Role Explosion: The Unintended Consequence of RBACOren Harel August 21, 2017
Until quite recently, access control in large enterprises has been predominantly managed with “Role-based Access Control”, or RBAC, a policy neutral access control mechanism defined around roles and privileges, sometimes referred to as role-based security.
The Proliferation of Roles
Under RBAC model, each role is associated with permissions related to the various job functions and responsibilities. Managing these roles, users and their interrelationships is a formidable task that requires continuous maintenance and management of hundreds or thousands of roles across multiple applications. Enterprises that use RBAC’s static role-based model are now experiencing role explosion. This results in difficulty scaling to meet the complex access control requirements associated with today’s dynamic workforce and strict security regulations.
Causes of Role Explosion Challenge
If one employee requires access to ten applications or services with two roles per application, the number of roles being managed for this single employee is twenty. As the number of applications and systems used in enterprises grows across the organization the number of roles can reach hundreds or thousands.
High employee turnover and contracting with other organizations also encourages role explosion. We’re in a fast moving, global world. Enterprises can hire short and long-term contractors or quickly partner with companies across the globe. In turn, to secure shared information using the RBAC model, roles need to be assigned. Depending upon the industry’s regulatory requirements, and those agreed to between the contractors, it’s likely you’ll need to create new roles.
The Consequences of Role Explosion
Reviewing each privilege for every user carries with it extremely large operational costs. Due to the complexity and the extent of the task, compliance and security risks are also greatly increased. When it comes to compliance audits and recertifications, the RBAC model is ineffective and costly, and the difficulty managing thousands of access rights across organization can let insider creep in, leading to unauthorized access to valuable data.
The role explosion makes access management utilizing RBAC model highly complex – thus the term “access management” in relation to RBAC becomes an oxymoron.
Role explosion plagues most IDM projects. Although, RBAC provides a solid foundation for managing information security, the model is not scalable, static models like RBAC cannot be used to efficiently address the ever increasing number of roles.
As the number of connected systems and services grow, the number of roles rapidly increases and difficult problem of managing thousands of employees is transformed to an even more difficult problem of managing a thousands of roles.
Risk and Compliance
Nearly every company, and especially those in highly regulated industries, must perform a periodic review and regular recertification of user access rights. In many situations, each employee’s digital identity under audit could have tens or hundreds of roles and individual access rights that have to be reviewed and updated at each audit.
Security fatigue (e.g. layers of logins, passwords, and other knowledge based access), the various security requirements that need to be followed (regulatory compliance, intellectual property laws, consumer privacy initiatives), and the ever expanding roles in an RBAC framework create a porous system.
Though a majority of cyber-attack threats are still enacted by external hackers, there is a clear pattern of either negligence on the part of employees or intentional internal violation of access management permissions. While the RBAC system is widely used to help prevent data breach mishaps – whether intentional or not – there is a problematic issue with its framework. This is evident by the fact that 60% of insider data breaches occur due to intended theft. Roles and their attached permissions are still being abused. And attempts to detect the probability of an insider based data security breach are weakened as roles are added.
Essentially, RBAC isn’t fully functioning as intended. Notwithstanding the danger or insider creep, managing tens of thousands of roles across organizations is not effective. The Era of Big Data and the Internet of Things requires either a reworking of RBAC or the creation of a new access management model. What can you do to potentially overcome the challenge? We’ll discuss solutions for CISOs in an upcoming blog.