The Case for Justified Access

Whether they are creating software or shoes, data is the operational backbone of the enterprise. Access to high quality data at the right time, by the right people, has been proven to provide a huge competitive advantage.

The focus on data increases its value — making it one of the most valuable assets in an organization. As such, a disciplined approach is required to ensure it is well-protected. At SGNL we believe the future of managing access to this data is through a strategy that encompasses business justification, or Justified Access.

For decades, protecting data stored in computer systems has meant the configuration of static access control lists (ACLs) and access control entries (ACEs) based on who has access, what they have access to, and what they can do with that access. As time has passed, organizations and products have also gotten more and more clever about how to describe who can get that access. The industry at large has explored roles as a means of grouping similar users and granting access (via Role Based Access Control or RBAC). More recently, there’s been a realization that almost any attribute (or group of attributes) can establish a population of users that might have similar data access needs (via Attribute Based Access Control or ABAC).

These strategies have gone a long way to granting the workforce access to the data they need to do their job. People who have a Customer Success Manager title (for example) might need to access customer data to provide support, issue refunds, update records, or tens of other possible actions depending on the business. Similarly, users in Sales and Support departments might need to understand telemetry to provide insights to their customers and prospects as well as in forecasting, budgeting, or churn analysis.

There are several downsides to Role and Attribute-based Access Control:

One not-so-obvious downside of Role and Attribute-based access control is that it glosses over the question of whether a user should access a specific piece of data at a specific point in time with some business justification. RBAC/ABAC methodologies deal solely in whether a user can access a specific piece of data which often leads to a massive breadth of ambient access for every user.

For many organizations, whether a user should be utilizing their privilege to access data is documented in privacy and security training, organizational policies, and retroactively in security/compliance audits — not when data access is actually happening.

As you might suspect, this causes an array of challenges for different parts of an organization:

At SGNL we’ve seen these downsides and symptoms manifest at organizations both large and small and believe the solution lies in a new, principled type of Justified Access management strategy:

At SGNL we’re creating the future of Justified Access management, delivering an authorization solution that determines who should be able to access data based on their current task, business need, and justification, sourced from the organizational context that exists in the systems your organization already manages.

Related posts:

Eva Green peered over the edge and instantly felt butterflies fluttering in her stomach, she couldn’t see much past the fog, but she could tell it was a long way down, “Hang in there, champ. Two more…

Quando sono un poco giù di corda, mi rifugio qui, tra gli scritti logorroici e l’anonimato più protettivo. Medium è più discreto e mi rende più intima. Mi tiene vicina e lontana. Su Facebook ci vado…

The air had a metallic twang to it. Mr Spoon stuck his tongue out. He seemed almost reptilian, searching for something in the air. “Ouch. Your friend’s blood type must have been O. I’m afraid they…