# ZTMM Glossary
## Identity
### Authentication
- Static Access
- Access that relies on a credential or decision that stays the same over a period of time (e.g. a username and password). Because the secret does not change, a copy captured once can be reused indefinitely.
- Dynamic Access
- Access that changes frequently or is generated on demand (e.g. a one-time password, OTP). A captured OTP is only useful within its short validity window, although a phishing site can still relay it within that window.
- Multiple entity attributes
- Using several characteristics or pieces of information associated with an entity (typically a user or device), beyond the credential itself, to verify its identity during authentication.
- Examples (Google-style sign-in checks)
- Location: "You signed in from a different location, please verify."
- Device: "You signed in from a new device, please verify."
- Activity: suspicious activity or behaviour on the account triggers additional verification.
- Phishing-resistant MFA
- An authentication method in which the credential is cryptographically bound to the legitimate service, so a look-alike site cannot capture or relay it. This is what distinguishes it from OTP or push-based MFA, which a phishing proxy can forward to the real site in real time.
- Examples
- FIDO2/WebAuthn authenticators (hardware security keys, platform authenticators and passkeys) and PKI-based smart cards such as PIV/CAC. A biometric on its own is not phishing-resistant; on a FIDO authenticator it only unlocks the private key locally.
- FIDO2
- Lets users authenticate to online services with everyday devices, on both mobile and desktop, without passwords: the private key stays on the device and is unlocked locally by a biometric, face scan, PIN, or physical security key.
- FIDO Authentication
- Developed by the FIDO Alliance, it is a global authentication standard based on public key cryptography.
- With FIDO Authentication, users sign in with phishing-resistant credentials called passkeys. Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user's devices. Unlike passwords, passkeys are always strong and phishing-resistant.
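The following Go program is an added example, not code from this page or from the FIDO Alliance, that shows why the FIDO2/WebAuthn credentials described above resist phishing while an OTP does not. It models a simplified WebAuthn assertion: the authenticator signs over the relying party ID hash and the browser-supplied client data (challenge and origin), and the server checks challenge, origin and rpIdHash before verifying the ECDSA signature. The names `bank.example`, `browserGet`, `relyingParty` and the fixed challenge `c1` are assumptions for illustration; real WebAuthn uses CBOR-encoded authenticator data, more checks, and a fresh random challenge per login.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)
// Simplified WebAuthn/FIDO2 assertion flow (constructed; real WebAuthn uses CBOR
// authenticator data and more checks). Modelled faithfully: the key is scoped to an
// rpID, the browser (not the page) records the origin, and the server checks both.

// clientData is assembled by the browser, so a phishing page cannot forge Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	ClientDataJSON []byte
	RPIDHash       [32]byte // SHA-256 of the rpID the key was registered for
	Sig            []byte   // ECDSA over rpIdHash || SHA-256(clientDataJSON)
}

// authenticator holds the private key; it never leaves the device.
type authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

func newAuthenticator(rpID string) (*authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &authenticator{rpID: rpID, priv: priv}, err
}

// signedMessage: authenticatorData (reduced here to rpIdHash) || SHA-256(clientDataJSON).
func signedMessage(rpHash [32]byte, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return m[:]
}

// sign is the raw authenticator operation; it trusts the client platform for origin.
func (a *authenticator) sign(origin, challenge string) (*assertion, error) {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(rpHash, cd))
	if err != nil {
		return nil, err
	}
	return &assertion{ClientDataJSON: cd, RPIDHash: rpHash, Sig: sig}, nil
}

// browserGet models navigator.credentials.get(): a page may only use a credential
// whose rpID equals its own host or a parent domain of it.
func browserGet(a *authenticator, origin, challenge string) (*assertion, error) {
	host := strings.TrimPrefix(origin, "https://") // WebAuthn requires a secure context
	if host != a.rpID && !strings.HasSuffix(host, "."+a.rpID) {
		return nil, fmt.Errorf("browser refuses: rpID %q is not valid for origin %q", a.rpID, origin)
	}
	return a.sign(origin, challenge)
}

// relyingParty (the server) keeps the registered public key and the one-time
// challenge it issued for the current login attempt.
type relyingParty struct {
	origin, rpID, challenge string
	pub                     *ecdsa.PublicKey
}

func (rp *relyingParty) verify(asr *assertion) error {
	var cd clientData
	if err := json.Unmarshal(asr.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Challenge != rp.challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.origin: // defeats a phishing site relaying the real challenge
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, rp.origin)
	case asr.RPIDHash != sha256.Sum256([]byte(rp.rpID)):
		return fmt.Errorf("rpIdHash mismatch: key is scoped to another relying party")
	case !ecdsa.VerifyASN1(rp.pub, signedMessage(asr.RPIDHash, asr.ClientDataJSON), asr.Sig):
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	auth, _ := newAuthenticator("bank.example")
	// The challenge must be fresh and random per login; fixed here for brevity.
	rp := &relyingParty{origin: "https://bank.example", rpID: "bank.example", challenge: "c1", pub: &auth.priv.PublicKey}
	a, _ := browserGet(auth, "https://bank.example", rp.challenge)
	fmt.Println("legitimate login verifies:", rp.verify(a) == nil)
	_, err := browserGet(auth, "https://bank.example.evil.test", rp.challenge)
	fmt.Println("phishing page:", err)
}
```

A phishing page at `bank.example.evil.test` cannot even obtain an assertion, because the browser only releases a credential to a page whose host is the rpID or a subdomain of it; and an assertion that was somehow produced for another origin is rejected by the server's origin check. An OTP has no such binding: the victim types it into the fake page and the attacker forwards it unchanged to the real site.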
### Identity Stores
- Minimal Integration
- Very limited or basic connectivity between the self-managed identity stores and the hosted identity store(s).
- The identity stores are not synchronized or coordinated with each other: users may need separate credentials and logins for different systems, and data sharing or access management between the stores is limited or not well established.
- Example:
- The cloud directory and the SSO provider are not integrated, so the same person exists as two unrelated accounts, and deprovisioning in one store does not revoke access granted through the other.
- Consolidate
- [[Definition]](https://dictionary.cambridge.org/dictionary/english/consolidate) To combine several things, especially businesses, so that they become more effective. - In ZTMM terms: bring together or merge the self-managed and hosted identity stores into a single, organized, and secure system, or at least make one store authoritative and synchronize the others from it.
- Example:
- The cloud directory and the SSO provider are integrated, so one identity record drives authentication and access everywhere and a single deprovisioning action removes all of a user's access.
### Risk Assessments
- Limited Determinations
- The agency's assessment of identity risk is limited in scope or depth rather than thorough and comprehensive.
- Manual Methods
- The agency determines identity risk manually, which implies the need for human involvement to identify the risks.
- Static Rules
- Predefined and fixed rules that do not change or adapt based on changing circumstances or new information.
- Automated Analysis
- The use of tools and technologies to automatically assess and evaluate security risks, vulnerabilities, and compliance in an organization's network and systems.
- Dynamic Rules
- Rules that adapt and change based on real-time information and evolving circumstances.
- Continuous Analysis
- An ongoing and real-time monitoring process that evaluates the security posture of an organization's network and systems as events occur.
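As an added example (not from this page or from CISA), the Go program below turns the Static Rules / Dynamic Rules / Continuous Analysis distinction, together with the "new device" and "new location" signals listed under Multiple entity attributes, into working detection logic over a constructed login stream. The country allowlist, the one-hour impossible-travel threshold, the user names and the policy that two unknown attributes together mean deny are all assumptions chosen for illustration.

```go
package main
import (
	"fmt"
	"time"
)
// Constructed illustration: the static rule is a fixed allowlist, the dynamic rule
// judges each login against the user's own learned baseline, and the baseline is
// updated on every event (continuous analysis).

type login struct {
	User, Country, Device string
	At                    time.Time
}

type decision string
const (
	allow  decision = "allow"
	stepUp decision = "step-up" // require phishing-resistant MFA before proceeding
	deny   decision = "deny"
)

// Static rule: a predefined allowlist that never changes on its own.
var allowedCountries = map[string]bool{"US": true, "CA": true}

func staticRule(e login) (decision, string) {
	if !allowedCountries[e.Country] {
		return deny, "static: country not on allowlist"
	}
	return allow, "static: passes allowlist"
}

// baseline is the per-user history that continuous analysis accumulates.
type baseline struct {
	devices, countries map[string]bool
	last               *login
}

type engine map[string]*baseline // user -> baseline

// dynamicRule judges the event against what this user normally does, then
// records it (unless denied) so the baseline keeps learning.
func (en engine) dynamicRule(e login) (d decision, why string) {
	b := en[e.User]
	if b == nil {
		b = &baseline{devices: map[string]bool{}, countries: map[string]bool{}}
		en[e.User] = b
	}
	defer func() {
		if d != deny { // a completed step-up enrols the new device/country
			b.devices[e.Device], b.countries[e.Country], b.last = true, true, &e
		}
	}()
	switch {
	case b.last == nil:
		return stepUp, "dynamic: first login for this user"
	case b.last.Country != e.Country && e.At.Sub(b.last.At) < time.Hour:
		return deny, "dynamic: impossible travel since last login"
	case !b.devices[e.Device] && !b.countries[e.Country]:
		return deny, "dynamic: unknown device and unknown country together"
	case !b.devices[e.Device] || !b.countries[e.Country]:
		return stepUp, "dynamic: unknown device or country"
	}
	return allow, "dynamic: matches baseline"
}

// evaluate applies the cheap, absolute static rule first, then the dynamic one.
func (en engine) evaluate(e login) (decision, string) {
	if d, why := staticRule(e); d == deny {
		return d, why
	}
	return en.dynamicRule(e)
}

// sampleEvents is a constructed login stream, not real data.
func sampleEvents() []login {
	t0 := time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC)
	return []login{
		{"alice", "US", "laptop-1", t0},
		{"alice", "US", "laptop-1", t0.Add(24 * time.Hour)},
		{"alice", "US", "phone-7", t0.Add(48 * time.Hour)},
		{"alice", "CA", "laptop-1", t0.Add(72 * time.Hour)},
		{"alice", "US", "laptop-1", t0.Add(72*time.Hour + 20*time.Minute)},
		{"alice", "BR", "laptop-1", t0.Add(120 * time.Hour)},
		{"bob", "US", "kiosk-9", t0.Add(120 * time.Hour)},
		{"bob", "CA", "tablet-2", t0.Add(144 * time.Hour)},
	}
}

// run feeds the stream through one engine and returns the verdicts in order.
func run(events []login) []decision {
	en := engine{}
	out := make([]decision, 0, len(events))
	for _, e := range events {
		d, why := en.evaluate(e)
		fmt.Printf("%-5s %s %-8s %s -> %-7s %s\n", e.User, e.Country, e.Device, e.At.Format("01-02 15:04"), d, why)
		out = append(out, d)
	}
	return out
}

func main() { run(sampleEvents()) }
```

Feeding the same event to the static rule always gives the same answer; the dynamic rule's answer depends on what the engine has already seen for that user, which is the continuous analysis part. Denied events deliberately do not update the baseline, so repeated denials cannot teach the engine a new "normal".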
### Access Management
- New Function
- Access Management was not a separate function in [ZTMM Version 1.0](https://www.cisa.gov/sites/default/files/2023-01/Zero_Trust_Principles_Enterprise_Mobility_For_Public_Comment_508C.pdf); it is a new function in ZTMM Version 2.0.
- Permanent Access with Periodic Review
- [[Definition]](https://pcidssguide.com/how-to-perform-user-access-review/) Permanent (standing) Access: access granted for an indefinite period rather than for a single task; it persists until someone explicitly revokes it.
- [[Definition]](https://www.ekransystem.com/en/blog/user-access-review) Access Review: A user access review (or user access audit) is part of the user account management and access control process, which involves periodically reviewing access rights for all of an organization's employees and third parties.
- Periodic Review: An access review that is repeated on a fixed schedule (e.g. quarterly).
- Permanent Access with Periodic Review: Employees hold standing access to the organization's accounts/systems, and that access is re-examined on a schedule to catch entitlements that are no longer needed. Between reviews, stale or excessive access remains usable.
- Automated Review
- [[Definition]](https://dictionary.cambridge.org/dictionary/english/automated) Automated: Carried out by machines or computers without needing human control.
- Automated Review: An access review performed by machines and/or computers, so human intervention is not necessarily needed. It is typically run at scheduled intervals (periodically) or triggered by events such as a role change or departure.
- Need-based Access
- The practice of granting users, applications, or devices the minimum level of access necessary to perform their specific tasks, roles, or functions within an organization.
- Session-based Access
- [Definition] Session: Sessions describe an environment where the rights available to a user can be dynamically limited based on the context in which the user is acting. Rights are granted for the duration of the session and re-evaluated when the next session starts.
- Example: A PwC employee shares a Google Document with the user abc@gmail.com and grants view-only rights. When abc@gmail.com signs in, a session starts in which they can only view the document; an attempt to edit is refused. When they sign out, the session ends.
- Just-in-time Access
- [[Definition]](https://saviynt.com/glossary/just-in-time-access/) Just-in-time Access: A security practice that grants users, processes, applications, and systems an appropriate level of access for a limited amount of time, as needed to complete necessary tasks. ([src](https://www.cyberark.com/what-is/just-in-time-access/))
- Implementation Example ([src](https://delinea.com/what-is/just-in-time-access)):
- [Privileged Access Management (PAM) solutions](https://www.gartner.com/reviews/market/privileged-access-management) provide a "request access" feature so users can request access to privileged information for a specified time.
- A "checkout" feature releases a privileged credential for the approved window and automatically rotates it when the checkout period ends, so any copy retained or captured during the window stops working.
- Just-enough Access
- [[Definition]](https://www.emkal.ca/principle-of-least-privilege-just-enough-access/) Just-enough Access: a user should be given the minimum level of access to do his/her job (the principle of least privilege).
- A specific implementation of need-based access control that emphasizes providing users with precisely the level of access required to complete a specific task, often for a limited duration. JEA goes a step further by ensuring that access is not only based on needs but is also time-bound and task-specific.
- [Implementation](https://learn.microsoft.com/zh-tw/compliance/assurance/assurance-identity-and-access-management): Microsoft Online Services uses the Just-In-Time (JIT) Just-Enough-Access (JEA) model to provide service team engineers with temporary elevated permissions to the production environment only when such access is needed to support Microsoft Online Services.
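The Go program below is an added example, not code from this page or from any PAM vendor, that models the JIT "request access" and "checkout" mechanics described above: a privileged credential is released only against a justified, time-capped request, the role is exclusively checked out, and the credential is rotated on check-in or when the window lapses. The role name `db-admin`, the one-hour policy cap and the function names are assumptions for illustration.

```go
package main
import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"time"
)

// Constructed model of a PAM-style just-in-time checkout: a privileged credential
// is released only against a justified, time-boxed request, the role is exclusively
// checked out, and the credential is rotated on check-in or when the window lapses.

type grant struct {
	user    string
	expires time.Time
}

type vault struct {
	secrets map[string]string // role -> current credential value
	grants  map[string]*grant // role -> active checkout (exclusive)
	maxTTL  time.Duration     // policy cap on any checkout
}

func newVault(roles []string, maxTTL time.Duration) *vault {
	v := &vault{secrets: map[string]string{}, grants: map[string]*grant{}, maxTTL: maxTTL}
	for _, r := range roles {
		v.secrets[r] = freshSecret()
	}
	return v
}

func freshSecret() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// checkout is the "request access" step. The credential is returned only here.
func (v *vault) checkout(user, role, justification string, ttl time.Duration, now time.Time) (string, error) {
	v.expire(now)
	secret, known := v.secrets[role]
	switch {
	case !known:
		return "", fmt.Errorf("unknown role %q", role)
	case justification == "":
		return "", fmt.Errorf("justification required")
	case ttl <= 0 || ttl > v.maxTTL:
		return "", fmt.Errorf("ttl %s outside policy (0, %s]", ttl, v.maxTTL)
	case v.grants[role] != nil:
		return "", fmt.Errorf("%s is already checked out by %s", role, v.grants[role].user)
	}
	v.grants[role] = &grant{user: user, expires: now.Add(ttl)}
	return secret, nil
}

// checkin ends a checkout early; the credential is rotated immediately.
func (v *vault) checkin(role string) {
	if v.grants[role] != nil {
		v.secrets[role] = freshSecret()
		delete(v.grants, role)
	}
}

// expire is driven by the clock, so a lapsed checkout is rotated away even when
// nobody checks in. It returns the roles that were rotated.
func (v *vault) expire(now time.Time) []string {
	var rotated []string
	for role, g := range v.grants {
		if !now.Before(g.expires) {
			v.secrets[role] = freshSecret()
			delete(v.grants, role)
			rotated = append(rotated, role)
		}
	}
	return rotated
}

// authenticate is what the target system does with a presented credential.
func (v *vault) authenticate(role, presented string, now time.Time) bool {
	v.expire(now)
	current, ok := v.secrets[role]
	return ok && subtle.ConstantTimeCompare([]byte(current), []byte(presented)) == 1
}

func main() {
	t0 := time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC)
	v := newVault([]string{"db-admin"}, time.Hour)
	pw, err := v.checkout("alice", "db-admin", "INC-1234 restore backup", 30*time.Minute, t0)
	fmt.Println("checkout ok:", err == nil)
	fmt.Println("works at +10m:", v.authenticate("db-admin", pw, t0.Add(10*time.Minute)))
	fmt.Println("works at +31m:", v.authenticate("db-admin", pw, t0.Add(31*time.Minute)))
}
```

Compare this with permanent access with periodic review: there, a leaked or forgotten credential stays valid until the next review happens to catch it; here, the exposure window is bounded by the checkout TTL, and the clock-driven `expire` call makes the rotation happen whether or not anyone remembers to check in.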
### Visibility and Analytics Capability
### Automation and Orchestration Capability
### Governance Capability
## Devices
## Networks
## Applications and Workloads
## Data
## Cross-Cutting Capabilities