As financial institutions role out identity management tools, they are faced with the challenge of maintaining business efficiency while standardizing the way their users access data. Likewise, the role entitlement phase can be a daunting task, especially when people are constantly moving within an organization along with the implementation of new applications and infrastructure. While some financial institutions, like Wachovia, have successfully implemented role entitlement, others are struggling with the basics due to the overwhelming number of moving parts and the pressures to maintain usability and stability during the transition.
Role entitlement allows organizations to gain efficiencies and apply access controls across all applications and infrastructure in their enterprise. Traditionally, users are provided access rights to services if they have the right management approval or on an as needed basis. As a result, there is no standardization of access rights even for individuals performing the exact same job or function. In addition, access rights tend to grow due to people moving within the organization and keeping old rights that are normally not required. The lack of a standard baseline to verify what rights a person requires has led to an increase in compliance audit findings and the resources necessary in applying appropriate security controls.
Role entitlement provides a method for financial institutions to baseline access rights for each user as defined by their primary job function and the tasks they perform. Roles also provide a way to assign multiple access rights as a single group rather then the traditional method of assigning individual access rights. This simplifies the process of managing user access controls and also provides a basis for automating the process of providing users with appropriate access rights to do their job. The hardest part in achieving this baseline is to determine where to begin and the best way to develop roles.
Below are some best practices. Instead of implementing both the conversion and changing the access controls, these best practices suggest performing the conversion into a role based tool while maintaining the same access controls currently in use. Once the conversion has been achieved, then take the appropriate time to collaborate with the business and human resources.
1). Determine scope
Identify small groups that are manageable from a project standpoint. This will allow you to complete the project quickly, gain experience in the conversion and reduce the problem resolution resource impact if problems occur.
2). Conduct human inventory
Conduct an inventory of the people who have like job duties within the group. Work with human resources to document titles and job duties related to the scoped group to build an identity dictionary. Identify and document any differences in tasks or greater responsibility due to oversight or management.
3). Prioritize by data risk/value
Conduct an inventory of the data type that the group has access to. Prioritize the data inventory by its value to your organization and the regulatory requirements that apply to your financial organization.
4). Conduct asset inventory
Using the data inventory as a guide, identify the applications and systems that provide the services to the data. This will highlight local vs. shared services and will help gauge the scope of the initial group. If groups outside the initial scope access the data using a shared system, treat the shared system as a separate project and revisit when the other teams are being considered for conversion.
5). Inventory current access rights
Conduct an inventory of the current access rights to the systems that are in scope. Even if the access is full, document this so you can duplicate the access in the conversion. This document will later provide the information necessary to fine tune access rights.
Using a standard lifecycle approach, implement the conversion on the group within the predefined scope. The conversion will be the objective while the current access rights will remain the same. Once the foundation is built, the second phase, which can be time-intensive, will focus on applying the principle of least privilege on the existing roles.
7). Align access right to principle of least privilege
Collaborate with human resources and other business groups to redefine the access right to the appropriate level.
Role entitlement is a process change and less of a technology change. The process of defining roles should be based on a complete analysis of how an organization functions and should include input from a wide spectrum of users, including business line managers and human resources. It is best to have tunnel vision and to work across the organization one step at a time.
About the author:
Rick Lawhorn, CISPP, CISA, is the chief information security officer (CISO) at PlanIT Technology Group and previously was CISO for GE Financial Assurance and Genworth Financial. He has more than 17 years of experience in information technology including extensive security experience, and has created a working group focused on developing meaningful metrics for CISOs. He can be reached at firstname.lastname@example.org.