Using IAM tools to improve compliance


COMPLIANCE COUNSELOR

Using role management in provisioning and compliance


Tom Bowers
01.31.2007





This article is part of the Identity and Access Management Security School. Visit the Using IAM tools to improve compliance lesson page for more learning resources.

Accurate management of privileges is a key component of compliance, and the process calls for systems that ensure access rights are granted only according to employees' roles (i.e. role-based access control) across an entire enterprise. So it's no surprise that compliance issues are driving identity projects that couldn't be justified by return-on-investment principles alone.

In meeting these compliance concerns, role management is well recognized as a best practice for setting such controls. The problem is that as people change roles and gain access to additional systems, corporations are typically very good at getting people what they need, but poor at taking away what is no longer required. This issue is the driving force behind role management.

Compliance issues
The industry has developed a number of compliance-oriented best practices for role management, which focus on the following objectives:

  1. Access to corporate IT resources should be granted to a person's exact needs as defined by their role within the organization.
  2. Companies must confirm that only authorized users have access to sensitive information.
  3. Companies should enforce common business process constraints, such as separation of duties.
  4. Periodic assessments of access rights and privileges must be performed.

Role management provides the necessary framework for enterprises to efficiently manage access to sensitive data based on workers' roles in the organization. Thus role management becomes an effective tool in meeting compliance guidelines.

The role management process
Managing roles within a corporation needs to be set up and managed carefully. I propose a four-step process.

  1. Research:
    1. Analyze privileges from the existing IT platforms. Identify and quantify the quality of existing access rights.
    2. Define roles. After mapping all of your accounts, this is the second most challenging task.
    3. Meet with every director and department leader to define a role for every job code. You will find that different groups define the same role differently.
    4. Find applications that don't support role-based access.
    5. Foresee complications.
    6. Find potential compliance violations.

  2. Plan:
    1. Prepare for role management. Plan and evaluate various role management and/or IAM solutions.
    2. Prioritize systems and project tasks based on urgency and data sensitivity.
    3. Review and clean privileges on individual platforms and simplify their structures.
    4. Balance roles against business process rules, such as segregation of duty.

  3. Deploy:
    1. Design and deploy a business process-oriented role-based provisioning policy.
    2. Create an initial set of business roles to be deployed in the provisioning system.

  4. Audit:
    1. Periodically audit provisioning policies.
    2. Refine, optimize and adapt role definitions to business changes.
    3. Review role privilege updates with business managers.
    4. Automate the testing of privileges.
    5. Demonstrate compliance verification.
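As an added example that is not part of the article, the following script shows what the audit step's "automate the testing of privileges" and the plan step's separation-of-duties check can look like in practice: it compares the entitlements each person actually holds on the platforms against what their assigned roles justify, flags leftovers from previous roles, and checks both individuals and role combinations against SoD rules. The role catalogue, role assignments, SoD rules and platform export are constructed sample data; a real deployment would pull them from the provisioning system and the target platforms.

```python
from itertools import combinations

# Role -> entitlements the role is allowed to grant (constructed sample data).
ROLES = {
    "accounts_payable": {"erp:invoice.create", "erp:vendor.read"},
    "treasury": {"erp:payment.approve", "bank:wire.send"},
    "helpdesk": {"ad:password.reset"},
}

# Separation-of-duties rules: pairs of entitlements no single person may hold.
SOD_RULES = [
    ("erp:invoice.create", "erp:payment.approve"),
    ("erp:vendor.read", "bank:wire.send"),
]

# Current role assignments from HR / the provisioning system (constructed).
USER_ROLES = {"alice": {"accounts_payable"}, "bob": {"treasury"}, "carol": {"helpdesk"}}

# Entitlements actually present on the platforms (constructed export).
# alice moved from treasury to accounts payable but kept payment.approve:
# the "good at granting, poor at removing" problem the article describes.
ACTUAL = {
    "alice": {"erp:invoice.create", "erp:vendor.read", "erp:payment.approve"},
    "bob": {"erp:payment.approve", "bank:wire.send"},
    "carol": {"ad:password.reset", "erp:vendor.read"},
}

def expected_entitlements(user):
    """Union of the entitlements granted by all of the user's roles."""
    return set().union(*(ROLES[r] for r in USER_ROLES.get(user, ())))

def audit_user(user):
    """Findings for one person: excess (held but not role-justified),
    missing (role-justified but absent) and SoD rule hits."""
    expected = expected_entitlements(user)
    held = ACTUAL.get(user, set())
    sod = [rule for rule in SOD_RULES if rule[0] in held and rule[1] in held]
    return {"excess": sorted(held - expected),
            "missing": sorted(expected - held),
            "sod_violations": sod}

def audit_all():
    """Run the privilege test for everyone known to HR or found on a platform."""
    return {u: audit_user(u) for u in sorted(set(USER_ROLES) | set(ACTUAL))}

def conflicting_role_pairs():
    """Role pairs that can never be assigned together without breaking SoD."""
    hits = []
    for a, b in combinations(sorted(ROLES), 2):
        union = ROLES[a] | ROLES[b]
        if any(x in union and y in union for x, y in SOD_RULES):
            hits.append((a, b))
    return hits
```

Run periodically (step 4.1 and 4.4), the `excess` findings are the deprovisioning work list and the `conflicting_role_pairs` output tells the role designers which combinations must be blocked in the provisioning policy.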

Be prepared to spend two or three months evaluating each business process and its associated roles. You will likely spend an additional month writing the connector for any given application or system. Some enterprises have spent months mapping between data repositories and the roles that should have access to them. Despite the seemingly tedious nature of the work, this research is critical to project success. The old adage of "if you fail to plan, you plan to fail" is especially true in role management projects.

Lastly, it is likely that you won't find technology to be a barrier in your project; instead, it will be the organization's business processes. That having been said, you will likely find that role management products are still complex and difficult to use. The market is still maturing as vendors improve their own business processes. The effort of deploying a role management product is critical to meeting compliance guidelines. As such, you will find that while meeting those guidelines, you will be improving business effectiveness as well.

Conclusions
In this type of project, you will find that the creation of roles is typically a time-consuming process. There are tools available, however, that can help to automate it. The key to role management project success is to move cautiously, talk with your business units constantly, communicate the project objectives and success factors with end users and management, and focus on business processes as well as the technology. You will affect the way people work, never forget that. Set and exceed their expectations for the project.

About the author:
Tom Bowers, who holds CISSP, PMP and Certified Ethical Hacker certifications, is a well-known expert on the topics of data leakage prevention, global enterprise information security architecture and ethical hacking. He is also the president of the Philadelphia chapter of Infragard, the second largest chapter in the country with more than 600 members. Additionally, Bowers is the managing director of the independent think tank and industry analyst group Security Constructs LLC. His areas of expertise include aligning business needs with security architecture, risk assessment and project management on a global scale. Bowers is a technical editor of Information Security magazine and a regular speaker at events like Information Security Decisions.
