Implementing Role Based Access Control
- Apr 19, 2017
- Guest Author
Organizations seeking to improve their security posture and meet regulatory or audit compliance requirements must consider implementing role based access control (RBAC). For those of you who don’t know what RBAC is, let me provide a brief definition. RBAC is a method of establishing and controlling user access rights based on a user’s competency, authority, or responsibility within the organization. This relates to the access the user has to perform specific tasks, such as read, write, modify, etc. Controlling user access at this level offers several benefits including:
Implementing RBAC across an enterprise can be a very challenging undertaking. In fact, it can be so overwhelming that many organizations choose not to implement it at all. While this is certainly understandable, this leaves organizations at risk. The question then becomes, how can an organization approach the problem and successfully implement RBAC?
Organizations must first understand the business needs driving a move to RBAC. This can be accomplished through a needs analysis exercise. In this exercise, the organization will examine job functions, the actors performing these functions, supporting business processes, supporting technologies, associated regulatory or audit requirements, and the organization's current security posture. While this might seem like a lot of information to analyze, a strong understanding of these elements is key to properly defining the scope of the RBAC implementation. It is important to note that, while there should be some concept of the scope of the implementation, the needs analysis must be comprehensive so that organizations can validate assumptions and scope the effort for the most impact and the best opportunity to succeed. It is not uncommon for new information discovered during a needs analysis exercise to invalidate existing assumptions.
After the needs analysis phase is complete, the next step is to identify the scope of the implementation. This is where organizations can give themselves the best chance of success. Identifying a narrow scope for the initial implementation of an RBAC program allows the organization to focus its efforts and manage change within its environment. When considering how to narrow the scope, it is always useful to focus on applications or systems where sensitive data is stored. This could include financial systems, order processing systems, HR systems, or even information security systems. The key is to choose a scope that makes sense within the current context of the organization and aligns with the critical business needs defined in the needs analysis phase.
Once the scope of the implementation is set, the heavy lifting of defining roles begins. Defining roles can be very challenging; however, the information gathered in the needs analysis phase about job functions, business processes, audit requirements, and technologies is invaluable in supporting this effort. This information allows an organization to fully understand how individuals perform their work, giving it the details necessary for good role design. It also provides the background necessary to avoid some of the common pitfalls of role design, including too much or too little granularity in roles, role overlap, and too many exceptions in permission grants. The more work an organization does up front to understand how the business operates, the easier the role definition process will be.
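To make the model concrete, here is an added example (not code from the original post) of the RBAC structure the definition above describes: roles are named sets of (resource, action) permissions, users are assigned roles, and an access check consults only those assignments. It also includes two simple design checks for the pitfalls just named, one that flags pairs of roles whose permission sets largely overlap and one that measures how much of the effective access comes from per-user exceptions rather than from roles. The role names, resources, users and the 50% overlap threshold are constructed sample values, not anything the post prescribes.

```python
"""Minimal RBAC model with role-design checks (illustrative, constructed data)."""
from collections import defaultdict
from itertools import combinations

# A permission is a (resource, action) pair; actions follow the post's read/write/modify.
# Role names and resources below are constructed sample data.
ROLES = {
    "payroll_clerk":   {("payroll", "read"), ("payroll", "write")},
    "payroll_auditor": {("payroll", "read"), ("audit_log", "read")},
    "hr_manager":      {("employee_record", "read"), ("employee_record", "modify"),
                        ("payroll", "read")},
    "helpdesk":        {("employee_record", "read")},
}


class RBAC:
    def __init__(self, roles):
        self.roles = {name: frozenset(perms) for name, perms in roles.items()}
        self.user_roles = defaultdict(set)   # user -> set of role names
        self.exceptions = defaultdict(set)   # user -> direct grants outside any role

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles[user].add(role)

    def grant_exception(self, user, resource, action):
        # Exceptions bypass role design; the ratio check below keeps them visible.
        self.exceptions[user].add((resource, action))

    def permissions(self, user):
        """Effective permissions: union of the user's roles plus any exceptions."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.roles[role]
        return perms | self.exceptions.get(user, set())

    def check(self, user, resource, action):
        """Access decision: deny unless some role or exception grants the pair."""
        return (resource, action) in self.permissions(user)

    def overlapping_roles(self, threshold=0.5):
        """Pairs of roles sharing more than `threshold` of the smaller role's permissions.
        Such pairs are candidates for merging or re-cutting (the 'role overlap' pitfall)."""
        found = []
        for a, b in combinations(sorted(self.roles), 2):
            shared = len(self.roles[a] & self.roles[b])
            smaller = min(len(self.roles[a]), len(self.roles[b]))
            if smaller and shared / smaller > threshold:
                found.append((a, b, shared))
        return found

    def exception_ratio(self):
        """Share of all effective grants that come from exceptions rather than roles.
        A rising value signals the 'too many exceptions' pitfall."""
        users = set(self.user_roles) | set(self.exceptions)
        total = sum(len(self.permissions(u)) for u in users)
        exc = sum(len(p) for p in self.exceptions.values())
        return exc / total if total else 0.0


def build_demo():
    """Constructed sample assignments used by the checks below."""
    rbac = RBAC(ROLES)
    rbac.assign("alice", "payroll_clerk")
    rbac.assign("bob", "payroll_auditor")
    rbac.assign("carol", "hr_manager")
    # A one-off grant that an access review should question: an auditor who can write payroll.
    rbac.grant_exception("bob", "payroll", "write")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    print("alice write payroll:", rbac.check("alice", "payroll", "write"))
    print("bob read employee_record:", rbac.check("bob", "employee_record", "read"))
    print("overlapping roles:", rbac.overlapping_roles())
    print("exception ratio:", rbac.exception_ratio())
```

In this sample the `helpdesk` role is a strict subset of `hr_manager`, so the overlap check reports that pair; whether to merge them or keep the narrower role is exactly the granularity decision the needs analysis is meant to inform. Bob's direct payroll write grant shows up only in the exception ratio, which is why exceptions should be tracked separately from roles rather than folded into them.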
The next step is the implementation and the rollout of the RBAC effort. This should be paced appropriately to avoid overwhelming the organization with too much change and to avoid unintended disruptions to business processes. Identify a core group of users and implement for them first. Monitor the impacts to the users and collect their feedback. Use this information to inform future phases of the rollout.
Rolling out RBAC doesn't have to be overwhelming. Using standard project management methodologies and leveraging some of the insights provided here, organizations can realize the benefits of RBAC in their environments.