This tip is part of SearchSecurity.com's Data Protection Security School lesson, "Watching the Watchers." Click the lesson link for additional material on how to monitor the activities of your most trusted insiders with a combination of policy, process and technology to keep unauthorized access and data loss to a minimum.
Role-based access control (RBAC) is a powerful tool companies can use to manage security by defining user roles and permissions, rather than assigning permissions to specific users. Using roles, companies can maintain a consistent security posture, audit the accuracy of access, prevent "access creep" and effectively manage thousands of users and rapid change. For all the value of role-based access control, however, security professionals may find it difficult to design good role-based access control models for a company.
Effective role-based access is about more than technology. In fact, with role-based access available in most identity management systems, companies can readily find a comprehensive solution for role-based access. The difficulty lies in role engineering: The selection of appropriate roles, design of a role hierarchy that matches the corporate culture, and structure and management of roles as the company changes. These are all organizational, process and operational challenges – all things outside the core skill set of security pros and extending far beyond IT. Role-based access management is at its core a business issue, not a technology issue.
Role-based access control model: RBAC management starts with governance
Many companies make the mistake of starting their implementation of role-based access management with a technology selection. That almost guarantees the project will be costly, poorly executed and a failure. Instead, role-based access management projects should start with governance: identifying the key stakeholders and responsibilities in the project. Role-based access management is ultimately an implementation of business process and business strategy, because it defines how employees interact with each other and the applications. In most organizations, key stakeholders would include: human resources, IT, audit, business unit managers, executive leadership and legal. All of these have a stake in the lifecycle of an employee and their interactions with others.
Once a governance team is in place, it is time to start the process of role engineering, by identifying the common "classes" of employees. IT will need to work closely with HR and business unit leaders to classify employees by function – this can be done in a spreadsheet or even on a whiteboard. In a small business, it is likely any one employee will have multiple responsibilities that would normally be a complete job description in a bigger company. That would mean each employee has multiple roles, which cumulatively define that employee's permissions. In a larger company, roles may closely follow job titles. There will also be common "core" roles shared by most employees or most employees within a department. For example, in an educational environment, core roles might include "student" and "staff." Almost immediately, you will see that even at the simplest level there will be exceptions: Is a lab assistant a student or a member of staff, or both? These types of cases will lead to the definition of more specific roles that can be "layered" to create a complex set of permissions. For example, a lab assistant may have the "student" role, the "student advisor" role and the "lab manager" role. A member of staff may have the "staff" role and the "lab manager" role.
Avoiding role sprawl for effective security management
It becomes readily apparent that the process for creating roles can very quickly get out of control. Without a clear process, the organization will suffer from "role sprawl" – new roles created for very narrow use cases, accumulating until there are too many roles to manage. A key part of a role engineering process is to limit and constrain the creation of roles. Every role created by IT will need to be managed, reviewed, audited and maintained by IT or the security operations team. As the number of roles increases, so does the maintenance burden, the complexity of the system and the likelihood of errors. To avoid "role sprawl," companies must establish change-control procedures to evaluate each request for a new role: Is a new role necessary? Can an existing role be modified to encompass this new role?
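The layered roles from the educational example above (a lab assistant holding "student", "student advisor" and "lab manager", with effective permissions as the union of those roles) and the change-control question this section poses (is a requested role a duplicate, a subset or a superset of one that already exists?) can both be modelled in a few dozen lines. The following is an added example written for this article, not code from the original or from any product; all role names, permission names, user names and the "department head inherits from staff" hierarchy are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    permissions: set
    parents: set = field(default_factory=set)  # roles this role inherits from


class RBACModel:
    """Minimal role-based access model: roles carry permissions, users carry
    roles, and a user's effective permissions are the union of all assigned
    roles plus anything inherited through the role hierarchy."""

    def __init__(self):
        self.roles = {}        # role name -> Role
        self.assignments = {}  # user -> set of role names

    def add_role(self, name, permissions, parents=()):
        if name in self.roles:
            raise ValueError(f"role {name!r} already exists")
        for parent in parents:
            if parent not in self.roles:
                raise KeyError(f"unknown parent role {parent!r}")
        self.roles[name] = Role(name, set(permissions), set(parents))

    def assign(self, user, *role_names):
        for role in role_names:
            if role not in self.roles:
                raise KeyError(f"unknown role {role!r}")
        self.assignments.setdefault(user, set()).update(role_names)

    def role_permissions(self, name, _seen=None):
        """Permissions of a role plus everything inherited from its parents."""
        seen = _seen if _seen is not None else set()
        if name in seen:  # guard against a cycle in a misconfigured hierarchy
            return set()
        seen.add(name)
        role = self.roles[name]
        perms = set(role.permissions)
        for parent in role.parents:
            perms |= self.role_permissions(parent, seen)
        return perms

    def effective_permissions(self, user):
        """Layering: the user's permissions are the union of all their roles."""
        perms = set()
        for role in self.assignments.get(user, set()):
            perms |= self.role_permissions(role)
        return perms

    def check_access(self, user, permission):
        return permission in self.effective_permissions(user)

    def review_role_request(self, proposed_permissions):
        """Change-control check for a requested role: compare the proposed
        permission set against every existing role before creating it."""
        proposed = set(proposed_permissions)
        duplicate_of, subset_of, superset_of = [], [], []
        for name in self.roles:
            existing = self.role_permissions(name)
            if existing == proposed:
                duplicate_of.append(name)
            elif proposed < existing:
                subset_of.append(name)
            elif proposed > existing:
                superset_of.append(name)
        if duplicate_of:
            verdict = "reject: identical to existing role(s)"
        elif superset_of:
            verdict = "review: consider extending an existing role instead"
        elif subset_of:
            verdict = "review: consider assigning an existing role instead"
        else:
            verdict = "accept: no overlap with existing roles"
        return {"duplicate_of": duplicate_of, "subset_of": subset_of,
                "superset_of": superset_of, "verdict": verdict}

    def unassigned_roles(self):
        """Roles nobody holds: candidates for retirement in a sprawl review."""
        in_use = set().union(*self.assignments.values()) if self.assignments else set()
        return [name for name in self.roles if name not in in_use]


def build_example_model():
    """Constructed sample data for an educational environment (assumed role,
    permission and user names; not taken from any real deployment)."""
    m = RBACModel()
    m.add_role("student", {"read.courses", "submit.assignments"})
    m.add_role("staff", {"read.courses", "read.roster", "grade.assignments"})
    m.add_role("student advisor", {"read.advisee.records"})
    m.add_role("lab manager", {"manage.lab.schedule", "reserve.equipment"})
    m.add_role("department head", {"approve.budget"}, parents=["staff"])
    m.add_role("printer admin", {"manage.printers"})  # created but never assigned
    m.assign("lab_assistant", "student", "student advisor", "lab manager")
    m.assign("staff_member", "staff", "lab manager")
    m.assign("head", "department head")
    return m


if __name__ == "__main__":
    model = build_example_model()
    print(sorted(model.effective_permissions("lab_assistant")))
    print(model.review_role_request({"reserve.equipment"}))
    print(model.unassigned_roles())
```

`review_role_request` is the automated half of the change-control gate: a request whose permissions exactly match an existing role is rejected outright, and a strict subset or superset is sent back to the governance team with the suggestion to reuse or extend what already exists. `unassigned_roles` supports the periodic review, surfacing roles that were created for a narrow case and never used.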
Role-based access management is a very powerful technology for controlling access to IT resources and applications. It empowers system administrators with the ability to quickly and consistently categorize users and give them immediate access to the resources they need. However, role-based access must correspond to business functions and business processes. IT must lean heavily on the business leaders to help understand the job functions and define the correct roles, even if IT is responsible for day-to-day management of those roles. The hardest aspects of implementing a role-based access management system are operational and organizational. If an organization defines a clear process that includes the necessary stakeholders, it will have a much better chance of creating an effective, scalable and long-lasting role-based access management solution.
About the author:
Andreas M. Antonopoulos is a senior vice president and founding partner with Nemertes Research, where he develops and manages research projects, conducts strategic seminars and advises key clients. Andreas is a computer scientist, a master of data communications and distributed systems, and a Certified Information Systems Security Professional (CISSP), with an engineering, programming and consulting background. For the past 16 years, he has advised a range of global industries on emerging technologies and trends.