Although roles-based access control (RBAC) has been the subject of much interest in the past, experience with it has been mostly disappointing. The challenge of discovering established roles, defining new roles according to business need, connecting roles properly to the IT infrastructure, ensuring that they meet all compliance requirements, and managing roles through their natural lifecycles has, until now, proved to be too complicated and cumbersome to be practical.
W H I T E P A P E R Enterprise Roles-based
Access Governance
OCTOBER 2007AbstractAlthough roles-based access control (RBAC) has been the subject of much interest in the past, experiencewith it has been mostly disappointing. The challenge of discovering established roles, defining newroles according to business need, connecting roles properly to the IT infrastructure, ensuring that theymeet all compliance requirements, and managing roles through their natural lifecycles has, until now,proved to be too complicated and cumbersome to be practical.
However, a new roles-based model of access governance has evolved that overcomes these problemswith an approach that provides a bottom-up perspective of roles (the reality of current user access)and connects it to a top-down business perspective (how a role works in conjunction with a businessprocess.) As a result, roles can now be implemented in a manner that both simplifies access controland makes access governance, risk management, and compliance easier.
IntroductionThe demands of regulatory compliance are driving corporate IT and security managers to improvetheir access governance processes. Compliance audit failures related to access controls must be addressed. But IT organizations are struggling to manage this process. Without a unified view of access privileges across all users and IT resources, it has proven difficult to govern access to their systems with efficiency.
What the most knowledgeable among them worry about most of all, however, is not just regulatorycompliance but the entire array of serious problems that can result from their inability to see who hasaccess to which applications and functions and to ensure that all users have the right access - nomore, no less - than they need to perform their jobs. Without this capability, it is virtually impossibleto eliminate access-related vulnerabilities before they lead to costly incidents or malicious events.
Senior executives worry about access-related security vulnerabilities for good reasons. The potentiallycatastrophic impact of poor access governance has been illustrated by a host of well-publicized disasterswith costs running into tens of millions of dollars. According to a May 2007 presentation by the GartnerGroup, four of "The Top 10 Security and Risk Audit Findings You Need to Avoid" are access-related.
One of the key lessons to come out of these problems and from accumulated experience with regulationsincluding Sarbanes-Oxley, PCI, HIPAA, GLBA, PIPEDA, EU Data Directive, and others is that access governance is a strategic challenge, not merely a troublesome task that can be handled effectively withan ad hoc solution cobbled together over time on an incident-by-incident basis. The predominantlymanual systems that many organizations are using to review and manage roles are typically not scalable,nor are they able to keep up with the pace of changing user roles within an organization.
Manual systems are also increasingly costly, both in terms of time and human capital. Automatingthese systems can reduce expense levels, but the resulting cost savings are only a fraction of the realvalue of sound access governance. Technology that simply automates a flawed system may offershort-term savings while preserving or masking vulnerabilities that can eventually prove to be farmore costly.
Many companies have learned the hard way that a poorly designed or poorly managed access governancesystem can become not only a security problem but an encumbrance that interferes with companyoperations and absorbs an excessive amount of the organization's technological, financial, and humanresources. A properly designed and managed access governance system is the key to successfullymanaging regulatory compliance and risk challenges.
2 | Enterprise Roles-based Access GovernanceRoles-based Access GovernanceAlthough roles-based access control (RBAC) has been the subject of much interest in the past, experiencewith it has been mostly disappointing. The challenge of discovering established roles, defining newroles according to business need, connecting roles properly to the IT infrastructure, ensuring that theymeet all compliance requirements, and managing roles through their natural lifecycles has, until now,proven to be too complicated and cumbersome to be practical.
The role lifecycle issue has proven to be especially challenging, and the principal reason f... [download for more]
