Newcomers and old hands alike can feel a little lost in the alphabet soup of acronyms in the identity management and protection arena. Some of the acronyms might seem fairly straightforward, but hidden complexities can lead to confusion or misunderstandings. In other cases, two or more acronyms relate to the same set of ideas, but the differences between them can greatly impact implementation and effectiveness.
To help you plan and implement an identity management program more effectively, or just feel less at sea, we’ve put together a list of the most common acronyms and their definitions:
IdM — identity management
This term is often used to refer to both the processes of managing and protecting identity information and the tools used. Generally, it refers to procedures used to make sure that only those who need to be identified by a system have identities in that system, and that the information stored in those identities is kept up to date.
IAM — identity and access management
Many organizations use this term interchangeably with IdM to describe the processes and procedures used to identify, authenticate, and grant access to users of platforms and systems. However, IAM is also used to describe a distinct set of services provided by Amazon Web Services for access and identity management on AWS and compatible platforms.
IdP — identity provider
An IdP is a trusted software platform or service that acts as a clearinghouse for identity information, authentication, and auditing. Common examples are Active Directory and related services, as well as solutions that provide adaptive identity verification, such as SecureAuth products. Identity providers can be accessed both by end users (such as when they log in to a desktop) and by other software platforms (programmatically).
IDaaS — identity as a service
IDaaS refers to IdM, IAM, or IdP provided as a cloud platform, as opposed to being hosted entirely within an organization’s own IT infrastructure. In IDaaS, the trusted authority that manages and verifies identities is provided by a third-party service provider, and is accessed by applications and platforms that may be managed by the organization or by other vendors but can physically reside anywhere that has access to the IDaaS solution. This technology is rapidly evolving, and not all IDaaS providers offer the same types of identity services. For example, some can federate with existing identity platforms like Active Directory, while others require exclusive use of their own directory and identity services.
SSO — single sign-on
When a set of applications needs to be accessed by the same group of users on a regular basis, it is convenient — and often safer — to have those users log into one central identity service, and have that service log them into each of the applications. A great example of this is online banking. A customer logs into the bank’s main website, which then logs them into each of the ancillary service sites that the bank maintains for savings and checking accounts, credit card services, wire transfers, etc. The customer logs in once with the main identity service (the bank’s website) and is automatically and invisibly logged into each sub-service by that identity service.
SAML — Security Assertion Markup Language
SAML is a set of protocols commonly used by IdM solutions to enable one platform to get identity information securely from another. It is one of the principal technologies used to make SSO possible. As an open standard, SAML provides a way for products and platforms from many different vendors to verify identity information and authorize (or block) access, leveraging an IdP as a trusted repository of identity information. Using the online banking example, let’s say that your bank offers life insurance underwritten by a different company. The bank website asserts your identity to the insurance website via SAML messages, logging you in without your needing to provide a username and password to the insurance site. Since SAML messages are transferred securely, and your username and password aren’t transmitted between sites (just the assertion that the bank knows you are who you say you are), security can be maintained without directly sharing your identity information.
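The SSO and SAML entries above describe the same flow from two angles: the bank's IdP asserts who you are, and the insurer's site (the service provider, or SP) decides whether to trust that assertion. The following added example, which is not from the original post or from any SecureAuth product, shows the checks an SP must perform before accepting an assertion: the signature, the issuer, the validity window, the intended audience, and single use of the assertion ID. Real SAML assertions are signed with XML Signature using the IdP's key; here an HMAC with a pre-shared secret stands in for that signature so the example runs offline. The issuer and entity IDs, the secret, and the usernames are constructed for the example.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Hypothetical values constructed for this example.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TRUSTED_ISSUER = "https://idp.bank.example"    # the only IdP this SP trusts
SP_ENTITY_ID = "https://sp.insurer.example"    # this SP's own entity ID
SHARED_SECRET = b"idp-sp-demo-secret"          # stand-in for the IdP's signing key
TS = "%Y-%m-%dT%H:%M:%SZ"


def build_assertion(assertion_id, subject, issued_at, lifetime=timedelta(minutes=5),
                    issuer=TRUSTED_ISSUER, audience=SP_ENTITY_ID):
    """Build a simplified SAML 2.0 assertion (the IdP side) and its HMAC 'signature'."""
    xml = (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="{assertion_id}" '
        f'IssueInstant="{issued_at.strftime(TS)}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{issued_at.strftime(TS)}" '
        f'NotOnOrAfter="{(issued_at + lifetime).strftime(TS)}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
    ).encode()
    sig = hmac.new(SHARED_SECRET, xml, hashlib.sha256).hexdigest()
    return xml, sig


def _parse_ts(value):
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)


class ServiceProvider:
    """The relying party: accepts an assertion only if every check passes."""

    def __init__(self):
        self.seen_ids = set()   # assertion IDs already consumed (replay defence)

    def validate(self, xml, sig, now):
        """Return (accepted, subject) on success or (False, reason) on failure."""
        # 1. Signature first, so untrusted XML is never parsed.
        expected = hmac.new(SHARED_SECRET, xml, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        root = ET.fromstring(xml)
        if root.tag != f"{{{SAML_NS}}}Assertion":
            return False, "not an assertion"
        # 2. Only the configured IdP may vouch for users.
        if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
            return False, "untrusted issuer"
        # 3. Validity window (NotBefore inclusive, NotOnOrAfter exclusive).
        cond = root.find("saml:Conditions", NS)
        if cond is None:
            return False, "no conditions"
        if now < _parse_ts(cond.get("NotBefore")) or now >= _parse_ts(cond.get("NotOnOrAfter")):
            return False, "outside validity window"
        # 4. The assertion must be addressed to this SP, not another relying party.
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            return False, "audience mismatch"
        # 5. Each assertion ID may be consumed once.
        assertion_id = root.get("ID")
        if assertion_id in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(assertion_id)
        return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

The ordering matters: the signature is verified before anything else is parsed or trusted, and the audience check is what stops an assertion issued for one relying party from being accepted by another. In a real deployment, the validity window is typically a few minutes, and the SP keeps consumed IDs at least until their NotOnOrAfter time has passed.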
WS-FED — Web Services Federation
WS-FED is also a set of protocols for passing identity assertions between different systems from multiple vendors by using a trusted IdP to verify the user. WS-FED supports many of the same use cases as SAML. However, WS-FED is primarily used by IBM and Microsoft platforms and systems that speak primarily to those platforms.
WS-Trust — Web Services Trust
WS-Trust is a third methodology for asserting identity between platforms, with a focus on validating security tokens to determine identity. In this case, the token is an XML file based on the user providing identity information (such as a username and password) directly. Because this method does not require an IdP but instead relies on a basic set of policy statements, it is often considered less secure than other methods: since an unauthorized user could present a valid token (there is no requirement to assert against a trusted IdP), the credentials can be accepted as valid when in fact the user is still unknown.
MFA/2FA — multi-factor authentication/two-factor authentication
Authentication that uses additional methods beyond a username and password alone. To log in, you have to provide something you know (your username and password), but two other factors are possible: something you have, and something you are. 2FA requires two different factors for authentication, and MFA requires two or three different factors. Each factor has multiple possible methods. For example, “what you know” might be a username and password; “what you have” might be a set of numbers sent to your token device, or a link sent to your mobile device; and “what you are” could be a fingerprint, retinal scan or other biometric.
OTP — one-time password
A one-time password is a common method of providing an additional factor to support MFA/2FA logins. OTPs can be a set of digits or other information sent to a physical token or a passcode sent to an email address, phone or app. Since the OTP is time-dependent, entering it verifies that the user has access to the device or account at the time of the login attempt.
RADIUS — Remote Authentication Dial-In User Service
RADIUS is a networking protocol for allowing a user to authenticate and gain access to a platform or network; it also provides ongoing accounting information about that access and connectivity. The name comes from the protocol’s origin as a way to allow customers dialing in via a modem to authenticate and gain access to a set of services, and for the service provider to get the information necessary to bill that customer for using those services. Today, RADIUS allows access to internet service providers (ISPs), VPN services, WiFi networks, and many other types of network authentication and use in which no dial-up connection is involved.
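To make the RADIUS entry concrete, the following added example (not from the original post) builds an Access-Request exactly as RFC 2865 lays it out, hides the User-Password attribute with the MD5-based scheme the RFC specifies, answers it with an Access-Accept or Access-Reject, and shows how the client checks the Response Authenticator so that a reply can only come from a server holding the shared secret. The shared secret, the user table and the fixed request authenticator are constructed for the example; a real client draws the request authenticator from a secure random source, as the commented line shows.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 codes and attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

# Constructed sample data for the example.
USERS = {b"alice": b"correct horse"}


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type(1) Length(1, includes header) Value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 §5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, block)), chunk
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    request_auth = request_auth or os.urandom(16)   # real clients: always random
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 §3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def handle_access_request(packet: bytes, secret: bytes) -> bytes:
    """Server side: check the credential and return an Accept or Reject packet."""
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user = attrs.get(USER_NAME)
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and user in USERS and hmac.compare_digest(USERS[user], password)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack(">BBH", reply, identifier, 20) + response_authenticator(reply, identifier, b"", request_auth, secret)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes):
    """Client side: returns (code, authentic). Reject the reply unless authentic is True."""
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet):
        return code, False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return code, hmac.compare_digest(expected, packet[4:20])
```

Two things the code makes visible: the password hiding and the response check both rest entirely on the shared secret and on MD5, so the secret must be long and random and the RADIUS traffic should be confined to a trusted network or carried over RadSec (RADIUS over TLS); and a client that skips verify_response would accept any Access-Accept that arrives with the right identifier, which is why the check belongs in every client.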
We hope this handy set of definitions is helpful. Of course, there are many other terms and acronyms used in the identity management and protection sphere. Different platforms and vendors have their own languages to describe facets of their tools and systems, and new standards are being implemented as technology advances. If you have a term that you see often and think should be defined here, reach out and let us know!