Co-Founder & CEO at Authomize. Ex: Product Lead at Check Point, ForceNock’s Co-Founder & CEO (acq by Check Point), ReSec’s Co-Founder & CEO.
Long before Covid-19, most organizations knew that they had to make the transition to the cloud.
The cloud was clearly the direction that business was moving, with a 2019 report from Gartner declaring that the public cloud services market would grow by 17% in 2020. Everybody knew that they had to get there in the next two to three years. And then 2020 happened, and three years turned into two months.
The move to remote work has meant that everything your company was able to do at the office now needs to be available from anywhere. But just because this is the logical conclusion doesn’t mean that getting there is any easier.
One of the biggest challenges for organizations in their rapid transition to the cloud has been in managing permissions.
In smaller organizations with a more limited number of employees, managing who needs which permissions is not too terribly complicated.
It is when you begin to reach a larger scale that it becomes increasingly difficult to get through the process. Requests by department heads to grant or revoke permissions become a more entrenched process that requires additional rounds of approvals in organizations. This all ends up becoming a substantial time suck that hurts efforts to actually get work done.
This begs the question: Why is permission management such a challenging process?
Not Too Hot, Not Too Cold, But Just Right
Striking the balance between too many permissions and not enough is tricky to get right.
There should always be a healthy tension between granting your people as many permissions as they need to do their jobs while restricting which permissions they have so as to minimize your threat surface.
This idea is most commonly referred to as the principle of least privilege, wherein you grant the bare minimum of permissions to employees for them to access what they need. If they are not given enough permission, then they will be unable to function effectively.
The risk here is pretty straightforward. The more people who have permissions into more things, the greater chance that either they can cause harm or that their account can be compromised for doing harm.
With this balance in mind, we need to think about how we can work within our organizations to find the Goldilocks point on the spectrum — not too hard, but not too soft — and make it all work quickly and efficiently at an enterprise scale.
Three Tips For Faster And More Secure Permission Management
As I’ve explained, striking the balance between speed and security is a tricky one. In my experience, the best way to improve this process is to set the right policies at the top.
Here are three tips that I have found to be incredibly effective in organizations that I have worked with. Hopefully, they will be valuable to you, too.
1. Differentiate Based On Risk
Decide which assets and permission are critical and which entitlements are less sensitive to your organization.
Those assets that need the highest level of protection should be centralized and brought to the attention of key decision-makers who have the authority to grant these permissions. This is not a position for a “rubber stamp” kind of person.
For those assets that have a lower risk profile, hit two birds with one stone by delegating the approval process out to the relevant stakeholders. Your VP of marketing can probably be trusted to hand out approvals for Salesforce permissions as needed.
2. Reduce The Noise
Save the valuable time of these higher-level deciders by ordering your approvals in a way that they have to clear the toughest barrier first.
This will likely mean more rejections at earlier stages. But it will work wonders in ensuring those that are approved receive the most attention.
3. Define Roles And Permissions Ahead Of Time
My preferred approach to allocating permissions comes down to assessing need. We need to think about which roles within an organization are likely to need a certain set and level of permissions in order to do their jobs.
For example, marketing will probably need permission for Salesforce but not AWS or Azure data storage. Flip this assumption for developers. These role-based permission profiles should be pretty clear and upfront for someone joining or leaving a department.
So why not save some time by preapproving the permissions that fit with their roles as a standard part of the onboarding process?
Sure, some alterations will be needed depending on the specifics of their jobs, but the bulk of the approval process being done ahead of time will allow them to get started significantly faster, improving productivity.
Once you define these categories of roles and permissions, just make them an option item in your drop-down list for your IT service management (ITSM) solution to simplify the process one step further.
Learning Through Trial And Error
Peter Drucker was spot on when he said, “If you can’t measure it, you can’t improve it.” Make sure you measure your tickets to determine where they get stuck and analyze why. But most of all, be prepared to test and adjust constantly.
Just like in the story of Goldilocks, getting to “just right” takes time to achieve. Your organization may not have to contend with a family of angry bears, but the stresses of the current situation are very real. So be patient as your team works hard to get on course here.
Finding that sweet spot for permissions will take some time to get right, but starting the process now will make it easier for your organization to do it correctly moving forward as cloud services become the standard.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?