Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Join AT&T Cybersecurity in Chicago to learn top 2024 resilience tactics on May 21st!

10 Essential Identity and Access Management (IAM) Terms

Home
Industry Insights
10 Essential Identity and Access Management (IAM) Terms

Blog Article Published: 03/30/2024

Written by Megan Theimer, Content Program Specialist, CSA.

Identity and access management is kind of a big deal. People are working from anywhere and everywhere on all kinds of devices, so it's essential to know who's who in the digital world and to confirm that our digital communications are secure. If you’re just starting out on your IAM journey, don’t worry - we’ve got you covered. Below, review the definitions of 10 essential IAM terms that you need to know.


1. Identity and Access Management (IAM)

The policies, technologies, and processes that enable organizations to manage and control user identities, access, and privileges to systems and applications. IAM solutions typically include user provisioning, authentication, authorization, and auditing capabilities.

IAM helps organizations ensure that only authorized users can access sensitive data and applications. IAM also enables organizations to streamline user management processes and reduce the risk of insider threats.

Learn more about what IAM is and why it’s critical to good security hygiene.


2. Authentication

The verification of the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. Policies governing authentication may require single or multiple factors.

Understand the challenges and considerations involved in managing IAM in the cloud.


3. Authorization

The right or a permission that is granted to a system entity to access a system resource (network, data, application, service, etc.).

Properly manage machine identity authorization.


4. Privileged Access Management (PAM)

The strategies used to monitor and control the permissions given to users and systems in an IT environment. These strategies should include strong authentication requirements, implementation of account and session recoding to drive up accountability, and in some cases, requiring privileged users to sign in through a separate, tightly controlled system.

Get the rundown on PAM and several other components of IAM.


5. Least Privilege

The principle of giving users across an organization the lowest level of access that they need in order to perform their required tasks across a cloud environment.

Here’s why you need to be using the principle of least privilege.


6. Role Based Access Control (RBAC)

Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to one or more individuals.

Explore two authorization management models: Attribute Based Access Control (ABAC) and RBAC.


7. Just-In-Time (JIT) Access

The capability to provide access only when needed. The user requests access and is timeboxed. At the end of the user’s time, their access is removed.

Learn how JIT access is pioneering the future of Cloud Infrastructure Entitlement Management (CIEM).


8. Password Management

The process to specify multiple password policies, define password composition constraints, maintain password history, restrict passwords, configure password validity period, create password rules, etc.

Reframe common password management practices based on insights from the LastPass breaches.


9. Multi-Factor Authentication (MFA)

A security technology requiring a user to provide multiple methods of authentication before being granted access to a website or application. These factors usually include “something you know,” “something you have,” and “something you are.” This is a very important technique in containing identity based attacks. It is commonly used to authenticate identities before access is granted to critical systems such as finance and health.

Learn why MFA is essential in the healthcare industry.


10. One Time Password (OTP)

A password that is valid for a short time and for a single use. OTPs are aimed at preventing various attacks associated with traditional static passwords. They are often used as a part of MFA solutions, using a device to store the secret key generating new OTPs, covering the "something you have" factor in addition to the traditional "something you know."

Understand how robust authentication with OTPs is just one of many ways to help your end-users avoid falling for common threats.


Review more essential IAM terms in CSA’s Identity and Access Management Glossary.

Identity and Access ManagementTransitioning to the cloudZero Trust

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Virtual Cloud Trust Summit 2024
AT&T Cybersecurity in Seattle
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Secure your cloud data with Zero Trust Training
Related Articles:
The Future of Cloud Cybersecurity

Published: 04/29/2024

This Year’s Zero Trust Opportunity for Security Professionals

Published: 04/26/2024

How to Prepare Your Workforce to Secure Your Cloud Infrastructure with Zero Trust

Published: 04/24/2024

Upselling Cybersecurity: Why Baseline Security Features Shouldn’t Be a Commodity

Published: 04/24/2024