What is Identity?
Status: Scaffold — content in progress
In a security context, identity is the set of attributes that uniquely identifies a principal (user, service, device, or workload) within a system. Permissions are attached to that identity, so whoever controls the identity controls what the principal is allowed to do.
Core Concepts
Principal
Any entity that can be authenticated and assigned permissions: human user, service account, machine account, managed identity, API key holder, or workload identity.
Authentication vs Authorization
| Concept | Question | Examples |
|---|---|---|
| Authentication (AuthN) | Who are you? | Password, Kerberos ticket, OAuth token, certificate, MFA |
| Authorization (AuthZ) | What are you allowed to do? | ACL, RBAC role, IAM policy, Group Policy |
Authentication proves identity. Authorization decides what the authenticated identity can access. These are separate steps with separate attack surfaces: a stolen credential defeats the first, an over-broad role or policy defeats the second, and a successful login on its own should grant nothing.
Credentials
The evidence a principal presents to prove identity:
- Something you know: password, PIN, secret key
- Something you have: hardware token, smart card, one-time code
- Something you are: biometric
- Context signals (not a factor on their own, but used to raise or lower the required assurance): source IP, device posture, time, location
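The separation between the two questions above, and the first two credential factors, as an added example that is not code from the original page: a password check (something you know) plus an RFC 6238 TOTP check (something you have) make up authentication, and a separate RBAC lookup makes the authorization decision. The user store, the role table and the TOTP secret are constructed for the demo; the secret is the RFC 4226/6238 test secret so the generated codes can be compared with the published test vectors.

```python
"""Added example, not code from the original page: authentication with two
factors (something you know + something you have), then a separate
authorization decision over the authenticated principal.

Everything below is constructed for the demo: the user store, the RBAC
policy and the TOTP secret (the RFC 4226/6238 test secret, so codes can be
checked against the published vectors). TOTP follows RFC 6238 with SHA-1,
30 s steps and 6 digits."""
import hashlib
import hmac
import os
import struct
import time

# Something you know: password, stored as salted PBKDF2-HMAC-SHA256.
# OWASP recommends 600,000 iterations; lowered here only to keep the demo quick.
PBKDF2_ITERS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Something you have: a TOTP device sharing a secret with the server.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30):
    """Return the accepted time-step counter, or None. Accepts +/- `window` steps
    of clock drift; every comparison is constant-time."""
    for drift in range(-window, window + 1):
        counter = at // step + drift
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


# Constructed identity store and RBAC policy (role -> permissions).
_SALT, _DIGEST = hash_password("correct horse battery staple")
TOTP_SECRET = b"12345678901234567890"  # RFC 4226/6238 test secret, never reuse in real systems
USERS = {"alice": {"salt": _SALT, "digest": _DIGEST, "totp": TOTP_SECRET, "roles": {"analyst"}}}
ROLES = {
    "analyst": {"alerts:read"},
    "admin": {"alerts:read", "alerts:write", "users:manage"},
}
_LAST_STEP = {}  # user -> last accepted TOTP step, so a captured code cannot be replayed


def authenticate(username: str, password: str, code: str, at=None):
    """AuthN: answers 'who are you?'. Returns the principal name, or None."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        verify_password(password, _SALT, _DIGEST)  # burn a hash so timing does not reveal valid usernames
        return None
    if not verify_password(password, user["salt"], user["digest"]):
        return None
    step = verify_totp(user["totp"], code, at)
    if step is None or step <= _LAST_STEP.get(username, -1):
        return None  # wrong code, or a code already consumed in this or an earlier step
    _LAST_STEP[username] = step
    return username


def authorize(principal, permission: str) -> bool:
    """AuthZ: answers 'what may you do?'. A separate decision made after AuthN;
    a valid login on its own grants nothing."""
    if principal is None:
        return False
    granted = set().union(*(ROLES.get(r, set()) for r in USERS[principal]["roles"]))
    return permission in granted


if __name__ == "__main__":
    now = int(time.time())
    who = authenticate("alice", "correct horse battery staple", totp(TOTP_SECRET, now))
    print(who, authorize(who, "alerts:read"), authorize(who, "users:manage"))
```

Two design points worth noting: the replay guard stores the last accepted time step per user, so an attacker who shoulder-surfs or phishes a single code cannot reuse it even inside the drift window, and `authorize` never consults the credential at all, which is what keeps a compromised password from silently widening into a compromised permission set.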
Identity Lifecycle
Provisioning → Authentication → Authorization → Session management → De-provisioning
Each lifecycle stage is an attack surface.
Identity Types in Enterprise
| Type | Examples | Risk Profile |
|---|---|---|
| Human users | Employee accounts, contractors | Phishing, credential theft |
| Service accounts | Application service accounts | Often over-privileged, rarely rotated |
| Machine accounts | Computer objects in AD | Pass-the-Hash, unconstrained delegation |
| Managed identities | Azure Managed Identity, AWS IAM roles | SSRF → IMDS token theft |
| Federated identities | SSO via SAML/OIDC | Token forgery, session hijacking |
| Non-human identities | API keys, CI/CD tokens, PATs | Secret sprawl, insufficient rotation |
What Makes Identity Attacks Powerful
- Legitimate tool use: Stolen credentials authenticate via normal channels — no malware payload needed
- Broad access: Compromising one privileged identity grants every permission that identity holds, on every system that trusts it, with no further exploitation required
- Hard to detect: Authenticated access looks like normal user behavior
- Long dwell time: Identity-based persistence (backdoor accounts, added credentials) can survive months
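Because the access is authenticated and malware-free, detection has to come from the identity signals themselves. The following is an added example, not code from the original page: two detections run over constructed sign-in and identity-change events. Rule 1 flags a successful sign-in from a network never seen for that principal during a baseline period; rule 2 flags a credential being added to an account and, at higher severity, that account then signing in from the same network within an hour, which is the "added credentials" persistence pattern described above. The JSON line format, account names, addresses and timestamps are all invented for the demo.

```python
"""Added example, not code from the original page: baseline-deviation and
credential-add detections over constructed identity events.

The line format, users, IPs and timestamps are invented; real sources
(cloud sign-in logs, CloudTrail, AD security events) carry the same signals
under different field names. IPv4 only, for simplicity."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

CONSTRUCTED_LOG = """\
{"ts":"2024-05-01T09:02:11Z","event":"signin","user":"alice","src":"203.0.113.10","result":"success"}
{"ts":"2024-05-02T09:05:40Z","event":"signin","user":"alice","src":"203.0.113.10","result":"success"}
{"ts":"2024-05-03T08:58:03Z","event":"signin","user":"alice","src":"203.0.113.11","result":"success"}
{"ts":"2024-05-03T10:12:00Z","event":"signin","user":"svc-backup","src":"10.0.4.7","result":"success"}
{"ts":"2024-05-20T02:14:09Z","event":"signin","user":"alice","src":"198.51.100.77","result":"success"}
{"ts":"2024-05-20T02:15:30Z","event":"credential_added","user":"svc-backup","actor":"alice","src":"198.51.100.77","result":"success"}
{"ts":"2024-05-20T02:16:02Z","event":"signin","user":"svc-backup","src":"198.51.100.77","result":"success"}
{"ts":"2024-05-21T09:01:45Z","event":"signin","user":"alice","src":"203.0.113.10","result":"success"}
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse(log: str) -> list:
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def when(e: dict) -> datetime:
    return datetime.strptime(e["ts"], TS_FORMAT)


def net(ip: str) -> str:
    # Baseline on the /24 so a DHCP change inside the same office network is not an alert.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(events: list, cutoff: datetime) -> dict:
    """Per-principal set of source networks seen in successful sign-ins before the cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "signin" and e["result"] == "success" and when(e) < cutoff:
            seen[e["user"]].add(net(e["src"]))
    return seen


def detect(events: list, cutoff: str, use_window: timedelta = timedelta(hours=1)) -> list:
    """Run both rules over events at or after `cutoff` (ISO timestamp string)."""
    cutoff_dt = datetime.strptime(cutoff, TS_FORMAT)
    baseline = build_baseline(events, cutoff_dt)
    recent_cred_add = {}  # account -> (time, src network) of the latest credential_added
    alerts = []
    for e in sorted(events, key=when):
        if when(e) < cutoff_dt or e["result"] != "success":
            continue
        if e["event"] == "credential_added":
            # Rule 2a: any new credential on an account is worth a look; actor != account is worse.
            alerts.append({"rule": "credential_added", "severity": "medium", "user": e["user"],
                           "actor": e["actor"], "ts": e["ts"]})
            recent_cred_add[e["user"]] = (when(e), net(e["src"]))
        elif e["event"] == "signin":
            # Rule 1: successful sign-in from a network this principal has never used.
            if net(e["src"]) not in baseline.get(e["user"], set()):
                alerts.append({"rule": "new_source", "severity": "medium", "user": e["user"],
                               "src": e["src"], "ts": e["ts"]})
            # Rule 2b: the freshly added credential is used from where it was added.
            added = recent_cred_add.get(e["user"])
            if added and when(e) - added[0] <= use_window and net(e["src"]) == added[1]:
                alerts.append({"rule": "new_credential_used", "severity": "high", "user": e["user"],
                               "src": e["src"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(CONSTRUCTED_LOG), "2024-05-15T00:00:00Z"):
        print(alert)
```

On the constructed input, alice's normal office logins produce nothing, while the night-time sign-in from a new network, the credential added to `svc-backup`, and that service account's first use of the new credential each raise an alert. The correlation in rule 2b is the part that turns two medium findings into one high-severity chain: neither event alone is unusual enough to page on, but together they describe persistence being established.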
Cross-Links
| Topic | Link |
|---|---|
| Identity as Perimeter | identity-as-perimeter.md |
| What is ITDR? | what-is-itdr.md |
| Active Directory | AD Overview |
| Attack Surface | identity-attack-surface.md |