Industry View | Role Management and Risk
Role-based access control is nothing new, but Sarbanes-Oxley and other regulations give it new impetus
By Jackie Gilbert
February 13, 2008 — CSO
You may have heard recently that your organization needs a role management solution, most likely from your identity management team, an industry analyst, your external auditor or even all three. Role-based access control (RBAC) is not a new concept for IT security professionals, so you may be wondering “Why all the hoopla?”
The National Institute of Standards and Technology (NIST) formalized the RBAC concept – assigning access privileges in logical groups based on a user’s business role – in the early 1990s. Conceived as a way to simplify and reduce the cost of user administration in complex computing environments, RBAC holds the promise of scalable user management in large enterprise environments, which explains why the idea has persisted over the years.
But the renewed excitement about roles has little to do with administrative efficiency. The new driving force reigniting interest in role management is compliance with government and industry regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley, PCI, and HIPAA. In the world of compliance, effective role management can provide the business context necessary for non-technical personnel to oversee and verify user access policy. Role management helps organizations manage information security risk and ultimately corporate risk in three key areas: accountability, policy alignment and transparency.
Accountability
In the wake of corporate scandals like Enron and the passage of the Sarbanes-Oxley Act, new demands for accountability require organizations to clearly assign responsibility for oversight and governance to the appropriate individuals in authority. From an information technology perspective, this means that the business owners of information (not IT security) are ultimately accountable for issues like fraud prevention and information integrity. These individuals understand the business risks facing the organization and can make the appropriate tradeoffs between business benefits and risk.
The growing involvement of business managers and business process owners in the information security process is elevating the importance of role management. When business managers are required to attest to the correctness of user access to critical business applications and sensitive data in quarterly access reviews, organizations must find ways to bridge the communication gap between business and IT personnel. By translating cryptic, technical access rights into higher-level business context, role management enables business managers to make more accurate decisions about who should have access to what resources. Roles also improve the efficiency of corporate oversight by reducing the number of items under review from dozens of individual access rights to a much smaller number of business roles.
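To make the review-compression point concrete, here is an added example (not from the article) of how a role-based access review turns an account's raw entitlements into a short list a business manager can certify. The role definitions, account and entitlement names are constructed sample data.

```python
"""Collapse an account's raw entitlements into business roles for an access review."""
from typing import Iterable

# Business roles expressed as sets of technical entitlements (constructed sample data).
ROLES = {
    "AP Clerk": {"sap:FB60", "sap:FB65", "share:fin/invoices:read"},
    "AP Supervisor": {"sap:F110", "sap:FBL1N", "share:fin/invoices:write"},
    "HR Analyst": {"workday:view_worker", "workday:edit_comp"},
}


def review_items(assigned_roles: Iterable[str], raw_entitlements: set[str]) -> dict:
    """Build what a business manager certifies for one account.

    roles      - assigned roles, reviewed as one item each instead of
                 entitlement by entitlement
    exceptions - entitlements no assigned role explains (out-of-role access,
                 the items that actually need a decision)
    missing    - entitlements an assigned role grants but the account lacks
                 (provisioning drift between the role and the account)
    """
    covered: set[str] = set()
    roles: list[str] = []
    missing: list[str] = []
    for role in assigned_roles:
        ents = ROLES[role]
        roles.append(role)
        covered |= ents
        missing.extend(sorted(ents - raw_entitlements))
    exceptions = sorted(raw_entitlements - covered)
    return {"roles": roles, "exceptions": exceptions, "missing": missing}


def review_size(assigned_roles: Iterable[str], raw_entitlements: set[str]) -> tuple[int, int]:
    """(items if reviewed entitlement by entitlement, items if reviewed via roles)."""
    r = review_items(assigned_roles, raw_entitlements)
    return len(raw_entitlements), len(r["roles"]) + len(r["exceptions"])


if __name__ == "__main__":
    # Constructed account: an AP clerk who also holds a supervisor-only payment-run
    # transaction; the role-based review surfaces it as a single exception.
    account = ROLES["AP Clerk"] | {"sap:F110"}
    print(review_items(["AP Clerk"], account))
    print(review_size(["AP Clerk"], account))
```

The manager reviews one role plus one exception instead of four entitlements, and the exception is exactly the access that needs a business decision.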
Policy Alignment
Effectively managing business risk related to IT security requires the active participation of business managers in the definition of access policy and controls. Business personnel understand the risks associated with sensitive applications based on asset value, privacy requirements, or potential for fraud or misuse, and they are best equipped to define the control objectives needed to mitigate business risk. But business managers must collaborate with IT personnel to effectively configure user access permissions (access to transactions, programs, tables, documents, etc.) based on business process rules and organizational restrictions.