Wednesday, July 27, 2016

Sylvester McMonkey McBean's Role Mining Machine



Many vendors promise that they have the best tool that will perform role mining, consolidation, and will fix all that is wrong with your RBAC approach.  I think this pitch is akin to Sylvester McMonkey McBean’s promise to the Sneetches in the Dr. Seuss classic:


Each role now has a star on thar’s!  For those unfamiliar with The Sneetches by Dr. Suess, Messrs. McBean makes a tidy profit taking stars on and off Sneetches as perception of whether the star is good waxes and wanes.   Enterprises often trade in their inefficient RBAC models for a newer model that, like a new automobile, starts to deprecate quickly.  A couple of years later, they are back at McMonkey McBean’s table.  

One of the tools a recent client was considering was an Older Identity Analytics product that featured the ability to generate a confusion matrix as part of its role consolidation.  I found that feature rather appropriate for the output of this particular McMonkey McBean Role Machine.  Rather than getting visualization of the performance of the algorithm, it should be used to measure the business’ reaction:


As Alessandro Colantonio writes, “Automatically elicited roles often have no connection to business practice.”    Role mining is as much art as it is tech, and crafting a role model that works for the business requires iteration, buy-in, flexibility and visualization.  The assertion that a tool can spit out a new role model that can be put into practice and maintained over time is a fallacy.  Companies are trying to address the symptoms (too many roles, hard-to-understand entitlements), rather than the root causes, which I think is primarily that RBAC cannot properly model access without a role permutation problem beyond the most rudimentary scenarios.

Context-driven and attribute based (ABAC) models, in conjunction with RBAC, offer a modern approach that can limit role explosion and prevent the need to restructure your role and entitlement model frequently.  A simple example from a recent client is that they would model seniority as separate roles, Analyst and Senior Analyst, for instance.  The Senior Analyst would have additional entitlements.  Seniority is contextual, as it could be based upon not just years of experience in an area, but the amount of training and how recent that training was conducted.  A policy model that leverages the one logical role (Analyst) with the delta set of entitlements driven by policy governed by the data in LMS (training) systems for example, would be a more dynamic policy model that would reduce the number of roles being managed.

Security Administrators understand giving access to someone by putting them in an Active Directory group.  However, until the Executives realize they are in a spiral of filling McMonkey McBean’s coffers, invests in the software and experience for proper policy modeling, they will continue to re-learn the lesson that the Sneetches unfortunately did not.

No comments: