Own Your Identity: 10 Best Practices for Role-Based Access
Learn the 10 best practices for access management collaboration.
Who owns role-based access controls?
In many companies, IT maintains the access control technology, the security group and application owners draft roles, business managers revise and assign these roles to employees, and the compliance or audit team reviews all of the above. As that suggests, creating effective role-based access controls requires careful coordination.
According to a recent study, however, 65 percent of firms say these different groups rarely, if ever, coordinate. The survey of 845 compliance professionals worldwide, conducted by Ponemon Institute, also found that 86 percent of organizations still manually audit users' access and permissions, typically at only a departmental or application level. In other words, the vast majority of organizations lack well-designed role-based access controls, or a high-level view of control effectiveness.
What's a regulated company to do?
To produce effective access controls, IT personnel, security staff, application owners, business managers, and audit teams must work together. To foster that kind of environment, begin pursuing these 10 best practices:
1. Don't Start with Technology
Want to scare away business managers, buy the wrong tools, and create a more complex and costly project than is required? Start by selecting technology without first understanding the business requirements.
"People jump into the technical architecture right away, oftentimes, and that is not a good idea," says Ivan Hurtt, product manager for Novell's identify and access management solutions. "You want to focus on the business architecture of who currently owns the data, [and] who needs to have access to the data."
2. Start Small
When creating roles, don't try and boil the ocean. Instead, identify which roles pose the biggest financial and security risks, and start addressing those first. "To gain momentum and gain acceptability throughout the organization," says Hurtt, "you have to start out with the most simple things." In other words, mitigate obvious risks first, and then slowly expand the access controls to lesser threats.
3. Foster Role-Creation Collaboration
Who should own identity management auditing and compliance? According to Ponemon report, businesses say IT operations (36 percent), business or application owners (34 percent), IT security (20 percent), unknown (6 percent), or the audit and compliance group (3 percent).
Experts, however, say effective controls must be built jointly. "A best practice we've seen is that it's driven by the business units, with support by IT, so that things are driven together and become a collaborative process, as opposed to one faction or another taking control," says Kurt Johnson, vice president of corporate development at Courion.
4. Don't Reinvent the Wheel
To define roles, discover what types of role information already exists in the enterprise. "Exploit existing sources of relevant information, such as human resources databases, to populate roles and their relationships to identities and entitlements," says Neil Macehiter, research director of IT advisory firm Macehiter Ward-Dutton.
Is it better to create roles based on actual access, or ideal access? "Some companies do take a data-mining, or bottoms-up approach. They see who has access to what, and go from there," says Johnson. "The other approach is top-down, which is usually business-driven, which starts by determining what you think users should have access to." For best results, he says, blend the two approaches.
5. Restrict the Number of Roles
Base roles on business or organizational requirements, not technology considerations. "Identify what is core to the role, versus what is 'techie' or nice to have," says Johnson. For example, if two Active Directory groups exist for a heath system's oncology physicians, and the only difference is the e-mail server they use, then those two groups equal one role.
Remember ease of management: someone has to maintain every role and rule. "In an ideal world, policies would be defined to reflect exactly the access required—so-called 'least privilege'—specific to an individual and the context of the access," says Macehiter. "However, this can be difficult to achieve since such fine-grained access control policies are complex to administer and enforce." Furthermore, they often change.
6. IT Builds the Baseline; Business Managers Tweak
When it comes to role-building, who does what? Hurtt recommends an 80/20 approach for IT/business, with IT—in conjunction perhaps with security personnel, application owners, and the audit team—using analysis tools to make baseline access recommendations, which business managers then tweak, assign, and update as necessary, without having to later involve IT.
For example, says Hurtt, to define a "bank teller" role, the IT group might study access logs for 20 bank tellers to create a baseline of actual practices. Then application owners, security and audit groups can contribute additional suggestions, which business managers take into account when assigning final access privileges to a role.
7. Employ Good Tools & Plain English
To manage roles in that manner, Macehiter recommends using software designed for both line-of-business as well as IT personnel, which graphically demonstrates how rules and roles line up. In addition, "these tools need to be allied with declarative rules engines … for the definition of access control rules."
Also ensure roles, groups, entitlements, and so on, have clear names. Johnson says he's seen too many companies with Active Directory group names such as Fin12 or Acc6, referring to finance or accounting groups. "The business person is not going to understand that," he says.
8. Talk Business Benefits
When building roles, remember different groups want different results. According to the Ponemon study: "Compliance professionals are much more likely to perceive the business drivers for IAM (identity and access management) compliance to be an edict from upper management. In contrast, IT professionals are more likely to see the potential for improved efficiency as the primary reason for implementing an IAM compliance solution."
In other words, IT managers must emphasize how access controls will help satisfy executives' concerns, and not dwell on the potential efficiency or even regulatory upsides. "What's in it for me, baby? That's what it boils down to," says Hurtt.
9. Equate Access with Risk
IT managers, of course, can couch their security concerns in business terms. In particular, get business users to "think about identity management in the context of risk management," says Macehiter. As access increases, so does the risk of a successful insider attack.
According to the Ponemon study, organizations have ample room for risk-management improvements: only 50 percent of compliance professionals and 41 percent of IT practitioners think their organization currently has an adequately risk-based approach to identity management.
10. Remain Flexible
Above all, role and rule creation must be a balancing act. "Roles should be looked at to ease the burden, but not to solve the problem 100 percent, because you can get so granular with roles—almost to one role per person—that there's no benefit," says Novell's Hurtt.
How might organizations balance business, security, and productivity requirements when building roles and defining rules? Johnson offers this example: one U.S.-based company with a call center on each coast created a single role for all its call center agents. Because the organization handles credit card information, however, it also created a rule specifying that agents could only access the customer data stored at their location. (The company stores customer data at the call center closest to the customer.) By restricting access, the organization lessened the risk— as well as potential extent—of a successful insider attack or data breach.
When a hurricane shut down the company's east coast operations, however, thankfully the role-building team had thought ahead. In particular, the call center manager role had the capability to temporarily suspend (with an executive-level sign-off) the location-based access restriction rule for agents. As a result, the company's west coast call center quickly moved to support all customers, using established business procedures and accompanying audit trails. Most importantly, no one had to rewrite or remap roles and access levels to get customer support back up and running.
As that demonstrates, proper planning and collaboration will help a business define roles which maximize security, yet remain flexible enough to meet a variety business contingencies.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.