The 3 laws of identity and access management


In today’s digital world, you need to be able to manage your identity and access to stay competitive. Identity and access management (IAM) is a vast topic that has been around for years. Many laws govern IAM, but this blog post will focus on three of the most important ones — The 3 Laws of IAM.

Law 1: You must manage all levels of access.

This law dictates that a company must manage the access levels for various users. There are three primary types of access — least, standard, and unrestricted (least has the fewest permissions). Let’s break down these three levels of access.

Least: A user is assigned the minimum levels of access to complete the tasks and responsibilities of their job.

Standard: A user is assigned the default level of access that is suitable for the environment. No privileged access is set at this level of access.

Unrestricted: Admin-level access that is assigned to administrators or other users with server-level privileges.

Each type of access requires its own process for how it’s assigned, who it’s assigned to, and how it’s removed. This lifecycle of access must be governed to ensure all users have the proper access at the right time. This is the heartbeat of your IAM system, as it drives the business logic of how users gain access, who approves that access, how that access is de-provisioned, and how often the access is certified.

Law 2: Thou shalt authenticate everyone every time

Authentication is the focal point of IAM systems. You need to have a way to identify people so you know who they are and what rights they should get. This includes strong authentication methods like one-time passwords, digital certificates, context-based authentication, and multi-factor authentication. Authentication has become table stakes in modern architectures and has been abstracted to the point that it’s mostly plug-and-play. The critical point is to make sure that it covers all areas of interaction, be it user-facing, partner-facing, or machine-to-machine.

Law 3: Authorize, authorize, authorize!

The third law of IAM is authorization. Authorization controls who can access what resources and to what level they are authorized. One example where this would be helpful is for an employee working in a company’s accounting department who needs high access levels but doesn’t need admin-level access. For example, the employee needs to be able to access financial data to run reports but doesn’t need access to modify the data. In this instance, the employee would be given the entitlement that authorizes her for read privileges and not write or edit.

There are several methods of authorization management that you can employ: policy-based (PBAC), attribute-based (ABAC), and role-based (RBAC). Whichever is chosen, the key point is to make sure a consistent approach is applied and maintained as part of your access management strategy.
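As an added example (not from this post or any particular IAM product), here is a small default-deny, role-based entitlement check in Python that gives the accounting employee above read but not write on financial data, and that can also list a user's effective access for a certification review. The role and resource names are constructed for illustration.

```python
from dataclasses import dataclass, field

# An entitlement grants a set of actions (e.g. "read", "write") on one
# resource type. "*" stands for every resource (the unrestricted level).
@dataclass(frozen=True)
class Entitlement:
    resource: str
    actions: frozenset

# Role -> entitlements. Names are constructed for this example only.
ROLE_ENTITLEMENTS = {
    # least: read-only on financial data, nothing else
    "accounting-analyst": {Entitlement("financial-data", frozenset({"read"}))},
    # standard: default, non-privileged access for the environment
    "employee": {Entitlement("employee-directory", frozenset({"read"}))},
    # unrestricted: admin-level access to everything
    "admin": {Entitlement("*", frozenset({"read", "write", "delete"}))},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

def is_authorized(user: User, action: str, resource: str) -> bool:
    """Default deny: allow only if at least one of the user's roles grants
    this action on this resource (or on "*")."""
    for role in user.roles:
        for ent in ROLE_ENTITLEMENTS.get(role, ()):
            if ent.resource in ("*", resource) and action in ent.actions:
                return True
    return False

def effective_actions(user: User, resource: str) -> frozenset:
    """What an access certification would show: every action the user's
    roles collectively grant on the resource. Unknown roles grant nothing."""
    actions = set()
    for role in user.roles:
        for ent in ROLE_ENTITLEMENTS.get(role, ()):
            if ent.resource in ("*", resource):
                actions |= ent.actions
    return frozenset(actions)
```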

You need to be able to manage your identity and access to stay competitive. This blog post is meant as a primer for those who are new to the topic or want more information on how IAM can help you win in business today. Although far from the only laws of IAM, these three build the core of your IAM implementation. Got questions? Have your version of the three laws? Let me know in the comments.
