack information technology systems.
Bring your own Identity (BYOI/BYOID) – BYOI is a form of federated identity where access to different service providers’ (SP) services is permitted using credentials provided by a third-party identity provider (IdP), not credentials created for the service itself. In practice, this means that users can access the service with identity credentials that they already have instead of creating new ones.
Brute Force – A method of gaining access to a system, device, or account by systematically trying many candidate passwords or keys until one succeeds. Password spraying is usually grouped with brute force but inverts the pattern: instead of many guesses against one account (which trips lockout thresholds), it tries a few common passwords against many accounts, so per-account failure counts stay low and detection has to look at the source rather than the target.
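The contrast between the two patterns is easiest to see in authentication logs. The following is an added example written for this glossary, not code from the original page or from any product: it parses a constructed log in an assumed "timestamp source_ip username result" format, groups failed logins per source within a fixed window, and labels a source as classic brute force (many failures against one account) or password spraying (few failures each across many accounts). The field layout, thresholds, and sample lines are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Fields:
# timestamp  source_ip  username  result
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 203.0.113.5 alice FAIL
2024-03-01T09:00:03Z 203.0.113.5 alice FAIL
2024-03-01T09:00:05Z 203.0.113.5 alice FAIL
2024-03-01T09:00:07Z 203.0.113.5 alice FAIL
2024-03-01T09:00:09Z 203.0.113.5 alice FAIL
2024-03-01T09:00:11Z 203.0.113.5 alice FAIL
2024-03-01T09:01:00Z 198.51.100.7 alice FAIL
2024-03-01T09:01:01Z 198.51.100.7 bob FAIL
2024-03-01T09:01:02Z 198.51.100.7 carol FAIL
2024-03-01T09:01:03Z 198.51.100.7 dave FAIL
2024-03-01T09:01:04Z 198.51.100.7 erin FAIL
2024-03-01T09:01:05Z 198.51.100.7 frank FAIL
2024-03-01T09:01:06Z 198.51.100.7 grace SUCCESS
2024-03-01T09:02:00Z 192.0.2.10 bob FAIL
2024-03-01T09:02:10Z 192.0.2.10 bob SUCCESS
"""

WINDOW = timedelta(minutes=10)  # assumed detection window


def parse_log(text):
    """Turn the assumed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src,
            "user": user,
            "ok": result == "SUCCESS",
        })
    return events


def _bucket(ts):
    """Floor a timestamp to the start of its fixed-size window."""
    epoch = datetime(1970, 1, 1, tzinfo=ts.tzinfo)
    n = (ts - epoch) // WINDOW
    return epoch + n * WINDOW


def detect(events, spray_min_users=5, spray_max_per_user=2, brute_min_failures=5):
    """Classify each (source, window) as brute force, password spray, or nothing."""
    failures = defaultdict(lambda: defaultdict(int))  # (src, window) -> user -> fails
    successes = defaultdict(set)                      # (src, window) -> users logged in
    for e in events:
        key = (e["src"], _bucket(e["ts"]))
        if e["ok"]:
            successes[key].add(e["user"])
        else:
            failures[key][e["user"]] += 1

    findings = []
    for (src, window), per_user in failures.items():
        kind = None
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            kind = "password_spray"   # many accounts, few tries each
        elif max(per_user.values()) >= brute_min_failures:
            kind = "brute_force"      # one account hammered repeatedly
        if kind:
            findings.append({
                "source": src,
                "window_start": window.isoformat(),
                "kind": kind,
                "failed_attempts": sum(per_user.values()),
                "distinct_users": len(per_user),
                # Accounts the same source then logged into successfully:
                # the first candidates for a forced credential reset.
                "successes": sorted(successes.get((src, window), ())),
            })
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f)
```

The benign source 192.0.2.10 (one failure, then success) produces no finding, while the spraying source is reported together with the account it eventually got into. A per-account lockout alone would have missed it: no account saw more than one failure.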
California Consumer Privacy Act (CCPA) – a law that allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the law gives consumers a private right of action for certain data breaches caused by a failure to maintain reasonable security, while the state enforces its other requirements.
Certification (or Access Certification) – the periodic review, by an accountable owner, of who holds what access, confirming that each access is appropriate, least-privileged, and was accurately requested and approved. Regulations such as Sarbanes-Oxley (SOX) require obligated companies (both US and international) to perform these reviews regularly. Frequency ranges from quarterly for critical business applications to annually (or even once every two to three years) for low-risk applications and systems.
Chief Information Officer (CIO) – agency official responsible for: (i) Providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; (ii) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and (iii) Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
Chief Information Security Officer (CISO) – A senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure that information assets and technology are protected.
Churn – a measurement of the percentage of accounts that cancel or choose not to renew their subscriptions.
Cloud Identity Management – A service such as Okta that is hosted in the cloud, offering identity, authentication, and authorization functions for other cloud-hosted software services. A cloud identity management system is an alternative to traditional directory service systems, which typically manage identity for on-premises monolithic enterprise applications and often leave each cloud service with its own siloed identity store that must be managed individually, complicating lifecycle management.
Concurrent users – Users accessing a system within a given period of time with the potential to take an action.
Controls – the methods by which organizations reduce risk. Control frameworks such as those published by NIST and ISO provide guidance across security domains such as identity, threat and vulnerability management, network security, and data protection; Gartner’s CARTA model is a related risk-adaptive approach rather than a control catalogue. Control effectiveness is a common measure of an organization’s security performance.
Credential – Evidence attesting to one’s right to credit or authority. In IAM, an object or data structure (such as a password, token, key, or certificate) that binds an identity to an authenticator.
Cyberattack – An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
Cyber Resiliency – The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.
Learn more: Cyber Resilience with Third-Party Identity Risk
Cyber Risk – The risk of depending on cyber resources, i.e., the risk of depending on a system or system elements which exist in or intermittently have a presence in cyberspace.
Cybersecurity – The technologies and processes designed to protect computers, networks and data from unauthorized access, vulnerabilities, and attacks.
Cyberthreat – Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Data – Information in a specific representation, usually as a sequence of symbols that have meaning.
Data Breach – Refers to an incident whereby data is accessed by an unauthorized individual or software system.
Learn more: Anatomy of a Third-Party Breach
Data Privacy – Also known as information privacy or data protection. Data privacy focuses on the ability of an organization to protect data from unauthorized access or misuse and the ability to share data according to the organization’s policies and procedures. Data privacy demands may be driven by supranational or national law such as the EU’s GDPR, by regulatory agencies such as the FTC, or by US states such as California’s CCPA.
Delegated Administration – the transfer of responsibility for a specific administrative task from a higher authority to a lower authority. From an operational perspective, a higher-level administrator confers upon a lower-level administrator the authority to carry out a specific administrative task; from a technical perspective, the higher-level administrator grants the lower-level administrator a controlled set of permissions sufficient for that task and no more.
De-provisioning – The removal of an individual’s organizational digital identity, access, and privileges.
Digital Identity – information on an entity used by computer systems to represent an external agent. That agent may be a person, organization, application, or device. A digital identity is distinguished from a mere account and password by the fine-grained characteristics and attributes associated with the external agent, such as mobile device number, geolocation, IMEI, or biometrics.
Digital Transformation – the adoption of digital technology by a company to improve business processes, value for customers and innovation.
Due diligence – conducting a review of a potential third party prior to signing a contract to help ensure the organization selects an appropriate third party to partner with, and that the organization understands both the inherent and residual risks posed by the relationship.
Employee Identity Management – the process of verifying an employee’s identity and their level of access to a particular system; it begins with onboarding and requires ongoing maintenance, such as when employees change roles or leave the organization. It also often includes an authentication scheme, such as having the employee set their account password.
End-user – The person that uses a product for its intended purpose.
Executive Order – The President’s Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity”, was issued on May 12, 2021, to improve the state of national cybersecurity in the US and to increase protection of government networks following the SolarWinds supply-chain compromise and the Colonial Pipeline ransomware attack.
Learn more: U.S. Cybersecurity Regulation: Fact or Fiction?
Event – Occurrence or change of a particular set of circumstances.
Federated Identity – The agreed process of authentication between an organization, or Service Provider, and an external party, or Identity Provider. It is a mutual trust relationship that gives users access to a Service Provider’s applications by first confirming their credentials and permissions through the Identity Provider.
Federated Identity Management – A process that allows for the conveyance of identity and authentication information across a set of networked systems.
Federated Access – a form of single sign-on that allows users to use a single credential to authenticate across multiple organizations’ systems and websites.
Fourth Parties – An organization’s third parties’ subcontractors and their own third parties. It is important to understand who your critical fourth parties are and the level of risk they may pose.
General Data Protection Regulation (GDPR) – a legal framework that establishes rules on how companies, governments and other entities can process the personal data of individuals in the EU, regardless of those individuals’ citizenship.
Governance, Risk, and Compliance (GRC) – A set of processes and procedures to help organizations achieve business objectives, address uncertainty, and act with integrity.
Group – A named collection of user IDs.
Health Insurance Portability and Accountability Act (HIPAA) – the primary law in the United States that governs the privacy and accessibility of healthcare information. HIPAA requirements prohibit health care providers and other health related organizations from inappropriately sharing or using patient data, but importantly HIPAA does not prohibit any patient from choosing to or actually sharing their own personal health data.
Human Resource Information System (HRIS) – a form of human resources software that combines a number of systems and processes to ensure the easy management of human resources, business processes and data.
Identity – The set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.
Learn more: Identity at the Center #62 – Managing Third Party Identity with David Pignolet from SecZetta; Beyond the Pandemic: A decade of identity evolution forced into one chaotic year. What’s next?
Identity and Access Management (IAM) – Ensuring the right people have the right access at the right time. Includes not only granting access but updating and removing access appropriately.
Learn more: What is IAM? (AKA: Back to the basics)
Identity ascription – The act of giving a “thing” or an actor in the digital world an identity. This capability is most often seen in situations where the actor or thing is not a proxy representation of a human being. Bots, devices, processes, and other system related actors are the most common examples.
Identity assurance – The missing link in identity. Identity assurance is the continuous process of determining who an actor is and why that actor or identity should be trusted. Identity Assurance is not persistent trust (which would violate the core principles of Zero Trust). Instead, Identity Assurance is the evaluation and ranking of trust on a per-transaction basis, with the expectation that trust is re-evaluated each time an identity or actor engages in a new transaction type.
Identity Authority – A trusted single system of record for authoritative information about all an organization’s identities (employees, third-party users, supply chain, franchises, non-human entities, etc.) purpose-built to support identity and access processes, systems, and decision-making. To be a trusted system of record, it must be complete, current, and accessible.
Identity Consolidation – Identity Consolidation enables organizations to simplify their Identity Governance and Administration (IGA) efforts by merging and organizing people data from many different sources such as disparate HR systems or other authoritative repositories, establishing and maintaining master identities in a centralized repository.
Identity Defined Security Alliance (IDSA) – a group of identity and security vendors, solution providers and practitioners that acts as an independent source of thought leadership, expertise and practical guidance on identity-centric approaches to security for technology professionals.
Identity Governance and Administration (IGA) – tools designed to manage digital identity and entitlements (access rights) across multiple systems and applications. The most useful approach to understanding IGA is to ask the question “do you have what you are supposed to have?”
Identity Management (IDM) – the act of using processes and solutions for the creation and management of user or connected device information.
Learn More: The Crisis in Identity Lifecycle Management
Identity Master Repository – a single system of record created through the consolidation of authoritative record data from many different sources, such as HR systems or other repositories, to create a master identity.
Identity Proofing – Verifying the claimed identity of an applicant by authenticating the identity source documents provided by the applicant.
Identity Risk Management – a discipline within GRC that deals specifically with risks that are in some way identity-related.
Learn more: Identity Risk
Incident Response – the coordinated and methodical approach to prepare for, identify, contain, and recover from a security event.
Inherent Risk – The risk to an entity in the absence of any direct or focused actions by management to alter its severity. The most useful approach to understanding inherent risk is asking the question “what are my risks if I do nothing at all?”
Insider Threat – An insider threat is a security risk that originates from within the targeted organization. It typically involves a current or former employee or business associate who has access to sensitive information or privileged accounts within the network of an organization, and who misuses this access.
Internet of Things (IoT) – A development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.
Least Privileged Access Control – The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.
Level of Assurance – OMB Memorandum M-04-04 described four levels of identity assurance and referenced NIST technical standards and guidelines developed for agencies to use in identifying the appropriate authentication technologies for their requirements. M-04-04 has since been rescinded by OMB M-19-17, and the current NIST SP 800-63-3 replaces the single scale with separate Identity, Authenticator, and Federation Assurance Levels (IAL, AAL, FAL).
Lifecycle Management – Evolution of a system, product, service, project, or other human-made entity from conception through retirement.
Multifactor Authentication – Authentication using two or more distinct factors. Factors include: (i) something you know (e.g., password or personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Two instances of the same factor (two passwords) do not count as multifactor.
Nth Parties – parties that contribute to third-party risk but are completely opaque to the customer: your fourth, fifth, sixth parties and so on. Depending on your supply chain, you could have risk exposure at levels seemingly far removed from your business.
Next Generation Access Control (NGAC) – a NIST-developed, attribute-based access control standard, standardized through INCITS, that offers fine-grained authorization policy management for what is quickly becoming a perimeter-less enterprise network. It addresses the same problem space as XACML but differs in architecture: policy is expressed as a graph of users, objects, attributes, associations and prohibitions rather than as rule sets evaluated per request. NGAC provides access control for different types of resources accessed by various kinds of applications and users. Its infrastructure is scalable and can support policies of different types simultaneously, while remaining manageable as technologies change, data volumes grow, and organizations undergo restructuring. Its flexibility and adaptability to future states position it to play an important role in helping organizations meet a variety of compliance requirements pertaining to access control.
Non-Employee System of Record – an authoritative source for data about non-employees – vendors, partners, contractors, freelancers, bots, service accounts, and other non-employee populations.
Learn more: The Non-Employee System of Record
Non-human Worker(s) – IoT devices, bots, service accounts, all interconnected within a network, often receiving privileged access to systems and data.
Offboarding – the timely removal of all access (not just core access such as Active Directory) upon the departure or transfer of a human resource from an organization. The most consistent source of excessive access is failed off-boarding or transfer handling: an account that outlives the relationship behind it keeps every entitlement it ever accumulated.
Onboarding – the process by which an organization establishes a relationship with an entity (person, organization, or thing) and completes tasks necessary for the entity to execute that relationship (e.g., policy signatures, approvals, account provisioning, etc.).
Learn more: Collaborated Onboarding of a Non-Employee Demo
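The Offboarding and De-provisioning entries above describe the failure; the practical check is to reconcile every downstream account against the authoritative source (the Identity Authority or Non-Employee System of Record) on a schedule. The following is an added example written for this glossary, not code from the original page or any product: it compares a constructed identity table with constructed account inventories and reports leavers who still have access, accounts with no identity behind them, and engagements about to end. The data shapes, statuses, and the 14-day horizon are assumptions.

```python
from datetime import date, timedelta

# Constructed authoritative source: one row per identity from HR or the
# non-employee system of record. `end_date` is a contract or employment end.
IDENTITIES = {
    "alice": {"status": "active", "end_date": None},
    "bob":   {"status": "terminated", "end_date": date(2024, 2, 15)},
    "carol": {"status": "active", "end_date": date(2024, 3, 31)},  # contractor
    "dave":  {"status": "active", "end_date": date(2024, 3, 1)},   # HR status lags end date
}

# Constructed account inventory pulled from downstream systems.
ACCOUNTS = [
    {"system": "ad", "account": "alice"},
    {"system": "ad", "account": "bob"},
    {"system": "github", "account": "bob"},
    {"system": "github", "account": "carol"},
    {"system": "ad", "account": "dave"},
    {"system": "vpn", "account": "svc-backup"},  # nobody in the source owns this
]


def reconcile(identities, accounts, today, expiring_within_days=14):
    """Compare downstream accounts with the authoritative identity source."""
    findings = {"leaver_still_has_access": [], "orphaned": [], "expiring_soon": []}
    horizon = today + timedelta(days=expiring_within_days)
    for acct in accounts:
        ref = (acct["system"], acct["account"])
        ident = identities.get(acct["account"])
        if ident is None:
            findings["orphaned"].append(ref)  # needs identity ascription or removal
            continue
        end = ident["end_date"]
        # Treat either signal as "left": an explicit status, or an end date that
        # has passed even if HR has not yet flipped the status.
        left = ident["status"] != "active" or (end is not None and end < today)
        if left:
            findings["leaver_still_has_access"].append(ref)
        elif end is not None and end <= horizon:
            findings["expiring_soon"].append(ref)  # schedule the offboarding now
    return findings


def deprovision_queue(findings):
    """Accounts to disable immediately: access that outlived its relationship."""
    return list(findings["leaver_still_has_access"])


def review_queue(findings):
    """Accounts that need a human decision rather than an automatic disable."""
    return findings["orphaned"] + findings["expiring_soon"]


if __name__ == "__main__":
    result = reconcile(IDENTITIES, ACCOUNTS, date(2024, 3, 20))
    print("disable now:", deprovision_queue(result))
    print("review:", review_queue(result))
```

Note that bob is caught in both systems, not just Active Directory, and dave is caught although HR still lists him as active: reconciling against the end date as well as the status is what closes the gap between the source of record and the systems that actually grant access.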
Operational Resilience – The ability of systems to resist, absorb, and recover from or adapt to an adverse occurrence during operation that may cause harm, destruction, or loss of ability to perform mission-related functions.
Operational Risk – The risk of loss from inadequate or failed processes, people, or systems or from external events. According to the US Office of the Comptroller of the Currency (OCC), operational risk is present in all products, services, functions, delivery channels, and processes. Specifically, an organization’s exposure to operational risk may be increased by third-party relationships because the organization may not have direct control over the activity performed by the third party.
Phishing – A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.
Privilege – A right granted to an individual, a program, or a process.
Privileged Account Management (PAM) – the practice of removing privileged entitlements from an individual’s standing access and placing them in a process-controlled store such as a password vault. Use of a vaulted privilege must be requested and approved, the credential checked out for the session and then checked back in, after which its secret (password, key, MFA enrolment, etc.) is rotated so that it cannot be used again without going through the request and approval process.
Privileged Identity Management (PIM) – Privileged Identity Management (PIM) is a capability within identity management focused on the special requirements of managing highly privileged access. PIM is an information security and governance tool to help companies meet compliance regulations and to prevent system and data breaches through the improper use of privileged accounts.
Provisioning – The process of creating accounts and granting the entitlements a user needs to access applications and services.
Purpose-built – designed to meet specific business requirements, e.g., to solve a specific challenge.
Ransomware – a type of malicious software designed to block access to a computer system until a sum of money is paid.
Reputation risk – The risk to the organization’s financial condition and resilience arising from negative public opinion. Third-party relationships that do not meet the expectations of an organization’s customers, shareholders, regulators, local community, or other external stakeholders can expose the organization to reputation risk. For example, when an organization is offering products and services originated by third parties as its own, the organization can be exposed to substantial financial and reputational damage if it does not maintain adequate quality control over those products and services as well as adequate oversight over the third party’s activities.
Residual Risk – residual risk is the financial, reputational, or operational exposure to negative consequences after controls and processes have been applied to a known inherent risk.
Revalidation – The act of verifying existing information known about an entity is current and accurate. See validation.
Reverification – reconfirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome). See verification.
Risk – The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Risk Appetite – The types and amount of risk, on a broad level, an organization is willing to accept in its pursuit of value.
Risk Assessment – The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Risk Rating – the classification of risks and their impacts on the business in terms of reputational or economic damage to an organization or a sector.
Role – A job function or employment position to which people or other system entities may be assigned in a system.
Role Based Access Control (RBAC) – Access control based on user roles and profiles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals.
Rule Based Access Control – Under rule based access control, access is allowed or denied to resource objects based on a set of rules defined by a system administrator. As with Discretionary Access Control, access properties are stored in Access Control Lists (ACL) associated with each resource object. When a particular account or group attempts to access a resource, the operating system checks the rules contained in the ACL for that object.
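The Role Based Access Control entry above notes that permissions may be inherited through a role hierarchy, and the Certification and Least Privileged Access Control entries describe reviewing what that inheritance actually grants. The following is an added example written for this glossary, not code from the original page or any product: a small RBAC evaluator in Python in which each role inherits the permissions of its junior roles, plus a review helper that lists permissions a user holds but never exercised. Role names, the resource/action pairs, and the user assignments are constructed.

```python
# Constructed role hierarchy: role -> junior roles it inherits from.
ROLE_PARENTS = {
    "employee":   [],
    "engineer":   ["employee"],
    "team-lead":  ["engineer"],
    "contractor": [],
}

# Constructed direct permissions per role as (resource, action) pairs.
ROLE_PERMISSIONS = {
    "employee":   {("wiki", "read")},
    "engineer":   {("repo", "read"), ("repo", "push")},
    "team-lead":  {("repo", "approve")},
    "contractor": {("repo", "read")},
}

# Constructed assignments: user -> roles.
USER_ROLES = {"alice": {"team-lead"}, "bob": {"contractor"}}


def effective_permissions(role, parents=ROLE_PARENTS, perms=ROLE_PERMISSIONS):
    """Permissions of `role` plus everything inherited down the hierarchy.

    Iterative walk with a visited set, so a mis-configured cycle cannot loop forever.
    """
    if role not in parents and role not in perms:
        raise KeyError(f"unknown role {role!r}")
    result, stack, seen = set(), [role], set()
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        result |= perms.get(r, set())
        stack.extend(parents.get(r, []))
    return result


def user_permissions(user, user_roles=USER_ROLES, **kw):
    """Union of effective permissions over all roles assigned to the user."""
    out = set()
    for role in user_roles.get(user, ()):
        out |= effective_permissions(role, **kw)
    return out


def is_authorized(user, resource, action, **kw):
    """The per-request authorization decision ("are you doing what you should?")."""
    return (resource, action) in user_permissions(user, **kw)


def unused_permissions(user, used, **kw):
    """Least-privilege review: granted permissions the user did not exercise.

    `used` is the set of (resource, action) pairs observed in access logs for
    the review period; what is left is the candidate list for removal.
    """
    return user_permissions(user, **kw) - set(used)


if __name__ == "__main__":
    print(sorted(user_permissions("alice")))
    print(is_authorized("bob", "repo", "push"))
```

A reviewer certifying alice's access sees four permissions although only one was assigned directly to her role; that is the inheritance the RBAC entry refers to, and it is exactly what a certification campaign has to surface rather than the role names alone.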
Supply Chain – Linked set of resources and processes between multiple tiers of developers that begins with the sourcing of products and services and extends through the design, development, manufacturing, processing, handling, and delivery of products and services to the acquirer.
Learn more: Securing the Supply Chain from Identity Risk
Supply Chain Management – The active management of supply chain activities to mitigate risk, maximize customer value, and achieve a sustainable competitive advantage for an organization. Most usually applied to production processes, in some models supply chain management covers the entire value chain, from raw materials to sale of the finished goods and beyond.
Supplier Risk Management – A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats, whether presented by the supplier, the supplied product and its subcomponents, or the supply chain itself (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).
System of Record (SoR) – In the US Privacy Act sense, a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying attribute assigned to the individual. More generally, the authoritative source for a given set of data.
Termination – The process by which user or customer credentials or privileges are de-provisioned and removed.
Third parties – vendors, partners, contractors, freelancers, bots, service accounts, and other non-employee populations.
Third-party identity risk – the potential threat presented to organizations’ employee and customer data, financial information, and operations from a specific identity/entity within a third-party non-employee organization that has been granted access to the organizations’ data and systems.
Third-party risk – the potential threat presented to organizations’ employee and customer data, financial information and operations from the organization’s supply chain and other outside parties that provide products and/or services and have access to privileged systems.
Third-party risk management (TPRM) – TPRM is the process of identifying, assessing, and controlling the risks an organization is faced with as a result of its relationship with another organization (the third party).
Learn more: The Identity Gap in Third-Party Risk Management
Third-party risk management lifecycle – A framework of the natural stages that the relationship between an organization and a third party evolves through over time. The stages often include:
Third-party risk management programs are usually constructed to manage each stage within this life cycle in the context of the organization’s overall risk appetite and resilience objectives.
User – Individual or (system) process authorized to access an information system.
User Deprovisioning – the process of disabling, deactivating, or deleting user access to applications and resources
User Lifecycle Management – the process of managing user access by creating, modifying, and deactivating/deleting user accounts and their profiles across IT infrastructure and business applications. Often also referred to as managing joiner, mover, and leaver (JML) processes.
User Provisioning – the process of creating and managing user access to applications and resources
Validation – Confirmation that details about an entity are current and accurate.
Vendor Risk Management – Often used interchangeably with third-party risk management. However, vendor risk management is a slightly narrower term. Third-party risk management includes a variety of other third-party relationships apart from vendors, such as services provided by affiliates and subsidiaries.
Verification – Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome).
Vetting – The process of thoroughly investigating and validating information collected from or about an individual for the purpose of issuing credentials or privileges.
Zero Trust – A collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
Zero Trust Architecture (ZTA) – an enterprise’s cybersecurity plan that applies zero trust concepts to its component relationships, workflow planning, and access policies. It limits the impact of ransomware and other cybersecurity threats by granting only the least access required to perform a specific task and by re-evaluating each access decision rather than trusting a network location.