Authorization concept:
Best practice recommendation
Best practice recommendation
IT security is an omnipresent issue for companies. Which employees really need access to certain sectors and access to (sensitive) data? What does effective protection against sabotage or hacker attacks look like?
The German Federal Office for Information Security (BSI) recommends that critical infrastructures (KRITIS) have access controls – both physical and logical – among other things. A suggestion that is also relevant for companies without KRITIS classification.
In terms of IT security, you therefore need an authorization concept that makes access traceable, protects against internal and external attacks and at the same time supports IT administration in a way that conserves resources. What aspects should you consider when designing such a concept? Find out in our blog post.
Three steps to your optimal authorization concept
But before you establish these in your company, it is worth taking a look at your current authorization structure. Check: Are there historically grown authorization structures?
Large amounts of unstructured data accumulate in the form of documents and files and the file server structure is becoming increasingly confusing. Who has which authorizations? If there is no overview, a security gap is created.
Reasons for an opaque authorization structure can be:
- Restructuring within the organization
- Change of technical platform, people and areas of responsibility
- Manual errors in the assignment of authorizations
- Permanent manifestation of temporary interim solutions
- Missing documentation or documentation that deviates from the technical conditions
- Changing requirements for data access
Implementing the authorization concept: Which software tool supports you and how?
Secure management of authorizations is possible with a software solution that supports IT administration. This is the only way to establish authorization assignment in the long term,
The extent to which a software solution should support the creation of a new concept is a decision for the administration. It helps to clarify the choice internally: What level of support do we want to use and how much should be implemented automatically in the future? You have the choice between tools for simple evaluation of the existing situation through to fully automated authorization management that is specifically aimed at end users and data managers.
The technical implementation takes place entirely via the system, so that no IT background knowledge is required for use. This means that authorizations can be assigned in a user-friendly and comprehensible manner using self-service.
The aim of automated authorization assignment using self-service is to shift the responsibility and handling of authorization processes away from IT administrators and towards data controllers. The defined target status can only be maintained in the long term if authorizations are no longer assigned “bypassing the system”, but via the request and approval workflows provided for this purpose.



