In one of my recent posts, I talked a little bit about how the levels of data protection—authentication, authorization and auditing (or accountability)—applied to unstructured and semi-structured data. By the title of the post I bet you can guess what I’m going to talk about today: authorization.
If you recall, authorization refers to what someone can actually access once they’re authenticated. To illustrate, let’s assume someone is trying to access a system; let’s call her Mary. The authentication step is where we verify that this person is actually Mary. Authorization is when the system decides what Mary can and cannot do once she’s authenticated. What data can she access? What can she do with that data? Can she just read it, or can she change or delete it as well?
Ensuring proper authorization has traditionally been very difficult. Let’s look at a Windows environment as an example. How do we control Mary’s authorization? Typically, we put her into security groups, and then put those groups on the access control list (ACL) of shared folders, SharePoint sites, and Exchange public folders. So if Mary is part of the Marketing group, she would be placed in Group_Marketing. Data that the Marketing group needs access to would be placed in folders that have Group_Marketing on the ACL. Now, once we’ve authenticated Mary, she’ll be able to access data in those folders. Easy!
So what’s wrong with this, then? Well, first of all, Group_Marketing may exist not just on folders belonging to the Marketing department, but it’s possible that group is also on some other, unrelated folders. If you ask your Windows admin to show you all of the folders a specific user or group has access to, he or she probably can’t do it. It’s too hard to answer that basic question using the built-in tools Windows offers. On top of that, we’ve got all these folders everywhere that are open to global access groups. In Windows alone we’ve got Everyone, Domain Users and Authenticated Users. If a folder has one of those groups on the ACL, it means everyone can access it. Maybe it’s by design, like if the folder has a bunch of blank forms or templates everyone should be able to access. Often, though, it’s by accident—somehow the folder was set to be open for Everyone, and now we have no idea what’s in there, who’s using it and who should have access to it. Basically, we’re not performing any authorization at all. If you’re authenticated, you’re authorized!
Another problem is that users tend to be put into new groups without ever having old access revoked. Let’s say Mary’s a real go-getter and decides she wants to move from marketing into R&D. Now she needs access to all of R&D’s data, so IT puts her into Group_Research. What’s often not done, though, is pulling her out of Group_Marketing. Maybe she needs access to a few things during her transition, so it’s put off for a while and then never actually done. Or maybe IT generally doesn’t revoke access when it’s no longer needed, which is also common. IT is really good about granting access, since users call up the help desk when they can’t get to something they need. But no one ever calls up the help desk screaming that they have too much access, do they? The end result is that the longer Mary’s with the company, the more data she’s likely to have access to, and our authorization controls become less and less effective.
These are just some of the challenges organizations today are facing when it comes to proper authorization. Groups that don’t line up with the right data sets, folders open to global access groups and unwarranted access that is never revoked are all symptoms of broken authorization. What’s needed to fix these problems, and ensure they stay fixed, is automation. The reason we can’t easily fix a folder open to a global access group is that we have no good way of figuring out who actually should have access. We need an automated way to gather data about all this data (metadata) and then analyze it so we can start answering basic questions: Who’s got access? What are they doing with that access? Who’s got access that should be revoked? In future posts we’ll talk about how we can use intelligent automation to clean up authorization and implement a sustainable, secure access control model.
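As an added example (not code from the original post, and not any vendor’s product), here is a small Python model of the kind of automated analysis the post is calling for. It works over a constructed inventory of the metadata you would export from a Windows environment (folder ACL entries and group membership, plus each user’s department from HR), and answers the three questions above: which folders a user or group can reach, which folders are open to a global access group, and whose group membership no longer matches their department and is therefore a revocation candidate. The folder paths, group names, users and departments are all assumptions made up for illustration.

```python
"""Access-review model over constructed ACL and group-membership metadata.

Example code, not from the original post. Every folder, group, user and
department below is CONSTRUCTED to resemble what you would export from a
file server (Get-Acl output) and a directory (group membership).
"""
from collections import deque

# Windows groups that effectively mean "anyone who can authenticate".
GLOBAL_ACCESS_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}

# Constructed group membership: group -> members (users or nested groups).
GROUPS = {
    "Group_Marketing": {"mary", "bob"},
    "Group_Research": {"mary", "alice"},
    "Group_Finance": {"carol"},
    "Group_AllStaff": {"Group_Marketing", "Group_Research", "Group_Finance"},
}

# Constructed ACLs: folder -> {trustee: rights granted}.
ACLS = {
    r"\\files\Marketing": {"Group_Marketing": "Modify"},
    r"\\files\Research": {"Group_Research": "Modify"},
    r"\\files\Finance\Budgets": {"Group_Finance": "Modify", "Group_Marketing": "Read"},
    r"\\files\Templates": {"Everyone": "Read"},
    r"\\files\HR\Reviews": {"Authenticated Users": "Modify"},
}

# Constructed HR data: each domain account's current department, and the
# departmental group that department is supposed to map to.
DEPARTMENT = {"mary": "Research", "bob": "Marketing", "alice": "Research", "carol": "Finance"}
DEPARTMENT_GROUP = {"Marketing": "Group_Marketing", "Research": "Group_Research",
                    "Finance": "Group_Finance"}


def expand_group(group):
    """Return every user reachable through (possibly nested) group membership."""
    users, queue, seen = set(), deque([group]), set()
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        if name in GROUPS:
            queue.extend(GROUPS[name])
        else:
            users.add(name)
    return users


def trustees_for(user):
    """The user plus every group (including global ones) an ACL could name for them."""
    names = {user} | {g for g in GROUPS if user in expand_group(g)}
    if user in DEPARTMENT:          # any domain account is in the global groups
        names |= GLOBAL_ACCESS_GROUPS
    return names


def effective_access(user):
    """'What can this user reach?': folder -> set of rights, direct or via groups."""
    names = trustees_for(user)
    access = {}
    for folder, acl in ACLS.items():
        rights = {r for trustee, r in acl.items() if trustee in names}
        if rights:
            access[folder] = rights
    return access


def folders_for_trustee(trustee):
    """'Where is this user or group on an ACL?': the question the post says is hard."""
    return sorted(folder for folder, acl in ACLS.items() if trustee in acl)


def globally_open_folders():
    """Folders where being authenticated is the same as being authorized."""
    return {folder: sorted(set(acl) & GLOBAL_ACCESS_GROUPS)
            for folder, acl in ACLS.items() if set(acl) & GLOBAL_ACCESS_GROUPS}


def stale_memberships():
    """Users in a departmental group other than their own department's: revoke candidates."""
    return sorted((user, group)
                  for dept, group in DEPARTMENT_GROUP.items()
                  for user in expand_group(group)
                  if DEPARTMENT.get(user) != dept)


if __name__ == "__main__":
    print("mary can reach:", effective_access("mary"))
    print("Group_Marketing appears on:", folders_for_trustee("Group_Marketing"))
    print("open to global groups:", globally_open_folders())
    print("stale memberships:", stale_memberships())
```

Running it shows Mary (now in Research) still holding Marketing access, Group_Marketing sitting on a Finance folder nobody asked about, and the HR reviews folder open to every authenticated account; each is one of the symptoms described above, surfaced from metadata alone rather than from a help desk call.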