Role-based access control can improve enterprise security, reduce employee downtime and improve the efficiency of resource provisioning and access control policy administration. Here's expert advice on implementing RBAC in your enterprise.
Is your company thinking about implementing role-based access control? When RBAC is done right it can improve enterprise security, reduce employee downtime and improve the efficiency of resource provisioning and access control policy administration. However, an endeavor of this nature can be complex and, unfortunately, as many as 70% of the attempted projects don't meet their goals.
Understanding the paths to success and potential points of failure are essential. Our friends at Wisegate, the social networking site for information security and IT executives, have a few pointers to share on this topic. Wisegate has just published its latest report, "Role Based Access Control: How-to Tips and Lessons Learned from IT Peers." The report is available for free download here.
Wisegate recently assembled the members of its Identity Access and Management micro-community for an RBAC-themed sharing session. The discussion was led by Wisegate member Tom Malta, who is a senior technology risk executive in the financial services industry. Malta has extensive experience with implementing RBAC at several large financial firms. In addition to sharing his expertise, Malta also leads the LinkedIn group called the Role Based Access Control Executive Forum.
The report is a good primer for those who are just learning RBAC principles, such as role inheritance. The report provides examples on how to set up basic roles and assign assets to those roles, and how to create parent/child relationships and reuse roles and assets. It further provides examples of business role models and polyarchy, which is the collection of roles an individual holds across different hierarchies or relationships. Some of the common business role models include: organization based roles, people-to-people based roles, and approval based roles.
Within the group discussion, Malta brought out the "top 10" questions he gets asked by people working on RBAC projects. This is the most valuable portion of the Wisegate report, as an experienced practitioner answers questions such as:
• When should we introduce RBAC into our access management program?
• How do we get started? What is the simplest way to start our project?
• What comes first, role mining or role management?
• Should the creation of roles and their associated management be centralized or decentralized?
• How often should we validate the contents of roles and what it enables?
• How many roles should we deploy?
Malta further shares his expertise with his advice on the high-level functional requirements to look for in a role management system, regardless of whether it is being built in-house or purchased off the shelf.
The Wisegate report offers a few tips and best practice considerations for RBAC projects:
• Build in RBAC when your identity and access management (IAM) program is mature.
• Utilize role mining before you try to do role management. Invest and spend some time in the role mining space to understand what you are currently doing today.
• Roles can be used for many purposes beyond provisioning. Business roles tied to basic privileges are what a lot of companies are after with RBAC. Roles also have huge value in the attestation of privileges.
• Keep it simple when you first get started. Most project failures stem from companies trying to do too much at once.
Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.