One of the biggest challenges facing organisations today, and especially large corporates, is the effective management of user access to sensitive applications and data. According to Gary Lawrence, MD of CA Southern Africa, governance and compliance mandates are further driving the importance of user access control.
The problem, however, is that organisations often implement Identity and Access Management (IAM) systems without due consideration of roles. To minimise deployment effort or to avoid project scope creep, role definition is often not considered part of the initial project. In addition, according to Lawrence, businesses frequently don’t invest enough time to define roles in sufficient detail; instead defining high-level roles that do not reflect actual organisational job functions. Permissions mapped to high-level roles are usually generic in nature.
The result of this ad hoc process is that job- and function-specific permissions must be managed manually, outside the IAM system, so the IAM system often fails to deliver the expected business value, such as compliance adherence and reduced entitlement management costs.
“Role-based Access Control (RBAC) is becoming the norm for managing entitlements within commercial systems and applications. RBAC can play a significant role in establishing a model for enforcing security within organisations. It simplifies entitlement management by using roles (as opposed to users) as authorisation subjects. A holistic approach to role definition can help alleviate certification-related regulatory compliance challenges, and should be considered an integral part of any IAM initiative,” Lawrence says.
It is Lawrence’s experience that, in practice, role management can be a thorny road, especially at enterprise level. He says many businesses find it difficult to package their unique business requirements into a standardised role model, and those that attempt to do so frequently never make it past the role definition phase.
“Role management is a means to an end, so I believe it’s important to begin with the end in mind. All project stakeholders should agree on business goals up front. If operational efficiency is your primary goal, then you should target those systems and applications with the highest number of users and with the highest number of changes. When governance and compliance are the primary drivers, organisations should focus on the applications and data that are the focal point of security and privacy mandates, like financial systems and systems that store sensitive data.”
In conclusion, Lawrence says maintaining a role model over time can be as challenging as creating the model in the first place. Whatever the scope of the project, it is critically important to review the accuracy of roles on a periodic basis so that you have a process to refine and adapt roles as the business changes.
“At CA Southern Africa, we believe the right approach to role management is a pragmatic one. Success stories come from those companies that set achievable goals and define a step-wise path to reach those goals. In addition, demonstrating incremental progress in weeks instead of months helps to ensure that both business and IT users embrace the changes that are required and carry these forward.”
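To make the two points above concrete, here is an added example (not code from the article or from CA) of a minimal role model in which roles, not users, are the authorisation subjects, together with the periodic review the article recommends: it flags entitlements granted to users directly outside any role, roles nobody holds, and role assignments that point at roles no longer defined. The role names, permissions and users are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class RoleModel:
    role_perms: dict[str, set[str]]           # role -> permissions it carries
    user_roles: dict[str, set[str]]           # user -> roles assigned
    # Permissions granted to a user by hand, outside the role model
    # (the manual, out-of-IAM management the article warns about).
    direct_grants: dict[str, set[str]] = field(default_factory=dict)

    def permissions_for(self, user: str) -> set[str]:
        perms: set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_perms.get(role, set())
        return perms

    def is_authorised(self, user: str, permission: str) -> bool:
        # Only role-derived permissions count; direct grants are drift.
        return permission in self.permissions_for(user)

    def review(self) -> list[str]:
        findings: list[str] = []
        # 1. Entitlements held outside the role model
        for user, perms in sorted(self.direct_grants.items()):
            outside = perms - self.permissions_for(user)
            if outside:
                findings.append(f"direct-grant: {user} holds {sorted(outside)} outside any role")
        # 2. Roles that no user holds (candidates for retirement)
        held = set().union(*self.user_roles.values()) if self.user_roles else set()
        for role in sorted(set(self.role_perms) - held):
            findings.append(f"unused-role: {role}")
        # 3. Assignments to roles that no longer exist
        for user, roles in sorted(self.user_roles.items()):
            for role in sorted(roles - set(self.role_perms)):
                findings.append(f"dangling-role: {user} -> {role}")
        return findings

# Constructed sample data for a hypothetical accounts-payable system.
MODEL = RoleModel(
    role_perms={"ap_clerk": {"ledger:read", "invoice:create"},
                "ap_manager": {"ledger:read", "invoice:approve"},
                "auditor": {"ledger:read"}},
    user_roles={"alice": {"ap_clerk"}, "bob": {"ap_manager"},
                "carol": {"ap_clerk", "legacy_role"}},
    direct_grants={"alice": {"invoice:approve"}, "bob": {"ledger:read"}},
)

if __name__ == "__main__":
    for finding in MODEL.review():
        print(finding)
```

Running the review periodically, as the article advises, turns role drift into a short list of actionable findings rather than a surprise at certification time.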