Role Based Access Control (RBAC) Best Practices & Tips For Successful Implementation


Slide 1: Role Based Access Control (RBAC) Best Practices & Tips For Successful Implementation
Speaker: Bhavdip Rathod, IAM Solution Architect, SailPoint Technologies, Inc
10/18/2018

Slide 2: Agenda - What we will be covering today
Why Role Based Access Control (RBAC)?
Business Justification for RBAC
Key Reasons behind RBAC Implementation Failure
Best Practices to follow before you implement the RBAC Program
Role mining approaches
Where to get started
RBAC Implementation Best Practices
Role Maintenance Best Practices

Slide 3: Why RBAC Roles?
Group and categorize users based on their job function
- Apply common functionality to groups of users based on Identity Attributes or other Assignment Rules
- Allows users to request access and managers to approve and recertify access through the use of business-friendly and easily understood roles.
Improved efficiency and security
- Fewer items to request, approve, recertify.
- Segregation of Duty conflicts can be prevented before they occur.
- Simplify auditing

Slide 4: Why RBAC Roles? (continued)
An RBAC implementation and the associated process redesign has many benefits for the organization and your team, if done right.

Slide 5: Business Justification for RBAC
RBAC: a shift from entitlement-based access to role-based access for the organization
- Simplified access requests for the users
- Addressing the accumulation of entitlements
- Enforce least privilege (which can help eliminate Insider Threat type of attacks)
- Provide translation between the IT and Business functions within an organization
Ref:

Slide 6: Key Reasons behind RBAC Implementation Failure
Failure to enforce the Least Privilege principle
- Large roles with many entitlements
Role Explosion
- Poor role design can lead to more roles than identities and hence defeat the entire purpose of the RBAC program's objective
Lack of extensibility, flexibility and pervasiveness
- Role models must be flexible enough to change or adapt with business changes
Stale or legacy data
- Roles built on legacy data/entitlements often result in low adoption

Slide 7: So let's go through the recommended best practices and tips for a successful RBAC implementation project for your organization.

Slide 8: Best Practices to follow before implementing RBAC
Don't rush; let your overall IAM program mature
- Attempting to implement RBAC too early leads to a higher failure rate
Executive sponsorship and involvement is key
- Deliver the message of why RBAC is important from the top down
Build a team of experienced role engineers/analysts
- Interview business/application owners and IT staff.
- An external entity can provide an impartial view of clear business requirements
Identify and assign a business owner to represent each area
- Best insider knowledge for their departments
- Promotes the new IAM tool, delivers training and validates the solution.

Slide 9: Before implementing RBAC (continued)
Identify and assign a business owner to represent each area
- Best insider knowledge for their departments
- Promotes the new IAM tool, delivers training and validates the solution.
- Ideally, this person will be the role owner going forward
Start the data clean-up process
- Identify the bad or legacy data that exists in your applications and start cleaning it up

Slide 10: Planning for RBAC - Considerations
RBAC can have many objectives: Certification, Provisioning, Access Request, Compliance & Governance
- Roles for Provisioning: drives automation
- Roles for Access Request: create buckets of known entitlements
- Roles for Compliance & Governance: assigned access via roles and auditing
- Roles for Certification: capture business relevance
Utilize role mining techniques before you try to do role management
- This will give you something to build upon
Keep it simple!

Slide 11: Role Mining Approaches
Role analysis should be performed via both a top-down analysis of organizational structure and business function as well as a bottom-up analysis of current system entitlements.
Top-Down Approach
- Keep a company-wide perspective but avoid defining the entire model in one project
- Start with a single organization, user community, core apps
- Define a clear process for each modeling exercise
Bottom-Up Approach
- A Bottom-Up approach is conducted by analyzing entitlements and permissions for in-scope target systems/applications and grouping them into logical functions.
- Roles are defined to meet application or system specific access requirements.
Mix of both: Hybrid approach
- Key to the hybrid approach: join business & IT roles using the model
[Diagram labels: IAM Policies, Compliance/SOD, Business Role, Role Definition, Technical Role]

Slide 12: Analyzing and Building Roles
Entitlement Analysis
IT Role Mining
Business Role Mining
Export to CSV
Good ol' Pencil and Paper (or Excel)
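The top-down, bottom-up and hybrid role mining described on slides 11 and 12, as an added worked example that is not part of the deck and not SailPoint code. The identity data, department names and entitlement names are constructed for illustration; the thresholds and the "identical entitlement set" grouping are my simplifying assumptions, not a mining algorithm the deck prescribes. The example also computes the checks the earlier slides call for: coverage of existing access by roles, the roles-to-identities ratio (role explosion), the largest role (least-privilege risk) and the residual access that no role explains (often the stale or legacy data to clean up first).

```python
from collections import Counter, defaultdict

# Constructed sample identity data (hypothetical): identity -> (department, entitlements held today)
IDENTITIES = {
    "alice": ("Finance", {"erp:gl_read", "erp:gl_post", "mail:box"}),
    "bob":   ("Finance", {"erp:gl_read", "erp:gl_post", "mail:box"}),
    "carol": ("Finance", {"erp:gl_read", "erp:ap_approve", "mail:box"}),
    "dave":  ("Finance", {"erp:gl_read", "mail:box"}),
    "erin":  ("Eng", {"git:push", "ci:run", "mail:box"}),
    "frank": ("Eng", {"git:push", "ci:run", "mail:box"}),
    "grace": ("Eng", {"git:push", "prod:ssh", "mail:box"}),
    "heidi": ("Legacy", {"as400:old_app", "mail:box"}),
}


def common_entitlements(identities, members, threshold):
    """Entitlements held by at least `threshold` (a fraction) of the given members."""
    counts = Counter(e for m in members for e in identities[m][1])
    needed = threshold * len(members)
    return frozenset(e for e, n in counts.items() if n >= needed)


def mine_business_roles(identities, threshold=0.75, min_members=2):
    """Top-down mining: a company-wide birthright role first, then one business role per
    department holding what most of its members have beyond the birthright.
    Departments below `min_members` get no role (a one-person role is role explosion)."""
    roles = {"Birthright:All": common_entitlements(identities, list(identities), threshold)}
    by_dept = defaultdict(list)
    for name, (dept, _) in identities.items():
        by_dept[dept].append(name)
    for dept, members in sorted(by_dept.items()):
        if len(members) < min_members:
            continue
        ents = common_entitlements(identities, members, threshold) - roles["Birthright:All"]
        if ents:
            roles[f"Business:{dept}"] = ents
    return roles


def mine_it_roles(identities, min_members=2):
    """Bottom-up mining: identities holding an identical entitlement set form a candidate
    technical (IT) role, named after the entitlements it bundles."""
    groups = defaultdict(list)
    for name, (_, ents) in identities.items():
        groups[frozenset(ents)].append(name)
    return {"IT:" + "+".join(sorted(ents)): ents
            for ents, members in groups.items() if len(members) >= min_members}


def residual_entitlements(identities, roles):
    """Per identity, the entitlements no qualifying role explains (a role qualifies when the
    identity already holds every entitlement in it). Residuals remain direct assignments that
    must be requested and certified one by one, or are legacy data to clean up."""
    residual = {}
    for name, (_, held) in identities.items():
        covered = set().union(*(ents for ents in roles.values() if ents <= held))
        residual[name] = set(held) - covered
    return residual


def role_model_metrics(identities, roles):
    """Checks from the deck: coverage of today's access by roles, roles per identity
    (role explosion as it approaches 1), and the largest role (least-privilege risk)."""
    total = sum(len(held) for _, held in identities.values())
    uncovered = sum(len(r) for r in residual_entitlements(identities, roles).values())
    return {
        "roles": len(roles),
        "roles_per_identity": len(roles) / len(identities),
        "coverage": (total - uncovered) / total,
        "largest_role": max((len(e) for e in roles.values()), default=0),
    }


if __name__ == "__main__":
    business = mine_business_roles(IDENTITIES)
    it = mine_it_roles(IDENTITIES)
    hybrid = {**business, **it}  # hybrid model: business and IT roles side by side
    for label, model in (("top-down", business), ("bottom-up", it), ("hybrid", hybrid)):
        print(label, role_model_metrics(IDENTITIES, model))
    for name, left in residual_entitlements(IDENTITIES, hybrid).items():
        if left:
            print(f"{name}: direct access not explained by any role: {sorted(left)}")
```

Run stand-alone, the top-down model alone explains about 68% of existing access with three roles, the hybrid model about 86% with five roles while staying well below one role per identity, and the only identity whose department yielded no role (the "Legacy" department) surfaces as residual access to review before any role is built on it.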

Slide 13: How to get started
Bottom-up vs. Top-down: getting disoriented
- Business requirements should drive the starting point
- Long-term goals should provide perspective
- No reason to only use one approach
Compliance and Access Governance
- Great starting point for governance-driven requirements
- Focus should be high-risk, SOD-type initiatives
- Defines least-privileged role access as a base for provisioning
Automated Provisioning
- Simplify with birthright roles
Access Requests
- Start with high-traffic roles and entitlements

Slide 14: RBAC Implementation Best Practices
Naming conventions
Role hierarchy
Treat RBAC as a subset of IAM yet a parallel program
Permitted/Required relationship from IT to business roles

Slide 15: RBAC Implementation Best Practices
Start with basic roles (employee vs. contractor)
Focus on quick wins and learn as you go:
- Birthright (user type) roles
- Roles for request (pilot group and/or a specific app's roles)
- Entitlements and when to use them instead of roles

Slide 16: RBAC Best Practices - Role Maintenance
Validate the content of roles at least once a year
Create processes surrounding roles (lifecycle management of roles)
- Creating
- Updating
- Deleting/retiring
Roles aren't a one-time thing
Consider establishing role recertification processes to keep them up to date with business changes.
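The role hierarchy of slides 14 and 15 (business roles above IT roles, a Permitted/Required relationship between them, birthright roles assigned by identity attributes, employee vs. contractor as the first basic roles), together with the SoD prevention of slide 3 and the yearly recertification of slide 16, as one added worked example. This is not code from the deck or from any IAM product; the role names, assignment rules, entitlement names and certification dates are constructed, and the "reject a request that would create a new SoD conflict" behaviour is one way to implement the prevention the deck asks for.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class ITRole:
    """Technical role: a named bundle of application entitlements."""
    name: str
    entitlements: FrozenSet[str]


@dataclass(frozen=True)
class BusinessRole:
    """Business role placed above IT roles in the hierarchy.
    assignment_rule: identity attributes -> bool; a birthright role when not None.
    required: IT roles provisioned automatically with the business role.
    permitted: IT roles members may request; never granted automatically."""
    name: str
    assignment_rule: Optional[Callable[[Dict[str, str]], bool]]
    required: Tuple[str, ...] = ()
    permitted: Tuple[str, ...] = ()
    last_certified: Optional[date] = None


# Constructed model (hypothetical names and dates, not from the deck)
IT_ROLES = {r.name: r for r in (
    ITRole("IT_Mail", frozenset({"mail:box"})),
    ITRole("IT_GL_Read", frozenset({"erp:gl_read"})),
    ITRole("IT_AP_Create", frozenset({"erp:ap_create"})),
    ITRole("IT_AP_Approve", frozenset({"erp:ap_approve"})),
    ITRole("IT_Git", frozenset({"git:push"})),
)}

BUSINESS_ROLES = [
    BusinessRole("Employee", lambda a: a["type"] == "employee",
                 required=("IT_Mail",), last_certified=date(2018, 1, 15)),
    BusinessRole("Contractor", lambda a: a["type"] == "contractor",
                 permitted=("IT_Mail",), last_certified=date(2018, 9, 1)),
    BusinessRole("Finance", lambda a: a["dept"] == "Finance",
                 required=("IT_GL_Read",), permitted=("IT_AP_Create", "IT_AP_Approve")),
    BusinessRole("Engineering", lambda a: a["dept"] == "Eng",
                 required=("IT_Git",), last_certified=date(2017, 6, 1)),
]

# Segregation of Duty policy (constructed): these entitlements must never be held together
SOD_POLICIES = [frozenset({"erp:ap_create", "erp:ap_approve"})]


def assigned_business_roles(attrs, roles=BUSINESS_ROLES):
    """Birthright evaluation: every business role whose assignment rule matches the identity."""
    return [r for r in roles if r.assignment_rule is not None and r.assignment_rule(attrs)]


def sod_violations(entitlements, policies=SOD_POLICIES):
    """SoD policies fully contained in the given entitlement set."""
    return [p for p in policies if p <= entitlements]


def evaluate_access(attrs, requested_it_roles, roles=BUSINESS_ROLES, it_roles=IT_ROLES):
    """Provision the required IT roles of the identity's business roles, then process requests:
    a request is rejected unless some assigned business role permits it, and rejected again
    if adding it would create a new SoD conflict (the conflict is blocked before it exists)."""
    assigned = assigned_business_roles(attrs, roles)
    held = set()
    for br in assigned:
        for it_name in br.required:
            held |= it_roles[it_name].entitlements
    permitted = {it_name for br in assigned for it_name in br.permitted}
    granted, rejected = [], []
    for it_name in requested_it_roles:
        if it_name not in permitted:
            rejected.append((it_name, "not permitted by any assigned business role"))
            continue
        candidate = held | it_roles[it_name].entitlements
        if len(sod_violations(candidate)) > len(sod_violations(held)):
            rejected.append((it_name, "would create a Segregation of Duty conflict"))
            continue
        held = candidate
        granted.append(it_name)
    return {"business_roles": [r.name for r in assigned], "entitlements": held,
            "granted": granted, "rejected": rejected}


def roles_due_for_recertification(today, roles=BUSINESS_ROLES, max_age_days=365):
    """Role maintenance: roles never certified, or certified more than max_age_days ago."""
    cutoff = today - timedelta(days=max_age_days)
    return [r.name for r in roles if r.last_certified is None or r.last_certified < cutoff]


if __name__ == "__main__":
    print(evaluate_access({"type": "employee", "dept": "Finance"}, ["IT_AP_Create", "IT_AP_Approve"]))
    print(evaluate_access({"type": "contractor", "dept": "Eng"}, ["IT_GL_Read", "IT_Mail"]))
    print(roles_due_for_recertification(date(2018, 10, 18)))
```

The Finance employee receives mail and GL read access as birthright, is granted AP create on request, and has the AP approve request rejected because the pair would violate the SoD policy; the contractor in engineering gets Git access automatically but must request mail (permitted, not required) and cannot request GL read at all because no business role of theirs permits it. Against the deck's own date, 10/18/2018, the recertification check flags the never-certified Finance role and the Engineering role certified more than a year earlier.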

Slide 17: RBAC Best Practices - Testing
Be thorough in the QA process
UAT with target teams
Build training and quick reference materials
Get feedback from all sides
Work on roles in a Staging/QA environment, not production
Export and promote roles to production only after testing and sign-off from the testing party is done in the Staging/QA environment
Test frequently, after every save of a role if possible
Review and sanity check the behavior
You may want to initially set up roles to be provisioned manually

Slide 18: RBAC Best Practices - Training
Defining roles is half the battle!
Develop training material
Make it easy to find
COMMUNICATE!

Slide 19: Applied best practices! Had a successful RBAC Program!

Slide 20: "The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency." - Bill Gates
