RBAC is great, but the migration is a hard slog

Post by Glenn Folkes, Regional Sales Director

Role Based Access Control (RBAC) is an accepted practice to control the risks of inappropriate access in an enterprise environment. No surprise that in IT circles everyone you talk to has had experience on an RBAC project. And almost everyone has strong opinions. In this post I’d like to explore why some of the failures occur and touch on an alternative approach I see organisations adopting.

Logically, RBAC takes the approach that the role someone has should define (and limit) their access. It works well in a highly standardised environment with standardised roles, like the military or maybe a call centre.

In practice, retrofitting RBAC into an organisation is incredibly complex. Most organisations have mature processes for granting and applying access, but have no way of knowing when that same access should be revoked.

Once granted, the access people have, even in the same role, can be vastly different. And it's compounded if inappropriate access is cloned during onboarding for a new team member.

The process of unravelling role based access, even for a single role, is a huge task. It quickly becomes a forensic investigation across multiple team leaders, application owners, sys admins, infrastructure managers, and on it goes.

The complexity grows as we move on from basic access and start to investigate permissions and beyond. Fundamentally, the tooling is not often available to correlate dense technical security and access data back to the air-breathing human. 65 spreadsheets later, this is the point where a lot of organisations tap out and a lot of good BAs get on SEEK.

Rather than taking a profile-based approach, I've seen a number of organisations focus on cleaning up access for critical systems as a starting point. It's still a risk-based approach, but you're talking about a single application and a far smaller set of stakeholders.

The first step is always the same – engage with the application owner and the stakeholder group to understand the risks and challenges they face around user access. Using a tool like RightCrowd IQ, they then ingest the relevant security data and correlate it with HR information. The result is a clear, detailed view of who has access and who can do what.

Now we understand where our risks are, and we can start to prioritise investigation and remedial action. By leaving RightCrowd IQ in place, they have enabled continuous reporting of access compliance and improved security and business practices. Significantly, once you've made progress you can move on to the next system.
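To make the "correlate access data with HR information" step concrete, here is an added example of that correlation for a single application. It is not code from the post and not RightCrowd IQ's own logic; the HR rows, the entitlement export and the names `correlate`, `revocation_gaps`, `role_baseline` and `outliers` are all constructed for illustration. It surfaces the three problems the post describes: access that was never revoked after someone left, accounts with no HR record at all, and entitlements that people in the same role hold beyond what the role usually needs.

```python
# Added example, not from the original post and not RightCrowd IQ code.
# Joins an application's entitlement export to an HR feed and reports the
# access-review findings a stakeholder group would prioritise first.
from collections import Counter, defaultdict

# Constructed sample HR feed: one row per person (hypothetical data).
HR = [
    {"emp_id": "E001", "name": "Ana",  "role": "AP Clerk",   "status": "active"},
    {"emp_id": "E002", "name": "Ben",  "role": "AP Clerk",   "status": "active"},
    {"emp_id": "E003", "name": "Cara", "role": "AP Clerk",   "status": "active"},
    {"emp_id": "E004", "name": "Dev",  "role": "AP Clerk",   "status": "terminated"},
    {"emp_id": "E005", "name": "Eli",  "role": "AP Manager", "status": "active"},
]

# Constructed sample entitlement export for one application:
# (account id, entitlement). "svc_batch" has no matching HR row on purpose.
ENTITLEMENTS = [
    ("E001", "invoice.view"), ("E001", "invoice.create"),
    ("E002", "invoice.view"), ("E002", "invoice.create"),
    ("E003", "invoice.view"), ("E003", "invoice.create"), ("E003", "invoice.approve"),
    ("E004", "invoice.view"), ("E004", "invoice.create"),
    ("E005", "invoice.view"), ("E005", "invoice.approve"), ("E005", "vendor.edit"),
    ("svc_batch", "invoice.view"),
]


def correlate(hr, entitlements):
    """Join entitlement rows to HR by employee id.

    Returns (people, orphans): entitlements keyed by known employee id, and
    entitlements held by accounts the HR feed knows nothing about.
    """
    known = {row["emp_id"] for row in hr}
    people = defaultdict(set)
    orphans = defaultdict(set)
    for account, entitlement in entitlements:
        (people if account in known else orphans)[account].add(entitlement)
    return people, orphans


def revocation_gaps(hr, people):
    """Entitlements still held by anyone whose HR status is not 'active'."""
    status = {row["emp_id"]: row["status"] for row in hr}
    return {emp: sorted(ents) for emp, ents in people.items()
            if status[emp] != "active"}


def role_baseline(hr, people, threshold=0.5):
    """Per role, the entitlements held by more than `threshold` of its active
    members. This is the de-facto role profile, derived from what people
    actually have rather than from a design document."""
    members = defaultdict(list)
    for row in hr:
        if row["status"] == "active":
            members[row["role"]].append(row["emp_id"])
    baseline = {}
    for role, ids in members.items():
        counts = Counter(ent for emp in ids for ent in people.get(emp, ()))
        baseline[role] = {ent for ent, n in counts.items() if n / len(ids) > threshold}
    return baseline


def outliers(hr, people, baseline):
    """Active people holding entitlements beyond their role's baseline: the
    candidates for 'why do you have this?' conversations with the owner."""
    result = {}
    for row in hr:
        if row["status"] != "active":
            continue
        extra = people.get(row["emp_id"], set()) - baseline[row["role"]]
        if extra:
            result[row["emp_id"]] = sorted(extra)
    return result


def access_review(hr=HR, entitlements=ENTITLEMENTS):
    """Run the full correlation and return the findings as one report dict."""
    people, orphans = correlate(hr, entitlements)
    baseline = role_baseline(hr, people)
    return {
        "revocation_gaps": revocation_gaps(hr, people),
        "orphan_accounts": {acct: sorted(ents) for acct, ents in orphans.items()},
        "role_baseline": {role: sorted(ents) for role, ents in baseline.items()},
        "outliers": outliers(hr, people, baseline),
    }


if __name__ == "__main__":
    for finding, detail in access_review().items():
        print(f"{finding}: {detail}")
```

On the sample data this flags E004 (terminated, still entitled), the `svc_batch` account with no owner in HR, and E003 holding `invoice.approve` that no other AP Clerk has. One caveat the baseline logic makes visible: a role with a single active member (AP Manager here) has every entitlement in its baseline, so outliers can only be judged for roles with enough members to compare, which is exactly why the post's per-application, stakeholder-led review matters more than the tooling.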

The benefits of RBAC are clear and well documented, but it is difficult and many organisations don't succeed. If you ever wanted to talk about our approach, I'd be happy to chat.