Role-based access control, or ‘RBAC’ as it is usually called, has become a popular new buzzword in security organisations. But so many ideas come and go; does this one have legs?
A bit of history is in order here. While it has become a hot topic over the past six months, RBAC has actually been around for a number of years, based on research by the US National Institute of Standards and Technology. Created to help organisations manage access rights for numerous users, RBAC operates under the principle that the roles people play in an organisation change less frequently than do the individuals occupying those roles. For example, the role of a bank teller has existed for decades but there is a high turnover of individual bank tellers. With a system based on RBAC, the roles imply the accesses a user needs with a company. Therefore, theory has it, managing the roles rather than the individuals, is a more effective approach towards automation.
Why all the fuss over efficiently automating access rights? Actually, the stakes are quite high. According to IDC, 30-60% of active accounts on protected systems are orphans, that is, they cannot be associated with a valid user. Each of these 'orphan accounts' represents an open back door inviting hackers (or simply disgruntled former employees, partners or suppliers) to come in and wreak havoc on your system. To put it in dollar-and-cents terms, the average act of espionage from an insider costs an organisation about $2,7 million, according to the FBI.
The problem of orphan accounts has exploded because of the realities of IT security and network management in today's business climate. Because with mergers, layoffs and other changes, users come and go so frequently and new, access-controlled systems are constantly being rolled out, it has become enormously labour intensive to provision users with the access rights they need in a timely and controlled manner, and it has become even more expensive to keep track of these rights so that they can be suspended or deleted when the user no longer has need for them.
But RBAC is a theory, not a product. It defines an approach to represent roles and relations but not the instructions or tools to discover roles and make them useful. Today, a number of products utilise the concept of roles to assist in the access administration environment. ERP and portal initiatives often include some approach of using roles. Provisioning products and Web access control tools also include roles.
Which roles do you use, or want to use?
However, even though RBAC-based products are now available, your organisation may not be ready for them yet. The first step towards RBAC is analysing which roles you use, or want to use. It is necessary to put all your users (internal and external) into 'buckets' based on what they do. In practice, role-engineering is an experimental and expensive business analysis and results are mixed. Consulting companies offering 'role engineering' are quick to lend a hand if you do not have enough of your own, but this is still more of an art than a science. Many companies find they have nearly as many buckets, or roles, as they do users. Others have spent months only to throw up their hands after encountering political walls or running out of schedule.
The vacuum of products and processes to support the new science of role-engineering has drawn the interest of vendors and consultants. Role-mining tools are being proposed to discover hidden patterns of access rights that may imply a role. Standard roles are also being proposed. Because organisations operate differently and are already full of bad accounts, these approaches are expected to help only in limited situations.
If the results of the RBAC investment seem uncertain, you are right. But the problem is real, so what should you do? Be pragmatic about it. The reason you care about RBAC in the first place is to reduce administrative cost while improving your security and service quality. It turns out that the bang for the buck is not in this new theoretical approach but in solutions that are ready to give results now.
Provisioning systems have proven themselves to give large and visible benefits quickly by managing access rights across the entire enterprise. These systems offer concrete results and, if built flexibly, allow step-wise growth into RBAC when the time is right for your organisation. Provisioning systems offer:
* Password self-service to unload the help desk.
* Access rights accounting to track and enforce who has which accounts.
* They expose active accounts that should have been removed.
* Enforce and expedite approval processes with workflow to ensure proper authorisation.
These four functions have positive, visible impacts to your operations within just weeks of rollout.
The forward-thinking products also deliver 'policy-based provisioning,' which includes RBAC but with a practical bent. For instance, you might define a rule stating that any employee can get access to any system as long as their supervisor approves it. Adding other rules like 'The owner of the mainframe and ERP system must also approve access changes to these systems', would enhance security far above that achieved with typical manual approaches.
RBAC is not the first step in the solution, but is an emerging, powerful refinement to automated user provisioning. The first steps towards lower costs, better security and improved service lie not in optimised theories but in the concrete capabilities of provisioning systems available today.
For more information: Access360, 0944 148 354 9050
Infosecurity Europe took place from 23-25 April 2002, and is Europe's largest IT security event. The show featured a comprehensive range of free seminars and keynote sessions on the hottest information security topics as well as hosting the largest gathering of information security vendors and new products in Europe.
© Technews Publishing (Pty) Ltd | All Rights Reserved