
Role-Based Access Control (RBAC) Approach for Defense-in-Depth

Peter Leight and Richard Hammer, August 2006



  1. Role-Based Access Control (RBAC) Approach for Defense-in-Depth
     • Peter Leight and Richard Hammer
     • August 2006

  2. Role-Based Access Control (RBAC) Approach for Defense-in-Depth
     • What is Role-Based Access Control (RBAC)?
     • What are the advantages to implementing RBAC?
     • What are the challenges to implementing RBAC?
     • How can RBAC be used as a framework for defense-in-depth?
     • How will the RBAC implementation standard help?

  3. What is RBAC?
     • Role-Based Access Control
     • Permission to perform an operation on an object is assigned to roles, not to users
     • Users are assigned to roles
     • Roles are assigned permissions
     • Users acquire their permissions based on the roles they are assigned

  4. RBAC is Many-to-Many
     • Users may be assigned many roles
     • Roles may have many users assigned to them
     • Roles may be assigned to many other roles
     • Roles may be assigned many permissions
     • Permissions may be assigned to many roles
     • Permissions may be granted to perform many different types of operations on an object

  5. RBAC Flow Diagram

  6. What are the Advantages of RBAC?
     • Once implemented, RBAC simplifies system administration
     • Strong support for separation of duties
     • Good auditing support
     • Considered best practice by many

  7. RBAC Simplifies System Administration
     • When a user changes positions:
       • Her roles are changed to reflect her new position
       • Her replacement is assigned her old roles
       • No need to remove the user's old access on each object
     • If roles are well defined, the system administrator only needs to add a user to their assigned roles, and the user has access to all the resources they require to complete their job

  8. Separation of Duties
     • Manages conflict-of-interest policy
     • Reduces chances of fraud
     • Spreads critical duties across roles and, in turn, users
     • RBAC has built-in support for:
       • Static Separation of Duties (SSD)
       • Dynamic Separation of Duties (DSD)

  9. RBAC Improves Auditing
     • User, role, and permission reviews are built into RBAC
     • Much easier to determine whether an object should be accessed from a role instead of by a person
       • Should Jane access the payroll object? ???
       • Should the hotdog vendor role access the payroll object? NO!
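Slides 3, 4, 8 and 9 together describe the core RBAC model: users assigned to roles, roles holding permissions, roles inheriting from other roles, static and dynamic separation of duties, and the built-in review questions ("which roles, and therefore which users, can reach the payroll object?"). The following is an added example, written for this transcript and not code from the presentation or from any NIST/INCITS reference implementation; it assumes a constructed set of users, roles and objects (Jane, a hotdog vendor, a payroll object) purely for illustration.

```python
"""Minimal RBAC reference monitor in the spirit of the NIST / ANSI INCITS 359 model.

Added example (not from the slides): users are assigned roles, roles hold
permissions (operation, object), senior roles inherit junior roles' permissions,
static and dynamic separation of duty constrain assignment and activation, and
review functions answer "which roles / users can reach this object?".
All role, user and object names below are constructed for illustration.
"""
from collections import defaultdict


class SeparationOfDutyError(Exception):
    """Raised when an assignment or session would violate SSD or DSD."""


class RBAC:
    def __init__(self):
        self.user_roles = defaultdict(set)   # user -> roles assigned to the user
        self.role_perms = defaultdict(set)   # role -> {(operation, object)}
        self.inherits = defaultdict(set)     # senior role -> junior roles it inherits from
        self.ssd = []                        # (conflicting roles, n): no user may hold n of them
        self.dsd = []                        # (conflicting roles, n): no session may activate n of them
        self.sessions = {}                   # session id -> (user, activated roles)

    # ---- policy administration --------------------------------------------
    def add_permission(self, role, operation, obj):
        self.role_perms[role].add((operation, obj))

    def add_inheritance(self, senior, junior):
        """senior acquires every permission of junior (role hierarchy)."""
        self.inherits[senior].add(junior)

    def add_ssd(self, roles, n=2):
        self.ssd.append((frozenset(roles), n))

    def add_dsd(self, roles, n=2):
        self.dsd.append((frozenset(roles), n))

    # ---- derived views -----------------------------------------------------
    def authorized_roles(self, role):
        """The role plus everything it inherits, transitively."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.inherits.get(r, ()))
        return seen

    def effective_permissions(self, role):
        return set().union(*(self.role_perms.get(r, set()) for r in self.authorized_roles(role)))

    def _effective_roles(self, roles):
        return set().union(*(self.authorized_roles(r) for r in roles))

    def _check_conflicts(self, effective, constraints, kind, subject):
        for conflict, n in constraints:
            held = effective & conflict
            if len(held) >= n:
                raise SeparationOfDutyError(f"{kind}: {subject} cannot combine {sorted(held)}")

    # ---- user / session management ----------------------------------------
    def assign_user(self, user, role):
        # SSD is enforced against the inherited role set, not only direct assignments
        self._check_conflicts(self._effective_roles(self.user_roles[user] | {role}),
                              self.ssd, "SSD", user)
        self.user_roles[user].add(role)

    def create_session(self, session_id, user, roles):
        roles = set(roles)
        if not roles <= self.user_roles[user]:
            raise PermissionError(f"{user} is not assigned {sorted(roles - self.user_roles[user])}")
        # DSD limits which of the user's roles may be active at the same time
        self._check_conflicts(self._effective_roles(roles), self.dsd, "DSD", session_id)
        self.sessions[session_id] = (user, roles)

    def check_access(self, session_id, operation, obj):
        """Access decision: is (operation, obj) granted by any active role?"""
        _user, roles = self.sessions[session_id]
        return any((operation, obj) in self.effective_permissions(r) for r in roles)

    # ---- review functions (the auditing support the slides mention) -------
    def all_roles(self):
        roles = set(self.role_perms) | set(self.inherits)
        for group in list(self.user_roles.values()) + list(self.inherits.values()):
            roles |= group
        return roles

    def roles_for_object(self, obj):
        return {r for r in self.all_roles()
                if any(o == obj for _op, o in self.effective_permissions(r))}

    def users_for_object(self, obj):
        reaching = self.roles_for_object(obj)
        return {u for u, rs in self.user_roles.items() if rs & reaching}


def build_example():
    """Constructed policy: a payroll clerk must not also audit payroll (SSD);
    a purchase requester may also approve, but never in the same session (DSD)."""
    rbac = RBAC()
    rbac.add_permission("employee", "read", "cafeteria_menu")
    rbac.add_permission("payroll_clerk", "read", "payroll")
    rbac.add_permission("payroll_clerk", "write", "payroll")
    rbac.add_permission("payroll_auditor", "read", "payroll")
    rbac.add_inheritance("payroll_clerk", "employee")    # clerks are also employees
    rbac.add_inheritance("payroll_auditor", "employee")
    rbac.add_ssd({"payroll_clerk", "payroll_auditor"})
    rbac.add_dsd({"purchase_requester", "purchase_approver"})
    for role in ("payroll_clerk", "purchase_requester", "purchase_approver"):
        rbac.assign_user("jane", role)
    rbac.assign_user("vendor", "hotdog_vendor")
    return rbac
```

Two design points matter for audit and for separation of duties. First, SSD is checked against the full inherited role set, so a role that quietly inherits a conflicting junior role cannot slip past the constraint. Second, the review functions operate on roles, not people: asking `roles_for_object("payroll")` returns the two payroll roles and nothing else, which is the slide's point that "should the hotdog vendor role access payroll?" is an easy question while "should Jane?" is not.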

  10. Challenges Implementing RBAC
     • Policy must be clearly defined or RBAC breaks down completely
     • Roles must be created that reflect business needs
     • Permissions for roles to access objects must be determined
     • Membership in each role must be determined
     • Up-front work requires a lot of time and effort
     • RBAC standards have not resulted in compatible vendor implementations

  11. RBAC as a DiD Framework
     • Extend the concept of a user to include:
       • Computers or networks
       • Agents (e.g. a web front end accessing a database)
     • Permission is approval to access or perform some action on an object
     • Objects extended to include:
       • Data, databases or information containers
       • Computers, networks or network resources
       • Programs or applications

  12. RBAC for Network Design
     • Use RBAC as the access mechanism for your entire network infrastructure:
       • Routers
       • Firewalls
       • VPNs
       • VLANs
       • Servers
     • Granular access controls can ensure all parameters are correct before access is granted
       • Joe might have access to financial data, but not from the wireless VLAN (sensitive finance data should only be accessible from the office VLAN)
       • Sally might have access to all external Internet sites, but only from her assigned IP address (HR judges whether a website's content is lewd, but not from out in the cubicles)
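Slide 12 extends a permission with the context in which it may be exercised (source VLAN, source address) and asks that every parameter be checked before access is granted. The following is an added example for this transcript, not code from the presentation or from any vendor product; the users, roles, VLAN names and addresses are constructed, and the `Grant` / `NetworkPolicy` names are this example's own. It returns the reason for each decision so that a denial can be logged and alerted on, which is what makes the control useful as a defense-in-depth layer rather than a silent drop.

```python
"""Context-qualified RBAC for network access, as an added example (not from the slides).

Each grant says which role may reach which network object and from where:
an allowed set of VLANs and/or source networks. The decision function checks
every parameter before granting and returns the reason, so a denial can be
logged and alerted on. Users, roles, VLAN names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Grant:
    role: str
    obj: str                                      # network object: data set, site class, server...
    vlans: set = field(default_factory=set)       # empty set = any VLAN
    sources: list = field(default_factory=list)   # CIDR strings; empty = any source address

    def matches(self, vlan, src_ip):
        """Return (ok, reason); every configured constraint must hold."""
        if self.vlans and vlan not in self.vlans:
            return False, f"VLAN {vlan} not permitted (allowed: {sorted(self.vlans)})"
        if self.sources:
            ip = ipaddress.ip_address(src_ip)
            if not any(ip in ipaddress.ip_network(net) for net in self.sources):
                return False, f"source {src_ip} not in {self.sources}"
        return True, "ok"


class NetworkPolicy:
    def __init__(self):
        self.user_roles = {}     # user -> set of roles
        self.grants = []

    def assign(self, user, *roles):
        self.user_roles.setdefault(user, set()).update(roles)

    def grant(self, role, obj, vlans=(), sources=()):
        self.grants.append(Grant(role, obj, set(vlans), list(sources)))

    def decide(self, user, obj, vlan, src_ip):
        """Default deny: allowed only if some role of the user has a grant for obj
        whose every context constraint is satisfied. Returns (allowed, reason)."""
        roles = self.user_roles.get(user, set())
        reasons = []
        for g in self.grants:
            if g.obj != obj or g.role not in roles:
                continue
            ok, why = g.matches(vlan, src_ip)
            if ok:
                return True, f"allow {user} -> {obj} via role {g.role}"
            reasons.append(f"role {g.role}: {why}")
        if not reasons:
            reasons.append(f"no role of {user} is granted {obj}")
        return False, f"deny {user} -> {obj}: " + "; ".join(reasons)


def build_network_example():
    """Constructed policy mirroring the slide's two scenarios (names are made up)."""
    p = NetworkPolicy()
    p.assign("joe", "finance")
    p.assign("sally", "hr_web_reviewer")
    # Sensitive finance data only from the office VLAN, never from wireless
    p.grant("finance", "financial_data", vlans={"office"})
    # Sally may reach all external sites, but only from her assigned workstation address
    p.grant("hr_web_reviewer", "external_internet", sources=["10.20.30.40/32"])
    return p
```

The reason strings are deliberately specific about which parameter failed (wrong VLAN versus wrong source address): a burst of "VLAN wireless not permitted" denials for a finance user is exactly the kind of event the RBAC auditing on slide 9 is meant to surface.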

  13. Server Access Control
     • RBAC allows granular access control to server resources based on roles
     • Servers can use RBAC to control access to:
       • Documents or document containers
       • Resources (printers, CDs, USB ports, etc.)
       • Applications (database, WWW, FTP, etc.)
     • Applications can restrict what data or reports a role can access

  14. RBAC Standards
     • Proposed NIST Standard for Role-Based Access Control (2001)
       • Users, roles, permissions, operations, objects
       • Core and Hierarchical RBAC
       • Separation of duties
       • Administrative functions, supporting system functions, review functions
     • ANSI/INCITS 359-2004
     • Draft NIST Role Based Access Control Implementation Standard (2006)

  15. How the Standard Will Help
     • It will give vendors a common model and language
     • Will supply functional requirements that vendors must implement to become RBAC compliant
     • Will help consumers choose products
     • Will help products become interoperable

  16. Conclusion
     • RBAC is a great defense-in-depth model
     • RBAC requires policy to be clearly defined before implementation
     • RBAC does reduce system administration duties once implemented
     • RBAC improves auditing and facilitates separation of duties
     • An implementation standard is required before RBAC can fully realize its potential as an approach to defense-in-depth
