THE SECURITY BRUTALIST

A Brutalist Approach to Identity and Access Management

Brutalist Identity and Access Management (IAM) isn't some novel invention promising magical solutions. Instead, it's a deliberate return to a more straightforward and fundamental way of managing user, privileged, and non-human accounts – a way to minimize the overwhelming complexity of modern identity stores.

Like all things Brutalist, this approach to IAM champions simplicity, raw controls, clear visibility, and the removal of unnecessary layers. It emphasizes core security principles and direct enforcement over complex abstractions and overly permissive default settings. Brutalist IAM tackles the most critical areas first, such as securing privileged accounts and mandating Multi-Factor Authentication. It favors well-established, reliable security tools over unproven or overly intricate solutions, and it keeps documentation clear and concise, focused on the essential "what" and "why" behind each security control.

Core Principles (Applicable to All)

  1. Principle of Least Privilege (Strict Enforcement): Grant the absolute minimum permissions required for each identity (human or non-human) to perform its specific tasks, and nothing more. This is non-negotiable.
  2. Explicit and Auditable Access: Every permission assignment must be explicitly defined, documented with a clear "why," and regularly audited. Implicit or inherited permissions should be minimized and strictly controlled.
  3. Centralized and Transparent Management: Identity and access should be managed through centralized systems with clear visibility into who (or what) has access to what. Avoid fragmented or siloed management.
  4. Strong Authentication, Always: Multi-Factor Authentication (MFA) is mandatory for all human accounts. Robust authentication mechanisms (e.g., strong keys, certificates) stored in a vault should be used for non-human accounts.
  5. Regular and Ruthless Review and Revocation: Access privileges, especially for privileged and non-human accounts, must be reviewed frequently (e.g., monthly, quarterly, or upon job/role change) and revoked immediately when no longer needed.
  6. "Zero Trust" Mindset: Assume no identity is inherently trustworthy. Verify every access request based on context, user/system identity, and the principle of least privilege.

Identity Management (Human Accounts)

  1. Standardized User Provisioning/Deprovisioning: Implement clear, automated processes for creating, modifying, and disabling user accounts based on HR and role changes. Eliminate manual, ad-hoc processes.
  2. Single Source of Truth: Rely on a single, authoritative directory (e.g., Active Directory or another LDAP-based directory) for user identities, and have other systems authenticate against it rather than keeping their own user lists. Avoid creating redundant or shadow directories or accounts.
  3. Clear Role-Based Access Control (RBAC): Define roles based on job functions with the minimum necessary permissions. Keep roles granular and avoid overly broad assignments.
  4. Password Policy Simplicity (Length & Uniqueness): Prioritize password length and uniqueness over character-composition rules, in line with current guidance such as NIST SP 800-63B: allow long passphrases, screen new passwords against lists of known-compromised passwords, and encourage password managers. Avoid forced periodic resets; require a change only when a compromise is suspected.
  5. Session Management: Implement appropriate session timeouts and controls to limit the duration of access.
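The password policy described above, as an added worked example that is not part of the original page. The checks are length, a screen against a known-compromised list, no username inside the password, and no reuse of recent history; character-class composition rules and age-based expiry are deliberately absent. The minimum length (12), history depth (5), PBKDF2 iteration count and the tiny COMMON_PASSWORDS set are assumptions for the demonstration, not values from the page; a real deployment would load a full breached-password list.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed stand-in for a known-compromised password list (illustrative only).
COMMON_PASSWORDS = {
    "password", "p@ssw0rd!", "qwerty123456", "welcome1", "letmein2024",
}

MIN_LENGTH = 12        # assumed policy value
MAX_LENGTH = 128       # long passphrases must be accepted, never silently truncated
HISTORY_DEPTH = 5      # assumed: how many previous passwords may not be reused
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash used both for storage and for the history comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    username: str
    # (salt, hash) pairs for previous passwords, most recent last
    history: list[tuple[bytes, bytes]] = field(default_factory=list)


def evaluate_password(candidate: str, user: UserRecord) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    Deliberately not checked: mixed-case/digit/symbol composition and password age,
    following the length-and-uniqueness approach (cf. NIST SP 800-63B).
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    normalized = candidate.casefold()
    if normalized in COMMON_PASSWORDS:
        problems.append("appears in the known-compromised password list")
    if user.username.casefold() in normalized:
        problems.append("contains the username")
    # Uniqueness against the user's own history: re-derive with each stored salt and
    # compare in constant time so the check leaks nothing about which entry matched.
    for salt, old_hash in user.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt), old_hash):
            problems.append("reuses one of the previous passwords")
            break
    return problems


def set_password(user: UserRecord, new_password: str) -> bool:
    """Apply the policy; on success store a fresh salted hash in the history."""
    if evaluate_password(new_password, user):
        return False
    salt = os.urandom(16)
    user.history.append((salt, hash_password(new_password, salt)))
    return True


if __name__ == "__main__":
    u = UserRecord("jdoe")
    print(set_password(u, "glacier-tuba-quiet-harvest"))   # accepted
    print(evaluate_password("P@ssw0rd!", u))                # short and on the list
    print(evaluate_password("glacier-tuba-quiet-harvest", u))  # reuse
```

Note that "P@ssw0rd!" satisfies every classic composition rule and still fails, while a plain four-word passphrase passes; that is the point of the length-over-complexity policy.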

Privileged Accounts

  1. Strict Segregation: Isolate privileged accounts from standard user accounts. Use dedicated administrative accounts for elevated tasks.
  2. Limited Number of Privileged Accounts: Minimize the number of accounts with administrative rights. Justify each privileged account with a clear business need.
  3. Secure Vault and Management: Implement a robust Privileged Access Management (PAM) solution to securely store, manage, and audit the use of privileged credentials.
  4. Just-In-Time (JIT) Access: Grant privileged access only when needed and for a limited duration. Automate the provisioning and revocation of temporary privileged access.
  5. Comprehensive Auditing and Monitoring: Log and monitor all actions performed by privileged accounts. Implement alerting for suspicious or anomalous activity.
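An access review that enforces the Core Principles (mandatory MFA for humans, review and revocation) together with the Privileged Accounts rules (segregation, justified and time-bound JIT elevation), as an added example that is not from the original page. The data model, the 90-day inactivity threshold, the 8-hour JIT ceiling and the inventory itself are constructed for the demonstration; in practice the accounts and grants would be exported from the directory and the PAM system.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=90)   # assumed: review threshold for dormant accounts
MAX_JIT_DURATION = timedelta(hours=8)   # assumed: ceiling for a single temporary elevation


@dataclass
class Account:
    name: str
    kind: str                       # "human" or "service"
    mfa_enrolled: bool
    last_login: Optional[datetime]
    interactive_login: bool         # may sign in at a console / SSH / RDP prompt
    justification: str = ""         # the documented "why" for holding privilege


@dataclass
class Grant:
    account: str
    role: str
    privileged: bool
    granted_at: datetime
    expires_at: Optional[datetime]  # None = standing access with no end date


def audit(accounts, grants, now):
    """Return (account, finding) pairs; an empty list is a clean review."""
    findings = []
    by_name = {a.name: a for a in accounts}
    for a in accounts:
        if a.kind == "human" and not a.mfa_enrolled:
            findings.append((a.name, "human account without MFA"))
        if a.kind == "service" and a.interactive_login:
            findings.append((a.name, "service account permits interactive login"))
        if a.last_login is None or now - a.last_login > INACTIVITY_LIMIT:
            findings.append((a.name, f"no sign-in in {INACTIVITY_LIMIT.days} days; disable or revoke"))
    for g in grants:
        owner = by_name.get(g.account)
        if owner is None:
            findings.append((g.account, f"role {g.role} granted to an unknown account (orphaned grant)"))
            continue
        if not g.privileged:
            continue
        if g.expires_at is None:
            findings.append((g.account, f"standing privileged role {g.role}; convert to JIT"))
        elif g.expires_at < now:
            findings.append((g.account, f"expired JIT grant for {g.role} still present; revoke"))
        elif g.expires_at - g.granted_at > MAX_JIT_DURATION:
            findings.append((g.account, f"JIT grant for {g.role} exceeds the {MAX_JIT_DURATION} ceiling"))
        if not owner.justification:
            findings.append((g.account, f"privileged role {g.role} without a documented justification"))
    return findings


# Constructed inventory for the demonstration; names and timestamps are invented.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
D, H = timedelta(days=1), timedelta(hours=1)

ACCOUNTS = [
    Account("alice", "human", True, NOW - 2 * D, True, "on-call platform engineer"),
    Account("bob", "human", False, NOW - 100 * D, True),
    Account("carol", "human", True, NOW - 1 * D, True, "approved database change window"),
    Account("svc-backup", "service", False, NOW - 1 * D, True, "nightly backup job"),
]
GRANTS = [
    Grant("alice", "developer", False, NOW - 400 * D, None),          # standing, but not privileged
    Grant("alice", "cluster-admin", True, NOW - 1 * H, NOW + 3 * H),  # well-formed JIT elevation
    Grant("bob", "domain-admin", True, NOW - 300 * D, None),          # standing admin on a dormant user
    Grant("carol", "dba", True, NOW - 2 * D, NOW - 1 * D),            # expired but never revoked
    Grant("svc-backup", "backup-operator", True, NOW - 200 * D, None),
    Grant("dave", "security-admin", True, NOW - 30 * D, None),        # no such account in the directory
]

if __name__ == "__main__":
    for account, finding in audit(ACCOUNTS, GRANTS, NOW):
        print(f"{account:12} {finding}")
```

Only alice comes out clean: her standing grant is unprivileged and her admin role is a short, unexpired JIT elevation with a recorded reason. Every other row maps to one of the rules above, and the orphaned grant for "dave" is the kind of leftover that only a centralized, cross-referenced review catches.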

Non-Human Accounts (Service Accounts, Application Identities, etc.)

  1. Purpose-Built Accounts: Create dedicated accounts for specific applications, services, or automation tasks. Avoid using human accounts for non-human functions.
  2. Programmatic Credential Management: Utilize secure methods for managing credentials for non-human accounts (e.g., secure vaults, configuration management with secrets management). Avoid embedding credentials directly in code or configuration files.
  3. Scoped Permissions: Apply the principle of least privilege rigorously to non-human accounts. Grant them only the specific permissions required to perform their designated function.
  4. Regular Review and Rotation of Credentials: Implement automated processes for the regular rotation of passwords, keys, or certificates used by non-human accounts.
  5. Monitoring and Alerting: Monitor the activity of non-human accounts for any unexpected or anomalous behavior.
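The two non-human-account rules that are easiest to check mechanically are "no credentials embedded in code or config" and "rotate on a schedule". The following is an added example, not from the original page: a small scanner that flags embedded credentials in a config file while accepting vault or environment-variable references (the hardened form), plus a staleness check against a rotation period. The AWS access key ID shape and AWS's published placeholder key (AKIAIOSFODNN7EXAMPLE) are public; the `vault:` and `secret://` reference schemes, the 90-day period and the sample config and inventory are assumptions constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Patterns for credentials that should never sit in source or config files.
# The AWS access key ID shape (AKIA + 16 upper-case alphanumerics) is public;
# the other two are generic and will need tuning for a real code base.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_literal": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s#]{8,})"
    ),
}

# A value that points at a vault or environment variable is the hardened form and
# is not a finding. These reference schemes are assumed conventions, not standards.
INDIRECTION = re.compile(r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|vault:|secret://|arn:aws:secretsmanager:)")

ROTATION_PERIOD = timedelta(days=90)  # assumed rotation policy for non-human credentials


def scan_text(name, text):
    """Return (file, line number, pattern label) for every embedded credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            if label == "password_literal" and INDIRECTION.match(match.group(2)):
                continue  # a reference to a secret store, not the secret itself
            findings.append((name, lineno, label))
    return findings


def stale_credentials(inventory, now):
    """inventory: (account, credential id, created_at) tuples. Returns those past ROTATION_PERIOD."""
    return [(acct, cred) for acct, cred, created in inventory if now - created > ROTATION_PERIOD]


# Constructed sample config: the first two values are embedded secrets, the last two
# are indirections to an environment variable and a vault path (the corrected form).
SAMPLE_CONFIG = """\
[database]
host = db.internal
password = hunter2-forever-2019
[aws]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
[hardened]
password = ${DB_PASSWORD}
api_key = vault:kv/data/app/api_key
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = [  # constructed inventory
    ("svc-backup", "ssh-key-01", datetime(2023, 11, 1, tzinfo=timezone.utc)),  # 213 days old
    ("svc-ci", "api-token-07", datetime(2024, 5, 1, tzinfo=timezone.utc)),     # 31 days old
]

if __name__ == "__main__":
    for finding in scan_text("app.ini", SAMPLE_CONFIG):
        print("embedded credential:", finding)
    for acct, cred in stale_credentials(SAMPLE_CREDENTIALS, NOW):
        print("rotate:", acct, cred)
```

Run this in CI against configuration and infrastructure code, and feed the rotation check from the PAM or secrets-manager inventory rather than from a hand-maintained list; a finding from either is a ticket to move the credential into the vault and issue a fresh one, not an exception to document.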