Join InCommon



The Best IAM Advice Ever: The 2023 Edition



Estimated reading time: 4 minutes

Edited by Apryl Motley, CAE – InCommon Communications Lead

Throughout 2023, we asked members of the InCommon community to share the best identity and access management (IAM) advice they had ever received and from whom. Without further ado, here are 16 pieces of the best IAM advice ever.

InCommon Community

1. Identity is not a product; it is the byproduct of a well architected/designed solution.

– Corey Lee, Security CTO, Microsoft Education

2. Make sure you have proper buy-in from your stakeholders before you start. One of the worst feelings you can have is to spend months building an IAM solution and then have to retool several IAM processes because you did not have stakeholder buy-in initially.

– Matt Growden, CISSP, Executive Director of Identity Services, Provision IAM

3. From Mairéad Martin, CIO of EDUCAUSE (2018-2022): The earlier IAM comes up and is represented in the onboarding of a new service, the easier your job will be.

– Johnny Lasker, Principal Service Integration Engineer, Internet2 Trust & Identity

4. From Dan Taube, CISO, Illinois State University: IAM is about getting the right access to the right people at the right time.

– Jeremiah Haywood, Lead IAM Administrator, Illinois State University

5. Early in my career on the Purdue Fort Wayne campus, there was no IAM team, and I had to learn on my own. I got bit by the bug and just started diving in and learning everything I could. My advice to others is to find the smart people and ask a lot of questions!

– Mandi Witkovsky, Director of Identity & Access Management at Purdue University

Collage of best IAM advice contributors. From left to right: Christoper Bongaarts, Judith Bush, Scott Cantor, Tommy Doan, Erik Coleman, Mandi Witovsky, Summer Scanlan, Corey Lee, Matt Growden, Ben Rapplyea, Chris Misra, Bruce Vincent, Johnny Lasker, Jeremiah Haywood, Warren Anderson, and Ian Bruckner.

6. From Jeff Schiller, MIT: Never store credentials in plaintext, ever.

– Chris Misra, Vice Chancellor and CIO at the University of Massachusetts Amherst

7. Andy Dale pointed me to Kim Cameron’s “Laws of Identity” years ago. These principles still ring true.

– Judith Bush, IAM Architect at OCLC

8. My retired coworker Kevin built our prior identity system in such a way that he could reconstruct our lightweight directory access protocol (LDAP) directory in a couple hours from the data in our system. This made it easy to test minor tweaks to the inbound feeds and LDAP provisioning – make your changes, regenerate the directory, and compare the before and after to verify the differences are as expected. We lost this functionality when we went to our current system (and it is unlikely that our new system will have this capability), which has made it difficult to verify the correctness of the system logic. The (implicit) advice then is to devise a simple, automatable testing strategy for your IAM services, and everyone will be happier.

– Christopher Bongaarts, IAM Architect, University of Minnesota

9. “There’s no limit to what you can accomplish if you don’t care who gets the credit.” I believe I saw the quote from somebody in our community, so they probably know who they are.

– Scott Cantor, Senior Systems Developer for Digital Security and Trust, The Ohio State University

10. From Mimi Mugler, UCB IAM team (rest in peace, friend): Never believe the user! Verify!

– Summer Scanlan, Business Systems Analyst, University of California Berkeley

11. From Bob Morgan: Not everyone will get the joke, but the best advice is “mumble, mumble, mumble.”

– Bruce Vincent, Director of Identity and Collaboration Services at SLAC and Stanford University

12. Paraphrased from G. Mark Hardy’s “CISO Tradecraft” podcast: If you don’t accurately know who should have access to your resources, how can you expect to keep your resources available to them and inaccessible to everyone else?

– Ian Bruckner, Project Manager and Portfolio Coordinator, Office of Digital Transformation and Process Improvement, Illinois State University

13. From an Internet2 conference presenter a long time ago: Provisioning is about productivity. Deprovisioning is about security.

– Tommy Doan, IAM Lead, Office of Information Technology, Southern Methodist University

14. Just because someone thinks they are affiliated does not mean they are.

– Ben Rappleyea, Manager, Office of Identity and Access Management, Illinois State University

15. Stop using people’s names as identifiers.

– Warren Anderson, IAM Ligo Lead, California Institute of Technology

16. “There’s an edge case for everything.” (from an unknown conference presenter many years back). Don’t try to perfect automation to account for every possible scenario; just have a documented manual process for those edge cases.

– Erik Coleman, IAM Architect, University of Illinois–Urbana-Champaign