Why Is Authorization Important?

There are really two basic parts of managing information:

  • Making sure it’s stored correctly and accessible
  • Controlling who can access and change it

We end up paying a lot of attention to the first part and not so much to the second. Everybody knows about 7x24 and backups. Most institutions evaluate their Enterprise systems to make sure they’re covered. However, managing access to information is often not handled by an enterprise-wide approach.

Controlling access is often left to technical people in each functional area to take care of. Questions such as “Who has access to HR information?” and “What does Bob have access to?” are often difficult to answer, and how they get answered usually varies from system to system.

Granting access to information, especially sensitive information, is a critical business process. It should be clear what the process is, and who has what responsibility. The decisions should be recorded so they can be reviewed.

Although this can seem like an impossible goal, since every system is different, you can break it apart and make progress. The first step is to separate enforcing the rule from recording the rule.

What is the best way to record the access control business decision? You basically need to record who is allowed to do what, in what context; additionally, who decided it, when, and over what period it is effective. Forcing a clear, structured recording of the business decision can be done across a variety of systems. Of course, the rule needs to be written in a way that can technically be implemented and enforced.

The first stage might be manual: formalizing the recording of the structured authorization rule, and then using it to guide the setup of each system’s access control. The technical control can be compared to the business rule periodically to ensure they align.
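The periodic comparison described above, as an added example that is not part of the original post: a structured rule record carrying the fields the post names (who, what, context, approver, decision date, effective period) is reconciled against a constructed export of what one system actually grants, and the three kinds of mismatch a reviewer would want to see are reported. Field names, sample users and the "hr-records" resource are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Structured record of the business decision: who may do what on which resource,
# who decided it, when, and over what period. Field names are this example's own.
@dataclass(frozen=True)
class AuthorizationRule:
    subject: str
    action: str
    resource: str
    approver: str
    decided_on: date
    effective_from: date
    effective_to: Optional[date] = None  # None means open-ended

    def is_effective(self, on: date) -> bool:
        ended = self.effective_to is not None and on > self.effective_to
        return self.effective_from <= on and not ended

# Constructed sample: recorded decisions for the HR system.
RULES = [
    AuthorizationRule("bob", "read", "hr-records", "hr-director", date(2023, 1, 10), date(2023, 1, 15)),
    AuthorizationRule("carol", "write", "hr-records", "hr-director", date(2023, 3, 1), date(2023, 3, 1), date(2023, 6, 30)),
    AuthorizationRule("erin", "read", "hr-records", "hr-director", date(2023, 8, 1), date(2023, 8, 1)),
]

# Constructed sample: the grants the HR system actually enforces, as exported
# from its access control list.
SYSTEM_GRANTS = {
    ("bob", "read", "hr-records"),
    ("carol", "write", "hr-records"),  # decision lapsed, grant never removed
    ("dave", "read", "hr-records"),    # no recorded decision at all
}
TODAY = date(2023, 9, 1)

def reconcile(rules, grants, today):
    """Compare recorded rules with enforced grants; return the discrepancies."""
    def key(r):
        return (r.subject, r.action, r.resource)
    in_effect = {key(r) for r in rules if r.is_effective(today)}
    lapsed = {key(r) for r in rules if not r.is_effective(today)} - in_effect
    return {
        "unrecorded": sorted(grants - in_effect - lapsed),  # enforced, never decided
        "lapsed": sorted(grants & lapsed),                  # enforced, decision not in effect
        "missing": sorted(in_effect - grants),              # decided, not enforced
    }

def reconcile_sample():
    return reconcile(RULES, SYSTEM_GRANTS, TODAY)
```

Each entry in the "unrecorded" and "lapsed" lists is a grant with no valid business decision behind it; "missing" entries are decisions the system has not yet enforced.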

Eventually, this could be automated so that the authorization rule system is integrated with, and actually drives, the local system access control. The goal of an enterprise authorization system that manages authorizations everywhere might be a long way off, but that should not be an excuse for not starting to manage parts of the process better.

Start by defining the process and the rules around your most critical information; doing this first will go a long way towards getting a handle on managing access. Try to make the rules and process as straightforward and simple as possible. Bringing clarity to the process is a benefit in itself. It is also a prerequisite for automating the enforcement of the rules. It’s time to make this part of managing information consistent across the organization.