Why You Shouldn’t Leave Authorization to IT

Gal Helemski
April 3, 2019

An Authorization plan involves determining who can access which resources and under what circumstances. When a company needs such a plan, management typically calls IT and explains what is needed, and IT sets about translating these requirements into code. This process can take longer than expected, because IT has other assignments to complete, including responding to urgent issues. Then there are the usual delays involved in coding, testing, and rewriting the code.

Additionally, the complexity of the Authorization plan itself often compounds these issues if there are a great number of roles with slight variations between them. Defining each one precisely can take a great deal of time, as can matching each employee to the correct role.

When the process is complete, the result is often an inflexible Authorization schema that can’t accommodate a sudden organizational change, such as employees being “lent” to another department. Because setting permissions involves working through a number of technical issues, the entire area of Authorization is generally seen as IT’s domain. As a company grows, this pattern continues, and Authorization becomes more and more IT’s responsibility.  

Authorization Is a Business Issue, Not an IT Responsibility

It’s bad enough that putting IT in charge of Authorization leads to a process that is cumbersome and inefficient. But it can also be risky, because as time goes on IT tends to relax previous restrictions on access to data. As Gary McGraw, VP of Security Technology at Synopsys, says, resources “are set up for ‘internal use’ and then over time start being used ‘externally’ as well.”

However, even if IT personnel are constantly vigilant about access, putting them in charge of Authorization makes management and the entire company dependent on them. And this is not just a matter of semantics or logistics. It goes against a basic truth: Authorization is a business decision, making it a management issue. Of course, technology is needed to implement any access management plan, which is why IT is usually assigned to the task. Nonetheless, every Authorization decision must make business sense, whether in terms of meeting business objectives or ensuring that a company’s intellectual property is adequately protected.

In short, shifting access management decisions from IT to management puts policy back in the right hands.

Making Authorization Work For You

In order to make Authorization truly work for you, you need to establish a fine-grained access management plan without having to write any code. For example, you might want to let all salespeople see certain documents when they’re on the premises, using the company cloud, during working hours but not access them when it is 3 AM and they are off-campus, using an unsecured network.


To get this kind of flexibility, you need a platform that supports a complex set of dynamic rules. For example, the platform should include an easy-to-use UI that lets you create policies and define attributes, such as users, resources, and conditions. It should also be easy to define complex rules based on those attributes, and you should be able to change them in real time (for example, to block all user accounts if a security breach is detected). If the platform also has full support for cloud-based enterprise-grade networks, you will be able to connect databases and apps to all manner of input devices. Of course, any platform you choose must be fully compliant with privacy standards, including GDPR, as well as other regulations, such as PSD2. Gone are the days when a change request goes to IT, takes weeks, and is billed to your cost center.
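To make the salesperson example and the real-time block concrete, here is an added sketch (not taken from this article or from any product) of an attribute-based policy held as data and evaluated with default deny. Every attribute name, value, and the working-hours window below is a hypothetical assumption.

```python
from dataclasses import dataclass
from datetime import time

# Policy is data, not code: a policy owner edits these rules and the
# evaluator below stays unchanged. All names and values are hypothetical.
POLICY = [
    {
        "effect": "permit",
        "role": "sales",
        "resource_tag": "sales-docs",
        "network": {"company-cloud"},
        "location": {"on-premises"},
        "hours": (time(8, 0), time(18, 0)),  # assumed working hours
    },
]

# Run-time switch: set to True when a breach is detected to deny every request.
STATE = {"lockdown": False}


@dataclass(frozen=True)
class Request:
    role: str
    resource_tag: str
    network: str
    location: str
    at: time


def rule_matches(rule, req):
    """A rule matches only if every attribute condition holds."""
    start, end = rule["hours"]
    return (req.role == rule["role"]
            and req.resource_tag == rule["resource_tag"]
            and req.network in rule["network"]
            and req.location in rule["location"]
            and start <= req.at < end)


def decide(req, policy=POLICY, state=STATE):
    """Return 'permit' or 'deny'; with no matching permit rule the answer is deny."""
    if state["lockdown"]:
        return "deny"
    for rule in policy:
        if rule["effect"] == "permit" and rule_matches(rule, req):
            return "permit"
    return "deny"
```

Because the decision falls through to deny, a request with an attribute the policy never mentions (a new network, a new role) is refused until someone adds a rule for it.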

The Next Step

Authorization is too important to be left to IT. From organizational issues to security concerns, every Authorization decision must follow business logic. This means that management must be in charge of setting Authorization policies, rather than being dependent on IT for them.

To help you create Authorization policies that are right for you, you need a powerful but easy-to-use tool that enables you to create policies that fit your current needs and is flexible enough to make immediate changes at run time and as your company grows.
