Most organizations set this up based on an RBAC solution, where the ‘R’ in R-Based Access Control can stand for any of several approaches. These are:
Role-based – this is by far the most common reading of the term RBAC. Here, access depends on the person’s role. For example, a manager may have access to all of an organization’s information systems, while an employee in the finance department only has access to those systems that he or she genuinely needs.
Rule-based – here, one or more rules determine who has access, based on attributes. For that reason, the term attribute-based is also used sometimes. A rule may determine that a certain department’s accounts can always be accessed at the office, but not from home or some other place unless additional approval has been given. In this case, the attributes are ‘department’ and ‘location’.
Request-based – here, a user must submit a request for access rights, upon which a manual or automated approval procedure is initiated.
Risk-based – here, one considers how critical the data in a system is for the organization. The greater the risk of harm through misuse, the stricter the access control. This also depends on the context of the access (context-based), which is dynamic. Consider, for example, time, location, or logging of ‘normal’ use.
Most organizations use a combination of these approaches. They frequently apply RBAC by means of roles, but usually allocate these based on rules, risks and requests.
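To make the combination described above concrete, here is an added example (not taken from the article or from any product) of a small access decision function that layers the four variants: a role-to-system table (role-based), a department/location rule (rule-based), an approved-request set that can lift a restriction (request-based), and a per-system risk level checked against the time of day (risk/context-based). All roles, departments, systems, thresholds and sample identities are constructed assumptions. Missing or unknown attributes fail closed, which is the practical consequence of the ‘rubbish in, rubbish out’ point: an incomplete record should deny, not silently allow.

```python
"""Toy access-control decision engine combining role-, rule-, request- and
risk/context-based checks.  Constructed example; every name, role,
department, system and threshold below is an assumption for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Role-based: which systems each role may use at all (constructed).
ROLE_SYSTEMS = {
    "manager": {"hr", "finance", "crm"},
    "finance_clerk": {"finance"},
    "sales": {"crm"},
}

# Risk-based: how critical each system's data is; higher means stricter (constructed).
SYSTEM_RISK = {"hr": 3, "finance": 3, "crm": 1}

OFFICE_HOURS = range(8, 18)  # context rule: 08:00-17:59 local time


@dataclass
class Identity:
    name: str
    role: Optional[str]        # None models a missing or unknown attribute
    department: Optional[str]


@dataclass
class Context:
    location: str              # "office" or "remote"
    hour: int                  # 0-23, local time of the request
    # Request-based: systems for which an approval workflow has already granted
    # an exception for this session.
    approved_requests: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str


def decide(identity: Identity, system: str, ctx: Context) -> Decision:
    """Return an allow/deny decision with the rule that produced it."""
    # Data-quality guard: an identity record with a missing or unknown role or
    # department fails closed instead of being guessed at.
    if identity.role not in ROLE_SYSTEMS or identity.department is None:
        return Decision(False, "incomplete identity data")
    if system not in SYSTEM_RISK:
        return Decision(False, "unknown system")

    # Role-based: the role must cover the requested system.
    if system not in ROLE_SYSTEMS[identity.role]:
        return Decision(False, "role does not cover system")

    # Rule-based on attributes 'department' and 'location': finance
    # department accounts are office-only unless a request was approved.
    if identity.department == "finance" and ctx.location != "office":
        if system not in ctx.approved_requests:
            return Decision(False, "remote finance access needs approval")

    # Risk/context-based: high-risk systems only inside office hours,
    # again unless an approved request exists for this system.
    if SYSTEM_RISK[system] >= 3 and ctx.hour not in OFFICE_HOURS:
        if system not in ctx.approved_requests:
            return Decision(False, "high-risk system outside office hours")

    return Decision(True, "allowed")


def demo() -> list:
    """Run a few constructed requests and return their decisions."""
    clerk = Identity("bob", "finance_clerk", "finance")
    return [
        decide(Identity("ann", "manager", "management"), "finance", Context("office", 10)),
        decide(clerk, "finance", Context("remote", 10)),               # denied by location rule
        decide(clerk, "finance", Context("remote", 10, {"finance"})),  # lifted by approved request
        decide(clerk, "finance", Context("office", 22)),               # denied by risk/time rule
        decide(Identity("dee", None, "finance"), "finance", Context("office", 10)),  # bad data
    ]


if __name__ == "__main__":
    for d in demo():
        print(d.allowed, d.reason)
```

Each denial carries the name of the rule that produced it, so the same function doubles as an audit record: when decisions start coming back as “incomplete identity data”, the problem is in the HR or directory feed, not in the policy.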
Importance of data governance
Understandably, organizations try to automate their access control as far as possible. For effective access control, that means the right data must be available at any given moment to decide whether an identity should be granted or denied access rights. With information systems, ‘rubbish in, rubbish out’ is a familiar concept. The same applies to access control. Whichever variant your organization uses, if the underlying data is not of the right quality you soon tend towards rubbish-based access control. And that doesn’t lead to the desired result, i.e. being in control of who has access to what, and why. To improve the quality of the required data, and to be able to guarantee it, it is important to devote attention to data governance when you start using RBAC.
Data governance, as the basis for data quality (correct, complete, timely, relevant and reliable) of RBAC systems, involves the following aspects:
The organization’s vision with regard to data. This is about an organization’s strategic approach to its data.
The organization’s policy with regard to data. The policy must lay down how the data may be used, inside and outside the organization.
Ownership and responsibility. This covers the question of which people or departments are accountable for the quality of certain data sets.
These days, data is a business asset, just like buildings and means of production. This calls for awareness, on the part of employees, of the value of data.
Processes dictate what needs to be accomplished in accordance with established policy.
All the foregoing aspects have to be supported by the right technology; all this is not just a one-off exercise, but a continuous process that can be continually refined.
Approach to RBAC
When the data governance is in order, and an organization is certain that the data required to feed an RBAC system is usable, an authorization model with a hybrid approach can be established. With that, we mean that we consider the perspective both of the business (‘top-down’) and of the application (‘bottom-up’). ‘Top-down’ raises such questions as who does what, which applications are used, and which functions of those applications are used. ‘Bottom-up’ covers questions such as what someone can do with this application, what distinctions can be made in access rights, and what rights employees currently have.
In this respect, it is important for an organization to be set up around authorization management. This means you need people who are responsible for the various steps in processes such as:
Based on this, the authorization model – including allocation rules and application processes – can be set up (in suitable technology), giving the organization control over authorization management.
Tessa Schlief is Team Lead Business Consultancy at Traxion, supplier of Identity Centric Security Services in the Netherlands and Belgium employing over 130 highly qualified professionals. Traxion is a division of the Swiss IT Security Group.