
Role Discovery and RBAC Design
A Case Study with IBM RaPM

Alex Ivkin, Prolifics
Grey Thrasher, IBM
9/17/15

Agenda

Introductions
Role Based Access Control
Reality Check
Process and Technology
Results and Discussion
Q&A

Introductions

Alex Ivkin, CISSP
Practice Director, Security Line of Business, Prolifics

Grey Thrasher
Senior Software Engineer, L2 Technical Team Lead, IBM SWG Client Support Software

Prolifics at a Glance

Who Are We?
A corporate group of 1200 employees worldwide specializing in the expert delivery of end-to-end IBM solutions.
Over 30 years in business, Prolifics is an end-to-end systems integrator specializing in IBM technologies.

Offices: Orlando, New York, San Francisco, Boston, Philadelphia, Washington DC, London, Hamburg
Application Testing: Santa Clara, CA USA
Off-Shore Development Center: Hyderabad, India

Stability, Longevity & Growth

Solution Leadership
Serviced over 1600 IBM software accounts in the past 11 years
Prolifics boasts over 110 Security certifications for architecture, development, administration.
IBM Tivoli AAA Accredited, first for Security worldwide
IBM Cloud Certification, first of 5 partners
Authorized for SVP in 5 industry capabilities, first in Utilities
Also in SOA, Information Management and BPM solutions and appliances for Business Process
Business challenges

Difficulty in the business understanding of security information, causing a rubber-stamp process, or simply too much data to sort through for the business
Challenges in the quarterly attestation cycle
Challenges for supervisory personnel understanding how "least privilege" works in their business unit
Onboarding (new-hire user adds) requests requiring additional time and effort because access requests are submitted on a case-by-case basis using individual forms
Challenges in managing the access of persons who transfer between jobs, creating complex modification requests for access on a case-by-case basis
Risk due to inappropriate access, which could be misuse or simply audit findings; this is due to mirrored access (make John's access look like Mary's) that may grant too much permission, or to job transfers where old access is not removed properly

Role Based Access Control

RBAC is a methodology to align security entitlements to persons through an abstraction of organizational responsibilities using job function and relationship to the organization. The idea is to use roles to represent common access rights for users as sets of privileges on different systems.

Before: direct access assignments today are complex, difficult to track and change when needed.
After: simplify roles and access assignments; ability to handle growth and scale; facilitate accountability and compliance.

Role Based Access Control (RBAC) offers an effective operational model to drive IAM Governance.

Business Benefits of RBAC

Reduce risk by ensuring people are limited to the required access dictated by their job function
Reduce dormant time for new hires during onboarding because their well-defined access can be instantiated automatically
Simplify the attestation and audit process by reviewing privileges that are exceptions to the roles instead of reviewing every entitlement
Increase accuracy in the attestation process due to an easier-to-understand business interface to information security data
Simplify the cross-boarding process and reduce the risk of personnel dragging inappropriate entitlements to their new job function
Address compliance requirements through the inherent linkage to organizational definitions of least privilege and separation of duty

Reality check

How many companies want to do RBAC?
How many companies are doing RBAC?
How many companies successfully completed RBAC in 2011?

Our study showed:
97% of IdM customers in 2011 agreed that Role Based Access Control is a solid approach to tackle problems of compliance and security control
A third has engaged in RBAC design and implementation, internally and externally
Less than a tenth achieved the goals

Why?

Challenges
Time consuming
Correlating massive data
High skill required
Not business-user friendly
Inaccurate results
Requires business change (the 60/40 mix)
Requires proper tooling: an Identity and Access Management platform, a modeling tool, a role life-cycle tool
Requires understanding, communication and motivation
It's a process, not a state

How it is done (the secret recipe)

Strong business processes
Clever technical instrumentation
Effective review procedures
Tight enforcement and integration

(Diagram: IT, Business, Review Process and Integration around RBAC)

Introducing Role and Policy Modeler

(Architecture diagram)
Lines of Business (CIO, CSO, Compliance Officers, Business Owners) contribute: Governance Goals, Scope, Business Policies, Interview data
IT Systems and Application Owners contribute: Resources, Identities, Entitlements, Roles and policies
Modeling tools feed the Role and Policy Modeler, which presents a Business View and a Technical View, built on an extensible data layer, exceptional analytics, an intuitive UI and in-depth reports
Validate: Approvals/certification, Risk Analysis, Collaboration, Compliance Reports
Target systems: ISIM (ITIM), TSPM, Enterprise Systems
Outputs: Role and Policy Templates and Reports for IT Management

The beginning

Sizing
Scoping and size control
Focusing on stable business units: customer service, financial department
Focusing on well understood applications: core business applications
Product targeted at the business analyst
Engaging the sponsors and LoB managers
Involving IT asset custodians
Aggregating existing data

(Phase strip repeated on the following slides: Business View, Role and Policy Modeler, Technical View, Role Lifecycle, Integration)

RaPM: Home Page

Designed for the business analyst
Simple view
Model: projects, role mining/modeling
Reports
Import

Modeling

Top-down: business interviews, existing model. Inputs from CIO, CSO, Compliance Officers, Business Owners: Governance Goals, Scope, Business Policies, Interview data
Bottom-up: data aggregation, system state, existing knowledge. Inputs from IT Systems and Application Owners and from ISIM (ITIM): Resources, Identities, Entitlements, Roles and policies
Both feed the Role and Policy Modeler (Business View and Technical View) through the modeling tools.

RaPM: Model Roles and Policies

Project creation
User selection
Permission selection

RaPM: Generating roles

Artificial intelligence algorithms
Poor performance vs. over-fitting
Analytics
IBM Research
Parameters: hierarchy, ownership, compatibility constraints
Modeling flexibility

RaPM: Role Generation

IBM Research-created algorithms automatically generate roles/hierarchies
Options affect number of roles and depth of hierarchy
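As an added illustration, not IBM's algorithm (the deck does not describe RaPM's internals), here is a minimal bottom-up role-mining pass in Python over a constructed entitlement table: users with identical permission profiles become candidate roles, a profile that is a strict subset of another becomes its parent in the hierarchy, and the `min_members` knob changes how many roles come out, which is the "options affect number of roles and depth" point. The `exceptions` helper then lists what the role model does not explain, which is what an attestation review has to look at instead of every entitlement.

```python
from collections import defaultdict

# Constructed sample (not from the deck): each user's current direct entitlements.
USER_PERMS = {
    "alice": {"vpn", "gl_read", "gl_post"},
    "bob":   {"vpn", "gl_read", "gl_post"},
    "carol": {"vpn", "gl_read"},
    "dave":  {"vpn", "gl_read"},
    "erin":  {"vpn", "crm_admin"},   # unique profile: no role is mined for it
}

def mine_roles(user_perms, min_members=2):
    """Bottom-up role mining by exact-profile clustering.

    Users holding an identical permission set form one candidate role, kept only
    if at least `min_members` users share it (lower threshold: more, narrower roles).
    A role whose full profile is a strict subset of another's becomes that role's
    parent, and the child keeps only the permissions it adds on top.
    """
    profiles = defaultdict(set)
    for user, perms in user_perms.items():
        profiles[frozenset(perms)].add(user)
    ordered = sorted(profiles.items(), key=lambda kv: (len(kv[0]), sorted(kv[0])))
    kept = [(p, m) for p, m in ordered if len(m) >= min_members]
    full = {f"R{i}": set(p) for i, (p, _) in enumerate(kept, 1)}   # full profiles
    roles = {}
    for i, (_, members) in enumerate(kept, 1):
        name = f"R{i}"
        parents = {o for o, op in full.items() if o != name and op < full[name]}
        own = full[name] - set().union(*(full[x] for x in parents))
        roles[name] = {"perms": own, "members": set(members), "parents": parents}
    return roles

def effective_perms(role, roles):
    """Permissions a role grants, including everything inherited from its parents."""
    perms = set(roles[role]["perms"])
    for parent in roles[role]["parents"]:
        perms |= effective_perms(parent, roles)
    return perms

def exceptions(user_perms, roles):
    """Per user, the entitlements that no assigned role explains."""
    out = {}
    for user, perms in user_perms.items():
        covered = set()
        for name, role in roles.items():
            if user in role["members"]:
                covered |= effective_perms(name, roles)
        out[user] = perms - covered
    return out
```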

RBAC Modeling

Combine roles
Split roles
Rules for roles
Role definition processes:
Role management review for HR updates (reorg, new job codes, etc.)
Role review for application changes (new system, retire system, new features)
Iterative approach and instant feedback

Role Quality

RBAC Definition Lifecycle
Role definition iterations: Organizational Role Definition (Business View) to Application Role Definition (System View)
Steps: Examine, Cleanup, Define, Test, Publish
Structured steps of interviews, data gathering, engineering, and tests to produce roles
Empowerment and knowledge transfer

RaPM: Role Analysis

The Analysis Catalog provides different analyses to help determine potential role members/permissions
Ensure membership/permissions are accurate
Ability to view granular user/permission details in analysis results
Analytics engine

Dynamic and Adaptive Access Control

Dynamic role: an RBAC dynamic role can inherit a collection of roles that can relate to a job family, which can be organization-wide, divisional, or location-based, represented by person type.
Static role: a single RBAC statically assigned role can be associated to a specific set of entitlements (permissions), e.g. VPN Access, Access to GL.

RaPM: Membership Qualifier

Configure multiple conditions
Automatically associates users with a role
Use analysis results to help build out qualifiers
Membership view indicates members assigned directly or by qualifier
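An added example, not RaPM's own code or condition syntax: a qualifier modelled as AND-ed (attribute, operator, value) conditions over a constructed identity feed, a membership view that tells direct from qualifier-derived members, and a small analysis helper that proposes single-attribute conditions matching a role's current members exactly. The `PEOPLE` records, role name and operators are assumptions for illustration.

```python
# Constructed identity data (not from the deck): attributes as an IdM feed would hold them.
PEOPLE = {
    "alice": {"dept": "finance", "jobcode": "F100", "location": "NYC"},
    "bob":   {"dept": "finance", "jobcode": "F100", "location": "BOS"},
    "carol": {"dept": "finance", "jobcode": "F200", "location": "NYC"},
    "dave":  {"dept": "sales",   "jobcode": "S100", "location": "NYC"},
}

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, "in": lambda a, b: a in b}

def qualifies(attrs, conditions):
    """A qualifier is a list of (attribute, operator, value) conditions; a person
    matches only when every condition holds (multiple conditions are AND-ed)."""
    return all(OPS[op](attrs.get(attr), value) for attr, op, value in conditions)

def membership_view(role, people):
    """Membership view: who is in the role and whether by direct assignment, by the
    qualifier, or both. Qualifier members drop out automatically once they stop
    matching; direct members stay until someone removes them."""
    view = {}
    for person, attrs in people.items():
        direct = person in role["direct_members"]
        by_q = qualifies(attrs, role["qualifier"])
        if direct or by_q:
            view[person] = "both" if direct and by_q else "direct" if direct else "qualifier"
    return view

def suggest_qualifier(members, people):
    """Analysis helper for building qualifiers: single conditions whose match set is
    exactly the role's current members (neither over- nor under-inclusive)."""
    members = set(members)
    suggestions = []
    attributes = {a for attrs in people.values() for a in attrs}
    for attr in sorted(attributes):
        for value in sorted({people[m][attr] for m in members if attr in people[m]}):
            matched = {p for p, attrs in people.items() if attrs.get(attr) == value}
            if matched == members:
                suggestions.append((attr, "==", value))
    return suggestions

# Constructed role: one direct member plus an attribute-driven qualifier.
FINANCE_USERS = {"direct_members": {"alice"}, "qualifier": [("dept", "==", "finance")]}
```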

Separation of Duties

Separation of duty constraints and policies, both static and dynamic, in a role model
(Diagram of the RBAC model: users, roles, permissions and sessions, with a role hierarchy and SOD constraints)

RaPM: Separation of Duties (SOD)

Alert when users are in a disallowed combination of roles
Indicates SOD configuration problems (inevitable conflicts)
Details users/roles in conflict
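An added example, not RaPM's implementation, of the two checks on this slide over a constructed role model: static SoD constraints in the NIST cardinality form (of a mutually exclusive set, hold at most `max_allowed`), evaluated on the roles a user effectively obtains through the hierarchy. `inevitable_conflicts` finds a role that violates a constraint on its own, which is the configuration problem the slide refers to; `user_conflicts` reports the users and roles in conflict. The role names, hierarchy and constraints are assumptions for illustration.

```python
# Constructed role model (not from the deck). HIERARCHY maps a role to the roles it
# inherits (its parents); CONSTRAINTS are static SoD rules: of the listed roles a
# user may hold at most `max_allowed` at once.
HIERARCHY = {
    "ap_clerk": [],
    "ap_approver": [],
    "ap_manager": ["ap_clerk", "ap_approver"],  # inherits both conflicting roles
    "auditor": [],
}
CONSTRAINTS = [
    ({"ap_clerk", "ap_approver"}, 1),   # creating and approving payments must be separate
    ({"auditor", "ap_manager"}, 1),
]
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk", "ap_approver"},   # direct conflict
    "carol": {"ap_manager"},                # conflict inherited through the hierarchy
    "dave":  {"auditor"},
}

def effective_roles(assigned, hierarchy):
    """Close a set of assigned roles over the hierarchy: every ancestor counts,
    because SoD has to be judged on what the user actually obtains."""
    result, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in result:
            result.add(role)
            stack.extend(hierarchy.get(role, []))
    return result

def violated(roles, constraints):
    """Constraints broken by an effective role set, each with the roles that break it."""
    return [(exclusive, roles & exclusive) for exclusive, max_allowed in constraints
            if len(roles & exclusive) > max_allowed]

def inevitable_conflicts(hierarchy, constraints):
    """Configuration problems: a single role that already violates a constraint by
    itself, so nobody holding it can ever be compliant."""
    found = {r: violated(effective_roles({r}, hierarchy), constraints) for r in hierarchy}
    return {r: v for r, v in found.items() if v}

def user_conflicts(user_roles, hierarchy, constraints):
    """Users in a disallowed combination of roles, with the offending roles listed."""
    found = {u: violated(effective_roles(a, hierarchy), constraints)
             for u, a in user_roles.items()}
    return {u: v for u, v in found.items() if v}
```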

Role-Based Access Control

RBAC Administration Lifecycles
Attestation (tactical)
Request based (mid range)
IdM integrated (strategic)

Triggers: a re-org, new data such as org type, physical location, job title, cost center, or the retirement of any of these; a new application or system, a new group is added, a group or system is consolidated or retired
Roles are analyzed, changes are proposed, and a draft is circulated
Roles are published and ready for use

RaPM: Reports

TCR/Cognos based reports
Operations report
Permissions report
Roles report
User Access report

RaPM: Role Lifecycle Manager

Business Process Manager
Approval request sent to role owner(s)
Attach role reports to the approval request for more details

Real World Role Automation

Data feed into the Role and Policy Modeler, with integration back to the target systems
Automatic permission assignment
Manual permission assignment
Relationship between RBAC and Identity Provisioning: Mature

RaPM: Export Project

Generates XML containing:
Roles
Separation of Duty constraints
User-to-role assignments (optional)
Immediately consumable by the ITIM Load utility

RaPM: ITIM Load

Utility to load exported roles/SODs/user-to-role assignments
Preview option shows the number of:
New or modified roles
Modified hierarchies
New or modified Separation of Duty constraints
User-to-role assignments to be added or deleted

Role and Policy Modeler Highlights

Role management capabilities are integral to Security Identity Manager
Integrated built-in functionality in one package, rather than 2 or 3 from competitors. Costs less than comparable solutions in the market.
Integration and automation provide immediately effective operations

Simple and yet sophisticated role modeling helps accelerate results
Business-user centric Web UI ensures faster adoption and easy deployment. Powerful, built-in analytics guide the role analyst in generating a timely role structure. IBM's solid technology and experience with roles built into a product.

Flexibility to adapt to the client-specific IT processes
Handles scale and large access data sources with a project-based approach. Extensible policy & graphical role model to analyze particular enterprise scenarios. Offers a business process automation platform to quickly get stakeholder validation.

Ability to drive IAM Governance beyond role management
Customers can easily deploy and integrate run-time enforcement (entitlement management) with IBM's Identity and Access Management Governance strategy. Security Intelligence: identity analytics in role modeling provide valuable business insight, helping customers achieve the next level of security alignment with the business.

Summing up

Role Based Access Management improves compliance postures and reduces cost of administration in an evolving IT environment, but there are still challenges achieving this goal.

The traditional solution for role modeling generates results that are obsolete by the time they are ready: face-to-face consultation and data collection, manual data collection, spreadsheet evaluation, face-to-face approvals (reject/certify), written reports, manual enforcement.
ABAC, RuBAC, ZBAC
This is about 60% business process consulting and 40% tool. You need both to be strong to get to the 100%.

RBAC Change Control and Notification Processes

Foundational processes will allow business to keep organizational structure up to date on systems.
Foundational processes will allow business to keep system entitlements clean and up to date.
After foundational processes are implemented, and RBAC is in place, these processes can be leveraged and integrated with RBAC Management Processes.
