Monday, August 23, 2010

A flying start with Role Based Access Control (RBAC)

RBAC or Role Based Access Control is hot! With increasing frequency, organizations that I meet see the importance of managing and granting authorizations in the network in a structured way. Often, when authorizations are granted, a new employee's access is simply copied from a colleague who has "about" the same function. This results in many new employees gaining access to systems and applications that they do not need. Rarely is attention paid to withdrawing authorizations after copying a user, and that has consequences for licensing costs and information security.

RBAC is one of the possible ways to solve this problem. RBAC consists of a matrix of roles, functions and specific access rights. For example, when a new employee joins the organization, the RBAC matrix determines what the new employee will be allowed to do in the network. That's the theory. In practice, populating such a matrix brings many problems. Because people often feel their needs are one of a kind, this leads to as many roles as there are employees. Ultimately, that results in an infinite and unworkable matrix. Companies are therefore afraid to implement RBAC within their organization. However, there are organizations that get started and strive to get 100 percent of the employees into the RBAC matrix. I think this is improbable and may take years of both management's and the Security Officer's time to implement.

Want a quick start with RBAC? It is quite feasible if you do not target 100 percent in the first instance. Based on information from the HR system, it is possible to identify the 50 most common combinations of departments and functions within the organization. This allows up to 80 percent of the RBAC matrix to be completed immediately - all within a few days! A workflow application can then be used to fill in the remaining 20 percent, entered manually by the employee's manager.
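To make the quick-start concrete, here is an added example (not code from the original post) of mining the first version of the RBAC matrix from an HR export. It takes a constructed list of employees with their department, function and current entitlements, finds the most common department/function combinations (the post's "50 most common"; the sample uses a top-3 cut-off because the data set is small), derives a role for each combination from the entitlements that a large majority of its members hold, reports what share of employees the mined roles cover, and lists the entitlements employees hold beyond their mined role. Those extras are exactly the leftovers from "copy a colleague" that the post warns about, and are the natural input for the manager-driven workflow step. The threshold and the field names are assumptions for this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Combo = Tuple[str, str]  # (department, function) as read from the HR system


@dataclass(frozen=True)
class Employee:
    uid: str
    department: str
    function: str
    entitlements: FrozenSet[str]  # current access rights, joined from the target systems


# Constructed sample data: an HR export joined with current entitlements.
# f3 and s2 hold access that was copied from a colleague and never withdrawn.
EMPLOYEES: List[Employee] = [
    Employee("f1", "Finance", "Accountant", frozenset({"erp_gl", "email", "fileshare_finance"})),
    Employee("f2", "Finance", "Accountant", frozenset({"erp_gl", "email", "fileshare_finance"})),
    Employee("f3", "Finance", "Accountant", frozenset({"erp_gl", "email", "fileshare_finance", "erp_payroll"})),
    Employee("f4", "Finance", "Accountant", frozenset({"erp_gl", "email", "fileshare_finance"})),
    Employee("s1", "Sales", "Account Manager", frozenset({"crm", "email"})),
    Employee("s2", "Sales", "Account Manager", frozenset({"crm", "email", "fileshare_finance"})),
    Employee("s3", "Sales", "Account Manager", frozenset({"crm", "email"})),
    Employee("i1", "IT", "System Administrator", frozenset({"ad_admin", "email", "ticketing"})),
    Employee("i2", "IT", "System Administrator", frozenset({"ad_admin", "email", "ticketing"})),
    Employee("h1", "HR", "Recruiter", frozenset({"hr_system", "email"})),
]


def top_combinations(employees: List[Employee], n: int) -> List[Combo]:
    """The n most common (department, function) combinations in the HR data."""
    counts = Counter((e.department, e.function) for e in employees)
    return [combo for combo, _ in counts.most_common(n)]


def mine_roles(employees: List[Employee], n: int, threshold: float = 0.8) -> Dict[Combo, FrozenSet[str]]:
    """Derive one role per top combination: the entitlements held by at least
    `threshold` of that combination's members. Rare extras (one person's copied
    payroll access) do not make it into the role. The 0.8 threshold is an assumption."""
    roles: Dict[Combo, FrozenSet[str]] = {}
    for combo in top_combinations(employees, n):
        members = [e for e in employees if (e.department, e.function) == combo]
        held = Counter(p for e in members for p in e.entitlements)
        needed = threshold * len(members)
        roles[combo] = frozenset(p for p, c in held.items() if c >= needed)
    return roles


def coverage(employees: List[Employee], roles: Dict[Combo, FrozenSet[str]]) -> float:
    """Share of employees whose department/function combination has a mined role."""
    covered = sum(1 for e in employees if (e.department, e.function) in roles)
    return covered / len(employees)


def excess_entitlements(employees: List[Employee], roles: Dict[Combo, FrozenSet[str]]) -> Dict[str, FrozenSet[str]]:
    """Entitlements an employee holds beyond the mined role for their combination.
    These are the candidates to route to the manager for confirmation or withdrawal."""
    extras: Dict[str, FrozenSet[str]] = {}
    for e in employees:
        role = roles.get((e.department, e.function))
        if role is None:
            continue  # not in the top combinations; handled by the manual workflow
        extra = e.entitlements - role
        if extra:
            extras[e.uid] = extra
    return extras


if __name__ == "__main__":
    mined = mine_roles(EMPLOYEES, n=3)
    for combo, perms in mined.items():
        print(f"{combo[0]}/{combo[1]}: {sorted(perms)}")
    print(f"coverage: {coverage(EMPLOYEES, mined):.0%}")
    for uid, extra in excess_entitlements(EMPLOYEES, mined).items():
        print(f"review {uid}: {sorted(extra)}")
```

On the sample data the three mined roles cover 90 percent of employees, and the two copied entitlements (payroll access for f3, the finance file share for s2) are the only items routed for review; the single HR recruiter falls outside the top combinations and is left to the manual workflow, mirroring the 80/20 split the post describes.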

It may be years before the RBAC matrix is 100 percent complete, but by incorporating existing systems and sources - such as the HR system - and the focus of the manager, populating the RBAC matrix becomes a manageable process with direct results. The result is a positive ROI with respect to the feasibility of RBAC and the amount of effort required to meet IT auditing standards. An indirect benefit is often a reduction in licensing costs, storage requirements and security incidents.