Role Engineering: The Cornerstone of Role- Based Access Control DECEMBER 2009



Similar documents
CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.

How Technology Supports Project, Program and Portfolio Management

CA Clarity PPM. Overview. Benefits. agility made possible

Business Service Management Links IT Services to Business Goals

agility made possible

CA Process Automation for System z 3.1

how can I improve performance of my customer service level agreements while reducing cost?

How To Use Ca Product Vision

how can I comprehensively control sensitive content within Microsoft SharePoint?

Orchestrate IT Process with an Integrated Workflow Management

CA Chorus Helps Reduce Costs, Improve Productivity and Assist With Mainframe Skills Retention

Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control

agility made possible

IT Financial Management and Cost Recovery

The Benefits of Data Modeling in Business Intelligence

Asentinel Telecom Expense Management (TEM)

5 Pillars of API Management with CA Technologies

SOLUTION BRIEF SEPTEMBER Healthcare Security Solutions: Protecting your Organization, Patients, and Information

Sallie Mae slashes change management costs and complexity with CA SCM

TECHNOLOGY BRIEF: CA ERWIN SAPHIR OPTION. CA ERwin Saphir Option

The Eight Dimensions of Customer Experience for Financial Services

can I consolidate vendors, align performance with company objectives and build trusted relationships?

Choosing the Right Project and Portfolio Management Solution

CA Clarity PPM for Professional Services Automation

How To Model Data For Business Intelligence (Bi)

CA Technologies optimizes business systems worldwide with enterprise data model

Achieve Your Business and IT Goals with Help from CA Services

Nordea saves 3.5 million with enhanced application portfolio management

Enterprise Report Management CA View, CA Deliver, CA Dispatch, CA Bundl, CA Spool, CA Output Management Web Viewer

How Can I Deliver Innovative Customer Services Across Increasingly Complex, Converged Infrastructure With Less Management Effort And Lower Cost?

CA SiteMinder SSO Agents for ERP Systems

Improving Service Asset and Configuration Management with CA Process Maps

are you helping your customers achieve their expectations for IT based service quality and availability?

BancoEstado achieves greater data efficiency and system development agility with CA ERwin

Genesis Energy delivers IT projects faster with standardised processes and CA Clarity PPM.

TECHNOLOGY BRIEF: PREVENTING UNAUTHORISED ACCESS TO CRITICAL SYSTEMS AND DATA. Colruyt ensures data privacy with Identity & Access Management.

Service Catalog Management: A CA Service Management Process Map

CA Service Desk Manager

we can Automating service delivery for the dynamic data center of the future Brandon Whichard

CA Telon Application Generator r5.1

The Benefits of Data Modeling in Business Intelligence.

Oracle Role Manager. An Oracle White Paper Updated June 2009

Integrating Records Management and ediscovery Processes for Greater Efficiencies

CA Repository for z/os r7.2

how can you stop sprawl in your IT infrastructure?

CA Mobile Device Management 2014 Q1 Getting Started

how can I deliver better services to my customers and grow revenue?

CA Technologies Healthcare security solutions:

assure the quality and availability of business services to your customers

CA Tape Encryption Key Manager

The Rise of Service Level Management. Gary Case

SOLUTION BRIEF Enterprise Mobility Management. Critical Elements of an Enterprise Mobility Management Suite

SOLUTION BRIEF CA Cloud Compass how do I know which applications and services to move to private, public and hybrid cloud? agility made possible

A FinCo Case Study - Using CA Business Service Insight to Manage Outsourcing Suppliers

TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management

The National Commission of Audit

agility made possible

CA Workload Automation

Transforming IT Processes and Culture to Assure Service Quality and Improve IT Operational Efficiency

CA Oblicore Guarantee for Managed Service Providers

Data Governance Tips & Advice

Web Admin Console - Release Management. Steve Parker Richard Lechner

solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service?

SOLUTION BRIEF BIG DATA MANAGEMENT. How Can You Streamline Big Data Management?

agility made possible

CA Business Service Insight

Work Smarter, Not Harder: Leveraging IT Analytics to Simplify Operations and Improve the Customer Experience

Next-Generation Performance Testing with Service Virtualization and Application Performance Management

accelerating time to value in Microsoft Hyper-V environments

CA Automation Suite for Data Centers

CA Top Secret r15 for z/os

SOLUTION BRIEF CA SERVICE MANAGEMENT - SERVICE CATALOG. Can We Manage and Deliver the Services Needed Where, When and How Our Users Need Them?

