Access and Access Control

There are two fundamentally important concepts you need to know before diving into the content for this chapter:

  1. What does “access” mean?
  2. What is “access control”?

In an ideal world, you wouldn’t need to control access to what’s important to you or of value—you wouldn’t even need to lock your doors. Unfortunately, that’s not reality—at home or in the business world. In the real world—especially in business—there is a need to protect precious data, systems, network bandwidth, and other assets from a variety of threats. This chapter will help you understand how to lock your virtual doors and secure your information assets from unauthorized access, modification, and disruption.

What Is Access?

Fundamentally, access refers to the ability of a subject and an object to interact. That interaction is the basis of everything we do, both in the information technology (IT) field and in life in general. Access can be defined in terms of social rules, physical barriers, or informational restrictions.

For example, consider a busy executive with an administrative assistant who serves as a gatekeeper, deciding who will be allowed to interact personally with the executive and who must leave a message with the administrative assistant. In this scenario, the visitor is the subject and the executive is the object. The administrative assistant serves as the access control system, restricting which individuals (subjects) may access the executive (object).

Consider another scenario that is a bit closer to home. When you leave your house, you lock the doors. The locked door physically restricts access by anyone without a key to the assets stored inside your house—your TV, computer, and stereo system. When you come home, you unlock the door and replace the physical restriction of the locking mechanism with a human gatekeeper who decides whether or not to let someone enter the house.

What would happen if data were freely available? After all, open source software has certainly made a convincing case for open information. What if the data in question is your company’s payroll file? If that file is unsecured, anyone could open the file and obtain sensitive information, including your Social Security number and annual salary. Think of the chaos that would ensue if a disgruntled employee decided you did not deserve the money you made and reset your salary. Data is one of the most valuable assets an organization possesses. IT professionals must invest time and energy into appropriately securing it.

What do executives, deadbolts, and payroll have to do with IT? They are physical counterparts to the technical access control systems that we use to protect digital and electronic resources—sensitive files, servers, and network resources. You might not have specific, documented rules for access when it comes to which visitors you allow into your home, but information systems use formalized systems to grant or restrict access to resources. Computers are not very good at making intuitive decisions, so you have to lay out specific rules for them to follow when deciding whether to grant or deny access.

What Is Access Control?

Access control is the formalization of those rules for allowing or denying access. Access controls define the allowable interactions between subjects and objects. Access control is based on the granting of rights, or privileges, to a subject with respect to an object.

What Is Identity Management?

Identity management is the process of creating, maintaining, and revoking user accounts and providing the mechanisms used to authenticate users. Theoretically, identity management allows you to confirm that a person is who they claim to be (authentication), and access control allows you to restrict his or her activities to authorized actions (authorization). In practice, the concepts of identity management and access control are interwoven and are difficult to separate. For this reason, many people refer to both fields together as identity and access management (IAM).
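To make the subject/object/rights model of the "What Is Access Control?" section and the authentication-versus-authorization split described above concrete, here is an added example (not code from the chapter): a toy identity store that creates, revokes and authenticates accounts, paired with an access-control matrix that records which rights each subject holds over each object and denies anything not explicitly granted. The account names, passwords and the payroll file name are constructed sample data, and the class and function names are the example's own.

```python
"""Added example: a toy identity store plus an access-control matrix.
Hypothetical code; account names, passwords and the file name are constructed."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked account store does not reveal passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    active: bool = True


class IdentityStore:
    """Identity management: create, revoke and authenticate accounts."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(username, salt, _hash_password(password, salt))

    def revoke(self, username: str) -> None:
        # Revocation keeps the record but the account can no longer authenticate.
        self._accounts[username].active = False

    def authenticate(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None or not acct.active:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))


class AccessControlMatrix:
    """Access control: which rights each subject holds over each object."""

    def __init__(self) -> None:
        self._rights: dict[tuple[str, str], set[str]] = {}

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._rights.setdefault((subject, obj), set()).update(rights)

    def is_allowed(self, subject: str, obj: str, right: str) -> bool:
        # Default deny: a missing entry means no access at all.
        return right in self._rights.get((subject, obj), set())


def request_access(ids: IdentityStore, acm: AccessControlMatrix,
                   username: str, password: str, obj: str, right: str) -> str:
    """Authenticate first (who are you?), then authorize (may you do this?)."""
    if not ids.authenticate(username, password):
        return "denied: authentication failed"
    if not acm.is_allowed(username, obj, right):
        return "denied: not authorized"
    return "allowed"


def demo() -> dict[str, str]:
    # Constructed sample data: a payroll clerk and an ordinary employee.
    ids = IdentityStore()
    ids.create("payroll_clerk", "clerk-pass-1")
    ids.create("employee", "emp-pass-2")

    acm = AccessControlMatrix()
    acm.grant("payroll_clerk", "payroll.csv", "read", "write")
    acm.grant("employee", "payroll.csv", "read")

    results = {
        "clerk_write": request_access(ids, acm, "payroll_clerk", "clerk-pass-1", "payroll.csv", "write"),
        "employee_read": request_access(ids, acm, "employee", "emp-pass-2", "payroll.csv", "read"),
        # The disgruntled employee from the text: read is granted, write is not.
        "employee_write": request_access(ids, acm, "employee", "emp-pass-2", "payroll.csv", "write"),
        "wrong_password": request_access(ids, acm, "employee", "guess", "payroll.csv", "read"),
        "unknown_user": request_access(ids, acm, "nobody", "x", "payroll.csv", "read"),
    }
    # Revoking the account is an identity-management action; the matrix entry
    # still exists, but authentication now fails before authorization is consulted.
    ids.revoke("employee")
    results["revoked_read"] = request_access(ids, acm, "employee", "emp-pass-2", "payroll.csv", "read")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} {outcome}")
```

The two checks are deliberately separate objects so that each can fail on its own: a valid password with no matrix entry is "not authorized", and a revoked account is "authentication failed" even though its rights were never removed. That separation is the practical reason identity management and access control are usually discussed together as IAM.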
