The day “access” stopped meaning “login” and started meaning “authorization”
Blog post from P0 Security
A security leader recounts the challenges organizations face in managing access control effectively during production issues. Connectivity and authentication are well handled by mature tools and practices, but authorization remains a hard problem: it depends on context and on environments that change constantly, so the “right” privileges are difficult to define up front. Teams therefore often inherit disorganized access systems built from accumulated exceptions and temporary privileges that quietly became permanent, which makes incident reviews and audits painful.

The problem is not moral but systemic. It is rooted in outdated assumptions that being inside a network implies trust and that authentication implies legitimacy, neither of which holds in modern, high-stakes production environments. The focus should therefore be on granting access with tight scope, enforcing boundaries, and reliably revoking access once it is no longer needed, rather than on adding ever more authentication features while leaving the core problem of authorization unaddressed.