# Identity

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/identity

## Quick definition

Identity is like your digital ID card. It tells a computer who you are. It is made up of things like your username, password, and sometimes a fingerprint or code from your phone. Without identity, a computer cannot tell if you should be allowed in.

## Simple meaning

Think of identity as the name badge you wear at a company event. When you walk into the event, someone checks your badge to see if you are invited and what areas you can enter. In the computer world, identity works the same way. Every person or device that wants to use a computer system has to have an identity. That identity is a collection of information that the system recognizes. For example, when you log into your email, you give your email address and password. That combination is your identity for that email system. The system checks its list to see if that identity matches its records. If it does, it lets you in. But identity is more than just a username and password. It can include other attributes like your job title, your department, or even the type of device you are using. These extra details help the system decide what you are allowed to do once you are inside. For example, a student might have an identity that only lets them view course materials, while a teacher might have an identity that lets them also edit grades. Identity is the foundation of security because you cannot control what someone can do if you do not know who they are. In a company, every employee gets a digital identity when they join, and that identity is carefully managed. When they leave, the identity is disabled so they can no longer access the systems. Identity also applies to devices and programs. A printer in an office has its own digital identity, so only authorized computers can send documents to it. A software application has an identity so it can talk to other applications securely. The whole concept of identity is about creating a unique, trustworthy representation of each entity in the system. Without identity, everything would be open to everyone, which would be unsafe and chaotic.

Identity is also important because it allows for accountability. When you log in with your identity, the system can record what you do. If something goes wrong, the administrators can look back and see which identity caused the issue. This is how companies track who accessed sensitive files or who made changes to a server. Identity also makes personalization possible. When you log into a website, your identity tells the site your preferences, so it can show you the right language, the right dashboard, or your saved items. Identity is the core building block of access control. It answers the first question any security system asks: Who are you? Once the system knows your identity, it can then decide what you are allowed to do and can keep a record of your actions.

## Technical definition

In IT and cybersecurity, identity refers to a digital representation of an entity that is recognized by a system, network, or application. An identity is composed of a unique identifier and a set of attributes. The identifier is something like a username, an email address, an employee ID, or a certificate serial number. The attributes can include roles, group memberships, permissions, authentication factors, and metadata such as creation date or last login. Identity management is governed by standards like LDAP (Lightweight Directory Access Protocol), SAML (Security Assertion Markup Language), OAuth 2.0, OpenID Connect, and SCIM (System for Cross-domain Identity Management). These protocols allow identities to be created, stored, authenticated, and authorized across different systems.

In practice, identities are often stored in a directory service such as Microsoft Active Directory (AD) or Azure Active Directory (now Microsoft Entra ID). These directories are specialized databases that store identities in a hierarchical structure. Each identity object has a distinguished name (DN) and many attributes. When a user tries to log in, the system performs authentication, which is the process of verifying that the identity is genuine. Authentication can use something you know (password), something you have (smart card or phone), or something you are (fingerprint or face). After authentication, the system performs authorization, which checks the identity’s attributes to determine what resources or actions are allowed. Authorization is often based on role-based access control (RBAC) or attribute-based access control (ABAC).

Identities also exist for non-human entities. Service accounts are identities used by applications or services to interact with other systems. Device identities are assigned to computers, phones, printers, or IoT devices. These identities often use certificates for authentication instead of passwords. For example, a laptop joining a corporate domain uses a computer account identity created in Active Directory. The identity is authenticated with a machine password or certificate. Similarly, cloud services use managed identities, which are automatically managed by the cloud provider, so that applications can authenticate without storing secrets.

Identity is central to the concept of zero trust security. In a zero-trust model, identity is the primary perimeter. Every request is authenticated and authorized based on the identity, regardless of where the request comes from. This means that even if someone is inside the corporate network, they still need a valid identity to access resources. Identity federation allows an identity from one domain to be trusted in another domain. For example, a user can log in with their corporate credentials to access a third-party SaaS application using SAML or OpenID Connect. This eliminates the need for separate usernames and passwords for each service.

Identity lifecycle management is a key IT process. It includes provisioning (creating the identity), maintenance (updating attributes), and deprovisioning (disabling or deleting the identity when no longer needed). Failure to deprovision identities is a common security risk, as former employees could still access systems. Modern identity solutions also include multi-factor authentication (MFA) and conditional access policies that evaluate risk factors like location, device health, and user behavior before granting access.

