Roles-Based Access Control:
The demands of regulatory compliance are driving corporate IT and security managers to improve their access governance processes. Compliance audit failures related to access controls must be addressed. But IT organizations are struggling to manage this process. Without a unified view of access privileges across all users and IT resources, it has proven difficult to govern access to their systems with efficiency.
What the most knowledgeable among them worry about most of all, however, is not just regulatory compliance but the entire array of serious problems that can result from their inability to see who has access to which applications and functions and to ensure that all users have the right access – no more, no less – than they need to perform their jobs. Without this capability, it is virtually impossible to eliminate access-related vulnerabilities before they lead to costly incidents or malicious events.
Senior executives worry about access-related security vulnerabilities for good reasons. The potentially catastrophic impact of poor access governance has been illustrated by a host of well-publicized disasters with costs running into tens of millions of dollars. According to a May 2007 presentation by the Gartner Group, four of “The Top 10 Security and Risk Audit Findings You Need to Avoid” are access-related. One of the key lessons to come out of these problems and from accumulated experience with regulations including Sarbanes-Oxley, PCI, HIPAA, GLBA, PIPEDA, EU Data Directive, and others is that access governance is a strategic challenge, not merely a troublesome task that can be handled effectively with an ad hoc solution cobbled together over time on an incident-by-incident basis. The predominantly manual systems that many organizations are using to review and manage roles are typically not scalable, nor are they able to keep up with the pace of changing user roles within an organization.
Manual systems are also increasingly costly, both in terms of time and human capital. Automating these systems can reduce expense levels, but the resulting cost savings are only a fraction of the real value of sound access governance. Technology that simply automates a flawed system may offer short-term savings while preserving or masking vulnerabilities that can eventually prove to be far more costly.
Many companies have learned the hard way that a poorly designed or poorly managed access governance system can become not only a security problem but an encumbrance that interferes with company operations and absorbs an excessive amount of the organization's technological, financial, and human resources. A properly designed and managed access governance system is the key to successfully managing regulatory compliance and risk challenges.
Roles-based Access Governance
Although roles-based access control (RBAC) has been the subject of much interest in the past, experience with it has been mostly disappointing. The challenge of discovering established roles, defining new roles according to business need, connecting roles properly to the IT infrastructure, ensuring that they meet all compliance requirements, and managing roles through their natural lifecycles has, until now, proven to be too complicated and cumbersome to be practical.
The role lifecycle issue has proven to be especially challenging, and the principal reason for this is the dynamic nature of roles themselves. In most large organizations people, functional responsibilities, departments, and information assets are constantly changing, which can quickly cause role definitions to get out of sync with the everyday realities of the business.
Systems based on the RBAC model have been unable to keep up with this pace of change. They may be able to provide a “snapshot” of what role-based access entitlements are appropriate at any given time. But such a static approach won't enable business managers to maintain roles that accurately reflect the functional responsibilities of the people assigned to them.
It is essential to understand that role lifecycle management is not a project with a beginning and an end. It is a continuing process. In order to achieve complete lifecycle management, an organization must have continuously current, enterprise-wide visibility into changes to entitlements, information assets, and personnel, and some way to react to these changes quickly and easily – all while conforming to security policies and meeting compliance objectives.
Real-world attempts to implement roles-based systems have shown that unless roles fit into a context that ties together existing entitlements, company policies, regulatory requirements, and current business process realities, they simply don't work.
