Triple A:

Removing the mask on IAM

Dragon Bane, Psycho the Clown, and Texano Jr. No, not members of some alternate Marvel superhero group, but wrestlers on the Lucha Libre Worldwide (AAA) roster. The ‘Triple A’: an organizing body behind – among others – WrestleMania.

Mexican professional wrestling: men of fearsome reputation, skills, and...masks! Indeed, real identities are hidden with great zeal by all combatants – which brings us to another ‘Triple A’, this time associated with Identity and Access Management (IAM).

A focus on identity

IAM. You most likely know the headlines behind this technology: an information security framework focused on securing digital identities in the workplace – and controlling access to company resources.

The triple A bit comes in with the three ‘sub-components’ involved:

  • Authentication – the process of confirming an identity
  • Authorization – defining the resources (data, apps etc.) individuals can access
  • Auditing – keeping track of all the changes being made to ensure compliance


This used to be easy – but then along came the cloud and mobile computing, and it got really complex, really fast. Now, identity has become the primary security boundary, with the emphasis on confirming people are who they say they are – and access rights attributed on the back of it.

The challenge here being that once “you’ve” been authenticated and let in the door, IT has little insight into who’s actually behind the mask. Hence the growing interest in providing different levels of authentication:

  • Authentication with something you know – most commonly delivered through a user name and password or PIN
  • Authentication with something you have – for example a token, banking card or ID card. In this age of mobile devices, we often see the use of a smartphone as a factor, with an SMS code or authenticator app
  • Authentication with something you are – supplying biometric factors based on fingerprints, retinal scans or voice input


The principal question to be answered here is simple: what resources can a user be allowed to access? Well, it sounds simple at least. The reality is that getting it right requires IT to strike a delicate balance between security and usability.

Central to the process of authorization is Access Control – where you set conditions for the apps, data, and devices a user can get his/her hands on. For smaller organizations, such limits can be agreed at individual level. But for larger enterprises comprising thousands of employees, broader frameworks are required – including role-based access controls that automatically create ‘personas’ based on job function and position.

To this can be added the emerging concept of ‘continuous authentication’, where an individual is allowed access but is constantly monitored thereafter (think keystrokes etc.) to spot any suspicious behavior.



To complete the security picture, you need to enable auditing, so that you have a record of which users have logged in and what resources those users accessed. Obviously, such a record can prove essential when responding to a potential cyber attack. It can also help with the wider software audit picture, by confirming who’s using which apps and services.

Equally, auditing can be a core building block for GDPR compliance – with identities covering more than just employees (partners, customers etc.). Done correctly, IAM can enable you to:

  • Comply with GDPR requirements such as managing consent by individuals to have their data recorded and tracked
  • Respond to individuals’ rights to have their data erased
  • Notify people in the event of a personal data breach
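
The authorization and auditing steps described above, as an added example that is not SoftwareONE's code: a deny-by-default role check that records every decision, allowed or refused, in an audit log that can answer "who accessed this resource?". The users, roles, resources and function names are constructed for illustration, and the hash chain that makes later edits to the log detectable is an assumption, not something the article prescribes.

```python
import hashlib
import json

# Constructed sample data: personas derived from job function (role -> permissions).
ROLE_PERMISSIONS = {
    "finance-analyst": {("read", "erp")},
    "hr-manager": {("read", "payroll"), ("write", "payroll")},
}
USER_ROLES = {"alice": "finance-analyst", "bob": "hr-manager"}
GENESIS = "0" * 64  # "previous hash" used by the first entry


def _digest(entry):
    """Hash an audit entry (excluding its own hash field) deterministically."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only record; each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, user, action, resource, allowed):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "user": user, "action": action,
                 "resource": resource, "allowed": allowed, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)

    def verify(self):
        """True only if no entry was edited, dropped mid-chain or reordered."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != _digest(entry):
                return False
            prev = entry["hash"]
        return True

    def who_accessed(self, resource):
        """Users with at least one allowed access to the resource."""
        return sorted({e["user"] for e in self.entries
                       if e["resource"] == resource and e["allowed"]})


def authorize(log, user, action, resource):
    """Deny by default; log every decision, including refusals."""
    role = USER_ROLES.get(user)  # unknown users have no role
    allowed = (action, resource) in ROLE_PERMISSIONS.get(role, set())
    log.record(user, action, resource, allowed)
    return allowed
```

The chain does not detect entries removed from the end of the log; that needs the latest hash to be stored somewhere the log's writer cannot change.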

Wrestle your way to effective identity and access management

IAM brings with it many immediate benefits: ranging from the mitigation of security breaches and the prevention of data loss, to greater GDPR compliance and improved IT efficiency through automation. This all helps make IAM an absolute necessity for today’s business leaders. To find out more about SoftwareONE’s IAM capabilities, experience, and solutions...

Get in touch!
Blog Editorial Team
