Having been at the GRC Dreamzone event in Paris, I have been at the forefront of the futuristic thinking in terms of Security and GRC related themes. With an eye on the future, many of the traditional principles have been brought into question, including least privilege access.
As implementation partners, we are often attempting to bridge the gap between a technical solution and a business challenge. We appreciate that building an appropriate security solution requires knowledge of the business, but it also requires technologists to translate that knowledge into an effective solution design.
That can lead to a “lost in translation” scenario where a beautifully elegant solution may not fit the business risk requirements, can be ruined by poor business decisions, or is rendered outdated as the business evolves. This is especially true if the security is designed on least privilege principles, as the authorisations are deliberately intended to provide just enough access but no more. This means that your business approvers must also understand that and make good decisions accordingly, which often proves a challenge, especially if they do not fully understand the technical design.
Given that applications are no longer isolated but are integrated and combined to form a patchwork quilt of application and access, perhaps it’s time to remove the constraint from the technical aspects and re-focus on empowering the business to make appropriate risk based decisions?
If the business requirements change, do we really want a time-consuming change request process to alter the building blocks of authorisation through a technical team, and have that repeated across all impacted applications? Why not have authorisations updated based upon the business’s understanding of the potential risk or, better yet, dynamically, based upon user information or situations, e.g. a change of operational unit, assignment to a project, or travel requirements / location?
The major challenge here is defining an authoritative source for that user information. If you are to place reliance on this data, it will need to be complete, accurate and timely. Many organisations have tried this with both Active Directory and HR-based data sources, and it always proves problematic. But if we can overcome that information management challenge, what then?
Perhaps change to a policy-based approach that allows “most permissive” rather than “least privilege”: use policies to allow or deny access automatically, based upon user attributes. That way, you can reduce the need to manage granular restrictive access authorisations but still retain control through the policy statements or rules.
You can still deny access by default if required, but reduce the effort of administering individually restrictive roles down to a granular level that only security technical analysts understand. Place the controls in the hands of the business by allowing them to make the policies (with guidance) in language they understand. If the policies are right and the user source data is complete and accurate enough, authorisations can be assigned dynamically to reduce overheads and still retain control over access.
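To make the mechanism concrete, here is an added example (not from the original post) of a small attribute-based policy evaluator in Python: business-readable rules allow or deny by user attribute, a matching deny beats any allow, access is denied by default, and the evaluator fails closed when the user record is stale or lacks an attribute a rule needs, which is the data-quality caveat raised above. The policies, user records, attribute names and the 24-hour freshness window are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed policies phrased the way a business approver would state them: an
# effect, the resource governed, and the attribute values that make the rule
# match, as ("in", values) or ("not_in", values). A matching deny beats any allow.
POLICIES = [
    {"name": "finance staff may view invoices", "effect": "allow",
     "resource": "invoice:view", "match": {"operational_unit": ("in", {"finance"})}},
    {"name": "Apollo members may edit the Apollo ledger", "effect": "allow",
     "resource": "apollo-ledger:edit", "match": {"project": ("in", {"apollo"})}},
    {"name": "ledger edits only from approved countries", "effect": "deny",
     "resource": "apollo-ledger:edit", "match": {"location": ("not_in", {"GB", "FR"})}},
]
MAX_ATTRIBUTE_AGE = timedelta(hours=24)  # assumption: the HR/AD feed is "timely" within a day

def rule_matches(rule, attrs):
    for attr, (op, values) in rule["match"].items():
        if (op == "in") != (attrs[attr] in values):
            return False
    return True

def decide(user, resource, now):
    """Return (effect, reason); fails closed on stale or incomplete attribute data."""
    if now - user["last_synced"] > MAX_ATTRIBUTE_AGE:
        return "deny", "attribute data is stale"
    applicable = [r for r in POLICIES if r["resource"] == resource]
    needed = {a for r in applicable for a in r["match"]}
    missing = needed - set(user["attributes"])
    if missing:  # a rule cannot be evaluated, so do not guess
        return "deny", "missing attributes: " + ", ".join(sorted(missing))
    matched = [r for r in applicable if rule_matches(r, user["attributes"])]
    for effect in ("deny", "allow"):  # deny rules take precedence
        names = [r["name"] for r in matched if r["effect"] == effect]
        if names:
            return effect, names[0]
    return "deny", "no policy grants access (default deny)"

# Constructed clock and user records, as an authoritative source would supply them.
NOW = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
USERS = {
    "alice": {"last_synced": NOW, "attributes": {
        "operational_unit": "finance", "project": "apollo", "location": "GB"}},
    "bob": {"last_synced": NOW, "attributes": {
        "operational_unit": "finance", "project": "apollo", "location": "US"}},
    "carol": {"last_synced": NOW - timedelta(days=3), "attributes": {"location": "GB"}},
    "dave": {"last_synced": NOW, "attributes": {"operational_unit": "sales"}},
}
```

Calling `decide(USERS["bob"], "apollo-ledger:edit", NOW)` returns a deny with the name of the country rule, while `decide(USERS["dave"], "apollo-ledger:edit", NOW)` is denied because his record lacks the attributes the rules need.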