Identity and Access management is the foundation of any secure network. Preventing unauthorised access from external threats is one thing. Ensuring access is restricted on need to know basis while enforcing segregation of duties is another. However, as an organisation gets larger there are more staff and more applications to choose from. The issue becomes more and more complex, as does the need to get it right.
Since it is was proposed by the National Institute of Standards and Technology (NIST) in 1992, Role Based Access Control (RBAC) has stood the test of time as the most practical method of restricting access in the corporate world. RBAC is a type of Non-discretionary access control. It provides for access control based on a worker’s role. Conceptual roles are created based on actual job roles and position in the organisation. Entitlements for each system also need to be translated into the roles available in the organisation. Staff can then be assigned a role in each system which matches their role in the organisation. Simple.
Most RBAC systems are now mostly automated. For example, When a new user is onboarded, the manager should be able to raise a request for a ‘new hire’. That request will include adding to the employee list, provision to various basic network resources, new mail account and windows account. Once the new hire joins he/she should be able to request access to additional systems & resources in order to perform daily duties. The manager would authorise any new requests, and should be able to perform periodic entitlement reviews and remove any unnecessary entitlements. When the person leaves the organisation the manager should be able to raise a request to revoke all access on the leaving date.
The problems arise when the working landscape no longer follows a strict hierarchy or divisions. There are many other factors such as other needs such as matrix reporting, cross border, break-glass, temp-workers, guests, joiners & leavers, single-sign-on etc. In an environment where the focus is on delivery & getting the job done this could easily put RBAC into disarray.
From experience, we have learnt that getting the foundations of RBAC system are the most important:
- Uptodate feed of the current staff is essential
- Robust inventory of all systems feeding into the RBAC system
- Meaningful entitlement data feeding into the RBAC system
- Working with departments to define Roles
- Automated Access Request System
- Robust Joiners, Movers, Leavers Process
- Robust Entitlement Review Process
Our consultants have worked in implementing RBAC systems into the worlds largest banks & institutions. We have migrated entitlement reviews from excel templates to fully automated online RBAC systems. We have managed projects to review 1000s of applications with the view to onboarding to online RBAC system. We have performed GAP analysis work to identify and correct issues. We have worked with developers to provide meaning full entitlement data feeds. We have worked with businesses to define meaning full roles.We have identified gaps and proposed corrective action plans to the Joiner, Mover, Leaver Process. We have audited the entitlement review process within top tier banks.
If you think your RBAC model could do with a review, or if you need to onboard applications onto RBAC then contact us right away.