David Doret (2019) IDM Conference, London, IAM - Getting the basics right - Revisiting Role-Based Access Control (RBAC)
1. IAM: Getting the basics right
David Doret
david.doret@me.com
https://ch.linkedin.com/in/daviddoret
https://twitter.com/daviddoret
Revisiting Role-Based Access Control (RBAC)
IDM Conference - June 2019
5. What is a role?
It is not just a group of users and permissions.
Primarily, it has business meaning.
“(…) security requirements are mostly social requirements rather than technical solutions (…) To understand the problem of security engineering we need to model and analyze organizational settings, in terms of relationships between relevant actors, including the system-to-be. Modeling only digital protection mechanisms is not sufficient. Indeed, several studies have revealed how security is often compromised by exploiting weaknesses at the interface between procedures and policies adopted by an organization and the system that support them (…)”
(Massacci et al. 2007)
Role: a job or function “with some associated semantics
regarding the authority and responsibility conferred on
a member of the role.”
(Ravi Sandhu et al., 2000)
7. Role Engineering
“So role engineering is the application of engineering principles and techniques to create a set of roles that implements a security policy and that is organized into a structure that reflects the nature of the enterprise or organization. The role structure will be optimized for effectiveness and efficiency using engineering principles and techniques.”
(Coyne and Davis 2008)
12. Permission Drift
“If deprovisioning does not occur, it may not affect a user’s productivity, but it results in the user maintaining unnecessary or inappropriate permissions. This phenomenon is referred to as permission drift and results in ‘overentitled’ users.”
Reference: Alan C. O’Connor and Ross J. Loomis (2010)
13. SoD
“(…) the allocation of work so that an employee cannot both perpetrate and conceal errors or fraud in the normal course of performing their duties” (Stone, 2009)
16. Foundational Metric: RBAC Efficiency
• Easy to collect and compute
• If you don’t measure this indicator, you don’t know whether RBAC is implemented or not
• Minimum level to claim RBAC: 80%
• Should reach an optimal plateau

$$\text{RBAC Efficiency} = \frac{access_{\mathit{inherited}}}{access_{\mathit{total}}}$$

[Figure: RBAC Efficiency (0 to 1) plotted against Cost / Time / Effort; the curve follows the law of diminishing returns]
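The SoD definition on slide 13, the RBAC Efficiency metric on slide 16 and the role hierarchies listed on slide 17 all rest on the same computation: resolving each user's effective permissions from roles, inherited roles and direct grants. The Python below is an added example, not code from the talk or from the speaker. It resolves a constructed role hierarchy, computes access_inherited / access_total over (user, permission) pairs, lists the out-of-role grants that hold the ratio down, and checks mutually exclusive permission pairs in Stone's sense (a user who can both perpetrate and conceal). Every role name, permission name, assignment and toxic pair is constructed for illustration; the 80% threshold is the slide's own.

```python
"""Added example: RBAC Efficiency and an SoD check over a constructed RBAC model.

Not part of the talk.  Computes RBAC Efficiency = access_inherited / access_total
over (user, permission) pairs: a pair is "inherited" when the user holds the
permission through a role (assigned, or reached through the role hierarchy),
"direct" when it comes only from an out-of-role grant.  The same resolution
feeds a Segregation-of-Duties check for users holding both halves of a
mutually exclusive pair by any path.  All data below is constructed.
"""
from __future__ import annotations

# ---- Constructed sample data (assumptions, not real data) -------------------
ROLE_PERMS: dict[str, set[str]] = {
    "employee":   {"hr:read-own-payslip", "mail:use"},
    "ap-clerk":   {"ap:create-vendor", "ap:enter-invoice"},
    "ap-manager": {"ap:approve-payment"},
    "dba":        {"db:admin"},
}
# Role hierarchy: child role -> parent roles whose permissions it inherits.
ROLE_PARENTS: dict[str, set[str]] = {
    "ap-clerk":   {"employee"},
    "ap-manager": {"ap-clerk"},   # the manager inherits the clerk's permissions
    "dba":        {"employee"},
}
USER_ROLES: dict[str, set[str]] = {
    "alice": {"ap-clerk"},
    "bob":   {"ap-manager"},
    "carol": {"dba"},
    "dave":  set(),               # no role at all: everything he has is direct
}
# Out-of-role grants made directly on the target systems.
DIRECT_PERMS: dict[str, set[str]] = {
    "alice": {"report:export"},
    "carol": {"ap:enter-invoice", "db:admin"},  # db:admin is also inherited: redundant
    "dave":  {"mail:use", "report:export"},
}
# Mutually exclusive permission pairs (toxic combinations).
SOD_PAIRS: list[tuple[str, str]] = [
    ("ap:create-vendor", "ap:approve-payment"),
    ("ap:enter-invoice", "ap:approve-payment"),
]
RBAC_THRESHOLD = 0.80   # the slide's "minimum level to claim RBAC"


def all_users() -> set[str]:
    return set(USER_ROLES) | set(DIRECT_PERMS)


def expand_roles(roles: set[str], parents: dict[str, set[str]] = ROLE_PARENTS) -> set[str]:
    """Transitive closure over the role hierarchy; tolerates cycles."""
    seen: set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(parents.get(role, set()))
    return seen


def inherited_perms(user: str) -> set[str]:
    """Permissions obtained through roles, including inherited roles."""
    perms: set[str] = set()
    for role in expand_roles(USER_ROLES.get(user, set())):
        perms |= ROLE_PERMS.get(role, set())
    return perms


def effective_perms(user: str) -> set[str]:
    return inherited_perms(user) | DIRECT_PERMS.get(user, set())


def rbac_efficiency() -> float:
    """access_inherited / access_total.  A permission that is both inherited and
    granted directly counts once, as inherited: the direct grant is redundant."""
    inherited = sum(len(inherited_perms(u)) for u in all_users())
    total = sum(len(effective_perms(u)) for u in all_users())
    return inherited / total if total else 0.0


def out_of_role_grants() -> dict[str, set[str]]:
    """Direct grants no role covers: the backlog whose removal lifts the metric."""
    result = {u: DIRECT_PERMS.get(u, set()) - inherited_perms(u) for u in all_users()}
    return {u: perms for u, perms in result.items() if perms}


def sod_violations() -> dict[str, list[tuple[str, str]]]:
    """Users holding both halves of a toxic pair, by any path (role or direct)."""
    found: dict[str, list[tuple[str, str]]] = {}
    for user in sorted(all_users()):
        perms = effective_perms(user)
        hits = [p for p in SOD_PAIRS if p[0] in perms and p[1] in perms]
        if hits:
            found[user] = hits
    return found


if __name__ == "__main__":
    eff = rbac_efficiency()
    verdict = "OK" if eff >= RBAC_THRESHOLD else "below minimum"
    print(f"RBAC efficiency: {eff:.2%} (threshold {RBAC_THRESHOLD:.0%}) -> {verdict}")
    for user, perms in out_of_role_grants().items():
        print(f"  out-of-role grants for {user}: {sorted(perms)}")
    for user, pairs in sod_violations().items():
        print(f"  SoD violation for {user}: {pairs}")
```

On this constructed data the metric comes out at 12/16 = 75%, under the 80% bar, and the out-of-role report names exactly the grants to migrate into roles. The SoD check shows the caveat behind slide 17's "role hierarchies and role transitivity": bob never holds a clerk permission directly, yet he violates both pairs because ap-manager inherits ap-clerk. Inheritance is cheap to administer but composes permissions silently, so SoD must be evaluated on effective permissions after hierarchy expansion, never on assigned roles alone.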
17. There’s much more to it…
• Role explosion.
• When and how to initiate your RBAC program.
• Limitations of RBAC for PAM (Privileged Access Management).
• How RBAC may be complemented with other access control models (e.g. ABAC).
• Role hierarchies and role transitivity.
• Temporary roles (e.g. in projects).
• Temporal and dynamic roles.
• Relationship-based roles.
• Federation and cross organizational roles.
• Standards: OASIS, PERMIS, SAML, XACML, ANSI INCITS 359-2004.
• Roles delegation.
• Role ownership / role stewardship.
19. Bibliography (1/3)
“If I have seen further it is by standing on the shoulders of Giants.” (Isaac Newton, 1676)
• Anderson (1994). Liability and computer security: Nine principles.
• ANSI (2004). ANSI INCITS 359-2004: Role Based Access Control.
• Benantar (2006). Access control systems: security, identity management and trust models.
• Bertino and Takahashi (2011). Identity management: concepts, technologies, and systems.
• Barker, S. (2009). The next 700 access control models or a unifying meta-model.
• Brink (2015). How Managing Privileged Access Reduces the Risk of a Data breach.
• Coyne, E.J. and Davis, J.M. (2008). Role engineering for enterprise security management.
• Coyne, E. and Weil, T.R. (2013). ABAC and RBAC: Scalable, Flexible, and Auditable Access Management.
• Crook et al. (2002). Security requirements engineering: when anti-requirements hit the fan.
• Donaldson et al. (2018). Enterprise Cybersecurity Study Guide.
• Elliott, A.A. and Knight, G.S. (2010). Role Explosion: Acknowledging the Problem, p. 7.
• Ernst & Young (2013). Key considerations for your internal audit plan - Enhancing the risk assessment and addressing emerging risks.
• Feltus, C., Petit, M. and Sloman, M. (2010). Enhancement of Business IT Alignment by Including Responsibility Components in RBAC.
20. Bibliography (2/3)
• Ferraiolo, D.F., Barkley, J.F. and Kuhn, D.R. (1999). A role-based access control model and reference implementation within a corporate intranet.
• Ferraiolo et al. (2007). Role-based access control. 2nd ed.
• Ferraiolo, D., Kuhn, R. and Sandhu, R. (2007). RBAC Standard Rationale: Comments on ‘A Critique of the ANSI Standard on Role-Based Access Control’.
• Gallaher et al. (2002). Planning Report 02-1: The Economic Impact of Role-Based Access Control.
• Gartner (2005). Consider Identity and Access Management as a Process, Not a Technology.
• Gartner (2017). Best Practices for Privileged Access Management.
• Hall et al. (2005). Policies, Models, and Languages for Access Control.
• Herda (1995). Non-repudiation: Constituting evidence and proof in digital cooperation.
• Giorgini, P. et al. (2006). Requirements engineering for trust management: model, methodology, and reasoning.
• Huet (2015). Identity and Access Management - Data modeling.
• Kobelsky, K. (2013). A Conceptual Model for Segregation of Duties: Integrating Theory and Practice for Manual and IT-based Processes. University of Michigan - Dearborn.
• Kobelsky (2014). Enhancing IT Governance With a Simplified Approach to Segregation of Duties.
• Li, N., Bizri, Z. and Tripunitara, M.V. (2007). On Mutually-Exclusive Roles and Separation
21. Bibliography (3/3)
• Massacci et al. (2007). Computer-aided Support for Secure Tropos.
• Moses, S., Rowe, D.C. and Cunha, S.A. (2015). Addressing the Inadequacies of Role Based Access Control (RBAC) Models for Highly Privileged Administrators: Introducing the SNAP Principle for Mitigating Privileged Account Breaches.
• O’Connor and Loomis (2010). 2010 Economic Analysis of Role-Based Access Control - Final Report. NIST.
• Osborn, S., Sandhu, R. and Munawer, Q. (2000). Configuring role-based access control to enforce mandatory and discretionary access control policies.
• Osmanoglu, T.E. (2013). Identity and access management: business performance through connected intelligence.
• Sandhu, R. et al. (1996). Role-Based Access Control Models.
• Sinclair and Smith (2008). Preventative Directions For Insider Threat Mitigation Via Access Control.
• Singleton, T.W. and Singleton, A.J. (2010). Fraud Management.
• Stone, N. (2009). Simplifying Segregation of Duties - A targeted approach not only saves money, but also allows auditors to focus on more high-risk areas. The IIA - Internal Auditor.
• Wisegate (2012). Role Based Access Control: How-to Tips and Lessons Learned from IT Peers.
• Zhang, D. et al. (2014). Efficient Graph Based Approach to Large Scale Role Engineering.
23. Control Depth
You may live a happy life ticking boxes to scratch the surface. But it is much more rewarding to embrace complexity and adopt a risk-based approach.

[Diagram: the layers at which access is controlled, from the business application down] Business App, Report, API, Middleware, Queuing, Web Server, Database, ETL, OS, Hypervisor, UEFI, Out-of-band, PAM, Security Services, Infra Services, AD, LDAP, Kerberos, Radius, Federation Services, Physical Security, SDLC, etc. etc. etc.
24. Foundational Metric: Unauthorization Detection Time
• Easy to collect and compute
• Must be complemented with: # of uncontrolled systems
• More difficult but key enhancement: resolution time instead of detection time
• Auto-reconciliation is your friend

$$\frac{365y + 90q + d}{s}$$

[Figure: average anomaly detection time (in days, 0 to 400) plotted against Cost / Time / Effort; the curve follows the law of diminishing returns]
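The slide's formula leaves y, q, d and s undefined in the extracted text, but the metric itself can be produced directly by the auto-reconciliation the last bullet recommends: compare what the IAM system says each user should hold against what the target systems actually hold, and age every unauthorized grant from the date it appeared. The Python below is an added example, not code from the talk or from the speaker. It performs that three-way reconciliation (inventory, authoritative state, target exports), reports unauthorized grants with their age, missing grants, and the uncontrolled systems the slide says must accompany the metric, and computes the average detection time in days. An undeprovisioned leaver shows up as an unauthorized grant, which is the permission drift of slide 12. All systems, users, entitlements and dates are constructed; resolution time, the slide's suggested enhancement, would additionally need the date each finding was closed, which is not modelled here.

```python
"""Added example: auto-reconciliation and the Unauthorization Detection Time metric.

Not part of the talk.  Compares the entitlements the IAM system authorises
(the expected state) with exports pulled from the target systems and reports:
  * unauthorized grants (present on a target, never authorised) with their age
    in days; their mean is the "average anomaly detection time" of the slide;
  * missing grants (authorised but absent): provisioning failures;
  * uncontrolled systems (in scope, but no export to reconcile), which the
    slide says must accompany the metric: an unreconciled system detects nothing.
All systems, users, entitlements and dates below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    entitlement: str


@dataclass
class ReconciliationResult:
    unauthorized: dict[Grant, int]   # grant -> age in days at the reconciliation run
    missing: set[Grant]              # authorised but not present on the target
    uncontrolled_systems: set[str]   # in inventory, no export to reconcile against


# ---- Constructed inputs (assumptions, not real data) ------------------------
RUN_DATE = date(2019, 6, 3)                      # when the reconciliation runs
SYSTEM_INVENTORY: set[str] = {"erp", "hr-db", "vpn", "legacy-billing"}

# Authoritative state from the IAM system: what each user is entitled to hold.
EXPECTED: set[Grant] = {
    Grant("alice", "erp", "ap-clerk"),
    Grant("bob", "erp", "ap-manager"),
    Grant("bob", "vpn", "remote-access"),
    Grant("carol", "hr-db", "dba"),
    Grant("dave", "vpn", "remote-access"),       # approved, but absent from the vpn export
}

# Exports from the targets: grant -> date it first appeared on the system.
# legacy-billing has no connector, so it yields no export at all.
ACTUAL: dict[str, dict[Grant, date]] = {
    "erp": {
        Grant("alice", "erp", "ap-clerk"): date(2019, 1, 7),
        Grant("bob", "erp", "ap-manager"): date(2019, 1, 7),
        Grant("alice", "erp", "ap-approver"): date(2019, 3, 2),   # granted out of band
        Grant("eve", "erp", "ap-clerk"): date(2018, 11, 30),      # eve left; never deprovisioned
    },
    "vpn": {
        Grant("bob", "vpn", "remote-access"): date(2019, 1, 7),
    },
    "hr-db": {
        Grant("carol", "hr-db", "dba"): date(2019, 1, 7),
        Grant("carol", "hr-db", "hr-read-all"): date(2019, 5, 20),  # granted out of band
    },
}


def reconcile(run_date: date, expected: set[Grant] = EXPECTED,
              actual: dict[str, dict[Grant, date]] = ACTUAL,
              inventory: set[str] = SYSTEM_INVENTORY) -> ReconciliationResult:
    """Three-way comparison of inventory, authoritative state and target exports."""
    controlled = set(actual)
    observed: dict[Grant, date] = {g: seen for rows in actual.values() for g, seen in rows.items()}
    unauthorized = {g: (run_date - seen).days for g, seen in observed.items() if g not in expected}
    # Only systems that delivered an export can be judged for missing grants.
    missing = {g for g in expected if g.system in controlled and g not in observed}
    return ReconciliationResult(unauthorized, missing, inventory - controlled)


def average_detection_days(unauthorized: dict[Grant, int]) -> float:
    """Mean age of the unauthorized grants when the run caught them (0 if none)."""
    return sum(unauthorized.values()) / len(unauthorized) if unauthorized else 0.0


if __name__ == "__main__":
    result = reconcile(RUN_DATE)
    for grant, age in sorted(result.unauthorized.items(), key=lambda kv: -kv[1]):
        print(f"UNAUTHORIZED {grant.system}: {grant.user} holds {grant.entitlement} for {age} days")
    for grant in sorted(result.missing, key=lambda g: (g.system, g.user)):
        print(f"MISSING      {grant.system}: {grant.user} lacks {grant.entitlement}")
    print(f"uncontrolled systems: {sorted(result.uncontrolled_systems)}")
    print(f"average detection time: {average_detection_days(result.unauthorized):.1f} days")
```

Run daily, a reconciliation like this bounds detection time at about one day for every connected system; the metric only degrades on the systems with no export, which is why the count of uncontrolled systems must be reported next to it. On this constructed data the leaver's orphaned account has sat for 185 days and drags the average to roughly 97 days, a reminder that the metric averages over findings and should be read together with the worst case.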
25. Ignorance-by-Design
The Need-to-Know Meme
• Not a principle, sometimes a dogma
• An excellent tool for strictly limited use cases
• Burden of proof inversion
• Inhibits collaboration, innovation
• As a general rule, we want information to flow
• What risk?
• What opportunity cost?
26. The Key is the IAM Team and its Skillset
IAM requires highly specialized skills across multiple disciplines, e.g. role engineering.
Aggressively develop the hell out of your IAM staff!
team by Gwen Stacy, teach by Becris, win by Dev Patel from the Noun Project
27. Are we in love with ignorance?
• 50 years of academic research in ARM/IAM/IAG/etc.
• Piles of cool books, case studies, articles
• Yet people keep on reinventing the wheel
• Hypothesis: the NIH (Not Invented Here) syndrome
https://en.wikipedia.org/wiki/Not_invented_here
• Be lazy and stand on the shoulders of giants