Authorization, granting permissions based on who or what the authorized is, is a very important part of the enterprise data protection and security program. Each one of the previous sections on data security relies on proper authorization to underlying operating systems, applications, and the data. This facet of data security highlights the defense in depth mantra of information security. Regardless of the technologies implemented for encryption, tokenization, and masking, a developed process for authorization including access provisioning, account removal, level of access, and auditing will not only ensure that the data remains secure, but provides a defensible data security strategy that can aide in reducing risk and cost associated with external auditing engagements.