## Real-life example

Imagine you are going to a large convention center for a three-day conference. At the registration desk, you show your ID and receive a lanyard with a printed badge. That badge has your name, a barcode, and the color of the day. The color tells the security guards at different doors what you are allowed to do. On Monday, a blue badge lets you attend all sessions. On Tuesday, a green badge might only let you into the main hall. The barcode is scanned each time you enter a session, so the organizers know exactly which talks you attended. This badge is your identity for the conference.

Now, map this to IT. The registration desk is the identity management system, like Active Directory. Your photo ID is your real-world identity. The badge they give you is your digital identity. Your name and barcode are the unique identifier (username). The color of the badge is like your role or group membership. The scanning at each session is like authentication, the system checks that the badge is valid. The different color permissions are like authorization rules. The record of which sessions you attended is like an audit log. If you lose your badge, you go back to the registration desk to get a new one; that is like resetting a password or re-provisioning an identity.

If you try to enter a session you are not allowed in, the guard looks at your badge color and stops you. That is access control based on your identity attributes. If you give your badge to a friend, that friend can impersonate you at the conference. That is exactly like sharing your password, the system cannot distinguish between you and the person using your credentials. That is why identity must be protected. The conference might also use a special sticker on your badge for VIPs. In IT, that would be like a privileged role that grants elevated access, such as administrator.

## Why it matters

Identity matters because it is the foundation of all security in IT. Without identity, there is no way to control who accesses systems, data, or networks. Every single cybersecurity framework, from NIST to ISO 27001, starts with identity and access management (IAM). If you cannot answer the question Who is accessing the resource?, you cannot protect that resource. Data breaches often happen because identities are compromised, misused, or not properly deprovisioned. For example, the 2020 SolarWinds attack began when attackers compromised an identity with high privileges, allowing them to spread malware. That shows how critical it is to manage identities carefully.

In practical terms, identity management affects every part of IT operations. When a new employee starts, an IT administrator must create an identity for that person, set up their accounts, assign them to the right groups, and ensure they have the correct permissions. When an employee leaves, the identity must be disabled promptly. If this is not done, the former employee could still access company resources, including sensitive data or financial systems. Identity is also essential for compliance. Regulations like HIPAA, GDPR, and PCI DSS require organizations to track who accesses protected data. Identity makes that possible through audit logs. If a healthcare worker looks at a patient’s record without authorization, the identity-based audit trail will reveal that.

Identity also enables productivity. With single sign-on (SSO), a user’s identity works across multiple applications, so they do not need to remember many passwords. This reduces password fatigue and support tickets. For IT professionals, understanding identity is crucial for troubleshooting access issues. When a user cannot access a file, the first step is to check their identity attributes, such as group memberships. If a system is attacked, the first question is often: What identity was used to make the change? Identity is also the key to automation; service accounts with specific identities allow scripts and applications to run securely.

without identity, there is no security, no compliance, no accountability, and no efficient access management. It is the single most important concept in IAM and a core topic for any IT certification.

## Why it matters in exams

Identity is a foundational topic across nearly every major IT certification. In CompTIA Security+, identity is covered in Domain 3 (Identity and Access Management). You will be tested on concepts like authentication methods, authorization models, identity federation, and account management. Expect multiple-choice questions that ask you to choose the best way to verify an identity or to identify which attribute is used for authorization. For example, a question might describe a scenario where a user logs in with a password and a fingerprint; you need to recognize that this is multi-factor authentication using something you know and something you are.

In CompTIA Network+, identity appears in the context of network access control (NAC) and 802.1X. You need to understand how a device’s identity is used to gain access to a network. For instance, a question might ask why a laptop cannot connect to the corporate Wi-Fi, the answer could be that the device certificate used for identity has expired. In Microsoft exams like MS-100 (Microsoft 365 Identity and Services), identity is central. You must know how to configure Azure AD identities, implement hybrid identity with AD Connect, manage user and group attributes, and enforce conditional access policies. Questions often present a user synchronization issue and ask you to troubleshoot why an identity did not sync correctly.

For Cisco exams like CCNA, identity shows up in security settings on switches and routers. You may need to configure local username/password identities for device access or understand how AAA (Authentication, Authorization, and Accounting) uses identity to control access to network devices. Exam questions might ask what protocol is used to centralize identity management, the correct answer is RADIUS or TACACS+. In ISC2 CISSP, identity is a core part of Domain 5 (Identity and Access Management). The exam tests deep understanding of identity lifecycle, identity as a service (IDaaS), and federated identity models like SAML and OAuth.

