The TOME Project: A Lexicographic Perspective on IAM
1. The TOME Project: A Lexicographic Perspective on IAM
By David Doret
March 2021
Open Measure by David Doret et al. is licensed under a Creative Commons Attribution 4.0 International License.
The Open Measure Encyclopedia
2. (HIDDEN) AGENDA
• Brainwashing on the importance of term accuracy in the IAM field
• The TOME Project
• Sample Dictionary Entries
• What’s Next, Q&As
3. IS IAM A FIELD OF SPECIAL KNOWLEDGE OR EXPERTISE?
Short answer: YES
4. IS IAM A FIELD OF SPECIAL KNOWLEDGE OR EXPERTISE?
Short answer: YES
• 60+ years of academic research and industrial innovation
• A vibrant community of researchers, products & services vendors, analysts and field professionals
5. DO WE HAVE AN ACCURATE IAM TERMINOLOGY?
Short answer: NO
6. DO WE HAVE AN ACCURATE IAM TERMINOLOGY?
Short answer: NO
We have fragmented handiwork composed of piecemeal definitions and patchworked lexicons and standards.
7. HOW IMPORTANT IS HAVING AN ACCURATE IAM VOCABULARY?
Short answer: Vital
Your IAM Project: Communication Misunderstandings
8. HOW IMPORTANT IS HAVING AN ACCURATE IAM VOCABULARY?
Short answer: Vital
Think of:
• Performance Benchmarking
• Stakeholders Management
• Product & Services Design
• Professional Services
• Academic Research
• Coaching
• Training
Your IAM Project: Communication Misunderstandings
10. WHAT IS THE TOME PROJECT?
• Non-profit Association
• Wiki
• Bibliography
• Dictionary
• Perpetually Free
• Agnostic
• Collaborative
• Methodology
• Community (700+)
• Corpus
Find out more and contribute at:
https://open-measure.atlassian.net/wiki/spaces/DIC/pages/1056014337/Methodology
11. WHAT IS A GOOD DEFINITION?
• Neutral (not emotional)
• Consensual
• Necessarily imperfect
• Iterative
• As accurate as possible
• Intensional (with an “s”)
• Visual
• Supported with samples
• Linked to related terms
• Inferred from a corpus of authoritative sources
• Substantiated with bibliographic references
Find out more and contribute at:
https://open-measure.atlassian.net/wiki/spaces/DIC/pages/1056014337/Methodology
12. DICTIONARY ENTRY TEMPLATE
Find out more and contribute at:
https://open-measure.atlassian.net/wiki/spaces/DIC/pages/1056014337/Methodology
13. ENOUGH THEORY: SAMPLE ENTRIES…
14. CREDENTIAL
Definition 1
A data structure that is a collection of identity attributes and assertions that vouches for the identity of an entity through some method of trust and authentication.
(…)
Logical credential examples: Password, PIN, Public Key Certificate
Physical credential examples: Biometrics, Certificates, Driving License, ID Card, Passport, SIM Card.
(…)
https://open-measure.atlassian.net/wiki/spaces/DIC/pages/67633343
15. ACCOUNT TAKEOVER
Definition 1
An account takeover is a class of identity theft in which a perpetrator takes control of an existing identity of another entity without authorization. A common motivation for account takeover is to earn money by perpetrating fraud.
(…)
https://open-measure.atlassian.net/wiki/spaces/DIC/pages/1079050286
16. PRIVILEGE ABUSE
Definition 1
Privilege Abuse is a class of information security threat consisting of the intentional abusive use of effectively granted access permissions. It is a subclass of the insider threat.
It may be divided into two subclasses:
Excessive Privilege Abuse: (…)
Legitimate Privilege Abuse: (…)
The main motivations of threat actors for Privilege Abuse are (…)
https://open-measure.atlassian.net/wiki/spaces/DIC/pages/814449037
17. ZOMBIE ACCOUNT
Definition 1
A zombie account is a fake digital identity that is controlled by an unauthorized entity.
(…)
Zombie accounts typically proliferate on systems such as social networks, where subscription is open to a large audience, where identities are not centrally verified and where zombie account managers may find an interest.
(…)
The detection of zombie accounts is difficult, and depends on the sophistication of their management by the zombie account manager.
(…)
https://open-measure.atlassian.net/wiki/spaces/DIC/pages/782893195
18. SEGREGATION OF DUTIES
Definition 1
SoD is a fundamental component of internal control. It is a class of control policy prescribing that two or more people are required to perform some operation in such a way as to prevent the perpetration or concealment of fraud or error, whether by commission or omission. Its goal is to mitigate operational risks of misappropriation, destruction or waste of organizational assets by employees. It accomplishes this by making collusion between agents a necessary condition, thus effectively increasing the difficulty and risk of perpetrating or concealing fraud or error.
(…)
https://open-measure.atlassian.net/wiki/spaces/DIC/pages/1071185955
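As an added illustration of the SoD definition above (example code written for this page, not part of the TOME dictionary), the following checks a toxic-combination policy both preventively, over role assignments, and detectively, over an operation's event trail. The roles, permissions and conflict pairs are constructed sample data, not a real organization's policy.

```python
# Added example: segregation-of-duties checks over constructed sample data.
# ROLES and CONFLICTS are assumptions made up for illustration.

# Role -> permissions it grants (constructed).
ROLES = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "auditor": {"ledger.read"},
}

# Permission pairs that no single person may hold together (constructed).
CONFLICTS = {
    frozenset({"vendor.create", "invoice.approve"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"invoice.approve", "payment.release"}),
}


def effective_permissions(assigned_roles):
    """Union of the permissions granted by every role assigned to a user."""
    perms = set()
    for role in assigned_roles:
        perms |= ROLES[role]
    return perms


def static_violations(user_roles):
    """Preventive SoD check: map each user whose effective permissions contain a
    toxic combination to the sorted list of conflicting pairs. A single role can
    violate the policy on its own (see ap_manager above)."""
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        hits = [tuple(sorted(pair)) for pair in CONFLICTS if pair <= perms]
        if hits:
            findings[user] = sorted(hits)
    return findings


def dual_control_ok(events):
    """Detective SoD check on one operation's trail of (step, actor) events:
    the operation is compliant only if every step was done by a different
    actor, i.e. no one person completed it alone (collusion would be required)."""
    actors = [actor for _step, actor in events]
    return len(set(actors)) == len(actors)
```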
19. ROLE EXPLOSION
Definition 1
Role Explosion is a phenomenon that is sometimes observed in relation to the implementation of Role-Based Access Control. It is characterized by the uncontrolled increase of roles, sometimes with very few members per role. This phenomenon reduces the benefits yielded from Role-Based Access Control and may constitute a liability in extreme cases.
Possible causes of role explosion (…)
The consequences of role explosion (…)
Possible solutions to avoid role explosion (…)
(…)
https://open-measure.atlassian.net/wiki/spaces/DIC/pages/1152483772
20. AUTHORIZATION EXTERNALIZATION
Definition 1
Authorization Externalization is a software architectural design that consists of externalizing the authorization logic to a specialized and centralized system instead of implementing it within the application.
The key drivers for this architectural design are the reduction of the cost and complexity of software development and maintenance related to the authorization logic, and the improved scalability for application owners in consistently managing authorizations across numerous heterogeneous applications.
(…)
https://open-measure.atlassian.net/wiki/spaces/DIC/pages/1137573936
21. TRANQUILITY PROPERTY
Definition 1
Tranquility is a property that influences the security of systems.
Once a system state is demonstrated as statically secure, a further difficulty is to demonstrate that it is dynamically secure. Put differently, to demonstrate that, given an initial secure state, subsequent state transitions always lead to a secure system. The tranquility property captures if and how modifications in the security clearance level of subjects (e.g., people) and the security classification level of objects may take place in the system. It distinguishes three possible tranquility levels:
• Strong tranquility (…)
• Weak tranquility (…)
• No tranquility (…)
(…)
https://open-measure.atlassian.net/wiki/spaces/DIC/pages/1181876587
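To make the static/dynamic distinction above concrete, here is an added toy model (example code written for this page, not the dictionary's own material) of subjects with clearances, objects with classifications and current accesses, in which level changes are applied under each tranquility level. The meanings given to "strong", "weak" and "no" tranquility are an assumption of this example, since the slide elides them, and the levels and accesses are constructed samples.

```python
# Added example: a toy multi-level-security state machine illustrating the
# tranquility property. The interpretation of the three tranquility levels
# below is an assumption of this example (the slide elides their definitions).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class System:
    def __init__(self, clearance, classification, accesses):
        self.clearance = dict(clearance)            # subject -> level name
        self.classification = dict(classification)  # object -> level name
        self.accesses = set(accesses)               # (subject, object, "read"|"write")

    def is_secure(self):
        """Static check of the current state: every current access must satisfy
        'no read up' and 'no write down' relative to the current levels."""
        for subj, obj, mode in self.accesses:
            s = LEVELS[self.clearance[subj]]
            o = LEVELS[self.classification[obj]]
            if mode == "read" and s < o:
                return False
            if mode == "write" and s > o:
                return False
        return True

    def _change(self, table, key, new_level, tranquility):
        """Dynamic check: apply one level change as the tranquility level allows.
        Returns True if the change was applied, False if it was refused."""
        if tranquility == "strong":
            return False                 # levels never change while the system runs
        old = table[key]
        table[key] = new_level
        if tranquility == "weak" and not self.is_secure():
            table[key] = old             # change allowed only if security is preserved
            return False
        return True                      # "none": applied even if the state becomes insecure

    def change_clearance(self, subject, new_level, tranquility):
        return self._change(self.clearance, subject, new_level, tranquility)

    def change_classification(self, obj, new_level, tranquility):
        return self._change(self.classification, obj, new_level, tranquility)
```

Under weak tranquility the refusal of a downgrade is decided by re-running the static check on the proposed new state, which is exactly the dynamic-security question the definition raises.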
22. KEY LINKS
The homepage of the dictionary:
https://open-measure.atlassian.net/wiki/spaces/DIC
The homepage of the bibliography:
https://open-measure.atlassian.net/wiki/spaces/BIB
The LinkedIn feed to stay attuned:
https://www.linkedin.com/company/open-measure
23. HOW TO HELP?
Users
Use, promote and request new entries
Reviewers
Comment, critique, review, suggest
Authors
Research and develop entries
Patrons
Donate at:
https://www.patreon.com/bePatron?u=27895661
Corpus IT
https://open-measure.atlassian.net
24. WHAT’S NEXT…
David Doret
https://www.linkedin.com/in/daviddoret/