Centris optimises user support with integrated service desk

Data Modeling in a Coordinated Data Management Environment: The Key to Business Agility in the Era of Evolving Data

How can Content Aware Identity and Access Management give me the control I need to confidently move my business forward?

how can you shift from managing technology to driving new and innovative business services?

agility made possible

Building a Roadmap to Robust Identity and Access Management

CA Gener/OL r7.1. Overview. Business value

How Can Central IT Use Cloud Technologies to Revolutionize Remote Store Operation?

Authentication Strategy: Balancing Security and Convenience

Technology Partner Program

Realizing business flexibility through integrated SOA policy management.

BTC Group improves IT resource utilisation and business alignment with CA Clarity PPM.

Release and Deployment Management: A CA Service Management Process Map

Enterprise On The Go: 5 Essentials For BYOD & Mobile Enablement

CA Cloud Service Delivery Platform

CA Scheduler Job Management r11

CA Explore Performance Management for z/vm

Project and Portfolio Management for the Innovative Enterprise

Addressing IT governance, risk and compliance (GRC) to meet regulatory requirements and reduce operational risk in financial services organizations

The Advantages of Converged Infrastructure Management

CA Compliance Manager for z/os

An Oracle White Paper January Access Certification: Addressing & Building on a Critical Security Control

identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible

what if you could increase your agility and improve your pace of IT innovation?

CA Workload Automation CA 7 Edition r11.3

Data Model s Role in DaaS...3. The SQL Azure Use Case...4. Best Practices and Guidelines...5

Dynamic Data Center Update:

TECHNOLOGY BRIEF: ENTERPRISE IT MANAGEMENT (EITM) Driving Nation-wide IT Enablement and e-governance Projects Through Enterprise IT Management

Transcription:

WHITE PAPER: ROLE ENGINEERING AND ROLE-BASED ACCESS CONTROL Role Engineering: The Cornerstone of Role- Based Access Control DECEMBER 2009 Srinivasan Vanamali, CISA, CISSP CA SERVICES

Table of Contents Executive Summary SECTION 1 2 Evolution of Entitlement Management SECTION 2 2 RBAC 101 SECTION 3 3 Role Engineering SECTION 4 4 Role Engineering Approaches Top-Down Bottom-Up Hybrid SECTION 5: CONCLUSIONS 5 SECTION 6: REFERENCES 6 SECTION 7: ABOUT THE AUTHOR 6 Copyright 2009 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document As Is without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

Executive Summary Challenge Organizations often implement Identity and Access Management (IAM) systems without due consideration of roles. To minimize deployment effort or to avoid project scope creep, role definition is often not considered part of the initial project. Organizations frequently do not invest enough time to define roles in sufficient detail; rather, they tend to define highlevel roles that do not reflect actual organizational job functions. Permissions mapped to high-level roles are usually generic in nature. The result of this random process is that additional efforts are required to manage job- and function-specific permissions manually, outside the IAM system. This often results in IAM systems not delivering the expected business value, for example, adherence to compliance and reduced entitlement management costs. Opportunity Role-based access control (RBAC) is becoming the norm for managing entitlements within commercial systems and applications. RBAC can play a significant role in establishing a model for enforcing security within organizations. It simplifies entitlement management by using roles (as opposed to users) as authorization subjects. A holistic approach to role definition can help alleviate certification-related regulatory compliance challenges, and should be considered an integral part of any IAM initiative. Benefits While RBAC is not a panacea for all ills related to access control, it has proven to be cost effective 1 for organizations in reducing entitlement management costs and complexity. It also reduces the risks of users having inappropriate access privileges and aggregating entitlements as they change job functions within the organization. As users change their job function, they are assigned new roles and old roles are removed from their profile. This results in users entitlements matching their job functions. WHITE PAPER: ROLE ENGINEERING AND ROLE-BASED ACCESS CONTROL 1

