Wednesday, September 2, 2009

RBAC...Why Bother? 4 Reasons to Start an RBAC Program Today

Role Based Access Control (RBAC) is the process of granting people within similar job functions the same access to resources (systems, data etc..) required to do their job. The concept centers on putting into business friendly terms the logical grouping of resource access. These resource access groupings are called "roles". It's a daunting task when you consider all the various systems that can exist within an enterprise - there are the common applications everyone uses like email, the company portal, conference scheduling systems. And the one-offs that are very specific to performing a job function - HR payroll processing apps, CRM tools for Sales personnel, other business specific applications... So why do it? What are the benefits?

Simplification
The process of ensuring that new hires have access to what they need when they need it on day one is not easy. Often it requires several system set up requests before the right access is granted. Not to mention decomposing what someone else in a similar job function has access to. Wouldn't it be easier to have access automatically granted based on the job function someone is in? It's not an "auto-magic" process. There is upfront work involved in establishing the link between job function and system access needs. But once it's done (and the maintenance process is established) the on-boarding of new hires and department transfers becomes a lot easier and quicker.
Action: Get a sense for how much work you are in for. Look at a slice of the enterprise - one job function within one business unit or department. Analyze the system access granted to a few people within the same job function.

Consistency
Even if you know what access is required to do your job the process for getting that access established may vary. You make a phone call to so-and-so to get access to system A, send an email to a mail group to get access to system B, and submit a request through an intranet based system to get access to system C. Sound familiar? With all of these disconnected and differing processes for granting access, how can an organization know that the appropriate scrutiny is being applied to verifying who SHOULD have access to certain applications and information? Is the same approval required for all resource access? In an RBAC environment the role setup process is defined and can evolve as necessary. Based on the specific requirements of an organization the proper controls required for assigning access by job function area established and consistently applied each time that role is requested for a person. Ensuring the right level of approval is applied.
Action: Pick a set of applications and for each ask the question "Who needs to know who is accessing this application?". If the answer results in a Visio diagram, consistency is important.

Accountability
Central to an RBAC model is the governance. Governance takes the form of placing accountability for role definition with those most appropriate to validate what a role should have access to. For roles mapped to job functions that means accountability is placed within the business unit or department where that job function exists. Using business friendly terminology to link a system access permission to a job function is also key. Those accountable for making sure people in that role have what they need to need to understand what the underlying components of a role are.
Action: How easily understood is the system access terminology within your organization? Take one application and create business friendly descriptions to describe the access levels. This will kick start the analysis necessary for establishing a framework to maintain these business friendly descriptions.


Risk Mitigation
If it wasn't apparent already, all the of the above are risk mitigation tactics. The easier and more consistently something can be done, the more predictable the outcome. Predictability helps control risk. An RBAC model reduces the risk that inappropriate access is granted to or retained by someone that shouldn't have it. RBAC is a key control in information protection.

What benefits has your organization seen from an RBAC? implementation?

No comments: