Security Role Management Best Practices

Captions
What if I could show you a way that would reduce the size and complexity of managing user identities by two or even three orders of magnitude? It would cut down on cost, it would make the operation more efficient, and it would make it more secure because it was more simple, and as I mentioned in other videos, complexity is the enemy of security. So let's think about managing these identities without user roles and then with user roles, and I'll show you the advantages of using roles.

So what we think about first is we've got a bunch of users here who need access to applications. Simplistically, it sounds like this: I'm going to give this guy access here and here, and I give this guy this access, and that's all they really need. That's what it seems like, but in fact it's more complicated than that. What happens is, inside of these applications there may be individual permissions that are necessary. For instance, it could be an administrator access, it could be read-only access, it could be read-write access. There could be a lot of different underlying permissions that need to be granted. So in fact, instead of this gross level of permissions that I'm giving, what I really need to do is give this guy these access rights, and this guy needs these, and this guy needs these, and it continues. Before long you end up with a spaghetti mess that you've got to manage. Every user is a one-off, every user is unique, every user is complex, and when I have to unroll all of these access rights when the user leaves the organization, it gets even more complicated and more costly and more difficult to accomplish.

So let's look at a different approach where, instead of doing individual user-to-permission or entitlement accesses, instead of doing those mappings, I'm going to introduce another concept. We are now in the middle. I'm going to have this idea of user roles. So I'm going to create a set of roles at a business; I'll call these business roles. For instance, there's a role... let's say this is a hospital, so we have a doctor, we might have a nurse, we might have a lab technician. Those are the business roles, so business roles are a collection of users. I'm also going to create a second abstraction of application roles, and in this case these are going to be high-level functions that need to be performed. So maybe the high-level function is admit a patient, or discharge a patient, or update a patient record. Those are high-level things. In fact, those high-level features might involve multiple underlying permissions in different applications. So now you see it gets a lot more complicated, but what I'm trying to do is reduce that complexity.

So once I've created these two different tiers of roles, business role is a collection of users, application roles a collection of entitlements or access rights. Then all I have to do is come back and say, okay, to admit a patient, what do I need to be able to do? Well, I need to be able to have access to these two features along with this one, which is actually in a different application. Imagine in a complex organization there might be six or seven applications that need to be involved in performing a high-level function. So to discharge a patient, maybe I need these, and to update a patient record I need these. Now I've mapped out the application entitlements up here. All I need to do is say which ones these people are: are these doctors? Okay, here are my doctors, here are my nurses, and here's my lab tech. Now I've created the collection of business roles and those users, the collection of application entitlements, and all I have to do is connect the dots. I'm just going to say doctors can admit patients, discharge patients, and update patient records. Nurses cannot admit and discharge, but they can update records. And lab techs, when they get in the lab results, can update patient records. That's all I have to do.

The beauty of this, then, is the flexibility that happens over time. Let's say later I need to add in a new entitlement here, and this now is required any time I update a patient record. Then all I have to do is add in this, and the update capability now involves that entitlement, and all the people who have the update capability, in this case it's all of these users, now have this new capability. And if later I decide, for whatever reason, I'm not going to allow nurses to perform a particular function, I just take that function out of the nurse role and all the nurses now lose that capability. Or add something in, and all of those users instantly gain that capability. By separating these two different layers, I don't end up with a spaghetti; I end up with something that is much simpler to manage. And it feels like now, instead of managing what might be 5,000 users, it feels like I'm managing three users if I've got three roles. So I've taken the magnitude of the problem and reduced it dramatically.

So let's think about what are some of the best practices, then, in role management if we want to carry this through, and there's a number of things you can do here. For instance, don't make the mistake of letting the perfect become the enemy of the good. In doing so, I've seen organizations that try to define this in a perfect way that will meet all the needs for all time, and the fact of the matter is we don't need to do that. It needs to be flexible; it will change over time. One organization I worked with took a year to define their roles. That was a delay on the process because they were letting the perfect become the enemy of the good.

The second best practice is related to that first: aim for more like an 80/20 split. Try to cover your role entitlements and accesses with about eighty percent of the cases with something like this, and then let the other 20 be exceptions, and we can handle them as one-offs, more like this. But I've still reduced the problem space dramatically.

Other things I can look at is role design or role engineering, where I sit down, as I've done here, kind of as a tabletop exercise, and envision how these roles should be. I can envision that these are the different types of users, these are the different access rights, and we do that kind of an exercise. This is more of a top-down approach. The bottom-up approach is more of a role discovery process, and there are tools that will allow you to go out and see all of the entitlements that a user has and what function they perform, and then you can go through and see all of these users who are peers seem to have the same access rights, so let's create a role around that. And therefore we're essentially discovering the roles that already exist in the organization that just have not been explicitly stated. I would actually recommend using both of those, the top-down and the bottom-up, the design and the engineering, and let them meet in the middle, and then we apply some of these other principles, principles that I've talked about.

In addition to these, we also should use good tools that allow us to do this discovery, and there are enterprise-class identity governance tools that will allow you to do this, allow you to manage it and manage this over time. As these roles need to change, we'll need to make those kinds of changes. And then finally, the thing that I've illustrated here, and that is use multiple tiers of roles, because if we try to use a single role structure we'll overload it. Here I separated out the groups of users from their entitlements. That way I have more separation: I can change the entitlements without changing the users; I can change the organization of users without having to change their underlying entitlements. That gives me the maximum level of flexibility, and it keeps me from that sort of analysis paralysis that I mentioned the other organization I talked about hit.

So you can see, I hope, with this that I can take a very complex space and reduce it to a much more manageable space. Therefore, with this more manageable space, it's cheaper, it's more efficient, and I'll argue even more secure, because complexity is the enemy of security and this is simpler.

Thanks for watching. Please remember to like this video and subscribe to this channel so we can continue to bring you content that matters to you.
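The two-tier model described in the video, worked through in code. This is an added example written for this page, not code from the video or from IBM: the class names, the hospital sample data (applications such as "ADT", "EHR", "Billing" and their permission strings), the per-user exception map for the 80/20 one-offs, and the bottom-up discovery helper are all constructed for illustration. It shows the three things the talk argues for: adding one entitlement to an application role changes every user who holds it, removing a function from a business role revokes it for every member at once, and offboarding is a single membership removal rather than unrolling per-user grants.

```python
"""Two-tier RBAC: business roles (collections of users) map to application
roles (collections of entitlements). Constructed example; names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# An entitlement is an (application, permission) pair, e.g. ("EHR", "record.write").
Entitlement = tuple[str, str]


@dataclass
class RoleModel:
    app_roles: dict[str, set[Entitlement]] = field(default_factory=dict)   # function -> entitlements
    business_roles: dict[str, set[str]] = field(default_factory=dict)      # business role -> functions
    members: dict[str, set[str]] = field(default_factory=dict)             # business role -> users
    exceptions: dict[str, set[Entitlement]] = field(default_factory=dict)  # the 20% one-off grants

    def define_app_role(self, name: str, *ents: Entitlement) -> None:
        """Create or extend a high-level function. Extending it changes every holder at once."""
        self.app_roles.setdefault(name, set()).update(ents)

    def define_business_role(self, name: str, *app_roles: str) -> None:
        unknown = [r for r in app_roles if r not in self.app_roles]
        if unknown:
            raise KeyError(f"unknown application role(s): {unknown}")
        self.business_roles.setdefault(name, set()).update(app_roles)

    def revoke_function(self, business_role: str, app_role: str) -> None:
        """Take a function out of a business role; all its members lose it together."""
        self.business_roles[business_role].discard(app_role)

    def assign(self, user: str, business_role: str) -> None:
        if business_role not in self.business_roles:
            raise KeyError(f"unknown business role {business_role!r}")
        self.members.setdefault(business_role, set()).add(user)

    def offboard(self, user: str) -> None:
        """Leaver handling: drop memberships and one-offs; nothing per-entitlement to unroll."""
        for users in self.members.values():
            users.discard(user)
        self.exceptions.pop(user, None)

    def entitlements(self, user: str) -> set[Entitlement]:
        """Effective access = union over business roles -> application roles -> entitlements,
        plus any explicitly recorded exception grants."""
        ents: set[Entitlement] = set(self.exceptions.get(user, ()))
        for brole, users in self.members.items():
            if user in users:
                for arole in self.business_roles[brole]:
                    ents |= self.app_roles[arole]
        return ents

    def can(self, user: str, app: str, perm: str) -> bool:
        return (app, perm) in self.entitlements(user)


def discover_roles(observed: dict[str, set[Entitlement]]) -> dict[frozenset[Entitlement], set[str]]:
    """Bottom-up role discovery: peers holding an identical entitlement set are a
    candidate role that already exists but has never been stated explicitly."""
    groups: dict[frozenset[Entitlement], set[str]] = defaultdict(set)
    for user, ents in observed.items():
        groups[frozenset(ents)].add(user)
    return dict(groups)


def hospital_model() -> RoleModel:
    """The talk's hospital example with constructed application/permission names."""
    m = RoleModel()
    m.define_app_role("admit_patient", ("ADT", "admission.create"), ("Billing", "account.open"))
    m.define_app_role("discharge_patient", ("ADT", "admission.close"), ("Billing", "account.close"))
    m.define_app_role("update_record", ("EHR", "record.read"), ("EHR", "record.write"))
    m.define_business_role("doctor", "admit_patient", "discharge_patient", "update_record")
    m.define_business_role("nurse", "update_record")
    m.define_business_role("lab_tech", "update_record")
    for user, role in (("alice", "doctor"), ("bob", "nurse"), ("carol", "lab_tech")):
        m.assign(user, role)
    return m


if __name__ == "__main__":
    m = hospital_model()
    # A new entitlement now required for every record update: one edit, every updater gains it.
    m.define_app_role("update_record", ("Audit", "log.write"))
    print({u: m.can(u, "Audit", "log.write") for u in ("alice", "bob", "carol")})
    # Nurses lose record updates in one step; carol keeps hers via lab_tech.
    m.revoke_function("nurse", "update_record")
    print(sorted(m.entitlements("bob")), sorted(m.entitlements("carol")))
    # Bottom-up: users observed with the same access are a candidate role.
    observed = {"u1": {("EHR", "record.read")}, "u2": {("EHR", "record.read")},
                "u3": {("ADT", "admission.create"), ("Billing", "account.open")}}
    print({sorted(k): v for k, v in discover_roles(observed).items()})
```

Because entitlements are only ever resolved through the two role tiers (plus a deliberately separate exception map), an access review becomes a review of three business roles and three application roles rather than of every user, and the exception map is the one place to look for the one-offs that the 80/20 approach tolerates.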
Info
Channel: IBM Technology
Views: 5,284
Keywords: IBM, IBM Cloud
Id: 5v4v-MPoEOs
Length: 9min 5sec (545 seconds)
Published: Fri Dec 09 2022