Role Discovery and RBAC Design: A Case Study with IBM RaPM. Alex Ivkin, Prolifics; Grey Thrasher, IBM. 4/25/22

Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler


DESCRIPTION

IBM Pulse 2012 presentation by Alex Ivkin (Prolifics) and Grey Thrasher (IBM). Synthesizing the business view of IT resources with the technical implementation of Role Based Access Control remains one of the toughest challenges in Identity Management today. We will walk through a real-world use case to understand how organizations can use the new IBM Role and Policy Modeler (RaPM) tool to discover essential business relationships and map them to IT access permissions, creating the schema for a comprehensive RBAC system. We will explain how the design criteria provided by RaPM have enabled the foundation of a comprehensive Identity and Role Lifecycle Management structure. The follow-on implementation of an RBAC system in the identity provisioning platform, IBM Tivoli Identity Manager, will be explored, as well as how this organization is automating access privileges, simplifying internal security controls and reducing the complexity of audit and compliance enforcement.


Page 1: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Role Discovery and RBAC Design
A Case Study with IBM RaPM

Alex Ivkin, Prolifics
Grey Thrasher, IBM

April 10, 2023

Page 2: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Agenda

Introductions

Role Based Access Control

Reality Check

Process and Technology

Results and Discussion

Q&A

Alex Ivkin, CISSP
Practice Director, Security Line of Business, Prolifics

Grey Thrasher
Senior Software Engineer, L2 Technical Team Lead
IBM SWG Client Support, Software

Page 3: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

[Chart: Prolifics gross revenue (millions), 2004 to 2011, y-axis $0 to $70]

Prolifics at a Glance

Who Are We?

A corporate group of 1200 employees worldwide specializing in the expert delivery of end-to-end IBM solutions

Over 30 years in business, Prolifics is an end-to-end systems integrator specializing in IBM technologies

Offices: New York, Boston, Philadelphia, Washington DC, Orlando, San Francisco, London, Hamburg
Off-Shore Development Center: Hyderabad, India
Application Testing: Santa Clara, CA USA

Solution Leadership

Serviced over 1600 IBM software accounts in the past 11 years

Prolifics holds over 110 security certifications for architecture, development and administration

IBM Tivoli "AAA Accredited": first for Security worldwide

IBM Cloud Certification: first of 5 partners

Authorized for SVP in 5 industry capabilities: first in Utilities

Also in SOA, Information Management and BPM solutions and appliances for Business Process Management and Integration

Stability, Longevity & Growth

Page 4: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Business challenges

• Difficulty in the business's understanding of security information, causing a rubber-stamp process, or simply too much data for the business to sort through

• Challenges in the quarterly attestation cycle

• Challenges for supervisory personnel in understanding how "least privilege" works in their business unit

• Onboarding (new-hire user add) requests require additional time and effort because access requests are submitted case by case using individual forms

• Challenges in managing the access of persons who transfer between jobs, creating complex case-by-case modification requests

• Risk due to inappropriate access, whether misuse or simply audit findings: this comes from mirrored access ("make John's access look like Mary's") that may grant too much permission, or from job transfers where old access is not removed properly

Page 5: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Role Based Access Control

• RBAC is a methodology for aligning security entitlements to persons through an abstraction of organizational responsibilities, using job function and relationship to the organization. The idea is to use roles to represent common access rights for users as sets of privileges on different systems.

[Diagram: Before vs. After]

Role Based Access Control (RBAC) offers an effective operational model to drive IAM governance:

• Simplify roles and access assignments
• Ability to handle growth and scale
• Facilitate accountability and compliance

Direct access assignments today are complex, and difficult to track and change when needed.

Page 6: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Business Benefits of RBAC

• Reduce risk by ensuring people are limited to the access required by their job function

• Reduce dormant time for new hires during onboarding, because their well-defined access can be instantiated automatically

• Simplify the attestation and audit process by reviewing privileges that are exceptions to the roles instead of reviewing every entitlement

• Increase accuracy in the attestation process through an easier-to-understand business interface to information security data

• Simplify the cross-boarding (job transfer) process and reduce the risk of personnel dragging inappropriate entitlements to their new job function

• Address compliance requirements through the inherent linkage to organizational definitions of least privilege and separation of duty

Page 7: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Reality check

How many companies want to do RBAC? How many companies are doing RBAC? How many companies successfully completed RBAC in 2011?

Our study showed:

97% of IdM customers in 2011 agreed that Role Based Access Control is a solid approach to tackling problems of compliance and security control

A third have engaged in RBAC design and implementation, internally and externally

Less than a tenth achieved the goals

Why?

Page 8: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Challenges

Time consuming: correlating massive data

High skill required: not business-user friendly

Inaccurate results

Requires business change (the 60/40 mix)

Requires proper tooling: identity and access management platform, modeling tool, role life-cycle tool

Requires understanding, communication and motivation

It's a process, not a state

Page 9: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

How it is done (the secret recipe)

Strong business processes, clever technical instrumentation, effective review procedures, tight enforcement and integration

[Diagram: RBAC at the center of Business, IT, Review Process and Integration]

Page 10: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Introducing Role and Policy Modeler

[Diagram: the Business View and the Technical View feed Role and Policy Modeler, which validates against ISIM (ITIM) and deploys to ISIM (ITIM), TSPM and enterprise systems]

Business view (CIO, CSO, Compliance Officers, Business Owners; Lines of Business): governance goals, scope, business policies, interview data, approvals/certification, risk analysis, collaboration, compliance reports

Technical view (IT Management; IT Systems and Applications Owners): resources, identities, entitlements, roles and policies; modeling tools, role and policy templates, reports

Role and Policy Modeler: in-depth reports, intuitive UI, extensible data layer, exceptional analytics

Page 11: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Integration

The beginning

Sizing: scoping and size control

Focusing on stable business units: customer service, financial department

Focusing on well understood applications: core business applications

Product targeted at the business analyst: engaging the sponsors and LoB managers, involving IT asset custodians

Aggregating existing data: Business View and Technical View

Page 12: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RaPM: Home Page

Designed for the business analyst

Simple view model: Projects, Role Mining/Modeling, Reports, Import

[RaPM screenshot]

Page 13: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Modeling

Top-down: business interviews, existing model

Bottom-up: data aggregation, system state, existing knowledge

[Diagram: Business View (CIO, CSO, Compliance Officers, Business Owners: governance goals, scope, business policies, interview data) and Technical View (IT Systems and Applications Owners: resources, identities, entitlements, roles and policies; modeling tools) feeding Role and Policy Modeler and ISIM (ITIM), as on slide 10]

Page 14: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RaPM: Model Roles and Policies Project Creation

User selection, permission selection

[RaPM screenshot]

Page 15: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RaPM: Generating roles

Artificial intelligence algorithms (analytics from IBM Research): poor performance vs over-fitting

Parameters: hierarchy, ownership, compatibility constraints

Modeling flexibility

Page 16: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RaPM: Role Generation

IBM Research-created algorithms automatically generate roles and hierarchies; options affect the number of roles and the depth of the hierarchy

[RaPM screenshot]
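The slide names only the knobs (role count, hierarchy depth). What follows is an added example written for this page, not the IBM Research algorithm or any RaPM code: a small bottom-up miner that collapses users with identical access into candidate roles, factors permission sets shared by several roles into junior roles, and then checks that the model reproduces every user's access exactly, the accuracy check a role analyst wants before anything is loaded into a provisioning system. The parameter names (min_shared, min_users, max_depth), the role names and the SAMPLE matrix are assumptions.

```python
"""Bottom-up role mining over a user-to-permission matrix.

Added example of the idea on the slide (roles generated from aggregated
access data, with options that trade role count and hierarchy depth against
fit). A simple intersection-based heuristic written for this page, not the
IBM Research algorithm RaPM ships; SAMPLE is a constructed matrix.
"""
from collections import defaultdict
from itertools import combinations

SAMPLE = {  # constructed: user -> permissions currently held on target systems
    "u1": {"vpn", "email", "erp.ap.create", "erp.ap.view"},
    "u2": {"vpn", "email", "erp.ap.create", "erp.ap.view"},
    "u3": {"vpn", "email", "erp.ap.approve", "erp.ap.view"},
    "u4": {"vpn", "email", "erp.ap.approve", "erp.ap.view"},
    "u5": {"vpn", "email", "crm.read"},
    "u6": {"vpn", "email", "crm.read", "crm.write"},
    "u7": {"vpn", "email", "crm.read", "crm.write", "erp.ap.view"},  # one-off extra
}


def inherited(roles, role):
    """Roles reachable from `role` through inheritance, itself included."""
    seen, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(roles[r]["juniors"])
    return seen


def effective(roles, role):
    """All permissions a holder of `role` ends up with."""
    return set().union(*(roles[r]["perms"] for r in inherited(roles, role)))


def holders(roles, members, role):
    """Users who hold `role` directly or through a senior role."""
    return {u for s in roles if role in inherited(roles, s) for u in members[s]}


def mine_roles(user_perms, min_shared=2, min_users=2, max_depth=1):
    """roles: role -> {"perms": direct permissions, "juniors": roles inherited};
    members: role -> users directly assigned.
    A shared permission set only becomes a junior role if it has at least
    min_shared permissions and min_users holders (raise both for fewer,
    coarser roles); max_depth is how many factoring passes run."""
    roles, members = {}, defaultdict(set)
    by_perms = defaultdict(set)                      # 1. identical access -> one role
    for user, perms in user_perms.items():
        by_perms[frozenset(perms)].add(user)
    for perms in sorted(by_perms, key=lambda p: (-len(p), sorted(p))):
        name = f"R{len(roles) + 1}"
        roles[name] = {"perms": set(perms), "juniors": set()}
        members[name] = by_perms[perms]
    for _ in range(max_depth):                       # 2. factor out shared sets
        existing, changed = list(roles), False
        shared_sets = {frozenset(roles[a]["perms"] & roles[b]["perms"])
                       for a, b in combinations(existing, 2)}
        for shared in sorted(shared_sets, key=lambda s: (-len(s), sorted(s))):
            children = [r for r in existing if shared <= roles[r]["perms"]]
            if len(shared) < min_shared or len(children) < 2:
                continue
            if len(set().union(*(holders(roles, members, r) for r in children))) < min_users:
                continue
            exact = [r for r in children if roles[r]["perms"] == shared]
            if exact:                                # an existing role *is* the shared set
                junior = exact[0]
                children = [r for r in children
                            if r != junior and r not in inherited(roles, junior)]
            else:
                junior = f"R{len(roles) + 1}"
                roles[junior] = {"perms": set(shared), "juniors": set()}
            for r in children:                       # children now inherit instead
                roles[r]["perms"] -= shared
                roles[r]["juniors"].add(junior)
            changed = changed or bool(children)
        if not changed:
            break
    return roles, members


def fidelity(user_perms, roles, members):
    """True when the model reproduces every user's access exactly: nothing
    gained or lost by moving from direct grants to roles."""
    rebuilt = {u: effective(roles, r) for r, users in members.items() for u in users}
    return rebuilt == user_perms
```

With max_depth=1 the run yields six roles and leaves the shared baseline (vpn, email) inside two of them; max_depth=2 factors it into a seventh role that everyone inherits, the kind of "employee" role a top-down interview would also have produced. In both cases fidelity() must hold: a model that fails it is over- or under-provisioning someone and is not ready for export.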

Page 17: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RBAC Modeling

Role definition processes

Role management review for HR updates (reorg, new job codes, etc.)

Role review for application changes (new system, retire system, new features)

Iterative approach and instant feedback

[Diagram: split roles, combine roles, rules for roles (Roles A, B, C, X, Y, Z)]

Page 18: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RBAC Definition Lifecycle

Role definition iterations: organizational role definition (business view); application role definition (system view)

Examine, Cleanup, Define, Test, Publish

Empowerment and knowledge transfer

Structured steps of interviews, data gathering, engineering, and tests to produce roles

Role quality

Page 19: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RaPM: Role Analysis

The analysis catalog provides different analyses to help determine potential role members/permissions, ensure membership/permissions are accurate, and view granular user/permission details in the analysis results

[RaPM screenshot]

Page 20: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

A single, statically assigned RBAC role can be associated with a specific set of entitlements (permissions), e.g. VPN access, access to the GL.

An RBAC dynamic role can inherit a collection of roles that relate to a job family, which can be organization-wide, divisional, or by location, represented by person type.

[Diagram: a business role (dynamic role) composed of roles, each mapped to application/system entitlements; dynamic and adaptive access control driven by an analytics engine]

Page 21: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RaPM: Membership Qualifier

Configure multiple conditions; users are automatically associated with the role. Use analysis results to help build out qualifiers. The membership view indicates whether members were assigned directly or by qualifier.

[RaPM screenshot]
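As an added example (not RaPM code; the attribute names, users and function names are constructed for illustration), the following shows what a membership qualifier amounts to: a conjunction of attribute conditions evaluated against the identity feed, a membership view that tells direct members from qualifier-derived ones, and a way to derive a qualifier from analysis of who currently holds the role, keeping as direct assignments only the members no condition explains. The precision constraint in suggest_qualifier is the security-relevant part: a qualifier that also matches a non-member would silently grant access rather than merely automate it.

```python
"""Role membership qualifiers: attribute conditions that enrol users into a
role automatically, next to direct assignments.

Added example of what the slide describes (several conditions per qualifier,
a membership view that tells direct from qualified members, and a qualifier
built from analysis of who already holds the role). Not RaPM code; USERS and
the attribute names are constructed.
"""
from itertools import combinations

USERS = {  # constructed identity feed: user -> HR attributes
    "u1": {"dept": "AP", "title": "Clerk", "site": "NYC"},
    "u2": {"dept": "AP", "title": "Clerk", "site": "BOS"},
    "u3": {"dept": "AP", "title": "Approver", "site": "NYC"},
    "u4": {"dept": "GL", "title": "Clerk", "site": "NYC"},
    "u5": {"dept": "IT", "title": "Admin", "site": "NYC"},
}


def matches(attrs, conditions):
    """Every condition must hold; a set-valued condition means 'in'."""
    return all(attrs.get(a) in v if isinstance(v, (set, frozenset)) else attrs.get(a) == v
               for a, v in conditions)


def membership_view(users, role):
    """user -> 'direct', 'qualifier' or 'both' for everyone the role covers."""
    view = {}
    for uid, attrs in users.items():
        direct = uid in role["direct"]
        qualified = bool(role["qualifier"]) and matches(attrs, role["qualifier"])
        if direct or qualified:
            view[uid] = "both" if direct and qualified else "direct" if direct else "qualifier"
    return view


def suggest_qualifier(users, members, max_terms=2):
    """From the users who hold the role today, find equality conditions that
    enrol as many of them as possible without enrolling anyone else.
    Returns (conditions, exceptions); the exceptions are members no
    qualifier explains and should stay as reviewed direct assignments."""
    singles = sorted({(a, v) for uid in members for a, v in users[uid].items()})
    best, exceptions = [], set(members)
    for k in range(1, max_terms + 1):
        for conds in combinations(singles, k):
            if len({a for a, _ in conds}) < k:          # two values for one attribute
                continue
            hit = {uid for uid, attrs in users.items() if matches(attrs, conds)}
            if not hit <= members:                      # would grant access to a non-member
                continue
            if len(hit) > len(members) - len(exceptions):
                best, exceptions = list(conds), members - hit
    return best, exceptions


def demo():
    """Derive a qualifier for the constructed 'AP clerk' role and show the
    resulting membership view; unexplained members stay direct."""
    conds, exceptions = suggest_qualifier(USERS, {"u1", "u2", "u5"})
    role = {"direct": exceptions, "qualifier": conds}
    return conds, exceptions, membership_view(USERS, role)
```

On the constructed feed, no single attribute is precise (dept=AP would pull in the approver, title=Clerk the GL clerk), so the derived qualifier is dept=AP and title=Clerk; u5, an IT administrator holding the role, is left as an explicit exception to be certified or removed during attestation.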

Page 22: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Separation of Duties

Separation of duty constraints and policies, both static and dynamic, in a role model

[Diagram: users, roles, permissions, role hierarchy, sessions, SoD constraints]

Page 23: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RaPM: Separation of Duties (SOD)

Alerts when users are in a disallowed combination of roles; indicates SOD configuration problems (inevitable conflicts); details the users/roles in conflict

[RaPM screenshot]
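The model elements listed on the previous slide (users, roles, permissions, role hierarchy, sessions, SoD constraints) and the alerts described here fit in one piece of code. The following is an added example written for this page, not IBM RaPM or ISIM code, with constructed roles, permissions and users: static SoD is checked on a user's authorized roles with the hierarchy expanded, dynamic SoD only on the roles activated in a session, sod_config_problems() reports the inevitable conflicts (a role that by itself inherits both sides of a constraint), and violations() finds users who already hold a disallowed combination, for instance because their access was mirrored from someone else instead of assigned through the checked path.

```python
"""Core and hierarchical RBAC with static and dynamic separation of duty.

Added example built on the elements the slide lists (users, roles,
permissions, role hierarchy, sessions, SoD constraints); not IBM RaPM or
ISIM code. Every role, permission and user name is constructed.
"""
from collections import defaultdict


class RbacModel:
    def __init__(self):
        self.roles = set()
        self.role_perms = defaultdict(set)   # role -> directly granted permissions
        self.juniors = defaultdict(set)      # senior role -> junior roles it inherits
        self.user_roles = defaultdict(set)   # user -> directly assigned roles
        self.static_sod = []                 # (frozenset(roles), n): never n+ of them
        self.dynamic_sod = []                # same shape, enforced per session only
        self.sessions = {}                   # session id -> (user, activated roles)

    def add_role(self, role, perms=(), juniors=()):
        self.roles.add(role)
        self.role_perms[role].update(perms)
        for junior in juniors:
            if junior not in self.roles or role in self.closure(junior):
                raise ValueError(f"{junior}: unknown role or inheritance cycle")
            self.juniors[role].add(junior)

    def closure(self, role):
        """The role plus every role it inherits, transitively."""
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.juniors[r])
        return seen

    def authorized_roles(self, user):
        return set().union(*(self.closure(r) for r in self.user_roles[user]))

    def permissions(self, user):
        return set().union(*(self.role_perms[r] for r in self.authorized_roles(user)))

    @staticmethod
    def _hits(constraints, held):
        """Constraints that a (hierarchy-expanded) set of roles breaks."""
        return [(rs, n) for rs, n in constraints if len(held & rs) >= n]

    def add_static_sod(self, roles, n=2):
        self.static_sod.append((frozenset(roles), n))

    def add_dynamic_sod(self, roles, n=2):
        self.dynamic_sod.append((frozenset(roles), n))

    def sod_config_problems(self):
        """Inevitable conflicts: a role whose own inheritance already covers
        n roles of a static constraint can never be assigned to anyone."""
        return [(role, rs) for role in sorted(self.roles)
                for rs, _ in self._hits(self.static_sod, self.closure(role))]

    def assign_role(self, user, role):
        """Checked assignment, the way a provisioning system should do it."""
        if self._hits(self.static_sod, self.authorized_roles(user) | self.closure(role)):
            raise PermissionError(f"{user}: {role} conflicts with an existing role")
        self.user_roles[user].add(role)

    def load_assignment(self, user, role):
        """Unchecked load: access mirrored from another user or imported from
        a target system. violations() is how such combinations surface."""
        self.user_roles[user].add(role)

    def violations(self):
        """user -> roles held in a disallowed combination."""
        out = {}
        for user in sorted(self.user_roles):
            held = self.authorized_roles(user)
            bad = set().union(*(held & rs for rs, _ in self._hits(self.static_sod, held)))
            if bad:
                out[user] = bad
        return out

    def create_session(self, sid, user, activate):
        """Dynamic SoD: conflicting roles may be held, but not used together."""
        activate = set(activate)
        if not activate <= self.authorized_roles(user):
            raise PermissionError(f"{user} is not authorized for {sorted(activate)}")
        active = set().union(*(self.closure(r) for r in activate))
        if self._hits(self.dynamic_sod, active):
            raise PermissionError(f"{user}: cannot activate {sorted(activate)} together")
        self.sessions[sid] = (user, activate)
        return active


def build_demo():
    """Constructed accounts-payable and general-ledger roles."""
    m = RbacModel()
    m.add_role("employee", {"vpn.connect"})
    m.add_role("ap_clerk", {"ap.invoice.create"}, juniors=["employee"])
    m.add_role("ap_approver", {"ap.invoice.approve"}, juniors=["employee"])
    m.add_role("ap_manager", {"ap.report.run"}, juniors=["ap_clerk", "ap_approver"])
    m.add_role("gl_poster", {"gl.journal.post"}, juniors=["employee"])
    m.add_role("gl_reviewer", {"gl.journal.review"}, juniors=["employee"])
    m.add_static_sod({"ap_clerk", "ap_approver"})    # never both, even via inheritance
    m.add_dynamic_sod({"gl_poster", "gl_reviewer"})  # both allowed, not in one session
    m.assign_role("alice", "ap_clerk")
    m.assign_role("bob", "ap_approver")
    m.load_assignment("carol", "ap_manager")         # mirrored access: toxic via hierarchy
    m.assign_role("mary", "gl_poster")
    m.assign_role("mary", "gl_reviewer")
    return m
```

Two details matter for an audit. The check runs on the closure of a user's roles, not the directly assigned list, so carol's single ap_manager role is flagged even though she was never given ap_clerk or ap_approver by name. And the configuration check runs before any user is assigned, because a constraint that a role breaks on its own can only ever be satisfied by never using that role, which is a modeling defect to fix rather than an access exception to certify.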

Page 24: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RBAC Administration Lifecycles

[Diagram: HR, IT and Info. Sec. feed the RBAC role set; Role Approver, Business Owner and Audit Review sign off]

HR: a re-org, new data such as org type, physical location, job title, cost center, or the retirement of any of these...

IT: a new application or system, a new group is added, a group or system is consolidated or retired

Roles are analyzed, changes are proposed, and a draft is circulated (Role Approver, Business Owner, Audit Review); roles are published and ready for use

Maturity: Attestation (tactical), Request Based (mid range), IdM Integrated (strategic) Role-Based Access Control

Page 25: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RaPM: Reports

TCR/Cognos-based reports: operations report, permissions report, roles report, user access report

[RaPM screenshot]

Page 26: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Role Lifecycle Manager (Business Process Manager): an approval request is sent to the role owner(s); role reports can be attached to the approval request for more details

[RaPM screenshot]

Page 27: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Relationship between RBAC and Identity Provisioning - Mature

[Diagram: an HR data feed drives Identity Management, which maps a role profile (roles) to user accounts through automatic permission assignment; Security Administration handles manual permission assignment to the remaining user accounts]

Real World Role Automation: integration with Role and Policy Modeler

Page 28: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RaPM: Export Project

Generates XML containing: roles, separation of duty constraints, user-to-role assignments (optional)

Immediately consumable by the ITIM load utility

[RaPM screenshot]

Page 29: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RaPM: ITIM Load Utility

Utility to load exported roles/SODs/user-to-role assignments. The preview option shows the number of: new or modified roles, modified hierarchies, new or modified separation of duty constraints, user-to-role assignments to be added or deleted

[RaPM screenshot]

Page 30: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Role and Policy Modeler Highlights

Role management capabilities are integral to Security Identity Manager: integrated, built-in functionality in one package rather than two or three from competitors; costs less than comparable solutions in the market.

Integration and automation provide immediately effective operations.

Simple yet sophisticated role modeling helps accelerate results: a business-user-centric web UI ensures faster adoption and easy deployment; powerful built-in analytics guide the role analyst in generating a timely role structure; IBM's technology and experience with roles built into a product.

Flexibility to adapt to client-specific IT processes: handles scale and large access data sources with a project-based approach; extensible policy and graphical role model to analyze particular enterprise scenarios; offers a business process automation platform to quickly get stakeholder validation.

Ability to drive IAM governance beyond role management: customers can deploy and integrate run-time enforcement (entitlement management) with IBM's Identity and Access Management Governance strategy; security intelligence: identity analytics in role modeling provide business insight, helping customers achieve the next level of security alignment with the business.

Page 31: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Page 32: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

Summing up

Role Based Access Management improves compliance posture and reduces the cost of administration in an evolving IT environment... but there are still challenges achieving this goal.

The traditional solution for role modeling generates results that are obsolete by the time they are ready: written reports, manual data collection, face-to-face collection and consulting, spreadsheet evaluation, face-to-face approvals, certify or reject, manual enforcement.

This is about 60% business process consulting and 40% tool. You need both to be strong to get to 100%.

ABAC, RuBAC, ZBAC ...

Page 33: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

RBAC Change Control and Notification Processes

Foundational processes allow the business to keep the organizational structure held on systems up to date.

Foundational processes allow the business to keep system entitlements clean and up to date.

Once these foundational processes are implemented and RBAC is in place, they can be leveraged and integrated with the RBAC management processes.

Page 34: Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
