Permission To Enter (Or Logon)

May 1, 2007 12:00 PM, By Kenneth L. Davis



Large corporations today find themselves managing information access for a constant tide of vendors, contractors, customers and temporary employees. They also see a bombardment of internal and external audit requests stemming from state and federal privacy and security regulatory requirements — audit requests that do not always result in pleasant findings. Too often audits find that many in the rolling tide of users have inappropriate access or permissions resulting from missteps such as these:

  • Access or permissions are not deleted when users leave the corporation;

  • User access is not updated for the new position when the user changes departments;

  • Too many conflicting access and permission provisioning and de-provisioning processes;

  • Paper-oriented processes;

  • Too many departmental hand-offs for provisioning and de-provisioning access requests; and

  • No periodic re-validation of user access.

Results like these have made security professionals very aware of the need to ensure that user access is being managed appropriately across their enterprise.

Role-based access control (RBAC) assigns permissions to roles that reflect job functions and then assigns users to those roles, instead of administering access and permissions user by user. Because a user's access is derived entirely from role membership, a change of role (or removal from all roles) changes every permission at once. RBAC can help medium and large corporations centrally manage additions, changes and deletions of user access and permissions, which reduces audit findings and allows provisioning and de-provisioning to be automated.
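The following is an added example, not code from the article or from any product it mentions, showing the mechanism the paragraph describes: users hold roles, roles hold permissions, and a periodic review detects two of the audit findings listed above (a departed user whose role was never removed, and a transferred user still holding a role from the old department). The roles, departments, permissions and user names are constructed sample data; the department-to-role ownership attribute is an assumption of this model, not something the article prescribes.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    """A named bundle of permissions owned by one department (constructed model)."""
    name: str
    department: str
    permissions: frozenset


@dataclass
class User:
    uid: str
    department: str
    active: bool = True
    roles: set = field(default_factory=set)


class RBAC:
    """Users get permissions only through roles; nothing is granted per user."""

    def __init__(self):
        self.roles = {}
        self.users = {}

    def define_role(self, name, department, permissions):
        self.roles[name] = Role(name, department, frozenset(permissions))

    def add_user(self, uid, department):
        self.users[uid] = User(uid, department)

    def assign(self, uid, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")  # no ad-hoc, per-user grants
        self.users[uid].roles.add(role)

    def revoke(self, uid, role):
        self.users[uid].roles.discard(role)

    def permissions_of(self, uid):
        user = self.users[uid]
        if not user.active:
            return frozenset()  # a deactivated user gets nothing, even if roles linger
        return frozenset().union(*(self.roles[r].permissions for r in user.roles))

    def is_allowed(self, uid, permission):
        return permission in self.permissions_of(uid)

    # Events from HR. Each updates only the user record, which is exactly how
    # stale roles accumulate when provisioning and de-provisioning are not linked.
    def deactivate(self, uid):
        self.users[uid].active = False

    def transfer(self, uid, new_department):
        self.users[uid].department = new_department

    def review(self):
        """Periodic re-validation: (uid, role, reason) for every stale assignment."""
        findings = []
        for user in self.users.values():
            for role in sorted(user.roles):
                if not user.active:
                    findings.append((user.uid, role, "user deactivated but role not removed"))
                elif self.roles[role].department != user.department:
                    findings.append((user.uid, role, "role belongs to a department the user has left"))
        return findings

    def remediate(self):
        """Revoke every assignment the review flagged; returns how many were removed."""
        findings = self.review()
        for uid, role, _ in findings:
            self.revoke(uid, role)
        return len(findings)


def build_demo():
    """Constructed scenario reproducing two of the article's audit findings."""
    rbac = RBAC()
    rbac.define_role("ap-clerk", "finance", {"invoice:read", "invoice:approve"})
    rbac.define_role("hr-analyst", "hr", {"employee:read", "salary:read"})
    rbac.add_user("alice", "finance")
    rbac.assign("alice", "ap-clerk")
    rbac.add_user("bob", "hr")
    rbac.assign("bob", "hr-analyst")
    rbac.deactivate("alice")         # left the company; nobody removed the role
    rbac.transfer("bob", "finance")  # changed departments; still holds the HR role
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    for finding in rbac.review():
        print(finding)
    print("revoked", rbac.remediate(), "stale assignments")
    print("bob can read salaries:", rbac.is_allowed("bob", "salary:read"))
```

Note that before remediation Bob, now in finance, can still read salary data through the HR role he kept; that is the "user access is not updated for the new position" finding, and it is only the scheduled review, not the transfer itself, that catches it. A production system would wire `review()` to an HR feed and run it on a schedule rather than waiting for an audit.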

To understand if role-based security is the right choice for your organization, you should be prepared to spend a lot of time up front studying:

  • business expectations;

  • internal and external audit expectations;

  • current processes (what is and isn't working);

  • cultural climate for enterprise change;

  • how it will affect individual and organizational roles and responsibilities;

  • possible efficiencies to be gained; and

  • what state and federal mandates will be satisfied.

A corporation should be ready to spend a significant amount of time carefully reviewing RBAC technology solutions.

Implementing RBAC can be resource-intensive and time-consuming. Once an organization has decided on an RBAC technology solution, the information security director should communicate solution expectations throughout the organization and continue to do so as the project moves forward.

Many people perceive RBAC as the "nirvana" solution that resolves every access-related regulatory mandate. Organizations should not expect an RBAC solution to be a silver bullet for their access control needs: roles still have to be defined, kept current and periodically re-validated. Successful implementation of an RBAC solution may require a high level of customization, in-house development, process changes and implementation of additional supporting systems such as an authoritative source of employee and contractor status.


Kenneth L. Davis is chief information security officer for the Barnier & Davis Group, an IT governance and information security consulting firm. This article is presented in cooperation with the Security Executive Council, www.csoexecutivecouncil.com

© 2008 Penton Media Inc.