SECURITY ARCHITECTURE INSIDER

How to streamline role-based access control


Jack Phillips, Contributor
09.03.2009

For information security teams, this has been the year for "getting the house in order" in terms of internal process improvement. For financial services firms, in particular, flat or declining budgets have forced security groups to use this time to tighten processes and gain internal efficiencies.

In our view, the most significant improvements seen among banking and insurance organizations have come in the role-based access control (RBAC) area. In past years, tuning and upgrading the RBAC hardware and software infrastructure was where security teams found the most improvement across the access control management process. But in 2009, when technology upgrades are unavailable, the art of user role management takes center stage.

"After we put our minds to it, we found we could reduce a lot of complexity and operating cost by trying to get the number of roles we manage as low as possible," said the RBAC director of a large insurance firm in Massachusetts. "With some time to analyze what we were doing this year, we realized we hadn't done the hard work of aligning the roles with the actual work being done, and we ended up with a 'role sprawl' that was costing us far too much to manage."

Like all the security controls required in financial services, RBAC deployments touch virtually all of the high-value people, assets and functions. Financial services firms are unique – the human assets (traders, bankers, salespeople, management) must stay productive, yet also be adequately verified before they gain access to high-value systems. Role sprawl means more unique roles to manage and update, which means more time needed to make routine changes. This then adds to the age-old friction between IT and operating units charged with day-to-day business operations.

"Cleaning up our roles has had two great benefits for our team," said the RBAC director. "First, it has engaged us with the operating business in a very credible and meaningful way, which is great for showing the value of controls to the business. Second, it has reduced our operating costs through lower headcount needed to manage the system."

But, he added, "getting the number of unique roles as low as possible, but not too low" is the balancing act most teams are trying to achieve in access control management.

So, how do you know when you have too many roles, and when you've achieved an optimal number? Here are three steps that can help achieve efficient role-based access control.

Step 1: Find common access patterns within operating units. Generally, IT teams let operating units set their own roles based on job titles and functions. There is no incentive to minimize the number of roles, and everyone thinks their access rights should be as unique as the way they do their jobs. You can grab big efficiencies by showing the common access patterns, and urging the unit to standardize their roles. In return, they experience fewer delays as future changes are made.

Step 2: Find common work processes across operating units. With data from Step 1, you can identify common work processes (and access patterns) across units. Collapsing two identical roles used by two operating units into one can lead to dramatic efficiency gains.

Step 3: Consider a service model. Every organization has one or two operating units that require the majority of attention from information security. Employing a service model where each unit is charged for the RBAC services, perhaps by the number of roles managed (or changed) over time, affords economy of scale and opportunity to allocate costs according to usage.

The key metric emerging within financial services is the number of roles managed per thousand employees in the organization. However, it's too early to publish reliable benchmarks and each enterprise is unique in how it organizes itself. Nevertheless, if you are like most of your peers, role reduction can provide numerous benefits.
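The three steps above and the roles-per-thousand-employees metric, worked through as an added example that is not part of the article or of IANS' work: a small Python role-mining pass over a constructed user export (every unit, role and permission name in it is invented). It groups each unit's roles by their exact entitlement set (Step 1), finds identical sets used under different names in more than one unit (Step 2), counts roles and users per unit after consolidation for a usage-based chargeback model (Step 3), and reports roles per thousand employees before and after. It merges only exact matches: a role whose entitlements are a strict subset of another's is listed for human review rather than merged, because folding it into the larger role would grant its members access they do not have today, which is the "not too low" side of the balancing act.

```python
from collections import defaultdict

# Constructed sample export from an identity store: (operating unit, role the
# unit assigns today, effective entitlements that role grants). Every unit,
# role and permission name is invented for this example.
SAMPLE_USERS = [
    ("equities", "trader_l1", {"oms:read", "oms:trade", "risk:read"}),
    ("equities", "trader_l1", {"oms:read", "oms:trade", "risk:read"}),
    ("equities", "trader_l2", {"oms:read", "oms:trade", "risk:read"}),
    ("equities", "senior_trader", {"oms:read", "oms:trade", "risk:read"}),
    ("equities", "desk_head", {"oms:read", "oms:trade", "risk:read", "risk:approve"}),
    ("fixed_income", "fi_trader", {"oms:read", "oms:trade", "risk:read"}),
    ("fixed_income", "fi_trader", {"oms:read", "oms:trade", "risk:read"}),
    ("fixed_income", "fi_analyst", {"oms:read", "risk:read", "research:read"}),
    ("operations", "settlements", {"oms:read", "settle:post"}),
    ("operations", "settlements_sr", {"oms:read", "settle:post", "settle:approve"}),
]

def build_roles(users):
    """Map (unit, role) -> frozenset of entitlements, plus member headcount.
    A role name seen with two different entitlement sets is a data-quality
    finding in its own right, so it is rejected rather than silently merged."""
    roles, headcount = {}, defaultdict(int)
    for unit, role, ents in users:
        key, ents = (unit, role), frozenset(ents)
        if roles.setdefault(key, ents) != ents:
            raise ValueError(f"inconsistent entitlements for {key}")
        headcount[key] += 1
    return roles, headcount

def access_patterns_within_unit(roles):
    """Step 1: per unit, group the unit's roles by identical entitlement set."""
    patterns = defaultdict(lambda: defaultdict(list))
    for (unit, role), ents in roles.items():
        patterns[unit][ents].append(role)
    return {u: {e: sorted(r) for e, r in p.items()} for u, p in patterns.items()}

def shared_patterns_across_units(roles):
    """Step 2: entitlement sets used under different names in more than one unit."""
    by_ents = defaultdict(list)
    for key, ents in roles.items():
        by_ents[ents].append(key)
    return {e: sorted(k) for e, k in by_ents.items() if len({u for u, _ in k}) > 1}

def consolidate(roles):
    """Map each (unit, role) to one enterprise role per distinct entitlement set.
    Only exact matches are merged: folding a role into a superset role would
    grant its members permissions they do not hold today."""
    canonical, mapping = {}, {}
    for key in sorted(roles):
        ents = roles[key]
        canonical.setdefault(ents, f"ROLE-{len(canonical) + 1:03d}")
        mapping[key] = canonical[ents]
    return mapping

def near_duplicates(roles):
    """Pairs where one role's entitlements are a strict subset of another's:
    review candidates, not automatic merges. Each is reported with the
    extra entitlements the narrower role's members would gain."""
    keys = sorted(roles)
    return [(a, b, sorted(roles[b] - roles[a]))
            for a in keys for b in keys if a != b and roles[a] < roles[b]]

def chargeback(mapping, headcount):
    """Step 3: roles and users per unit after consolidation, for usage-based
    cost allocation. A shared enterprise role is billed to every unit using it."""
    per_unit = defaultdict(lambda: {"roles": set(), "users": 0})
    for key, ent_role in mapping.items():
        per_unit[key[0]]["roles"].add(ent_role)
        per_unit[key[0]]["users"] += headcount[key]
    return {u: {"roles": len(v["roles"]), "users": v["users"]} for u, v in per_unit.items()}

def roles_per_thousand(role_count, employees):
    """Roles managed per 1,000 employees, the metric the article mentions."""
    return role_count * 1000.0 / employees

def report(users=SAMPLE_USERS):
    """Before/after summary of one role-reduction pass over a user export."""
    roles, headcount = build_roles(users)
    mapping = consolidate(roles)
    before, after, staff = len(roles), len(set(mapping.values())), len(users)
    return {
        "roles_before": before,
        "roles_after": after,
        "per_thousand_before": roles_per_thousand(before, staff),
        "per_thousand_after": roles_per_thousand(after, staff),
        "shared_across_units": len(shared_patterns_across_units(roles)),
        "needs_review": len(near_duplicates(roles)),
        "chargeback": chargeback(mapping, headcount),
    }

if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

On the constructed sample the pass takes eight unit-defined roles down to five enterprise roles, flags one entitlement set shared under three different names within the equities desk and a fourth name in fixed income, and leaves the two "senior" roles alone because they carry approval rights their junior counterparts do not. In a real deployment the input would be the effective entitlements resolved from the identity store, not the role labels, since it is the label sprawl that hides the common patterns in the first place.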

About the author:
Jack Phillips is co-founder and CEO of IANS. IANS assists executives and senior-level IT security and risk professionals in making better, faster managerial and technical decisions. IANS serves clients (Fortune 1000 companies, government agencies and academic institutions) through a "bottom-up" research methodology that capitalizes on IANS' world-class faculty members, experts and closed community of practitioners. Follow IANS Security on Twitter or visit the company's blog.

Copyright 2008 - 2009, TechTarget