How role-based access control can provide security and business benefits

Protecting the network and ensuring the integrity of intellectual property rate high on the priority lists of most large organizations. In addition, more stringent privacy laws have imposed new levels of confidentiality on health care and insurance companies and financial institutions. As a result, identity management has become a critical component in ensuring information security and access control.

Many organizations still rely on individual, user-based identity management mechanisms built into the operating system and individual software applications. However, as the number of users and applications increases, supporting such a system becomes time-consuming, unwieldy and expensive. Users quickly become frustrated by the need to remember multiple passwords. Customer service and help desk personnel get bogged down by the sheer volume of requests for lost or forgotten passwords, new registrations and account terminations. A recent analyst study indicates that call center expenses have increased 39% in the past year alone, a trend that cost-conscious organizations cannot afford to ignore.

What's needed is a low-maintenance system that automates routine administration and controls access across the network so that data security is ensured. One option is role-based access control (RBAC). While RBAC can be challenging to design and implement, it can be tailored to a company's business model and security risk tolerance. Once implemented, it scales for growth and requires minimal maintenance, which goes a long way toward stemming the rising tide of IT costs.

Solid security, high business value

Low maintenance costs and increased efficiency are among the key benefits of RBAC as a security strategy for midsize and large organizations. Here's how it works: Once all of the employee roles are populated into the database, role-based rules are formulated and workflow engine modules are implemented. Through these elements, role-based privileges can be entered and updated quickly across multiple systems, platforms, applications and geographic locations -- right from the HR or IT manager's desktop. By controlling users' access according to their roles and the attributes attached to those roles, the RBAC model provides a companywide control process for managing IT assets while maintaining the desired level of security.

However, RBAC systems also can be designed to maximize operational performance and strategic business value. They can streamline and automate many transactions and business processes and provide users with the resources to perform their jobs better, faster and with greater personal responsibility. With an RBAC system in place, organizations are better positioned to meet their own statutory and regulatory requirements for privacy and confidentiality, which is crucial for health care organizations and financial institutions, as well as requirements imposed by external business partners and government agencies. Directors, managers and IT staffers are better able to monitor how data is being used and accessed, for the purpose of preparing more accurate planning and budget models based on real needs.

RBAC also reduces IT service and administrative costs internally as well as externally, if the organization elects to grant role-based access to select external constituencies such as consultants, business partners, suppliers and customers. Entering new hires becomes faster and easier, as does "lockdown" of accounts when employees depart. And employees typically find that the built-in process automation of RBAC systems increases their efficiency and productivity by eliminating most of the redundancy and mindless administrative tasks required under previous "siloed" security systems.

According to a survey of nearly 200 Global 2000 IT executives and managers jointly conducted by Stanford University and Hong Kong University of Science and Technology, nearly half the companies that responded said they took longer than two weeks to revoke the network access of terminated employees. Survey results also indicated that implementing secure identity management strategies can drive down help desk costs by more than $1 million annually.

Implementation overview

Arguably, the biggest obstacle to RBAC is the initial complexity involved in setting it up. More than just a "one-size-fits-all" technology tool, RBAC is a complex and strategic process that requires expertise far beyond what one can expect from a security software vendor. And, as with most complex projects, RBAC is best implemented by applying a detailed and structured framework that breaks down each task into its component parts. The following steps provide a snapshot of some of these processes.

  • Create a master plan. To extract maximum security and business value from RBAC, the master plan should include project design and scope, a realistic timeline and budget, and a set of benchmarks and deliverables against which to measure progress.
  • Compile information on systems, hardware and software. This step calls for identification and listing of all servers, databases and applications. Only then can business units and management determine the level of security required for each application and data source, based on the core mission, the level of security and/or confidentiality desired, and the need for regulatory or statutory compliance.
  • Define all roles. Compiling a comprehensive list of job functions can best be done in cooperation with the human resources department. Managers and key supervisory staff can then amplify the list with detailed profiles or job descriptions.
  • Analyze roles to determine access. The "roles" information must be categorized and analyzed to formulate role-based access rules. An automated workflow strategy should also be planned detailing how roles will be changed or updated, how new users will be registered and how accounts will be terminated in a timely manner when employees leave the company. Once the plans are approved, the data can be populated into an appropriate set of technology tools.
  • Integrate RBAC across all applications. Before the system goes live, the IT team needs to transfer each application's embedded security functions into the new centralized system, including those of legacy systems, home-grown applications and customized commercial applications. This step is key to providing a secure, companywide information access system.
  • Implement education and organizational change. Education and training, from the top down, are key to the rapid acceptance and user buy-in to RBAC. If employees clearly understand how and why RBAC is critical to the organization's information security and appreciate how it can make them more productive, they are more likely to adapt to the system quickly and enthusiastically.
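A minimal version of the centralized role store that the "Solid security" section describes and of the register/change-roles/terminate workflow planned in the "Analyze roles" step, written as an added example rather than code from the article or from NSC. Role names, applications, user names and dates are constructed, and the 14-day threshold in `overdue_revocations` mirrors the two-week revocation lag cited from the survey.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample role rules: role -> application -> permitted actions.
ROLE_RULES = {
    "claims_adjuster": {"claims_db": {"read", "update"}, "hr_portal": {"read_self"}},
    "hr_manager": {"hr_portal": {"read", "update", "create_user"}},
    "it_admin": {"claims_db": {"read"}, "hr_portal": {"read"}, "backup": {"read", "write"}},
}

@dataclass
class Account:
    roles: set
    active: bool = True
    departed: str = ""  # ISO date on which HR recorded that the employee left

@dataclass
class Directory:
    """Single authoritative store; applications query it instead of keeping their own ACLs."""
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (date, event, user, roles) records

    def _checked(self, roles):
        unknown = set(roles) - set(ROLE_RULES)
        if unknown:
            raise ValueError(f"undefined roles: {sorted(unknown)}")
        return set(roles)
    def register(self, user, roles, today):
        self.accounts[user] = Account(self._checked(roles))
        self.audit.append((today, "register", user, sorted(roles)))
    def change_roles(self, user, roles, today):
        # A role change replaces the old set, so privileges do not accumulate over a career.
        self.accounts[user].roles = self._checked(roles)
        self.audit.append((today, "change_roles", user, sorted(roles)))
    def record_departure(self, user, today):
        self.accounts[user].departed = today  # HR event; access itself is revoked by terminate()
    def terminate(self, user, today):
        self.accounts[user].active, self.accounts[user].roles = False, set()
        self.audit.append((today, "terminate", user, []))
    def permitted(self, user, app, action):
        acct = self.accounts.get(user)
        if acct is None or not acct.active:
            return False
        return any(action in ROLE_RULES[r].get(app, ()) for r in acct.roles)
    def overdue_revocations(self, today, max_days=14):
        """Departed employees whose access is still live more than max_days later."""
        now = date.fromisoformat(today)
        return sorted(u for u, a in self.accounts.items() if a.departed and a.active
                      and (now - date.fromisoformat(a.departed)).days > max_days)
```

Running `overdue_revocations` on a schedule is the check that catches the gap the survey measured: an HR departure record with no matching terminate event.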

Today, protecting digital information is a core business function, since a company's information is closely intertwined not only with privacy and confidentiality issues, but also with key business processes that affect the organization's mission and competitive position. So while RBAC may cost more to implement in the short term, it can deliver long-term savings and a positive ROI.

Trey Guerin is CEO and Richard Lord is vice president of Network Security Consulting LLC in Columbia, Md. NSC provides information security strategies and solutions to government agencies, services organizations and businesses. They can be reached at strategy@nscsecure.com.

Copyright © 2003 IDG Communications, Inc.