Securing the Digital World

Yin and Yang: Two Views on IAM - Success with Roles

Oct 11, 2017 | by Stephen Mowll, Chris Williams |

Point: Success with roles is all in the timing.
Chris Williams, Advisory Solutions Architect, RSA Identity

At its core, role-based access is designed to make access request and approval easier, simplify provisioning, and improve governance and auditing. So why do so many information security teams dread hearing, “We’re starting a role-access project”? All too often, what that sounds like is, “Let’s enter into another year-long effort that we’ll partially implement and overcomplicate, and will eventually lead to a lot of resume-writing.”

Why the disconnect? After all, if we agree that roles are merely coarse-grained entitlement groupings providing a bridge between users and required resources, rendered in consumable business terms to achieve simplification and policy adherence, then it just doesn’t make sense that the effort required would outweigh the benefits.

I’d like to suggest that the problem with many role-based access projects is that people start them after they’ve rolled out governance, access request and provisioning solutions. That’s akin to building a house and then thinking about putting in plumbing. If you assess roles when policies are still being developed, the burden of determining role membership is minimized.

Starting early isn’t the only way to be successful with role projects, and it doesn’t absolutely guarantee success, but it definitely accelerates downstream role adoption and eases ongoing maintenance. Even more important, it allows roles to be a natural extension of policy and compliance, thus creating more secure request-and-provisioning controls.

Counterpoint: It’s not just when to do roles; it’s whether to do them at all.
Steven Mowll, Product Manager, RSA Identity Governance & Lifecycle

Ultimately, roles should make secure access easier to achieve and maintain. If it doesn’t, why use them? Consider a retail environment—anything from financial services to consumer goods or groceries—and think about how the business works in the stores and in the head office. In the stores, you have high staff turnover and a seasonally changing workforce. Meanwhile, in the head office, you need to manage these with a minimum number of people.

Now, think about identity and access management for this type of business model. Stores typically only have a handful of different jobs, all of whom need access. What matters is the ability to easily change access; if a deputy manager phones in sick, for example, it should be fast and easy to give an assistant that role. Or if a new store opens, it should be easy to give access to people who move from other stores. This fits well with a role-based model, which provides the ability to quickly change access based on a relatively simple set of needs.

It’s different in the head office. People within the same team might have different access even if they have the same job title, because they’re doing different tasks. In this dynamic environment, changes in user access aren’t the exception, but the rule. This demands a policy-based approach to dynamically determine the access needed for a particular role—or the potential access needed to make a self-service process as simple as a role-based one.

Conventional wisdom may say you need to figure out everything else before you address roles, or that role-based access is always the best approach to access management. But by thinking beyond conventional wisdom, you can increase your chances of success with roles. Learn more about how RSA identity solutions can help with your next role-based access project.