Many vendors promise that they have the best tool that will perform role mining and consolidation and fix all that is wrong with your RBAC approach. I think this pitch is akin to Sylvester McMonkey McBean's promise to the Sneetches in the Dr. Seuss classic: each role now has a star on thars! For those unfamiliar with The Sneetches by Dr. Seuss, Mr. McBean makes a tidy profit putting stars on Sneetches and taking them off again as the perception of whether the star is good waxes and wanes. Enterprises often trade in their inefficient RBAC models for a newer model that, like a new automobile, starts to depreciate quickly. A couple of years later, they are back at McMonkey McBean's table.
One of the tools a recent client was considering was an older identity analytics product that featured the ability to generate a confusion matrix as part of its role consolidation. I found that feature rather appropriate for the output of this particular McMonkey McBean Role Machine: rather than visualizing the performance of the algorithm, it should be used to measure the business's reaction. As Alessandro Colantonio writes, "Automatically elicited roles often have no connection to business practice." Role mining is as much art as it is technology, and crafting a role model that works for the business requires iteration, buy-in, flexibility and visualization.
The assertion that a tool can spit out a new role model that can be put into practice and maintained over time is a fallacy. Companies are trying to address the symptoms (too many roles, hard-to-understand entitlements) rather than the root cause, which I think is primarily that RBAC cannot properly model access beyond the most rudimentary scenarios without running into a role permutation problem.
Context-driven and attribute-based access control (ABAC) models, used in conjunction with RBAC, offer a modern approach that can limit role explosion and remove the need to restructure your role and entitlement model frequently. A simple example from a recent client: they would model seniority as separate roles, Analyst and Senior Analyst, for instance, with the Senior Analyst holding additional entitlements. Seniority is contextual, as it can be based not just on years of experience in an area but on the amount of training and how recently that training was completed. A policy model that uses one logical role (Analyst), with the delta set of entitlements driven by a policy governed by data in the LMS (training) systems, for example, would be a more dynamic model that reduces the number of roles being managed.
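To make the single-logical-role idea concrete, here is an added example in Python (not code from this post, the client, or any vendor's product): the Analyst role carries a fixed baseline, and the "Senior Analyst" delta is recomputed on each evaluation from LMS training records and years in the area. All course codes, entitlement names, thresholds and sample identities are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed baseline: every holder of the logical "Analyst" role gets these.
ROLE_ENTITLEMENTS = {"Analyst": {"read_reports", "run_queries"}}

# Constructed delta policies: extra entitlements granted by attributes pulled
# from the LMS (course completion and its recency) and HR (years in the area),
# instead of a second "Senior Analyst" role.
DELTA_POLICIES = [
    {"grants": {"approve_reports"}, "course": "SEC-201",
     "max_age_days": 365, "min_years": 3},
    {"grants": {"export_pii"}, "course": "PRIV-110",
     "max_age_days": 180, "min_years": 0},
]


def training_is_current(records, course, max_age_days, today):
    """True if `course` was completed within `max_age_days` before `today`."""
    cutoff = today - timedelta(days=max_age_days)
    return any(r["course"] == course and r["completed"] >= cutoff
               for r in records)


def effective_entitlements(user, today):
    """Role baseline plus each delta whose attribute conditions hold today."""
    # Recomputed per evaluation: lapsed training withdraws the extra
    # entitlement by itself; nothing has to be removed from a role by hand.
    granted = set(ROLE_ENTITLEMENTS.get(user["role"], set()))
    for rule in DELTA_POLICIES:
        if user["years_in_area"] < rule["min_years"]:
            continue
        if training_is_current(user["training"], rule["course"],
                               rule["max_age_days"], today):
            granted |= rule["grants"]
    return granted


# Constructed sample identities (not real people or real course codes).
SENIOR = {"role": "Analyst", "years_in_area": 5, "training": [
    {"course": "SEC-201", "completed": date(2024, 3, 1)},
    {"course": "PRIV-110", "completed": date(2023, 1, 10)},  # stale
]}
JUNIOR = {"role": "Analyst", "years_in_area": 1, "training": [
    {"course": "SEC-201", "completed": date(2024, 3, 1)},
    {"course": "PRIV-110", "completed": date(2024, 7, 1)},
]}

if __name__ == "__main__":
    asof = date(2024, 9, 1)
    for name, u in (("senior", SENIOR), ("junior", JUNIOR)):
        print(name, sorted(effective_entitlements(u, asof)))
```

Evaluating the same senior identity a year later, with no training refreshed, yields only the baseline, which is the "delta driven by policy" behaviour that a static Senior Analyst role cannot give you.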
Security administrators understand granting access to someone by putting them in an Active Directory group. However, until executives realize they are in a spiral of filling McMonkey McBean's coffers and invest in the software and experience needed for proper policy modeling, they will continue to re-learn the lesson that the Sneetches unfortunately did not.