Overall, exam questions on identity fall into these patterns: definition questions (What is a directory service?), scenario questions (An employee leaves, what should happen to their identity?), comparison questions (Difference between authentication and authorization), and configuration questions (Set up a service account in Azure). Make sure you know the difference between identity, authentication, authorization, and accounting. Also understand that identity is the base, without it, no subsequent security controls can work. Many exam traps use false synonyms, such as confusing identity with authentication. Remember: identity is who you are; authentication is proving it.

## How it appears in exam questions

Identity appears in exam questions in several common patterns. The first is the straightforward terminology question. For example: Which term describes a collection of attributes that uniquely identifies a user in a system? The answer is identity. Another common pattern is the scenario question where an organization is deciding how to manage user accounts. A question might say: A company uses multiple cloud applications and wants users to log in once with the same credentials. What technology should they implement? The correct answer would be identity federation or single sign-on, which both rely on identity.

The second pattern is the troubleshooting question. For example: A user cannot access a shared folder on the network, and their account appears in Active Directory. The administrator checks the folder’s permissions and finds the user is not listed. What is the most likely cause? The answer could be that the user’s identity is not a member of the correct security group. This tests your understanding that identity attributes (group membership) control authorization.

Another pattern involves configuration. For instance: An IT administrator needs to create an identity for a new application that will query a database. What type of account should be used? The answer is a service account, because it is a non-human identity. Some questions combine identity with multi-factor authentication: A user enters their password, then receives a code on their phone. What two factors of authentication are being used? The answer is something you know and something you have.

Identity also appears in compliance scenarios: An auditor discovers that several former employees still have active accounts. What does this indicate? The answer is a failure in the identity deprovisioning process. In cloud exams, you might see: What Azure AD feature allows you to require MFA based on the user's identity and location? The answer is conditional access policies, which evaluate identity attributes.

Finally, there are comparison questions: What is the difference between authentication and authorization? You must know that authentication verifies the identity, while authorization determines what that identity can do. Another variation: Which protocol is used to exchange identity attributes between an identity provider and a service provider? The answer is SAML or OpenID Connect.

## Example scenario

Your company, called GreenLeaf Tech, has 50 employees. The IT manager sets up a new server that stores important project files. To access the server, each employee must have an identity in the company’s directory called GreenDirectory. When a new employee named Sarah starts, the IT admin creates an identity for her: username sarah.green, a temporary password, and she is added to a group called ProjectX-Team. Sarah logs in for the first time. The server authenticates her by checking her username and password against GreenDirectory. Once authenticated, the server checks her group membership. Because she is in ProjectX-Team, the server grants her read and write access to the ProjectX folder. She can also access the company portal because her identity is recognized by multiple applications.

After six months, Sarah moves to a different team. The IT admin updates her identity by removing her from ProjectX-Team and adding her to Marketing-Team. Now Sarah can no longer write to the ProjectX folder, but she can access marketing documents. This is identity management in action. Later, Sarah leaves the company. The IT admin disables her identity. If anyone tries to log in with sarah.green, authentication fails because the identity is disabled. This ensures she no longer has access to any company resources.

Now imagine a scenario where the IT admin forgets to disable Sarah’s identity. A month after she leaves, a former coworker uses Sarah’s old password (which was not changed) to log in. The system sees the identity sarah.green as valid, authenticates it, and grants access. That is a security breach caused by poor identity lifecycle management. On an exam, you might be asked: What should the IT admin have done to prevent this? The correct answer: Disable or delete the identity immediately upon employee termination.

## Common mistakes

- **Mistake:** Thinking that identity and authentication are the same thing.
  - Why it is wrong: Identity is the set of attributes that represent a user. Authentication is the process of proving that the user is who they claim to be. An identity exists even before authentication happens. You can have an identity without being authenticated, as in the case of a locked account.
  - Fix: Remember: identity is the 'who', authentication is the 'prove it'. Identity is the noun, authentication is the verb.
- **Mistake:** Believing that a username alone is sufficient for identity verification.
  - Why it is wrong: A username is just the identifier, not the proof. Anyone can type a username. Without a secret like a password or a biometric factor, there is no way to confirm the identity. Username is like a mailbox label; authentication is the key that opens it.
  - Fix: Always think of identity as the whole package: identifier plus one or more authentication factors.
- **Mistake:** Assuming that a shared generic account (like admin) is a proper identity for security.
  - Why it is wrong: A shared account is not attributable to a single person. If something goes wrong, you cannot tell who used it. This violates the principle of accountability. Identity must be unique to an individual or device to enable audit trails.
  - Fix: Each person or device should have a unique identity. Use groups and roles to grant permissions, not shared accounts.
- **Mistake:** Confusing identity deprovisioning with disabling the user's email.
  - Why it is wrong: Deleting an email account does not remove the identity from all systems. The identity may still be valid for file servers, VPN, or cloud apps. Proper deprovisioning means disabling or deleting the identity in the central directory, which then affects all connected resources.
  - Fix: Deprovision identity at the source (e.g., Active Directory or Azure AD), not just one application. Use automated workflows to disable all associated accounts.
- **Mistake:** Thinking that a service account does not need proper identity management.
  - Why it is wrong: Service accounts are identities too. If a service account password is never rotated, or it has excessive privileges, it becomes a major security risk. Attackers often target service accounts because they are forgotten and powerful.
  - Fix: Treat service accounts with the same rigor as user identities. Use managed service accounts or gMSA to automate password management.

