Centralized Versus Distributed Approach

For identity and access management, we can also choose to adopt a centralized or a decentralized approach.

There’s no right or wrong answer in terms of having a centralized or decentralized approach. Typically, though, there are some broad trends that we can draw out. A centralised access management typically is classed to be more secure. Partly what we have here is a single team in a single physical location, usually, but operating to the same standards of work. So we have a group of people working in the same space, working under the same workflows, to the same standard. We also tend to have much better corporate compliance with this kind of configuration. If we have a central authentication system, a central service desk, this can help us manage to those minimum standards.

Decentralized, we can start to see things like line of business systems being managed and maintained in isolated silos of the business. And you will see some organizations actually separate their main directory, their user directory, up into individual departments, and there’s no single point of management. Now, one of the benefits of that decentralized approach is the system manager or those local teams typically have a much higher awareness of the people that they’re working with and so can be more equipped to spot inappropriate levels of access that occur. So if there are problems in terms of access, they can be a good first line in terms of spotting them.

So elevated privileges, users that have left the organization, users that should not have access to a given system – this can all be drawn out through that team. The disadvantage typically, and again, this is a trend, it’s not always the case. The disadvantage of a decentralized team is that it can start to lose the standardisation. You can lose the standard corporate approach through the devolved nature. So there are different ways to do this. There are pluses and minuses to both approaches. Administrators have a fairly complex set of challenges here when trying to deal with the management of distributed access systems, things like enforcing a policy.

If we look at something like Active Directory, with our access management policy, we can state that an account may expire after six weeks. And we could apply that to a user, to a group, or to all users. When we have individual line of business systems that aren’t integrated into that directory service, that are managed locally, we’re reliant on those individual managers to enforce that policy. And it may be that that’s not technically enforced, that that requires administrative enforcement. And human beings are fallible. We will almost certainly have issues in terms of non-compliance. The benefits, again, of distributed systems, generally, is that siloing of data can provide an extra level of protection.

So if the main directory is compromised, the individual line of business system can remain isolated from the threat. Potentially that benefit doesn’t occur if the user is allowed to reuse passwords across all of their accounts. And again, we’ve probably seen examples of users reusing their passwords across all the different systems. So this is not good practice by any means, but does happen. Awareness of access requirements may be greater as well for central teams. Trying to understand the local business needs, the local business requirements, typically that works better if the centralized team have some link to the local business unit, to the business owner of that line of business system so that they can understand who should have access.

And again, this may be influenced by the organizational structure. If we have a large enterprise organization operating in hundreds of countries, this may actually dictate how we operate. We may also have a group model for our business. Business groups may have multiple individual companies operating in an aligned fashion together. Again, this may dictate how we operate our identity and access management system. We may not have a choice. So we may have management by territory or by organizational units. It may not be possible to influence that process.