Extended Slovník

Subject

In cybersecurity and identity & access management (IAM), a Subject refers to any entity—such as a user, application, device, or service—that attempts to perform an action or access a resource within a system. It is the who or what that needs to be authenticated and authorized.

In the realm of cybersecurity and identity & access management (IAM), the term Subject denotes the active entity initiating a request or seeking to interact with a system's resources. This entity can be a human user attempting to log in, a service account requesting data from another service, an IoT device sending sensor readings, or even an application seeking to access an API. The core function of a subject is to act as the initiator of an operation, making it a foundational concept in security architecture and access control frameworks.

What is a Subject in Cybersecurity?

A subject is any entity—whether a person, application, device, or automated service—that attempts to perform an action or access a resource within a system. In formal security models, the subject is distinguished from the object (the resource being accessed) and the action (the operation being performed). For example, when an employee opens a confidential document on a corporate server, the employee is the subject, the document is the object, and "read" is the action. This tripartite model (subject–action–object) is central to how security policies are defined and enforced, as outlined in guidelines from organizations such as NIST (Special Publication 800-63).

Why is Subject Identification Critical in Security?

Properly identifying the subject is the very first step in any secure interaction. Without reliable subject identification, a system cannot determine who or what is requesting access, making it impossible to enforce meaningful security policies. Subject identification underpins the following critical functions:

  • Accountability: Every action in a system can be traced back to a specific subject, enabling audit trails and forensic analysis.
  • Access Control: Security policies are enforced based on the subject's identity and associated attributes such as roles, group memberships, and device context.
  • Risk Assessment: Systems can evaluate the risk level of a request based on contextual information tied to the subject, such as location, device posture, or behavioral patterns.

The Cybersecurity and Infrastructure Security Agency (CISA) emphasizes the importance of robust subject identification as a cornerstone of Zero Trust architecture, where no entity is inherently trusted.

How is a Subject Authenticated?

Before a subject can perform any action, its identity must typically be authenticated (verified) and its authorization (permissions) checked against predefined policies. Authentication methods for subjects include:

  • Knowledge-based factors: Passwords, PINs, or security questions.
  • Possession-based factors: Hardware tokens, smart cards, or mobile devices.
  • Inherence-based factors: Biometrics such as fingerprints or facial recognition.
  • Token-based authentication: API keys, OAuth 2.0 access tokens, or OpenID Connect ID tokens used by services and applications.

Standards like OpenID Connect Core 1.0 and the OAuth 2.0 Authorization Framework define how subjects are authenticated and how identity assertions are conveyed across systems. For example, a microservice requesting data from another microservice might use an API key or bearer token to prove its identity.

When is a Subject Established in a Session?

A subject is formally established at the moment of successful authentication. Once the system verifies the subject's identity, a session is created that binds the subject to a set of attributes and permissions for the duration of the interaction. Key aspects include:

  • Session creation: Upon authentication, a session token or security context is generated, representing the subject throughout the interaction.
  • Continuous evaluation: In modern security frameworks, the subject's context may be re-evaluated during the session—for instance, if the subject's device posture changes or an anomalous behavior is detected.
  • Session termination: When the subject logs out or the session expires, the association between the subject and its active permissions is revoked.

This lifecycle ensures that a subject's access is tightly controlled from the moment they enter the system until they leave.

Which Entities Can Be Considered a Subject?

The concept of a subject extends far beyond human users. In modern IT environments, the following entities can all act as subjects:

  • Human users: Employees, contractors, or customers logging into applications with credentials. Example: A human user logging into an enterprise application with their username and password.
  • Service accounts: Automated accounts used by backend services to access databases or other APIs. Example: A microservice requesting data from another microservice using an API key or token.
  • IoT devices: Sensors, cameras, or smart devices that send data to cloud platforms or request configuration updates.
  • Applications and bots: Software programs that interact with APIs or other systems on behalf of users or autonomously.

The attributes associated with a subject—such as roles, group memberships, clearance levels, and device context—are crucial for making granular access decisions, especially in frameworks like Attribute-Based Access Control (ABAC). Organizations like the National Cybersecurity Center of Excellence (NCCoE) provide guidance on implementing robust subject management across diverse entity types.

Understanding and properly managing subjects is fundamental to establishing secure access controls and maintaining the integrity and confidentiality of information systems across any organization.

← Back to Glossary