SECTION 1 Evolution of Entitlement Management Traditionally, legacy systems and applications managed user permissions by means of groups. Under this model, permissions are assigned to groups users inherit permissions by being a member of a group. The ability to assign permissions to a group and determine who can inherit the permission is considered discretionary, as these determinations are made by the application and system owners. However, authority to assign members to a group is deemed non-discretionary and usually is performed by the security organization. This construct has evolved in recent times with the adaptation of RBAC in IAM solutions. Assignment of permissions to a role and determining membership of roles is supposed to be non-discretionary. Users inherit a set of entitlements as their birth right, as they are enrolled into the organization as part of the onboarding process. Conventionally, managing entitlements has been considered technical, as they are related to applications and are managed in silos without much business input. With the emergence of various regulatory requirements such as the US Sarbanes-Oxley Act, US Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Biley Act (GLBA) and EU Privacy Protection Directive 2002/58/EC, it is increasingly important to streamline the entitlement management process with business oversight, as it becomes a security governance and compliance issue. SECTION 2 RBAC 101 The fundamental concept of RBAC is that roles aggregate privileges. Users are assigned roles and inherit predefined permissions by being members of roles. They are given entitlements no more than what is required to perform their job function based on the least privilege access principle. The following diagram in Figure A depicts the key building blocks of the core RBAC reference model per the American National Standard for Information (ANSI)/InterNational Committee for Information Technology Standards (INCITS) 359-2004 Standard. FIGURE A This graphic illustrates the key elements of RBAC: Users, Roles, and Permissions. BASIC RBAC 2 WHITE PAPER: ROLE ENGINEERING AND ROLE-BASED ACCESS CONTROL

The key elements of RBAC are: USERS By definition, users are individuals who perform one or more job functions within an organization. ROLES In a business context, roles represent job functions and related responsibilities. Responsibilities represent users implicit or explicit authority to execute their job function. In a technology context, roles represent a collection of entitlements that a person inherits from an application perspective to perform a job function. PERMISSIONS In a technology context, a permission is the provision of authority to someone to perform an operation against an RBAC-controlled object within an application or system. SECTION 3 Role Engineering As organizations start deploying IAM solutions, it is becoming increasingly important to devise a common set of roles that can be reused, over and over again, as opposed to defining roles every time an IAM component is deployed. One of the challenges often faced is that, if defined incorrectly, roles are ineffective and fail to meet the organization s requirements 2. Roles can be defined at an abstract level from a business perspective, or context-specific to an application or system from a technology perspective. At an abstract level, roles can be a simple label that defines the job function with a set of responsibilities and authority that goes with it. For example, a bank teller s job function can be a role defined as teller with the responsibility to perform financial transactions with certain limits (authority). At an abstract level, there is no enforcement capability. The role teller in an application has specific entitlements that enable a user to execute transactions with certain limits. How this is configured within the application and how it is enforced is specific to the individual application s capability. Whether an organization looks at defining roles either abstract or specific to a context, the requirements to define roles are important and role definition is a critical step in deploying any RBAC system. Role engineering is the process of defining roles and related information, such as permissions, constraints, and role hierarchies, as they pertain to the user s functional use of systems, applications, and business processes. It is one of the critical steps in deploying RBAC-oriented IAM systems. Organizations often implement IAM systems based on a role-based paradigm without much consideration for roles 3. To minimize deployment effort or to avoid project scope creep, role definition is often not considered part of the initial project. Organizations frequently do not invest enough time to define roles in sufficient detail; rather, they tend to define highlevel roles that do not reflect actual organizational job functions. Permissions mapped to high-level roles are usually generic in nature. The result of this random process is that additional efforts are required to manage job- and function-specific permissions manually, outside the IAM system. This often results in IAM systems not delivering the expected business value, for example, adherence to compliance and reduced entitlement management costs. The process of defining roles should be based on a complete analysis of how an organization functions and should include input from a wide spectrum of users, including business line managers and human resources. WHITE PAPER: ROLE ENGINEERING AND ROLE-BASED ACCESS CONTROL 3

