
Using role management in provisioning and compliance

Role management provides the necessary framework for enterprises to efficiently govern access to sensitive data based on workers' jobs. However, many organizations fail to rescind unnecessary access privileges when employees change roles. In this tip, contributor Tom Bowers offers up best practices to ensure that privilege management isn't a shortcoming in your organization's identity and access management strategy.

This article is part of the Identity and Access Management Security School. Visit the Using IAM tools to improve... compliance lesson page for more learning resources.

Accurate management of privileges is a key component of compliance, and the process calls for systems that ensure access rights are granted only according to employees' roles (i.e. role-based access control) across an entire enterprise. So it's no surprise that compliance issues are driving identity projects that couldn't be justified by return-on-investment principles alone.

In meeting these compliance concerns, role management is well recognized as a best practice for setting such controls. The problem is that as people change roles and gain access to additional systems, corporations are typically very good at getting people what they need, but poor at taking away what is no longer required. This issue is the driving force behind role management.

Compliance issues
The industry has developed a number of compliance-oriented best practices for role management, which focus on the following objectives:

  1. Access to corporate IT resources should be granted according to a person's exact needs as defined by their role within the organization.
  2. Companies must confirm that only authorized users have access to sensitive information.
  3. Companies should enforce common business process constraints, such as separation of duties.
  4. Periodic assessments of access rights and privileges must be performed.

Role management provides the necessary framework for enterprises to efficiently manage access to sensitive data based on workers' roles in the organization. Thus role management becomes an effective tool in meeting compliance guidelines.

The role management process
Role management within a corporation needs to be set up and run carefully. I propose a four-step process.

  1. Research:
    1. Analyze privileges from the existing IT platforms. Identify and quantify the quality of existing access rights.
    2. Define roles. After mapping all of your accounts, this is the second most challenging task.
    3. Meet with every director and department leader to define a role for every job code. You will find that different groups define the same role differently.
    4. Find applications that don't support role-based access.
    5. Foresee complications.
    6. Find potential compliance violations.
  2. Plan:
    1. Prepare for role management. Plan and evaluate various role management and/or IAM solutions.
    2. Prioritize systems and project tasks based on urgency and data sensitivity.
    3. Review and clean privileges on individual platforms and simplify their structures.
    4. Balance roles against business process rules, such as segregation of duty.
  3. Deploy:
    1. Design and deploy a business process-oriented role-based provisioning policy.
    2. Create an initial set of business roles to be deployed in the provisioning system.
  4. Audit:
    1. Periodically audit provisioning policies.
    2. Refine, optimize and adapt role definitions to business changes.
    3. Review role privilege updates with business managers.
    4. Automate the testing of privileges.
    5. Demonstrate compliance verification.
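The four compliance objectives above and the "Automate the testing of privileges" audit step both come down to the same reconciliation: compare what the target platforms actually grant with what a worker's current roles justify, and check the result against separation-of-duties rules. The following Python script is an added illustration of that reconciliation; it is not Tom Bowers's code or any vendor's product. The role names, entitlement strings, the SoD constraint and the three workers are constructed sample data, and the role-to-entitlement mapping is a hypothetical simplification of what a real provisioning system would export.

```python
"""Minimal role-based provisioning audit (added example, not from the article).

Model: roles map to the entitlements they should grant on target systems;
each worker carries the roles assigned today and the entitlements the target
platforms actually report. The audit answers the questions the article raises:
who holds access their current role does not justify (typically leftovers from
a previous role), who is missing access their role should grant, and where a
separation-of-duties constraint is breached.
"""
from dataclasses import dataclass

# Roles -> entitlements they should grant (constructed sample data).
ROLE_ENTITLEMENTS = {
    "ap-clerk": {"erp:invoice:create"},
    "ap-manager": {"erp:invoice:approve", "erp:vendor:read"},
    "hr-analyst": {"hris:employee:read"},
    "sysadmin": {"ad:domain-admin"},
}

# Separation-of-duties constraints: sets of entitlements that no single person
# may hold at the same time (constructed; real rules come from the business).
SOD_CONSTRAINTS = [
    frozenset({"erp:invoice:create", "erp:invoice:approve"}),
]


@dataclass
class Worker:
    user_id: str
    roles: set                 # roles currently assigned by job code
    actual_entitlements: set   # what the target systems currently report


def expected_entitlements(roles, role_entitlements=ROLE_ENTITLEMENTS):
    """Union of everything the worker's roles are defined to grant."""
    expected = set()
    for role in roles:
        if role not in role_entitlements:
            # An undefined role is a research-phase gap, not something to silently skip.
            raise KeyError(f"undefined role: {role}")
        expected |= role_entitlements[role]
    return expected


def excess_entitlements(worker):
    """Rights held today that no current role justifies (never revoked on a role change)."""
    return worker.actual_entitlements - expected_entitlements(worker.roles)


def missing_entitlements(worker):
    """Rights the role should grant but the platform does not report (manual provisioning drift)."""
    return expected_entitlements(worker.roles) - worker.actual_entitlements


def sod_violations(entitlements, constraints=SOD_CONSTRAINTS):
    """Constraints fully contained in one person's entitlement set."""
    return [c for c in constraints if c <= entitlements]


def conflicting_role_pairs(role_entitlements=ROLE_ENTITLEMENTS, constraints=SOD_CONSTRAINTS):
    """Role pairs that can never be co-assigned because together they breach SoD."""
    names = sorted(role_entitlements)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if sod_violations(role_entitlements[a] | role_entitlements[b], constraints):
                pairs.append((a, b))
    return pairs


def audit(workers):
    """Return findings per user; users with no findings are omitted."""
    report = {}
    for w in workers:
        findings = {
            "excess": sorted(excess_entitlements(w)),
            "missing": sorted(missing_entitlements(w)),
            "sod": [sorted(v) for v in sod_violations(w.actual_entitlements)],
        }
        if any(findings.values()):
            report[w.user_id] = findings
    return report


# Constructed sample population.
SAMPLE_WORKERS = [
    # Moved from AP clerk to AP manager; the old "create" right was never removed,
    # which also puts the user in breach of the invoice SoD rule.
    Worker("alice", {"ap-manager"}, {"erp:invoice:create", "erp:invoice:approve", "erp:vendor:read"}),
    Worker("bob", {"hr-analyst"}, {"hris:employee:read"}),
    # Provisioned by hand and missing an entitlement the role should grant.
    Worker("carol", {"ap-manager"}, {"erp:invoice:approve"}),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_WORKERS).items():
        print(user, findings)
    print("role pairs that must never be co-assigned:", conflicting_role_pairs())
```

Run periodically against a fresh export from each platform, the `excess` list is the revocation queue the article says most organizations never build, and `conflicting_role_pairs` is the check to run before a new role definition is accepted in the plan phase. The example treats an undefined role as an error rather than ignoring it, because a job code with no agreed role is exactly the gap the research phase is meant to surface.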

Be prepared to spend two or three months evaluating each business process and its associated roles. You will likely spend an additional month writing the connector for any given application or system. Some enterprises have spent months mapping between data repositories and the roles that should have access to them. Despite the seemingly tedious nature of the work, this research is critical to project success. The old adage of "if you fail to plan, you plan to fail" is especially true in role management projects.

Lastly, it is likely that you won't find technology to be a barrier in your project; instead, it will be the organization's business processes. That having been said, you will likely find that role management products are still complex and difficult to use. The market is still maturing as vendors improve their own business processes. The effort of deploying a role management product is critical to meeting compliance guidelines. As such, you will find that while meeting those guidelines, you will be improving business effectiveness as well.

In this type of project, you will find that the creation of roles is typically a time-consuming process. There are tools available, however, that can help to automate it. The key to role management project success is to move cautiously, talk with your business units constantly, communicate the project objectives and success factors with end users and management, and focus on business processes as well as the technology. You will affect the way people work, never forget that. Set and exceed their expectations for the project.

About the author:
Tom Bowers, who holds CISSP, PMP and Certified Ethical Hacker certifications, is a well-known expert on the topics of data leakage prevention, global enterprise information security architecture and ethical hacking. He is also the president of the Philadelphia chapter of Infragard, the second largest chapter in the country with more than 600 members. Additionally, Bowers is the managing director of the independent think tank and industry analyst group Security Constructs LLC. His areas of expertise include aligning business needs with security architecture, risk assessment and project management on a global scale. Bowers is a technical editor of Information Security magazine and a regular speaker at events like Information Security Decisions.

This was last published in January 2007
