
Blog | Altitude Networks, December 8th, 2020

Centralized vs. Decentralized Access Management

The Old Security World vs. the Modern Empowered World

Using access management systems has become a standard practice for businesses that need to control who has access to critical applications and sensitive data.

In the past, many companies decided that the most efficient way to address access management was via a centralized model. The responsibility to issue login credentials, enforce the use of strong passwords and multifactor authentication, and address noncompliant behavior often falls to one or two people who manage access for the entire company.

In addition to providing employees with login credentials, the centralized access control management team would also be responsible for logins and passwords for guest Wi-Fi or contractor access to the network for maintenance.

Centralized Access Control Challenges

A well-managed access control system will do the job of keeping unauthorized people from using business applications or downloading data, but unfortunately, it can also stand in the way of productivity and, in some cases, even decrease in effectiveness over time. 

Confirming identity, determining the proper level of access, and creating a profile all take time. Businesses and enterprises with large workforces or remote locations may need to wait hours or days for their security team to issue new credentials when an employee's security level changes, when the team onboards a new hire, or when it is looking to automate off-boarding.

Managers and the HR department can quickly become frustrated with delays. Additionally, for the employee who has to call a manager or take other steps for access until their credentials arrive, the process can also create a negative impression of management and the company's culture – even stir the feeling that Big Brother is watching.

Another challenge associated with centralized access control is that it can become so routine that it turns into a rubber-stamp activity. Security staff under pressure to issue credentials may do so without properly researching the person's identity or confirming the level of access a visitor needs. Moreover, because a security staff member is at least one step removed from why a person needs access, they may not have all of the information they need to make the best decisions.

Also, security staff responsible for company-wide access management need to ensure that profiles for employees who resign or retire are closed so that they no longer have access to the network, applications, and data. Deactivating profiles, however, may not get the urgent attention it needs from an overburdened access control team.

Access Control in a Self-Serve World

To overcome centralized access management challenges, some businesses are transitioning to a decentralized access control model. These operations forgo reliance on a security team or staff member to issue credentials and take all responsibility for enforcing the company's access control policy. Instead, a broader team throughout an organization has the ability to log into the access control management system, add new employees, and create credentials for third-parties or visitors. 

In theory, because department managers are granting access rather than only one or two people in central management, there could be tighter access control. Managers or their appointees closest to a given situation are making the decisions about who can log in and access data and what level of access they should have. They're more informed and more capable of applying the Principle of Least Privilege, giving only required access to build the highest level of security. Following this principle, if login credentials fall into the wrong hands, unauthorized people would be limited in the data they could see and the programs they could execute on the system.

Decentralized access control can also result in additional benefits, including streamlining processes, removing barriers to productivity, and aligning with employees' expectations in a modern, "self-service" culture.  

Making Decentralized Access Control Effective   

Decentralization, however, does have one significant drawback compared to centralized management: oversight. In fact, lack of visibility into access management could undermine the system's primary goal of limiting and tracking who is logging into the system, making changes, and accessing data at all times. In a decentralized model, it's possible that different people will interpret company policy differently, creating a lack of consistency – and increased risk.

The best strategy to follow when moving to a decentralized access control model is to also deploy a governance solution. Selecting the right software, however, is crucial. You need to find a solution that strikes a balance between monitoring the system and not interfering with the autonomy that a decentralized system is meant to provide. Intelligent governance software that can pinpoint high-risk activities and provide alerts while "running in the background" is a smart choice. It can monitor the system for activity that doesn't align with the company's access control policy and inform the individual who made the error or the security team that they need to intervene to correct it. 
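The background check described above can be sketched as follows. This is an added example, not code from Altitude Networks or the original post: the policy fields, department scopes, user names and grant records are all constructed assumptions. It reviews grants issued by department managers and routes each finding either to the grantor or to the security team.

```python
from datetime import date

# Constructed policy (assumption): scopes each department may hand out, and a
# maximum lifetime for third-party or visitor credentials.
POLICY = {
    "dept_scopes": {"finance": {"ledger:read", "ledger:write"},
                    "engineering": {"repo:read", "repo:write"}},
    "external_max_days": 30,
}
OFFBOARDED = {"dana"}  # constructed HR feed of departed employees

def grant(grantor, dept, subject, scopes, external=False, expires=None):
    """Build one constructed grant record, as a decentralized system might log it."""
    return {"grantor": grantor, "dept": dept, "subject": subject,
            "scopes": set(scopes), "external": external,
            "issued": date(2020, 12, 1), "expires": expires}

GRANTS = [
    grant("mgr_fin", "finance", "alice", ["ledger:read"]),
    grant("mgr_eng", "engineering", "bob", ["repo:read", "ledger:write"]),
    grant("mgr_eng", "engineering", "vendor_x", ["repo:read"], external=True),
    grant("mgr_fin", "finance", "dana", ["ledger:read"]),
]

def review(g, policy=POLICY, offboarded=OFFBOARDED):
    """Return (finding, notify) pairs for one grant; an empty list means compliant."""
    findings = []
    # Least privilege: a manager should only grant scopes owned by their department.
    extra = g["scopes"] - policy["dept_scopes"].get(g["dept"], set())
    if extra:
        findings.append((f"scopes outside department: {sorted(extra)}", g["grantor"]))
    # External credentials must carry an expiry within the allowed window.
    if g["external"]:
        exp = g["expires"]
        if exp is None or (exp - g["issued"]).days > policy["external_max_days"]:
            findings.append(("external credential lacks short expiry", g["grantor"]))
    # Stale access for a departed employee goes to the security team, not the grantor.
    if g["subject"] in offboarded:
        findings.append(("active grant for offboarded user", "security_team"))
    return findings

def audit(grants):
    """Map each non-compliant subject to its findings."""
    return {g["subject"]: f for g in grants if (f := review(g))}

if __name__ == "__main__":
    for subject, items in audit(GRANTS).items():
        for finding, notify in items:
            print(f"{subject}: {finding} -> notify {notify}")
```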

Access Management Freedom Within Limits

Businesses are transitioning to decentralized access management to give departments more flexibility and fewer delays when creating security profiles and issuing login credentials.  However, they need to preserve the element of control that centralized management provides. A governance solution is the final part of a solution that creates an environment of efficiency and productivity with the appropriate level of security. 
