For information security teams, this has been the year for "getting the house in order" in terms of internal process improvement. For financial services firms, in particular, flat or declining budgets have forced security groups to use this time to tighten processes and gain internal efficiencies.
In our view, the most significant improvements seen among banking and insurance organizations have come in the role-based access control (RBAC) area. In past years, tuning and upgrading the RBAC hardware and software infrastructure is where security teams have found the most improvements across the access control management process. But in 2009 when technology upgrades are unavailable, the art of user role management takes center stage.
"After we put our minds to it, we found we could reduce a lot of complexity and operating cost by trying to get the number of roles we manage as low as possible," said the RBAC director of a large insurance firm in Massachusetts. " With some time to analyze what we were doing this year, we realized we hadn't done the hard work of aligning the roles with the actual work being done, and we ended up with a 'role sprawl' that was costing us far too much to manage."
Like all the security controls required in financial services, RBAC deployments touch virtually all of the high-value people, assets and functions. Financial services firms are unique – the human assets (traders, bankers, salespeople, management) must stay productive, yet also be adequately verified before they gain access to high-value systems. Role sprawl means more unique roles to manage and update, which means more time needed to make routine changes. This then adds to the age-old friction between IT and operating units charged with day-to-day business operations.
"Cleaning up our roles has had two great benefits for our team," said the RBAC director "First, it has engaged us with the operating business in a very credible and meaningful way, which is great for showing the value of controls to the business. Second, it has reduced our operating costs through lower headcount needed to manage the system."
But, he added, "getting the number of unique roles as low as possible, but not too low" is the balancing act most teams are trying to achieve in access control management.
So, how do you know when you have too many roles, and when you've achieved an optimal number? Here are three steps that can help achieve efficient role-based access control.
Step 1: Find common access patterns within operating units. Generally, IT teams let operating units set their own roles based on job titles and functions. There is no incentive to minimize the number of roles, and everyone thinks their access rights should be as unique as the way they do their jobs. You can grab big efficiencies by showing the common access patterns, and urging the unit to standardize their roles. In return, they experience fewer delays as future changes are made.
Step 2: Find common work processes across operating units. With data from Step 1, you can identify common work processes (and access patterns) across units. Collapsing two identical roles used by two operating units into one can lead to dramatic efficiency gains.
Step 3: Consider a service model. Every organization has one or two operating units that require the majority of attention from information security. Employing a service model where each unit is charged for the RBAC services, perhaps by the number of roles managed (or changed) over time, affords economy of scale and opportunity to allocate costs according to usage.
The key metric emerging within financial services is the number of roles managed per thousand employees in the organization. However, it's too early to publish reliable benchmarks and each enterprise is unique in how it organizes itself. Nevertheless, if you are like most of your peers, role reduction can provide numerous benefits.
About the author:
Jack Phillips, co-founder and CEO, of IANS. IANS assists executives and senior level IT security and risk professionals in making better, faster managerial and technical decisions. IANS serves clients - Fortune 1000, government agencies, and academic institutions - through a "bottom-up" research methodology that capitalizes on IANS world-class faculty members, experts, and closed community of practitioners. Follow IANS Security on Twitter or visit the company's blog