Granting access in IT is so simple that too much access is generally given, and over time that access is never taken away as it should be. IT access should be granted and managed on a need-to-have basis only. But this is rarely the case. Why? Because getting to that level of management and process is seen as too complicated and costly, plus "I trust my people." The ever-expanding regulations and compliance standards are going to make your world a very uncomfortable place when penalties start lining up for not being able to get control of your own access processes. This is where Role Based Access comes in.
When I go into companies and talk about IAM, roles eventually come up, but the conversation rarely gets beyond group management. Having a good group management process does not mean you are doing role management. A group, whether it is an LDAP group or an AD group, is just a container. That group may have a business definition, such as the Accounts Receivable Group being the group for the Accounts Receivable Department. So what? Where is the role definition for the people in that group? A group should not determine who belongs in it; a business role should be defined and managed, and that role is what tells you which groups a user needs to be in.
Look at a VP's physical office. That office is a group. With the group management approach, all you need to do is be in that office to gain all the power of a VP. In the physical world that would never happen: your role within the company dictates whether you occupy that VP office. You must have the VP title, and all the business rights that come with it, to get into that office (group). I don't understand why in IT it is so difficult to apply the physical rules to virtual assets.
The other problem most companies have is that they manage access too close to the individual. They attach a single person to what that person needs. What happens when that person leaves the company? That person may have accumulated all sorts of special, unique access without proper tracking, and the replacement now has to figure out what they need. Roles eliminate this problem. Grant access based on the business role, and you no longer have to worry about the person at the IT level. HR or the department decides which people hold which role, and each role ties directly to a clearly defined matrix of access.
The other huge benefit that business roles give you is a tremendous improvement in security and auditing. With a role you know exactly what access is granted, and that rarely changes unless the business definition of the role changes. As a person moves around the company, their business role changes and their access changes with it. In most companies the person who has been with the company the longest generally has the most access, because in IT it is far easier to give than it is to take away. If you use roles to grant access, you get closer to the need-to-have model: get a promotion and you get new access, and the access you had but no longer need goes away.
From a compliance standpoint there are already fundamental rules in place for roles and role conflict. The most obvious one is that a person in Accounts Receivable cannot also be in Accounts Payable; if they were, they could buy and receive on their own. Role management can help implement segregation-of-duty policies that enforce, or at least audit, whether people hold conflicting access. Define the roles that are in contention with each other and enforce based on those policies, and your access gets that much tighter.
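The model described in the last three paragraphs (roles, not people, own the entitlements; a role change swaps access rather than accumulating it; segregation-of-duty rules are enforced at assignment time and audited over existing data) can be shown end to end in a small Python sketch. This is an added illustration, not code from the original post or from any IAM product; the role names, group names and the SoD conflict pairs are constructed sample data for the example.

```python
"""Minimal role-based access model with segregation-of-duty (SoD) enforcement.

Constructed example: business roles map to the groups/entitlements they carry,
users are assigned roles only, and effective access is derived from roles.
"""
from __future__ import annotations

# Sample role catalogue (constructed). Each role lists the containers
# (directory groups, application entitlements) that the role grants.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "accounts_receivable_clerk": {"grp-ar-users", "app-erp-ar-post"},
    "accounts_payable_clerk": {"grp-ap-users", "app-erp-ap-pay"},
    "accounts_receivable_manager": {
        "grp-ar-users", "grp-ar-approvers", "app-erp-ar-post", "app-erp-ar-writeoff",
    },
    "hr_generalist": {"grp-hr-users", "app-hris-read"},
}

# Segregation-of-duty policy (constructed): pairs of roles that must never be
# held by the same person, e.g. receiving and paying invoices.
SOD_CONFLICTS: set[frozenset[str]] = {
    frozenset({"accounts_receivable_clerk", "accounts_payable_clerk"}),
    frozenset({"accounts_receivable_manager", "accounts_payable_clerk"}),
}


class SoDViolation(Exception):
    """Raised when an assignment would put two conflicting roles on one user."""


def find_sod_violations(user_roles: dict[str, set[str]]) -> list[tuple[str, frozenset[str]]]:
    """Audit mode: report every user whose current roles violate the SoD policy.

    Useful for data that was loaded from an existing directory and therefore
    never passed through assign_role()'s check.
    """
    violations = []
    for user in sorted(user_roles):
        roles = sorted(user_roles[user])
        for i, a in enumerate(roles):
            for b in roles[i + 1:]:
                pair = frozenset({a, b})
                if pair in SOD_CONFLICTS:
                    violations.append((user, pair))
    return violations


class RoleDirectory:
    """Users hold roles; access is always computed from roles, never stored per user."""

    def __init__(self) -> None:
        self.user_roles: dict[str, set[str]] = {}

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_ENTITLEMENTS:
            raise KeyError(f"unknown role {role!r}")
        held = self.user_roles.setdefault(user, set())
        # Enforce mode: refuse the assignment instead of granting conflicting access.
        for existing in held:
            if frozenset({existing, role}) in SOD_CONFLICTS:
                raise SoDViolation(f"{user}: {role!r} conflicts with {existing!r}")
        held.add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def effective_access(self, user: str) -> set[str]:
        """Union of the entitlements of every role the user holds."""
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in self.user_roles.get(user, ())))

    def change_role(self, user: str, old_role: str, new_role: str) -> tuple[set[str], set[str]]:
        """Promotion or transfer: swap one role for another and report the access delta.

        Returns (removed_entitlements, added_entitlements) so the change can be
        logged and pushed to the target systems; old access is not left behind.
        """
        before = self.effective_access(user)
        self.revoke_role(user, old_role)
        try:
            self.assign_role(user, new_role)
        except SoDViolation:
            self.assign_role(user, old_role)  # roll back so the user is not left with nothing
            raise
        after = self.effective_access(user)
        return before - after, after - before


if __name__ == "__main__":
    d = RoleDirectory()
    d.assign_role("alice", "accounts_receivable_clerk")
    print("alice:", sorted(d.effective_access("alice")))
    removed, added = d.change_role("alice", "accounts_receivable_clerk", "hr_generalist")
    print("transfer removed:", sorted(removed), "added:", sorted(added))
    # Directory snapshot loaded without going through assign_role(): audit it.
    snapshot = {"bob": {"accounts_receivable_clerk", "accounts_payable_clerk"}}
    print("SoD violations:", find_sod_violations(snapshot))
```

The two entry points match the post's "enforce, or at least audit" wording: `assign_role` refuses a conflicting role before any access exists, while `find_sod_violations` runs over a snapshot of existing assignments (the typical starting point in a company that has been managing groups, not roles) and lists who already holds conflicting roles. `change_role` returns the entitlements that must be removed as well as those to add, which is the mechanism that keeps the longest-tenured employee from accumulating access.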
As the world becomes more cloud enabled, the need to get a grasp on identities and access across these wide-ranging systems and applications is becoming more and more critical. From a virtual standpoint, creating a hard and fast policy for IT assets, as companies already do for their brick-and-mortar assets, will help significantly in getting to the coverage and visibility that will be demanded.
If you try to manage access per person, you will be chasing a constantly moving target; manage with roles and you are defined, clear, concise, and manageable.
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming and system administration to senior management and enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.