
Automate Role Management to Avoid Three Major Business Disasters

by John Barco and Sachin Nayyar

Role management: The process of defining roles, assigning them to users, and maintaining the relationship of users to responsibilities and of responsibilities to enterprise resources.

Sometimes, it seems you can't turn around these days without bumping into business roles. According to research results reported by the Burton Group in 2007 ("Understanding Role Management Applications: No Pain, No Gain," May 17, 2007), the number of role management initiatives in a broad range of industries has grown significantly since 2003. The rise is apparently a relatively recent development, with the majority of initiatives just now in process, and many of them representing first-time forays into this area of IT and business development.

Why the intense and seemingly sudden interest in roles? After all, the concept of using roles as a means of defining and determining who can participate in what in an organization can be traced all the way back to the military in the 1940s. But today, dramatic changes in the world's business and technology landscapes have moved role management front and center as a means of addressing critical business concerns.

One of these changes is the radical shift in the way organizations work together today, as evidenced by the explosive growth in networked communications and collaboration. It's a transformation that has made finer-grained roles and access essential to enabling successful growth while protecting enterprise interests. The other factor is the emergence of automation as a means of defining and managing roles effectively on an unprecedented scale. As a result, roles today have evolved from being a mere tactical tool for controlling access to a particular application or platform, to becoming an essential part of how the enterprise meets its most critical business concerns. And cost-efficiency, compliance and security have emerged as particular areas of concern in which role management can play an especially significant, well, role.

Role Management and Identity Management: The Evolving Relationship
There have generally been two schools of thought as to the relationship between role management and identity management: the one that sees role management mainly as a tool for more efficient identity management, and the one that recognizes the value of role management independent of identity management. Somewhere between these two extremes is the notion of an integrated approach - one in which role management and identity management capabilities join together to define and assign roles and then to further refine them based on how individuals interact with resources.

Without an identity management infrastructure that incorporates automated role management, an enterprise runs the risk of three major types of business disaster.

1. Untenable Costs of Doing Business
With the staggering growth in business collaboration today, every enterprise faces the challenge of providing more and better controls over access rights and privileges - but without a corresponding increase in the costs and resources required to do so. Role management and identity management reduce the cost and complexity of extending access to more users and providing appropriate controls over that access. For example, an approach that can automatically generate role-mining data based on user access and can then analyze that data to create roles provides a streamlined, cost-efficient path to finer-grained roles and access controls.

Beyond that, the very use of roles lowers costs by reducing the number of objects that need to be managed. Making roles part of the provisioning infrastructure further lowers costs by speeding and streamlining the processes of setting up employees with access privileges, and of monitoring that access and reporting on access violations. Of course, automation is central to all role-driven efforts at access control and reporting. Replacing time-consuming, error-prone manual approaches with automated processes eliminates the countless costly hours that would be required to achieve the same results by hand.

If a company's identity management infrastructure does not incorporate an automated role management component, the enterprise will have no choice but to find alternate ways to create and manage roles - ways that may not include the benefit of automation. This can lead to a number of financial risks: for example, being unable to respond to audit requests in a timely, cost-efficient manner, or having to incur exorbitant unplanned expenses for proving compliance. That brings us to the next area of potential disaster that automated role management and identity management can avert.

2. Failure to Comply with Regulatory Requirements
In one sense, this disaster can spring from a simple principle of scale: The more users that have access to enterprise resources, the more risk that their access may not be compliant with the current spate of regulations governing the integrity and privacy of enterprise data. This is why it's so important to be able to closely track users' roles and the access associated with those roles - and to be able to quickly determine when that access is in violation of regulatory requirements.

Automated role-based access control, as part of a larger role-management and identity-management infrastructure, reduces the risk of improper access by making it possible to continuously compare users' actual access with the access to which their roles entitle them. Additional key areas of scrutiny include segregation of duties (whether a user holds roles or accounts that conflict in a way that violates internal policies or external regulatory requirements) and terminated-user access (whether a user continues to hold access privileges after his or her association with the organization has ended). An integrated approach to role management and identity management can find and report on these aspects of access to demonstrate compliance. In addition, the ability to look at historical data to see who held which privileges at a particular time is invaluable for demonstrating compliance and avoiding a compliance failure.

Another way in which role management can reduce the risk of non-compliance is in the use of roles as a basis for informed requests about what resources employees need to do their jobs when they're about to be provisioned. In a simpler, less complex time, simply asking another employee might have sufficed. Today, however, such an informal approach is not only risky, it's generally unacceptable to auditors. (And with good reason: What if the employee being asked is wrong - and non-compliant access is granted to an individual as a result?) With an integrated, automated approach that clearly defines and applies roles, mistakes that could lead to non-compliance are far less likely, and evidence of compliance is readily available to collect and provide to auditors.

3. Breaches of Security
Threats to the security of enterprise resources have grown dramatically in proportion to the growth in the number and type of users - not just employees, but also partners, vendors, and customers - who have access to resources. The problem here is more complex than a simple case of keeping unauthorized external users out; it's about ensuring that authorized, legitimate users have access only to the specific resources to which they are entitled. The constantly changing nature of roles doesn't make this any easier. For example, suppose a user who has legitimate access to private employee information (such as salary and benefits) in his or her role as part of the Human Resources staff transfers to the Marketing Communications department. It's no longer acceptable for this user to have access to such sensitive information. But that's exactly what can happen if there is any lag between the change in roles and the adjustment to access privileges.

By tying access directly to roles and automating access-related processes, the risk of a breach in the security of enterprise resources under circumstances like these can be significantly diminished. This is because automated, role-based access control as part of a larger identity management infrastructure provides complete visibility into access privileges, with current and constantly available insight into who has access to what enterprise resources. If there is a discrepancy between privileges and actual access that could threaten security, automated access reviews will detect and report on it, so that managers can review and take corrective action to eliminate any risk of a security problem.
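The three checks the article describes for an automated access review (actual access versus role-entitled access, segregation-of-duties conflicts, and terminated users who still hold privileges) are sketched below as an added illustration; this is example code, not from the article or from the Sun/Vaau products, and the role names, entitlement strings, users and SoD rule are all constructed sample data. It also covers the HR-to-Marketing transfer scenario from the previous section: a role change that was applied in the role model but not yet on the target system shows up as excess access.

```python
from dataclasses import dataclass

# Constructed sample role model (hypothetical names): role -> entitlements it grants
ROLES = {
    "hr_staff": {"hr_db:read_salary", "hr_db:read_benefits"},
    "marcom": {"cms:publish"},
    "ap_clerk": {"erp:create_vendor"},
    "ap_approver": {"erp:approve_payment"},
}

# Constructed segregation-of-duties rule: role pairs one person must never hold together
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"})}


@dataclass
class User:
    name: str
    roles: set          # roles currently assigned in the role model
    actual: set         # entitlements actually observed on the target systems
    active: bool = True # False once HR has terminated the user


def entitled(user: User) -> set:
    """Union of entitlements the user's current roles grant."""
    return set().union(*(ROLES[r] for r in user.roles))


def review(users) -> dict:
    """Run the three review checks; return findings keyed by user name."""
    findings = {}
    for u in users:
        hits = []
        if not u.active and u.actual:           # terminated-user access
            hits.append(("terminated_access", sorted(u.actual)))
        excess = u.actual - entitled(u)          # access beyond what roles entitle
        if excess:
            hits.append(("excess_access", sorted(excess)))
        for pair in SOD_CONFLICTS:               # conflicting role combinations
            if pair <= u.roles:
                hits.append(("sod_conflict", sorted(pair)))
        if hits:
            findings[u.name] = hits
    return findings


def run_review() -> dict:
    """Constructed sample population: a transfer, an SoD conflict, a leaver, a clean user."""
    users = [
        User("alice", {"marcom"}, {"cms:publish", "hr_db:read_salary", "hr_db:read_benefits"}),
        User("bob", {"ap_clerk", "ap_approver"}, {"erp:create_vendor", "erp:approve_payment"}),
        User("carol", {"ap_clerk"}, {"erp:create_vendor"}, active=False),
        User("dave", {"marcom"}, {"cms:publish"}),
    ]
    return review(users)
```

Each finding names the user, the check that fired and the exact entitlements or roles involved, which is the evidence a reviewer needs to revoke the access and an auditor needs to see that the review ran.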

Figure 1. Integrating role-based access control with identity-management provisioning capabilities provides the enterprise with complete capabilities to define and assign roles, and to gather information on usage that will enable further role refinement.

Roles and role management have come a long way from serving principally as a means of making it easier to manage access to applications. As the growing number of roles-driven projects indicates, roles are increasingly likely to address critical business objectives such as greater cost efficiencies, improved compliance, and reduced security exposure. Working as part of an integrated, automated role-management and identity-management solution, roles can go a long way toward helping avert potential business catastrophes in increasingly collaborative and complex business environments.

About the Author
John Barco is director of product marketing and product management for Sun Microsystems, where he is responsible for driving product strategy and execution for the Sun Identity Management portfolio. Sachin Nayyar is CEO and founder of Vaau, the premier provider of enterprise role management solutions for Fortune 500 companies. Sun and Vaau have introduced a joint solution that brings together the two companies' identity management and role management capabilities.


© Copyright 2008 Auerbach Publications