## Exam trap

{"trap":"The exam question asks: 'What is the first step in securing a network?' and lists options like 'Install a firewall', 'Implement strong passwords', or 'Define identities'. Many learners choose 'Install a firewall' because they think of perimeter security first.","why_learners_choose_it":"Learners often focus on external threats and think the firewall is the primary defense. They underestimate the importance of internal identity management, especially in modern zero-trust models.","how_to_avoid_it":"Remember that security starts with knowing who and what is on the network. Without identity, a firewall cannot distinguish between an employee and an attacker. Identity is the prerequisite for all other access controls. In exams, if the question is about the foundational step, think of identity first."}

## Commonly confused with

- **Identity vs Authentication:** Authentication is the process of verifying an identity, not the identity itself. Think of identity as your driver’s license, and authentication as the bouncer checking it. You need an identity before you can authenticate, but the two are separate concepts. Many exam questions specifically test that distinction. (Example: Your username 'jsmith' is your identity; entering your password to prove you are jsmith is authentication.)
- **Identity vs Authorization:** Authorization determines what an authenticated identity is allowed to do. Identity is the who, authorization is the what. You can have an identity with full privileges (e.g., admin) or limited privileges (e.g., guest). Authorization rules are applied after identity is confirmed. (Example: Your badge (identity) gets you into the building; the color of the badge (authorization) decides which floors you can visit.)
- **Identity vs Account:** An account is a container that holds an identity and its credentials. The identity is the set of attributes; the account is the record in the system. Often used interchangeably, but technically an account can exist without an identity if it is a system account with no user attributes. In most IT contexts, though, the terms overlap. (Example: In Active Directory, a user object is an account that contains the identity attributes like displayName, userPrincipalName, group membership.)
- **Identity vs Principal:** A principal is a broader term that includes identities like users, groups, services, and computers that can be authenticated. In security contexts, a principal is any entity with an identity. Identity is the core attribute of a principal. (Example: A security principal in Azure includes users, groups, and service principals. Each has an identity that can be assigned permissions.)

## Step-by-step breakdown

1. **Step 1: Identity Creation (Provisioning)** — An IT administrator creates a new identity in the directory service, such as Active Directory or Azure AD. They provide attributes like username, full name, department, and email. The identity is assigned a unique identifier (like a security identifier or SID). This step establishes the digital representation of the user or device.
2. **Step 2: Assign Authentication Factors** — The administrator sets the initial password or registers a certificate for the identity. For stronger security, the user enrolls additional factors like a phone number for SMS codes or a biometric fingerprint. These factors are linked to the identity, enabling the authentication process.
3. **Step 3: Configure Authorization Attributes** — The identity is assigned to groups (e.g., Marketing, IT-Admins) or given specific roles. These attributes determine what resources the identity can access. For example, adding the identity to the 'VPN Users' group grants network access. This step sets the permissions for the identity.
4. **Step 4: Authentication Process** — When the user attempts to log in, they present their identifier (username) and authentication factors (password and MFA code). The system validates these against the stored identity. If they match, the identity is considered authenticated. The system then records a successful authentication event in the audit log.
5. **Step 5: Authorization and Access Enforcement** — After authentication, the system looks up the identity's attributes, such as group memberships. It compares these to the access control list (ACL) of the requested resource. If the identity has the required permissions, access is granted. If not, access is denied. This decision is logged.
6. **Step 6: Identity Maintenance** — Over time, the identity's attributes may need to be updated. The user may change departments, requiring group membership changes. Passwords expire and must be reset. Attributes like phone numbers may change. The administrator or automated system updates these in the directory.
7. **Step 7: Identity Deprovisioning** — When a user leaves the organization or a device is retired, the identity must be disabled or deleted. This prevents unauthorized access. Deprovisioning should be done promptly and can be automated (e.g., via HR system integration). The identity is either soft-deleted (disabled) or hard-deleted (removed from the directory).

