To Implement Effective Role Based Access Control, Know Your Systems and Your Staff
Managing user access privileges is one of the most important ways you can improve your information security. Role based access control (RBAC) helps you simplify privilege management by associating permissions with roles rather than individuals. What do you need to do to implement this approach? The key is to know your systems and your staff.
In order to define appropriate roles and assign them to your employees correctly, you need a thorough understanding of your IT resources and the employees who work with them.
You need to identify the resources that should have restricted access. That’s not just applications but also databases, files, email, physical devices, and every other element of your IT infrastructure that has some kind of security control around it.
Once you’ve listed resources, you need to understand what employees do with them. Typically, permissions are thought of in terms of creating, reading, updating, and deleting data. Think about how these permissions are needed to perform job functions. In particular, note the permissions that need to be restricted to supervisory and administrative personnel.
Depending on your infrastructure, you’ll use different tools to define the roles. You may be able to manage some privileges at a high level across the enterprise, but it’s likely you’ll need to establish roles separately for different resources. Some roles may overlap; some roles may be incompatible and should never be held by the same person. You’ll want to document which roles may be combined and enforce those rules whenever roles are assigned. For the most part, try to keep roles consistent with how people currently work, making changes only where needed to ensure security.
Now that you’ve created the roles, you can assign personnel to them and delete the individual privileges previously granted directly to users. Managing the roles assigned to people is an ongoing process, as people’s jobs change over the course of a career. You should have a periodic review, typically annually, where managers review their employees’ roles to make sure the privileges match their job function. (You should be doing this annual review even if you don’t use roles, though it’s much harder to verify privileges individually.)
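The steps above (inventory resources, express permissions as create/read/update/delete, group them into roles, record which roles are incompatible, assign people, then review periodically) can be modelled in a few dozen lines. The following is an added example written for this article, not code from the original post or from Prescient Solutions; the resources, roles, users and the incompatibility rules are constructed sample data.

```python
"""Small RBAC model: roles map to CRUD permissions on resources, assignment
enforces documented incompatibilities, and a review routine reports what a
manager should look at. All names below are constructed examples."""
from dataclasses import dataclass, field
from itertools import combinations

# Permissions are expressed per resource as the four CRUD actions.
CRUD = frozenset({"create", "read", "update", "delete"})


@dataclass(frozen=True)
class Permission:
    resource: str  # constructed resource name, e.g. "payroll_db"
    action: str    # one of CRUD

    def __post_init__(self):
        if self.action not in CRUD:
            raise ValueError(f"unknown action {self.action!r}")


# Role -> permissions. Constructed sample roles; only payroll_admin may
# change payroll records, matching the "restrict to administrative staff" advice.
ROLES = {
    "clerk": {Permission("payroll_db", "read"),
              Permission("timesheets", "create"), Permission("timesheets", "read")},
    "supervisor": {Permission("payroll_db", "read"),
                   Permission("timesheets", "read"), Permission("timesheets", "update")},
    "payroll_admin": {Permission("payroll_db", a) for a in CRUD},
    "auditor": {Permission("payroll_db", "read"), Permission("timesheets", "read")},
}

# Documented rule: these role pairs must never be held by the same person.
INCOMPATIBLE = {frozenset({"payroll_admin", "auditor"}),
                frozenset({"clerk", "supervisor"})}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Per-user grants left over from before roles existed; the review flags them
    # so they can be deleted as the article recommends.
    direct_grants: set = field(default_factory=set)


def effective_permissions(user):
    perms = set()
    for role in user.roles:
        perms |= ROLES[role]
    return perms | user.direct_grants


def is_allowed(user, resource, action):
    return Permission(resource, action) in effective_permissions(user)


def assign_role(user, role):
    """Grant a role, refusing any assignment that breaks a documented rule."""
    if role not in ROLES:
        raise KeyError(role)
    for existing in user.roles:
        if frozenset({existing, role}) in INCOMPATIBLE:
            raise ValueError(f"{role} is incompatible with {existing} for {user.name}")
    user.roles.add(role)


def review_findings(users):
    """Produce the findings a periodic access review hands to managers.
    Catches state that bypassed assign_role (legacy data, direct edits)."""
    findings = []
    for u in users:
        for a, b in combinations(sorted(u.roles), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                findings.append((u.name, f"incompatible roles {a}/{b}"))
        if u.direct_grants:
            findings.append((u.name, f"{len(u.direct_grants)} direct grant(s) outside roles"))
        if not u.roles:
            findings.append((u.name, "no role assigned"))
    return findings


if __name__ == "__main__":
    alice = User("alice")
    assign_role(alice, "clerk")
    # bob's roles were loaded from an old system, so the rule was never checked.
    bob = User("bob", roles={"payroll_admin", "auditor"},
               direct_grants={Permission("timesheets", "delete")})
    for name, issue in review_findings([alice, bob]):
        print(f"{name}: {issue}")
```

The review report is the part worth keeping around: it turns the annual manager sign-off from "look at each user's privileges" into "look at these specific exceptions", which is what makes the review feasible at scale.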
Make sure that creating or reviewing roles is part of every application deployment, whether a new application or upgrade, in order to ensure roles are continually updated to reflect current usage of the application.
RBAC is one element of a comprehensive security strategy. Contact Prescient Solutions to learn how our IT consulting and managed services help business in Chicago and Schaumburg achieve high levels of information security.