In his intriguingly titled blog post "How to Eat an Elephant", Simon Moffatt considers the migration from a user-centric access platform to an RBAC framework. In his discussion, Moffatt focuses on role enforcement as one aspect of the evolution of identity management.
Moffatt writes, "With roles, organizations have the ability to manage detailed account entitlements in an automated and security controlled manner, implementing access of least privilege as well as providing entitlement ownership, reporting and accountability. Many organizations see this as a key requisite of any automated account provisioning mechanism, but fail to understand the key components of how to successfully approach or deliver such a project."
Moffatt suggests that users take a bifurcated view of role mining: one perspective should be from the top down, "looking for patterns based on HR or job description data, [and the other from the] bottom up (application specific, entitlement carrying) viewpoint."
The result of such a perspective, the author continues, is that it enables the creation of "a hybrid model allowing roles covering a multitude of job functions and entitlements."
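To make the two role-mining perspectives concrete, here is an added example (not code from Moffatt's post) that runs both views over a constructed set of users: the top-down view groups users by HR attributes, the bottom-up view groups them by identical entitlement sets, and the hybrid step assigns each business role only the entitlements its members actually share (the least-privilege intersection, not the union). Anything a user holds beyond their role is surfaced as a residual for review, and a separation-of-duty check is run over both the derived roles and the raw user entitlements. All user names, entitlement strings and the SoD rule are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the original post): HR attributes (top-down view)
# and application entitlements (bottom-up view) for a handful of users.
HR = {
    "alice": ("finance", "analyst"),
    "bob":   ("finance", "analyst"),
    "carol": ("finance", "manager"),
    "frank": ("finance", "manager"),
    "dave":  ("eng", "developer"),
    "erin":  ("eng", "developer"),
}
ENTITLEMENTS = {
    "alice": {"erp:gl_read", "erp:ap_create", "mail"},
    "bob":   {"erp:gl_read", "erp:ap_create", "mail"},
    "carol": {"erp:gl_read", "erp:ap_approve", "mail"},
    "frank": {"erp:gl_read", "erp:ap_approve", "erp:ap_create", "mail"},
    "dave":  {"git:push", "ci:run", "mail"},
    "erin":  {"git:push", "ci:run", "mail", "prod:ssh"},
}
# Constructed separation-of-duty rule: nobody may both create and approve payments.
SOD_PAIRS = [("erp:ap_create", "erp:ap_approve")]


def top_down_roles(hr):
    """Top-down view: candidate business roles are the (department, title) groups."""
    roles = defaultdict(set)
    for user, job in hr.items():
        roles[job].add(user)
    return dict(roles)


def bottom_up_roles(ents):
    """Bottom-up view: candidate technical roles are users with identical entitlements."""
    roles = defaultdict(set)
    for user, e in ents.items():
        roles[frozenset(e)].add(user)
    return dict(roles)


def hybrid_roles(hr, ents, min_share=1.0):
    """Hybrid model: each top-down role gets the entitlements held by at least
    min_share of its members (1.0 = the strict intersection, i.e. least privilege)."""
    result = {}
    for job, members in top_down_roles(hr).items():
        counts = defaultdict(int)
        for u in members:
            for e in ents[u]:
                counts[e] += 1
        needed = min_share * len(members)
        result[job] = {e for e, c in counts.items() if c >= needed}
    return result


def residual_entitlements(hr, ents, roles):
    """Entitlements a user holds beyond their hybrid role: candidates for review/removal."""
    return {u: ents[u] - roles[hr[u]] for u in ents if ents[u] - roles[hr[u]]}


def sod_violations(holders, sod_pairs):
    """Toxic combinations held by any role or user (holders: name -> entitlement set)."""
    return sorted(
        (name, a, b)
        for name, e in holders.items()
        for a, b in sod_pairs
        if a in e and b in e
    )


if __name__ == "__main__":
    roles = hybrid_roles(HR, ENTITLEMENTS)
    for job, ents in sorted(roles.items()):
        print(job, sorted(ents))
    print("residuals:", residual_entitlements(HR, ENTITLEMENTS, roles))
    print("role SoD violations:", sod_violations(roles, SOD_PAIRS))
    print("user SoD violations:", sod_violations(ENTITLEMENTS, SOD_PAIRS))
```

On this data the derived roles are SoD-clean, but the raw user view shows that frank holds both sides of the payments rule and erin holds a production SSH entitlement outside her role; these are exactly the findings the bottom-up view contributes and the business owner must then decide on.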
Adopting RBAC brings several business process changes that require non-IT operations to understand and manage various processes in the RBAC lifecycle, writes Moffatt. Without business buy-in, RBAC becomes an IT-centric tool that will fail to deliver enterprise-wide benefit, he notes.
The management thinking behind adoption of an RBAC tool, Moffatt contends, is really based on enabling the business to perform greater and more efficient access governance and identity management. The business must first understand the expected benefits of undertaking such a large project, he writes, the best evidence for which is the outcome of attempting an RBAC framework manually without any automated tools. Moffatt says such an attempt will clearly show the difficult and time consuming process of attempting to cluster users and entitlements together. It also gives a point of comparison between manual delivery and an automated methodology for RBAC access governance, he continues.
The most useful stance to take toward an RBAC framework, Moffatt suggests, is a long-term strategic direction; this is no short-term tactical fix, he insists. Such a long-term view must include business ownership of the framework as well as the automated IT mechanisms underpinning this type of solution, such as provisioning, access enforcement, role development and separation of duty monitoring.
In addition to a long-term chronological perspective, another essential is agreement among senior management (CFO, CISO, audit staff). The CFO should be interested in the long-term ROI and lower TCO. Representatives from Audit (for the increased reporting and access governance ownership gained through RBAC), as well as the CEO, should also be part of the decision-making process because of the enterprise-wide impact, according to the article.
Concluding his blog post, Moffatt notes that industry analysts such as Gartner and Forrester now regularly comment on the expectation that RBAC frameworks will become the standard offering to large-scale organizations intent on increasing access governance whilst lowering TCO for user administration. The open question, he says, is whether a successful RBAC implementation can be achieved without cross-business understanding and buy-in; with IT sponsorship alone, any enterprise-wide project is destined to fail.
More Information
OpenSolaris's Role Based Access Control