Role definition and management requires alignment between business and IT. It requires a strong commitment and cooperation among the business units, as a role engineering initiative could transcend the enterprise. SECTION 4 Role Engineering Approaches Top-Down This approach is primarily business-driven, and roles are defined based on the responsibilities of a given job function. For roles to be effective, there should be a strong alignment between business and IT objectives. Roles are defined by reviewing organizational business and job functions and mapping the permissions for each job function. This approach provides business oversight and alignment of roles with business functions and reusability. FIGURE B This graphic describes the key steps of a top-down role engineering approach. TOP-DOWN ROLE ENGINEERING Following are the key steps for a top-down role engineering approach: For a successful role engineering project, it is pivotal to define the scope and boundaries for the project. If the organization has a large user population, it would be ideal to conduct a pilot to validate the approach and the outcome. The boundaries could be specific business units or applications that are being considered for role definition. It is important to identify enterprise access policies to determine entitlements for a given job function. The objective of this exercise is to define entitlements based on the least privilege access principle. The next step is to group users in a given business unit based on privileges corresponding to their job function. This would provide some basis for determining appropriate criteria to identify and define the user population. 4 WHITE PAPER: ROLE ENGINEERING AND ROLE-BASED ACCESS CONTROL

One of the critical aspects of role definition is not to have mutually exclusive roles assigned to the same person. For example, a person who creates a purchase order should not be the one who approves it. These types of constraints are defined as part of segregation-of-duties policies. It is important to capture these constraints so that rules can be established to evaluate what types of roles can be assigned to a user for a given job function. Role hierarchies help simplify role definitions by aggregating roles. Role hierarchies usually follow the pattern of organizational hierarchies, where users in the higher organizational structure are able to perform the job functions of their direct and indirect reports. For example, a bank branch manager can perform the job function of a bank teller. Creating role hierarchies simplifies the number of roles assigned to a user. Bottom-Up This approach is based on performing role-mining/discovery by exploring existing user permissions in current applications and systems. Once user permissions are explored, the next step is to perform role normalization and rationalization. In this approach, roles are defined to meet specific application or system access requirements. One of the challenges of this approach is that it requires viable commercial tools to perform role mining. An alternate approach is to select a set of representative users and extract the entitlements that best describe the job function. If the user population is significant, it would be ideal to sample a certain percentage of the population to validate the accuracy of the results. One of the outcomes of this approach is that users often accumulate entitlements based on their previous job functions performed over a period of time; it can become too daunting to extract the entitlements without the business involvement. This is a key aspect of role rationalization to be considered as part of a bottom-up approach. Hybrid This approach combines the previous two approaches. It leverages normalized roles derived from role mining and aligns them to job functions, with the involvement of the business. SECTION 5 Conclusions As organizations embark on various RBAC-oriented IAM initiatives, it is becoming evident that defining high-level roles with basic entitlements will not deliver expected business benefits. It is imperative for a successful role definition to have management support, sufficient funding for the role engineering effort, business unit participation, and resources committed to the project. The importance of roles should not become an afterthought, but should be considered an integral part of any IAM initiative. Organizations also need to address requirements for roles from a compliance standpoint. Entitlement certification is becoming a critical aspect of various regulatory compliance initiatives. Having a holistic approach to role definition helps alleviate certification-related regulatory compliance challenges. WHITE PAPER: ROLE ENGINEERING AND ROLE-BASED ACCESS CONTROL 5

It is important for organizations to get the expected business benefits with careful consideration for how roles are going to be defined and managed on an ongoing basis. Defining roles is difficult under any circumstances, but the process could be overbearing without established limits. It is important to define boundaries for user population, applications and platforms, and the number of business units to be covered by the project. Role engineering, in a top-down or bottom-up approach, is a key cornerstone in the process of defining roles that meet the organizational requirements. Once the roles are defined and inventory has been published, it has to be maintained by both the business and IT, as this helps to keep the information current and available for any future IAM initiatives. SECTION 6 References 1. National Institute of Standards and Technology, The Economic Impact of RBAC, USA, http://csrc.nist.gov/rbac/ 2. Kampman, Kevin, The Business of Roles, Methodologies and Best Practices, vol. 1, 1 February 2006, Burton Group, www.burtongroup.com 3. Ibid. SECTION 7 About the Author Srinivasan Vanamali, CISA, CISSP is a Senior Security Architect at CA, Inc. He has more than 18 years experience in a variety of IT management and technical roles. His expertise includes key aspects of security including identity and access management, industry standards, deployment methodologies, compliance, and technology vision. 6 WHITE PAPER: ROLE ENGINEERING AND ROLE-BASED ACCESS CONTROL

CA (NASDAQ: CA), one of the world's leading independent, enterprise management software companies, unifies and simplifies complex information technology (IT) management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT. MP330280608

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information