Andromeda Security Glossary

This resource lists terms commonly used in Cloud Identity Security, addressing both human and non-human (NHI) identities.

A

ABAC (Attribute-Based Access Control)

A fine-grained authorization model that grants access based on attributes associated with users, resources, and environmental conditions.

Access Request

A workflow through which a user requests additional permissions for a limited duration (JIT) or permanently (standing). The request is typically analyzed automatically (for example by an AI-assisted risk check) and then approved or denied by a human reviewer.

Account

A logical container of resources managed as a single entity in a cloud or application environment. 

Account Admin

A user authorized to manage and control specific accounts, with access restricted to those accounts.

Agentless Identity Security

A method of protecting identities and enforcing access controls without installing software agents on individual devices. It relies on the APIs and logs of the identity providers and cloud platforms already in use to monitor activity and enforce policy, which gives a consolidated view of identity activity across systems without the overhead of managing an agent on every endpoint.

Agentic AI

Artificial intelligence (AI) that can make decisions, take actions, and learn independently to achieve goals. It can understand natural language, plan workflows, and adapt to changing circumstances. Agentic AI is designed to be autonomous and proactive without the need for constant human guidance.

API Key

A unique identifier used to authenticate and authorize access to an API (Application Programming Interface).

App Registration

The process of registering an application with an identity provider to enable authentication and authorization services.

Authentication

The process of verifying the identity of a user, device, or system.

Automated Permission Management

The practice of using automation to assign, modify, and revoke access rights according to predefined rules and policies, removing most manual intervention from deciding who can access what. This minimizes human error, keeps enforcement consistent across all identities, and is the usual way the principle of least privilege is maintained at scale.

Authorization

The process of granting or denying access rights and permissions to resources based on authenticated identities.

AWS EC2 Instance Profile

A container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.

AWS IAM Role

An IAM identity with attached permission policies that trusted entities (users, AWS services, or workloads, in the same or another AWS account) assume to obtain short-lived credentials, rather than holding long-term access keys of their own.

Azure AD Application

An application object registered in Microsoft Entra ID (formerly Azure Active Directory), represented in each tenant by a service principal. Commonly used for service-to-service authentication, where the application authenticates with its own credential rather than on behalf of a user.

Azure Managed Identity

An identity in Microsoft Entra ID (formerly Azure Active Directory) that Azure automatically creates and manages for a resource such as a virtual machine or function app, so the application can obtain tokens for Azure resources without storing any credential in code or configuration.

B

Behavioral Risk

Measures the probability that an identity has already been compromised, derived from the dynamic behavior exhibited by the identities. 

Blast Radius

The extent of potential damage or impact that could result from a security breach or compromise of a specific identity or system.

Blast Risk

A metric that measures the potential business impact of a compromised identity based on permissions.

C

CASB (Cloud Access Security Broker)

A security policy enforcement point between cloud service consumers and providers to enforce security policies.

CIAM (Customer Identity and Access Management)

A framework for managing customer identities, authentication, and access to digital services and applications.

Cloud Entitlement

A cloud entitlement is like a digital key that grants specific access to cloud resources. It defines what a particular cloud identity (a person, a machine, or a service account) can do within a cloud environment.

Cloud Infrastructure Entitlements Management (CIEM)

A solution offering comprehensive features for managing access to cloud infrastructure resources, including visibility into entitlements, removal of unused entitlements, automated risk remediation, anomaly detection, and compliance automation.

Criticality

The level of importance or business impact associated with an account based on its environment. 

Cross-Account IAM Role

An IAM role that allows trusted entities from other AWS accounts to access resources in your account.

Customer Identity

The digital representation of a customer or end-user within an organization's identity system.

D

Dynamic Least Privilege

A real-time approach to access control where permissions are granted to users, systems, or applications based on their current context and needs.

Digital Identity

A digital identity is the collection of information that uniquely identifies a person, device, application, or organization online. It is a one-to-one mapping between that entity and its digital presence, which may span multiple accounts, credentials, and entitlements.

E

EKS Cluster

Amazon Elastic Kubernetes Service (EKS), the managed Kubernetes service on AWS: AWS operates the Kubernetes control plane while customer workloads run as pods on nodes in the customer's account.

Eligibility Mapping

A list of IAM policies that a user can request for JIT or standing access in a specific account, configured by admins at the Provider level. 

Enforcement Mode

The mode in which a security solution actively controls permissions: it grants the access it determines is necessary and issues temporary elevated privileges on request, rather than only reporting on them (contrast Observation Mode).

Excessive Privilege Score

A measure of the degree to which an identity’s permissions exceed its expected or required access, potentially increasing the risk of unauthorized access. 
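
One way a CIEM tool arrives at such a score is to compare the actions an identity's policy grants with the actions it has actually exercised. The following is an added example, not code from the original glossary or from any vendor's product: the IAM policy actions and the CloudTrail-style events are constructed samples, and the score definition (share of granted actions never exercised) is an illustrative assumption; real tools weight permissions by the risk of each action.

```python
"""Compute an illustrative excessive-privilege score for one identity.

Added example with constructed data. The score is the fraction of granted
actions that were never exercised; wildcard grants that were exercised are
reported separately with the concrete actions they could be narrowed to.
"""
from fnmatch import fnmatchcase

# Constructed: actions granted to the identity by its IAM policy.
GRANTED_ACTIONS = [
    "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteBucket",
    "dynamodb:*", "iam:PassRole",
]

# Constructed CloudTrail-style events observed for the identity.
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjectsV2"},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem"},
]

# CloudTrail eventName usually equals the IAM action name, but not always;
# a real tool carries a mapping table. One well-known exception is listed.
EVENT_TO_ACTION = {
    "s3:ListObjects": "s3:ListBucket",
    "s3:ListObjectsV2": "s3:ListBucket",
}


def observed_actions(events):
    """Map events to IAM action names, e.g. s3.amazonaws.com/GetObject -> s3:GetObject."""
    actions = set()
    for e in events:
        service = e["eventSource"].split(".")[0]
        raw = f"{service}:{e['eventName']}"
        actions.add(EVENT_TO_ACTION.get(raw, raw))
    return actions


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def excessive_privilege(granted, used):
    """Return the score plus the evidence behind it.

    unused:           granted entries that no observed action matched
    narrow_wildcards: exercised wildcard grants and the concrete actions
                      they could be replaced with
    """
    unused = [g for g in granted if not any(action_matches(g, u) for u in used)]
    narrow = {
        g: sorted(u for u in used if action_matches(g, u))
        for g in granted if "*" in g and g not in unused
    }
    score = len(unused) / len(granted) if granted else 0.0
    return {"score": round(score, 2), "unused": unused, "narrow_wildcards": narrow}


if __name__ == "__main__":
    result = excessive_privilege(GRANTED_ACTIONS, observed_actions(EVENTS))
    print(f"excessive privilege score: {result['score']}")
    for action in result["unused"]:
        print(f"  never used: {action}")
    for pattern, concrete in result["narrow_wildcards"].items():
        print(f"  narrow {pattern} to {', '.join(concrete)}")
```

With the constructed data, three of the six granted entries (s3:PutObject, s3:DeleteBucket, iam:PassRole) were never exercised, so the score is 0.5, and the exercised dynamodb:* wildcard is reported with the single action (dynamodb:GetItem) it could be narrowed to. The eventName-to-action mapping is the part practitioners most often get wrong when building this from raw CloudTrail data.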

External Identities

Identities from outside an organization's primary identity system, often used for collaboration with partners or customers.

F

FIDO (FIDO2)

Fast Identity Online: a set of open authentication standards in which an authenticator (a hardware security key, or a platform authenticator such as a passkey on a phone or laptop) proves possession of a private key that is bound to the site's origin. Because no shared secret is sent and the credential only works for the origin it was registered with, it replaces passwords and resists phishing and credential theft.

Fine-grained permissions

An authorization approach that lets administrators control access with high granularity, granting specific permissions for specific actions on specific resources, so that exactly who can do what within a system is defined explicitly rather than inherited from broad roles.

G

GCP Service Account

A special type of account used by an application or a virtual machine (VM) instance, not a person, to authenticate and access Google Cloud resources.

GCP Workload Identity

A GKE feature that lets Kubernetes workloads access Google Cloud services by mapping a Kubernetes service account to a Google Cloud IAM principal, so pods obtain short-lived credentials instead of exported service account keys.

Group Membership

In Okta, the association of a user with a group. Application assignments and policies attached to the group apply to all of its members, so membership is the main way access is granted and revoked.

Group Profile

In Okta, the set of attributes (name, description, and any custom attributes added to the group schema) that describe a group.

H

Human Resource Information Systems (HRIS)

A software application for managing employee data and personal information. 

Human Identity

The digital representation of an individual user within an organization's identity system, typically associated with a unique username or email address.

I

IAM Roles for Service Accounts (IRSA)

A feature of Amazon EKS that lets pods obtain AWS credentials by associating an IAM role with a Kubernetes service account. The cluster's OIDC provider issues a service account token, which the pod exchanges for role credentials via AssumeRoleWithWebIdentity; the role's trust policy must pin the token's subject to a specific namespace and service account. This gives per-workload permissions and removes the need to store AWS access keys as Kubernetes secrets.
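
Both the Cross-Account IAM Role and IRSA entries hinge on the role's trust policy, and both have a well-known weak form: a cross-account trust with no sts:ExternalId condition (the confused-deputy problem) and an OIDC trust whose sub condition is a wildcard, which lets any pod in the cluster assume the role. The checker below is an added example, not code from the original glossary or from AWS; the account IDs, OIDC provider ID and service account names are constructed samples, and the aud check reflects the condition AWS documents for IRSA trust policies.

```python
"""Check IAM role trust policies for two common weaknesses.

Added example with constructed policies:
- cross-account trust without an sts:ExternalId condition
- IRSA (OIDC) trust whose sub claim is not pinned to one service account
"""

OWN_ACCOUNT = "111122223333"      # constructed
PARTNER_ACCOUNT = "444455556666"  # constructed
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"


def _as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _conditions(stmt):
    """Flatten a Condition block into (operator, key, value) triples."""
    triples = []
    for op, pairs in stmt.get("Condition", {}).items():
        for key, val in pairs.items():
            for v in _as_list(val):
                triples.append((op, key, v))
    return triples


def _account_of(principal):
    """Account id named by an AWS principal: '*', a bare id, or an ARN."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def check_trust_policy(doc, own_account):
    """Return a list of human-readable findings for a role trust policy."""
    findings = []
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        principal = stmt.get("Principal", {})
        conds = _conditions(stmt)

        # Cross-account trust: another account as principal needs sts:ExternalId.
        for p in _as_list(principal.get("AWS", [])):
            acct = _account_of(p)
            if acct == "*":
                findings.append("AWS principal '*' lets any account assume the role")
            elif acct != own_account and not any(k == "sts:ExternalId" for _, k, _ in conds):
                findings.append(f"cross-account trust for {acct} has no sts:ExternalId condition")

        # IRSA trust: the OIDC sub claim must name one namespace and service account.
        for fed in _as_list(principal.get("Federated", [])):
            if "oidc-provider" not in fed or "sts:AssumeRoleWithWebIdentity" not in actions:
                continue
            subs = [(op, v) for op, k, v in conds if k.endswith(":sub")]
            if not subs:
                findings.append("OIDC trust has no sub condition: any pod in the cluster can assume the role")
            for op, v in subs:
                if op.startswith("StringLike") and "*" in v:
                    findings.append(f"sub condition '{v}' uses a wildcard instead of one service account")
            if not any(k.endswith(":aud") for _, k, _ in conds):
                findings.append("OIDC trust has no aud condition (expected sts.amazonaws.com)")
    return findings


def cross_account_policy(with_external_id):
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"}}
    if with_external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": "partner-ticket-8842"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def irsa_policy(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::{OWN_ACCOUNT}:oidc-provider/{OIDC}"},
        "Condition": condition}]}


GOOD_IRSA = irsa_policy({"StringEquals": {
    f"{OIDC}:aud": "sts.amazonaws.com",
    f"{OIDC}:sub": "system:serviceaccount:payments:ledger-writer"}})
BAD_IRSA = irsa_policy({"StringLike": {f"{OIDC}:sub": "system:serviceaccount:*:*"}})


if __name__ == "__main__":
    for name, doc in [("cross-account (weak)", cross_account_policy(False)),
                      ("cross-account (hardened)", cross_account_policy(True)),
                      ("irsa (weak)", BAD_IRSA), ("irsa (hardened)", GOOD_IRSA)]:
        print(name, check_trust_policy(doc, OWN_ACCOUNT) or ["ok"])
```

The hardened forms pass with no findings; the weak cross-account policy is flagged for the missing ExternalId, and the weak IRSA policy is flagged twice, once for the wildcard subject and once for the missing aud condition. A CIEM or ISPM product performs this kind of analysis across every role in every account to surface Policy Risk.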

Identity and Access Management (IAM)

A framework of policies and technologies to ensure that the right users have the appropriate access to resources.

Identity Federation

A system that allows individuals to use the same personal identification to obtain access to the networks of more than one enterprise.

Identity Provider (IdP)

A system entity that creates, maintains, and manages identity information for principals and provides authentication services to relying applications within a federation or distributed network.

IGA (Identity Governance and Administration)

A set of processes and technologies for managing digital identities, access rights, and ensuring compliance with policies and regulations.

Inactive Identity

An identity with no activity for a specified period, often the account of a former employee or a retired workload. Inactive identities are a security risk because they are valid credentials that nobody is watching, so an attacker who obtains them can use them without raising alarms.

Inactive Keys

Access keys that have not been used for at least 30 days. 

ISPM (Identity Security Posture Management)

A comprehensive approach to managing and optimizing an organization's identity security posture across various systems and environments.

ITDR (Identity Threat Detection and Response)

A security approach that focuses on detecting and responding to threats related to identity and access management.

J

Just-in-Time (JIT) Access

A security approach where elevated privileges are granted only when needed and for a limited time, reducing the risk of standing privileges.

JIT Eligibility List

A curated list of permissions a user can request during future JIT sessions tailored to their role and previous IAM policies.

K

Key Hygiene

The practice of keeping access keys secure by rotating them regularly, deactivating and then deleting keys that are no longer used, and preferring short-lived credentials (roles, managed identities) over long-lived keys wherever the platform supports them.
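
The Inactive Keys and Key Hygiene entries describe checks that are easy to automate from the key metadata a cloud provider exposes. The audit below is an added example, not code from the original glossary or from any vendor: the key records are constructed (in AWS they would come from iam:ListAccessKeys and iam:GetAccessKeyLastUsed), the 30-day inactivity threshold is the glossary's, and the 90-day rotation threshold is an assumption standing in for whatever the organization's policy says.

```python
"""Flag IAM access keys that break key hygiene.

Added example with constructed key records. Findings cover:
- active keys unused for 30+ days (the glossary's inactive-key threshold)
- active keys older than an assumed 90-day rotation period
- deactivated keys that were never deleted
- users holding two active keys (an unfinished rotation)
"""
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=30)
ROTATE_AFTER = timedelta(days=90)   # assumed rotation policy, not from the glossary


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed records. last_used is None when the key has never been used
# (GetAccessKeyLastUsed returns no LastUsedDate in that case).
KEYS = [
    {"user": "ci-deployer", "id": "AKIAIOSFODNN7EXAMPLE", "status": "Active",
     "created": _utc(2024, 1, 10), "last_used": _utc(2024, 6, 1)},
    {"user": "ci-deployer", "id": "AKIAI44QH8DHBEXAMPLE", "status": "Active",
     "created": _utc(2024, 5, 20), "last_used": _utc(2024, 6, 14)},
    {"user": "alice", "id": "AKIAEXAMPLE00000003", "status": "Active",
     "created": _utc(2024, 3, 1), "last_used": None},
    {"user": "bob", "id": "AKIAEXAMPLE00000004", "status": "Inactive",
     "created": _utc(2023, 11, 1), "last_used": _utc(2024, 1, 1)},
]

NOW = _utc(2024, 6, 15)   # fixed "current time" so the example is reproducible


def key_findings(key, now=NOW):
    """Findings for a single key. A never-used key is idle since creation."""
    findings = []
    idle = now - (key["last_used"] or key["created"])
    age = now - key["created"]
    if key["status"] != "Active":
        findings.append("deactivated key still exists: delete it")
        return findings
    if idle >= INACTIVE_AFTER:
        findings.append(f"inactive: unused for {idle.days} days, deactivate it")
    if age >= ROTATE_AFTER:
        findings.append(f"stale: {age.days} days old, rotate it")
    return findings


def audit(keys, now=NOW):
    """Return {user: [finding, ...]} across all keys, plus per-user checks."""
    report = {}
    active_by_user = {}
    for k in keys:
        for f in key_findings(k, now):
            report.setdefault(k["user"], []).append(f"{k['id']}: {f}")
        if k["status"] == "Active":
            active_by_user[k["user"]] = active_by_user.get(k["user"], 0) + 1
    # Two active keys is legitimate only in the middle of a rotation.
    for user, n in active_by_user.items():
        if n > 1:
            report.setdefault(user, []).append(
                f"{n} active keys: finish the rotation and deactivate the old one")
    return report


if __name__ == "__main__":
    for user, findings in audit(KEYS).items():
        print(user)
        for f in findings:
            print("  -", f)
```

Run against the constructed records, ci-deployer is told to rotate its 157-day-old key and to finish the rotation it evidently started, alice's never-used key is both inactive and stale, and bob's deactivated key should be deleted. Deactivate before delete is deliberate: a deactivated key can be re-enabled if something still depended on it, a deleted one cannot.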

Kubernetes Service Account

An identity used by processes running in a Kubernetes pod to authenticate with the Kubernetes API server and access cluster resources.

L

Least Standing Privilege

A security principle that minimizes the permissions an identity holds permanently. Beyond the plain least-privilege rule of granting only the minimum permissions required, it asks that as little as possible of that minimum be standing access; anything needed only occasionally is obtained just-in-time and expires.

Local Identities

User accounts created and managed within a specific system or application, not centrally managed by an organization-wide identity provider.

M

Machine Identity

The digital identity of a device or system used for authentication and secure communication between machines.

Microsoft Entra ID

A cloud-based identity and access management service that provides single sign-on, multi-factor authentication, and user management for Microsoft and non-Microsoft applications.

Multi-Factor Authentication (MFA)

A security system requiring multiple authentication methods to verify a user's identity.

N

Non-Human Identities

Digital identities associated with systems, applications, or services rather than individual users, used for machine-to-machine communication and automation.

O

OAuth

An open standard (OAuth 2.0) for delegated authorization, in which a user lets an application act on their behalf with a scoped access token instead of sharing their credentials; widely used in web and mobile applications.

Observation Mode

The mode in which a security solution monitors identity privileges and usage to offer insights on permission policy usage and recommendations. 

OpenID Connect (OIDC)

An identity layer on top of the OAuth 2.0 protocol that lets clients verify an end user's identity, via a signed ID token, based on the authentication performed by the authorization server.

P

PIM (Privileged Identity Management)

A solution for managing, controlling, and monitoring privileged access to critical resources within an organization.

Ping Identity

An identity and access management (IAM) platform that provides secure authentication, authorization, and single sign-on (SSO) solutions. 

Policy

A set of rules that define permissions and restrictions for identities or accounts within a system or organization.

Posture Risk

Measures the probability of an identity being compromised, derived from its authentication configuration and organizational status. 

Privileged Access Management (PAM)

A set of cybersecurity strategies and technologies for controlling elevated access and permissions for users, accounts, processes, and systems. It includes password management, session recording, and access request workflows.

Privilege Escalation

The process of gaining higher levels of access or permissions than were granted initially, either through legitimate means or due to a security vulnerability.

Privilege Risk

Measures the business impact (Blast Risk) to the organization if an identity is compromised. It is determined by the types of permissions granted and the criticality of the resources those permissions reach.

Provider

An entity that offers services related to infrastructure, applications, or identity management.

R

Recommendation

Actionable suggestions aimed at reducing identity posture risk across an organization. 

Remediation

Identifying and actively addressing security weaknesses or threats: taking the steps needed to eliminate them and limit damage, such as removing unused permissions, rotating credentials, patching systems, or adding security controls once a risk is detected. Remediation is faster when each recommendation comes with a context-specific script or automation that applies the fix to the affected identity or policy.

Risk

The potential for unauthorized access, data breaches, or other security threats associated with identities, accounts, policies, or systems. This includes:

  • Policy Risk: Potential security vulnerabilities arising from poorly configured or overly permissive policies.
  • Account Risk: The likelihood of an account being compromised or misused.
  • Provider Risk: Security concerns related to the identity or service provider.
  • Identity Risk: Potential threats associated with a specific identity, such as dormant or over-privileged accounts.

Role-Based Access Control (RBAC)

A method of regulating access to computer or network resources based on the roles of individual users within an organization.

S

SAML Provider

An entity that provides Single Sign-On (SSO) and authentication services to other applications or services using Security Assertion Markup Language (SAML) protocol. 

SCIM (System for Cross-domain Identity Management)

A standard for automating the exchange of user identity information between identity domains or IT systems.

Security Assertion Markup Language (SAML)

An open standard for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider.

Sensitivity

Refers to whether an account contains sensitive data, as determined by predefined rules that can be customized.

Service Account

A special type of account used by an application or service to interact with systems, rather than being associated with a human user.

Service Identities

Roles assigned to cloud workloads (virtual machines, serverless functions, K8s service accounts, or applications) to manage their access and permissions within the cloud environment. 

Service-Linked Role

A unique type of IAM role linked directly to an AWS service. It is pre-defined by the service and includes all the permissions required to call other AWS services on your behalf.

Significant Identity

Critical users within an organization’s cloud and application environment. 

Single Sign-On (SSO)

An authentication scheme allowing users to log in with a single ID to access multiple related but independent software systems.

Stale Identities

Outdated or unused identities that may pose security risks if not adequately managed or deprovisioned.

Standing Privilege

Permanent access rights granted to an identity or account which remain in effect until explicitly revoked.

Super Admin

A user with unrestricted access to all accounts within a provider, capable of making system-wide changes, posing a significant security risk if compromised. 

System-Managed Identity

An identity automatically created and managed by a system or platform, often used for secure access to resources without explicit credentials.

U

User Profile Data

In Okta, User Profile Data refers to the personal and professional information associated with a user account, including name, email, department, and any other attributes specified by the administrator.

W

Workday

A cloud-based HRIS platform that streamlines various HR functions such as payroll, benefits administration, talent management, and time tracking.

Workforce Identity

The digital representation of an employee or internal user within an organization's identity system. It typically includes attributes such as job role, department, and access permissions, and is used to manage access to internal resources and applications.

Z

Zero Standing Privileges (ZSP)

A security approach where users are not granted permanent access rights to systems or resources. Instead, privileges are granted on-demand and for a limited time, reducing the risk of unauthorized access and improving overall security posture. This concept aligns closely with the principles of Just-in-Time (JIT) access and Zero Trust security models.

Zero Trust

Assumes no user or device can be implicitly trusted, requiring strict verification and authorization for every access request, regardless of location or network connection.

Zero Trust Identity Security

A security model that requires strict identity verification for every person and device trying to access resources, regardless of whether inside or outside the network perimeter.