Identity and Access Management Terms Your C-Suite Needs to Know
Now that your C-suite understands your company’s information security program, it’s time to move further into the educational phase.
As you evaluate and prioritize the risks your organization faces, identity and access management (IAM) should become a clearer and clearer priority. To help you educate your CEO on the need for increased investment in modern IAM solutions, here is some key IAM terminology that you can use as you work to transition your company to a more modern strategy.
Authentication: Authentication is the process used to validate the identity of an individual, traditionally through username and password credentials. It consists of two steps: identification of the user through an identifier, such as a username, and verification of the user's authenticity through information only that user should be able to present, such as a password. Authentication should not be confused with authorization, which is the process by which an authenticated identity is granted access to particular system resources (the ability to view and/or interact with them). Put simply, authentication answers "who are you?" and authorization answers "what are you allowed to do?"
- Contextual or Context-Based Authentication: Context-based authentication is an authentication process that uses policy to decide whether an authentication attempt is valid. In context-based authentication, signals such as geolocation, IP address reputation, device identity, and even behavioral analysis are combined to determine whether a log-in attempt is allowed to proceed, is challenged for additional proof, or is blocked.
- Multi-Factor Authentication: Multi-factor authentication is an authentication process that requires verification from at least two different categories of authentication factors to validate a user. Those categories are: knowledge (something the user knows, such as a password or PIN), possession (something the user has, such as a hardware token or a registered phone), and inherence (something the user is, such as a fingerprint). Two factors from the same category, for example a password plus a security question, do not count as multi-factor. A key challenge of MFA is the balance between security, which increases with the number of factors demanded, and usability, which decreases as more factors are required.
- Risk-Based Authentication: Similar to contextual authentication, risk-based authentication is a more intelligent authentication process that learns a user's typical usage pattern and uses signals such as device type, geographic location, and time of day to judge whether a log-in attempt is consistent with that baseline (and therefore low-risk) or deviates from it (and therefore higher-risk). The risk score rises the more the attempt deviates from the user's normal pattern; above one threshold the user is required to present additional credentials, and access policy can mandate that the attempt be denied outright above a higher threshold.
- Single Sign-On (SSO): SSO systems are authentication gateways that allow users to access multiple applications or systems with a single log-in.
- Strong Authentication: Strong authentication is any authentication process whose requirements are stringent enough to withstand outside attacks. NIST SP 800-63B (Authentication and Lifecycle Management), section 4, defines three Authenticator Assurance Levels (AALs). AAL1 permits a single factor. AAL2 requires proof of two distinct factors, either through two single-factor authenticators (for example, a password and an OTP token) or through one multi-factor authenticator that must itself be unlocked by a second factor (for example, an OTP device activated with a PIN or biometric). AAL3 additionally requires a hardware-based authenticator that provides verifier impersonation resistance, which is what makes it resistant to phishing; for administrator and other high-value accounts, AAL3 is the level to aim for.
- Two-Factor Authentication: The most common form of multi-factor authentication, two-factor authentication requires exactly two validation mechanisms from different factor categories, such as a password (knowledge) and a one-time code from a security token (possession).
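The contextual and risk-based authentication entries above describe a scoring loop: learn a baseline from the user's past logins, score each new attempt by how far it deviates, and let policy thresholds choose between allowing it, stepping up to a second factor, or denying it. The following is an added example that is not code from the original post or from any vendor's product; the signal weights, the thresholds, the user "alice", her history and the four sample attempts are all constructed assumptions, and a real deployment would tune the weights from its own login data.

```python
"""Risk-based (context-based) login decision over constructed events.

Added illustration, not code from the original post. A login attempt is
scored against a baseline learned from the user's prior successful logins;
the score selects allow / step-up (demand a second factor) / deny.
Weights, thresholds, the user and the sample events are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str
    country: str
    hour: int            # local hour of day, 0-23
    ip_reputation: str   # "good", "unknown" or "bad" (from a reputation feed)


@dataclass(frozen=True)
class UserBaseline:
    known_devices: frozenset
    usual_countries: frozenset
    usual_hours: range   # hours during which the user normally logs in


# Points added per risk signal (assumed weights; tune to your environment).
WEIGHTS = {
    "new_device": 30,
    "unusual_country": 35,
    "odd_hour": 15,
    "unknown_ip": 10,
    "bad_ip": 50,
}
STEP_UP_THRESHOLD = 30   # at or above: demand a second factor
DENY_THRESHOLD = 70      # at or above: refuse the attempt


def learn_baseline(history):
    """Build a baseline from prior successful logins; refuse to learn from nothing."""
    if not history:
        raise ValueError("no successful logins to learn from")
    hours = [a.hour for a in history]
    return UserBaseline(
        known_devices=frozenset(a.device_id for a in history),
        usual_countries=frozenset(a.country for a in history),
        usual_hours=range(min(hours), max(hours) + 1),
    )


def score_attempt(attempt, baseline):
    """Return (score, reasons): how far the attempt deviates from the baseline."""
    reasons = []
    if attempt.device_id not in baseline.known_devices:
        reasons.append("new_device")
    if attempt.country not in baseline.usual_countries:
        reasons.append("unusual_country")
    if attempt.hour not in baseline.usual_hours:
        reasons.append("odd_hour")
    if attempt.ip_reputation == "bad":
        reasons.append("bad_ip")
    elif attempt.ip_reputation == "unknown":
        reasons.append("unknown_ip")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(attempt, baseline):
    """Map the risk score to a policy action. No baseline yet => always step up."""
    if baseline is None:
        return "step_up", None, ["no_baseline"]
    score, reasons = score_attempt(attempt, baseline)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed history: alice logs in from one laptop, in the US, during office hours.
ALICE_HISTORY = [
    LoginAttempt("alice", "laptop-7f3a", "US", 8, "good"),
    LoginAttempt("alice", "laptop-7f3a", "US", 9, "good"),
    LoginAttempt("alice", "laptop-7f3a", "US", 17, "good"),
]
ALICE_BASELINE = learn_baseline(ALICE_HISTORY)

# Constructed attempts, from routine to clearly hostile.
ROUTINE = LoginAttempt("alice", "laptop-7f3a", "US", 10, "good")     # nothing unusual
NEW_PHONE = LoginAttempt("alice", "phone-91c2", "US", 10, "good")    # new device only
TRAVEL = LoginAttempt("alice", "laptop-7f3a", "NZ", 9, "good")       # known device, new country
HOSTILE = LoginAttempt("alice", "unknown-box", "NZ", 3, "bad")       # everything wrong at once

if __name__ == "__main__":
    for label, attempt in [("routine", ROUTINE), ("new phone", NEW_PHONE),
                           ("travel", TRAVEL), ("hostile", HOSTILE)]:
        action, score, reasons = decide(attempt, ALICE_BASELINE)
        print(f"{label:10s} -> {action:8s} score={score} reasons={reasons}")
```

Two design points are worth noting. A user with no history gets stepped up rather than allowed, because a scoring engine cannot judge deviation from a baseline it does not have. And "step up" is the middle outcome on purpose: the travelling employee on a known laptop should be asked for a second factor, not locked out, while the attempt that trips every signal at once should never reach the password check at all.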
Compliance: In business terms, compliance is the state of being or the process of becoming compliant with relevant laws, regulations, or industry best practices.
- Attestation or Attestation of Compliance: Attestation or attestation of compliance is the process by which an organization formally declares its compliance with a standard to the relevant authority; for example, a merchant submits a PCI DSS Attestation of Compliance to its acquiring bank or the payment brands.
- Audit: In a compliance audit, independent third parties review and evaluate an organization’s compliance with regulatory requirements or guidelines.
- Governance: Governance is the creation of defined policies and the monitoring and enforcement of their implementation, particularly as it relates to compliance.
- Risk Management: Risk management is the practice of identifying and forecasting potential threats to the organization, prioritizing those threats, and executing strategies to minimize them.
Password Vaulting: This refers to securely storing, and regularly rotating or randomizing, the passwords of critical service and administrative accounts, both directory accounts and 'local machine' accounts. The effort is focused on preventing pass-the-hash and similar attacks. When every workstation is imaged with the same local administrator password, an attacker who obtains that account's password hash from one machine can authenticate to every other machine with the hash itself, without ever cracking it, and move quickly across the fleet. Giving each machine its own randomly generated, regularly rotated password confines such a compromise to the one host.
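The paragraph above names the precondition that pass-the-hash relies on (one local-admin password hash shared by many machines) and the remedy (unique, regularly rotated passwords per host). The following is an added example that is not code from the original post or from any vault product: it audits a constructed host inventory for shared and stale local-admin passwords, rotates the offending hosts to unique random passwords, and confirms the inventory is clean afterwards. The inventory, the dates, the 30-day policy and the use of SHA-256 as a stand-in for the NT hash (which is really MD4 over UTF-16LE) are all assumptions.

```python
"""Password vaulting for local administrator accounts.

Added illustration, not code from the original post or any vault product.
Audits a constructed inventory for the pass-the-hash precondition (one
local-admin hash present on many hosts) and for stale passwords, then
rotates the affected hosts to unique random passwords. The inventory,
dates, policy and the SHA-256 stand-in for the NT hash are assumptions.
"""
import hashlib
import secrets
import string
from collections import defaultdict
from datetime import datetime, timedelta

ROTATION_MAX_AGE = timedelta(days=30)   # assumed policy: rotate at least monthly
NOW = datetime(2016, 1, 15)             # constructed "today" so results are repeatable


def password_hash(password: str) -> str:
    """Stand-in for the NT hash (really MD4 over UTF-16LE); SHA-256 keeps this runnable."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def build_sample_inventory():
    """Constructed inventory: host -> {hash, rotated}. Three workstations were imaged
    with the same local-admin password, which is exactly what pass-the-hash exploits."""
    imaged = password_hash("Winter2015!")
    return {
        "ws-01": {"hash": imaged, "rotated": datetime(2015, 10, 1)},
        "ws-02": {"hash": imaged, "rotated": datetime(2015, 10, 1)},
        "ws-03": {"hash": imaged, "rotated": datetime(2015, 10, 1)},
        "srv-db": {"hash": password_hash("db-admin-2015"), "rotated": datetime(2015, 12, 1)},
        "srv-web": {"hash": password_hash("web-admin-jan"), "rotated": datetime(2016, 1, 10)},
    }


def find_shared_hashes(inventory):
    """Return {hash: [hosts]} for every hash present on more than one host."""
    by_hash = defaultdict(list)
    for host, rec in inventory.items():
        by_hash[rec["hash"]].append(host)
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}


def find_stale(inventory, now=NOW):
    """Hosts whose password is older than the rotation policy allows."""
    return sorted(h for h, rec in inventory.items() if now - rec["rotated"] > ROTATION_MAX_AGE)


def random_password(length=24):
    """Per-host random password from a CSPRNG (never a pattern like hostname+year)."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(inventory, hosts, now=NOW):
    """Give each listed host its own random password. Returns {host: new_password};
    a real vault would store these encrypted and push them to the machines."""
    issued = {}
    for host in hosts:
        pw = random_password()
        inventory[host] = {"hash": password_hash(pw), "rotated": now}
        issued[host] = pw
    return issued


def audit_and_rotate(inventory, now=NOW):
    """One vault cycle: report sharing and staleness, rotate every offending host,
    and re-check the inventory afterwards."""
    shared = find_shared_hashes(inventory)
    stale = find_stale(inventory, now)
    to_rotate = sorted(set(stale) | {h for hosts in shared.values() for h in hosts})
    issued = rotate(inventory, to_rotate, now)
    return {
        "shared_before": shared,
        "stale_before": stale,
        "rotated": sorted(issued),
        "shared_after": find_shared_hashes(inventory),
        "stale_after": find_stale(inventory, now),
    }


if __name__ == "__main__":
    inv = build_sample_inventory()
    for key, value in audit_and_rotate(inv).items():
        print(f"{key}: {value}")
```

The sharing check is the one that matters most for pass-the-hash: a host whose password is merely old is a single target, but three hosts with the same hash are one target with three doors. The rotation itself is deliberately unglamorous; what makes vaulting effective is that it runs on a schedule and that nobody can predict the next password from the last one.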
Privileged Access Management (PAM): Also known as privileged account management or privileged session management, PAM is a category of software designed to monitor and control the activities of privileged accounts within systems, in order to prevent abuse or misuse of accounts with elevated privileges, such as the ability to access sensitive data or to change system configurations. These privileged accounts are not typically tied to individual humans; instead, "superuser," "root," "administrator," and "service" accounts are shared and managed jointly by an IT group, which is exactly why their use needs to be checked out, recorded, and attributable to a named person.
A few of the many threats that exist within the business landscape:
- Malware: Short for "malicious software," malware is software designed to compromise computers, in some cases damaging them and in other cases opening a foothold for further attack. Keyloggers, ransomware, rootkits, and Trojan horses are types of malware. APTs and phishing (below) are not malware themselves but the campaigns and delivery techniques that typically put malware in place.
- Advanced Persistent Threat (APT): An APT is an extended, multi-phase, targeted attack on a network. It frequently uses techniques, like social engineering, to deliver malware or steal credentials that enable attackers to enter systems, map them from the inside, and eventually capture and exfiltrate sensitive data.
- Keylogging: Keylogging is the use of hidden software or hardware to record users’ keystrokes, generally in order to capture user credentials, such as passwords.
- Phishing: Phishing is a social engineering technique in which attackers attempt to steal sensitive information by leading victims to believe that the attackers are reputable or legitimate entities, such as corporate IT staff or management.
- Ransomware: Ransomware is a particular payload, often installed and executed by other malware, that encrypts a victim's files or locks the system and denies the user access until a requested sum of money (the ransom) is paid to the attacker.
- Shadow IT: All too common in the enterprise, shadow IT refers to the adoption of technologies within a business without IT’s approval or involvement, often leading to security vulnerabilities.
- Spear Phishing: More sophisticated than phishing, spear phishing is highly targeted and makes use of personal details about the victim to appear legitimate. Attackers who use spear phishing often gain information by researching their victims online before making initial contact.
- Whaling: A highly specialized form of spear phishing, whaling takes spear phishing techniques and uses them to either impersonate or even defraud high-level executives, typically requesting that large sums of money be transferred to the attacker.
And the vulnerability tests designed to detect areas of weakness and security flaws in your systems and software:
- Penetration Test: While applicable to all industries (not just to cardholder-data environments, where PCI DSS requires it), penetration testing uses the findings of vulnerability scans and other reconnaissance to attempt to gain access to protected systems and data. In its "Information Supplement: Penetration Testing Guidance" (March 2015), the PCI Security Standards Council states the goal of penetration testing as: "To determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs, and/or cardholder data." Many of the most successful penetration testers lean on identity and credential attacks such as phishing for credentials, password guessing, and pass-the-hash; penetration testing is therefore crucial to confirming that IAM controls are doing their job.
- Vulnerability Scan: A vulnerability scan is an automated process that detects security flaws in given systems or networks by checking their software versions and configurations against a database of known weaknesses. Attackers run the same kinds of scans to determine where best to infiltrate your systems, which is a good reason to run them first and fix what they find.
Please note, however, that while these are some of the most common industry terms, this is by no means a comprehensive list of threats. Many others exist, among them exploits, spyware, Trojan horses, rootkits, and backdoors.
And there you have it: a primer of some of the most important authentication and security terms you need to know today. Making sure your CEO and the rest of your C-suite are up to date on today’s terminology is key to maintaining productive discussions as you move forward with your security planning, so make sure everyone is on the same page before turning to the next.