Modern access controls: takeaways on what actually works

Maya Kaczorowski

CEO / Founder

As we build access control policies into Oblique, it’s been interesting talking to IT and security teams to get examples of what they’d like to be able to implement. They’re shockingly… boring and unoriginal? Access management is one of those areas where organizations converge on similar approaches, because everyone is working with the same constraints. Even diverse organizations are generally protecting similar types of assets, dealing with similar compliance requirements, and working with similar tech stacks.

So, we wanted to document what IT and security teams have actually implemented today, in a new report on Modern access control policies, based on interviews with leaders from organizations with 125 to 5000+ employees. Here are the takeaways:

  • Policy ownership is shifting from security-only to being jointly owned by security, IT, and the business. While security teams historically defined policies and IT implemented them, organizations are moving toward shared ownership. More importantly, they're delegating authority to business teams, by involving them in defining requirements, setting policies, and handling approvals — rather than IT or security teams who don't have the context.
  • Controls should apply to data, not systems. The strictest controls should protect the most important assets: customer environments, customer data, and data within the scope of a compliance framework. But instead of focusing on protecting systems, teams are starting to think more holistically about data classification — even if that’s just distinguishing between systems that do and don’t have customer data — and protect resources based on the kinds of data they have.
  • More complex policy requirements are enforced when access is changed. Access requirements can be enforced both when access is used, and when access is changed. Zero trust policies focus on real-time context around users and devices when allowing access to a resource. But the more nuanced requirements kick in when access is granted, modified, or renewed. These decisions require business context from HR systems and validation of requirements that simply aren't available at the time of access.
  • Moving approvals from IT to managers improves speed initially, but human approvals remain a bottleneck. Delegating access decisions to managers notably improves the speed of an approval. But this initial unblock isn’t the end state. It’s often still too slow, and weakens security, since managers will approve any request to unblock their team. The real security and speed improvements come from asking those with context for approvals — app owners — and automating approvals entirely where requests are consistently approved.
  • Pre-approving specific groups for access is necessary when implementing approval workflows. To successfully reduce standing access, users need a way to regain that access validly without a cumbersome process. How can this ease of use be balanced with minimizing risk and cost? Pre-approve a set of users who can invoke access when they need it. This approach works well for common patterns, like engineers accessing production during on-call periods, or support staff accessing customer data with valid ticket numbers.
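To make the last three takeaways concrete, here is a small added example of an access-change evaluator (illustrative code, not Oblique's engine or anything from the report): requests for resources without customer data get the lowest tier, pre-approved groups self-invoke only with valid business context (on-call status or an open ticket), consistently approved requests are automated, and everything else routes to the app owner. All resource names, users, tickets and the approval threshold are invented sample data.

```python
from dataclasses import dataclass

@dataclass
class Resource:
    name: str
    has_customer_data: bool   # classification drives strictness, not the system itself
    owner: str                # app owner with the context to approve

@dataclass
class Request:
    user: str
    resource: str
    reason: str = ""          # "on-call" or a ticket id such as "SUP-1234"

# Constructed sample context; in practice this comes from HR, on-call and ticketing systems
RESOURCES = {
    "prod-db": Resource("prod-db", True, "db-owner"),
    "support-console": Resource("support-console", True, "support-owner"),
    "wiki": Resource("wiki", False, "it-owner"),
}
ON_CALL = {"alice"}
OPEN_TICKETS = {"SUP-1234"}
PRE_APPROVED = {"prod-db": {"alice", "bob"}, "support-console": {"carol"}}
HISTORY = {("prod-db", "eve"): ["approved", "approved", "approved"]}
AUTO_APPROVE_AFTER = 3    # invented threshold for "consistently approved"

def has_valid_context(req, on_call, open_tickets):
    """Business context checked at grant time, not at access time."""
    if req.reason == "on-call":
        return req.user in on_call
    return req.reason in open_tickets

def evaluate(req, resources=RESOURCES, on_call=ON_CALL, open_tickets=OPEN_TICKETS,
             pre_approved=PRE_APPROVED, history=HISTORY):
    """Return ("approved", why) or ("route", approver) for an access change request."""
    res = resources[req.resource]
    if not res.has_customer_data:
        return ("approved", "no customer data: lowest control tier")
    if req.user in pre_approved.get(res.name, set()):
        if has_valid_context(req, on_call, open_tickets):
            return ("approved", "pre-approved group with valid context")
        return ("route", res.owner)   # pre-approved but no on-call/ticket: a human decides
    past = history.get((res.name, req.user), [])
    if len(past) >= AUTO_APPROVE_AFTER and all(d == "approved" for d in past):
        return ("approved", "consistently approved: automated")
    return ("route", res.owner)       # default: the app owner, not the manager or IT

if __name__ == "__main__":
    print(evaluate(Request("alice", "prod-db", "on-call")))
    print(evaluate(Request("bob", "prod-db")))
```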

This report reflects what organizations are actually doing, not what they aspire to implement. Real-world organizations are, well, realistic. They need to balance security requirements while still keeping their organizations functional.

If you’re deciding what to implement in your organization, your peers have already figured out what works. Read the report, learn from their experiences, and apply the same patterns to your organization.
