From Role-Based Access Control to Access Governance

Robert Doswell March 31, 2016

Role-based access control (RBAC) and access governance are two terms that are used interchangeably. Is one then simply synonymous with the other? Or not? What are the differences, and how do you get from RBAC to access governance? Let’s consider the subject in detail.

Role-based access control is a term that has been in use for some time and is considered an effective method of setting up authorization management in an organization. Access governance, on the other hand, is a less familiar term. Access governance is actually a collective term for the professional field of which RBAC only forms part. Access governance is a collection of methods providing full control over issuing and withdrawing authorizations in the network. Together with attestation, re-certification, risk management and compliance policies, RBAC is part of access governance.

I will explain these terms further as we go on.

RBAC is the first step
When organizations want to make a start on – or more often to comply with regulations – the structured management of authorizations, RBAC or ABAC (attribute-based access control) is often a first step. In this first step it is assumed that people have certain ‘attributes’, which then determine that person’s role and the associated authorizations. Attributes might be his position, his department and his location. These attributes can very easily be retrieved from a payroll system. After all, it contains these details for each employee.

In RBAC/ABAC, a model is drawn up with an overview of all attributes, roles and associated authorizations, the so-called RBAC model. Simply put, this model thus states that, “You do this, so you are allowed to do that in the network.” In such cases what’s often involved is ‘birthrights’ – rights a person is assigned by default when beginning employment; for example, access to the Internet, Outlook or perhaps a financial package if the person works in the finance department.

Recertification and attestation
However, the RBAC model that has been created is not sacred. Because the organization is fluid (e.g. reorganizations, mergers, etc.), the composition of the attributes (the payroll system) is in a constant state of change. The network landscape is also subject to change. And this means that the model that was set up has to be reviewed regularly. Validating the RBAC model is also known as re-certification. Re-certification checks whether the authorizations a person receives on the basis of his attributes are still appropriate within the organization.

Alongside validating the RBAC model that has been set up, part of access governance is also to test the reality. This is called attestation. In attestation the organization itself is asked whether the assignment of certain authorizations to employees is in fact correct. Each business unit is asked whether employees are still working there, and if so, is it then correct that they hold authorizations X, Y and Z? These authorizations are often optional rights that are not assigned by default, but have been assigned after a request from, and with the approval of, a manager. This check must be carried out periodically.

Role mining
The RBAC model that has been set up can continue to be elaborated further so that rights can be assigned and again withdrawn automatically at a detailed level. One way to elaborate the model further is through the application of role mining. In role mining, patterns are detected and have been processed in authorizations on the basis of the existing situations. For example, it might be the case that nine out of 10 people in a certain group have employee authorization A. The organization can determine that for this group of employees that authorization will apply as a ‘birthright’.

Risk management
Another addition to the RBAC model is in risk profiles. With risk management it’s possible to add a risk profile based on specific attributes (e.g. department). An employee in the marketing department can thus acquire a lower risk profile than someone in the finance department, because that person can also approve invoices, for example. It can be stipulated that whenever a risk is above a certain value, four-eyes must approve any authorization. The advantage of adding risk management is that a security officer can quickly see who has a high risk profile, and what that person may do in the network in terms of authorizations. Organizations also have the ability to apply extra checks when someone progresses from marketing to the financial department, which entails raising the risk profile.

Compliance policies
Finally, to exercise even more control over authorizations, policies can also be added. These are general rules which an organization must fulfill to be compliant. Rules might be: no more than 25 people may have access to Visio, or there may be no more than 10 domain admin accounts. All these rules must prevent any conflicts occurring. When rules are infringed a security officer or license manager is alerted and can take immediate action.

Role-based access control is, in fact, an initial phase of access governance. Many organizations start with this phase and then work toward a model giving full control over issuing and withdrawing authorizations.

Getting Real About Smart Cities and Open Data

Three attributes a serial technology CEO looks for in a CTO

What You Need To Know About FedRAMP

RBAC’s Not Against the Wall: Role-based access control creates automation opportunities

About Robert Doswell

Robert Doswell is managing director at Tools4ever UK. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, role-based access control, password management, single sign-on and access management.

Gain Decision Advantage With Innovative Enterprise Software

For over 10 years CTOvision has consistently provided strategic context on the nature of technology and how to best leverage it for your personal and business objectives. We maintain the site in a way meant to help you find insights you need as fast as possible. To kick off a search use the search box […]

Gain Powerful Insights Into The Future With OODA Loop’s Technology Tracking

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we have merged our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). CTOvision will focus only on one small niche, a vision for a technology enabled future. […]

Mitigating Advanced Threats with Scalable and Automated Malware Analysis: An interview of Chad Loeven and Mike Hylton

Mitigating Advanced Threats with Scalable and Automated Malware Analysis: An interview of Chad Loeven and Mike Hylton Scalable automated malware analysis has become a critical component of enterprise defense. When properly implemented it can be key to mitigating malware threats that otherwise bypass perimeter defenses. In this post we provide context enterprise architects and security […]

CTOvision and OODA: Big Changes Coming Soon

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we are merging our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). This will give our community access to the same technology summaries we currently produce as […]

The Short Story From Arthur C. Clarke Every Officer in The Military Should Read and Heed

Like so many others in the national security domain I am tracking what I can about the new US Space Force, the newest US military force. I believe their mission is important and establishing Space Force was the right move. Space is, by definition, a domain that will require deep technological expertise to enable mission […]

This One Little Configuration Change Will Make It Harder For People To Steal Your Information

Editor’s note: We are aiming this tutorial at the non-technical person. Please share with anyone in your life who could benefit from this. -bg Cyberspace is a complex domain and our adversaries are always seeking new ways to steal information or spread their malicious code or hold our data for ransom. This is the big reason […]

Think Twice Before Deciding To Use A Personal VPN: You could be getting some really bad advice

From the 1930s to 1950s (far too long) the medical community just would not wake up to the fact that cigarettes could cause harm (see More Doctors Smoke Camels). Why did they stick with this misperception for so long? When so many good people come to the wrong conclusion it probably means some deeply human […]

Science Fiction Gadgets You Can Get Today

Technology is advancing pretty fast, at times influenced by the exciting world of Science Fiction. This video captures 10 of the tech developments first seen in SciFi that are available now. A key point of this, if you want to know what is in our future, watch more SciFi!

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]

Related