## Practical mini-lesson

Identity management is a daily task for IT professionals. In most organizations, the primary identity store is Microsoft Active Directory (on-premises) or Azure Active Directory (cloud). As an IT pro, you will be responsible for creating, modifying, and deleting identities. The first thing to understand is that identity is not just about user accounts; it includes computer accounts, service accounts, and group objects. Each has a unique SID (Security Identifier) that is used internally by Windows for permissions. When you add a user to a group, you are modifying the identity’s attributes, which then affect that user’s access across all resources that use that group.

In practice, you will use tools like Active Directory Users and Computers or the Azure AD admin center. For example, to create a new user, you open the console, click New User, and fill in the name, logon name, and initial password. You then select the user’s group memberships. If you forget to add the user to the correct group, they will not have access to the network drives or applications that rely on that group. A common mistake is creating an identity but not adding it to the necessary security groups, leading to a help desk call. The fix is always: verify group memberships after creating an identity.

For service accounts, best practice is to use managed service accounts (gMSA) in Active Directory. These automatically rotate passwords and are less prone to human error. When configuring a service to run under a service account, you need to grant that identity the Logon as a Service right on the server. If you forget, the service will fail to start. In cloud environments like AWS, identities are called IAM roles or users. You attach policies to identities to grant permissions. For example, you might create an IAM role for an EC2 instance so that the instance can read from an S3 bucket. The identity (role) is assumed by the instance.

What can go wrong? Identity sprawl is a common problem. Over time, many identities are created for temporary needs and never removed. Disabled accounts can be re-enabled by accident if not deleted. Orphaned accounts (identities no longer tied to a real person) are a security risk. To avoid this, implement a regular review process. Also, understand the difference between authentication and authorization in practice: you might have a user who can log in (authentication) but cannot access a file share (authorization). The troubleshooting path is to check the identity’s group memberships and the resource’s ACL. Finally, always secure identities with multi-factor authentication, especially for privileged identities like administrators. Without MFA, a stolen password gives full access.

## Memory tip

Identity is the 'who' card. Without it, you have no clue who is who. In exams, if you see identity, think of the unique representation of a user or device.

## FAQ

**What is the difference between a user identity and a device identity?**

A user identity represents a person and includes attributes like username, password, and group memberships. A device identity represents a computer, phone, or printer and often uses certificates for authentication. Both are used to control access, but device identities are especially important for network access control (NAC).

**Why is it dangerous to use shared identities?**

Shared identities lack accountability. If multiple people use the same identity, you cannot determine who performed a specific action. This breaks audit trails and increases security risk. Always assign unique identities to each individual.

**What is identity lifecycle management?**

It is the process of creating, maintaining, and eventually removing identities from a system. It ensures that identities are only active while needed, reducing the risk of stale accounts. It includes provisioning, updates, and deprovisioning.

**How does identity work in the cloud?**

In the cloud, identity is managed by identity providers like Azure AD, AWS IAM, or Google Cloud Identity. Users and resources have identities that are used to authenticate and authorize access to cloud services. Federation allows on-premises identities to work in the cloud.

**What is a service principal in Azure?**

A service principal is an identity created for an application or automated tool to access Azure resources. It is like a service account in on-premises environments. It has its own credentials and permissions, independent of any user.

**What happens if an identity is not deprovisioned after an employee leaves?**

The former employee could still access company systems, including email, files, and applications. This is a major security risk. The identity should be disabled immediately upon termination and eventually deleted after a retention period.

## Summary

Identity is the digital representation of a person, device, or service in an IT system. It is the foundation of all security, because without identity, you cannot control who accesses what. In certifications, identity is a recurring topic across CompTIA, Microsoft, Cisco, and ISC2 exams. You must understand that identity is separate from authentication and authorization, though they work together. Identity involves creating unique identifiers, managing attributes like group memberships, and following a lifecycle from provisioning to deprovisioning. Common mistakes include confusing identity with authentication, using shared accounts, and neglecting service accounts. In exams, you will see definition questions, scenario-based troubleshooting, and configuration tasks. Remember that identity is the starting point for access control, and in modern zero-trust models, it is the primary security boundary.

For IT professionals, mastering identity management is essential. You will use directories like Active Directory daily, configure cloud identities, and enforce policies like MFA and conditional access. The key takeaway for exam success is to always think of identity as the unique 'who' and to understand how it interacts with authentication, authorization, and accounting. If you can keep these concepts straight and remember that identity must be protected, provisioned correctly, and deprovisioned timely, you will handle most exam questions confidently.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/identity
