Role Explosion – How Can You Solve It?

IAM

Every role in an organization matters. Some deal with more sensitive information than others, such as customers' Personally Identifiable Information (PII). Some interact with customers; some keep the organization's functions up and running. Some are dedicated to managing your brand to the outside world. Some build the core services of your business, and some help sell them. Whatever the role, an organization is built by stringing these roles together; it cannot function without each one playing its part. This is why a role is defined for each person, with the responsibilities that role entails spelled out clearly, so that each person can play their part in the organization.

In theory, if everyone plays their part, it all works. But there is more to it. Each person requires certain resources, such as applications, to carry out their tasks. If there are only a handful of people in the organization, this is a simple undertaking: assign each role the access it needs to specific applications, and only people holding that role have permission to use them. This is role-based access provisioning (RBAC). At this scale it is also simple to monitor the access each person holds and to revoke it manually once it no longer serves a purpose. But imagine the number of employees multiplying. More people means more access grants, more monitoring, and endless hours peering at the screen reviewing access, resulting in more headaches. This is role explosion: the more access grants and roles that exist, the more complicated RBAC becomes.

The issues caused due to role explosion

Time-consuming complication:

When access is provisioned manually, it is a time-consuming process. The manager has to go over the user's role and entitlements and then make a call. This costs a lot of productive time. New hires are often seen waiting for their 'actual roles' to kick in after they join an organization, because provisioning their access takes weeks. HR, IT, and managers often have a tough time coordinating, which in the end leaves a new employee full of enthusiasm with nothing to apply that zeal to. 33% of employees know whether they want to stay in a company long-term after the first week itself. That puts the importance of smoother access provisioning in a new light.

Even when an employee has been with the company long enough to hold the access they normally need, a complication arises as soon as they need additional access. On what basis will the new permission be granted? Against what criteria? If the request is made remotely, how will the approver know the requester is who they claim to be? This is especially challenging for privileged access. Sometimes such access is granted simply to get the job done.

This leads to poor management of access rights among employees, complicated documentation processes, and, most importantly, no record on which to base a later revocation. That brings us to the next point: security.

Security takes a hit:

With manual provisioning, many complications can arise, and the biggest is security. According to an IBM report, insider threats are behind 70% of all breaches. That alone should be reason enough to look at the security posture of your access grants.

With manual access provisioning, tasks are rarely executed seamlessly. There is always room for human error and negligence. A Varonis report found that 53% of companies had 1000 sensitive files accessible to all employees. Imagine the damage a bad actor could cause with that.

When roles and access are managed manually, they are not revoked on time. After an employee leaves an organization on bad terms, they could misuse access that was never removed. Alternatively, someone else could take over the orphaned accounts. If those accounts carry privileged access, nothing good will come of it.

Contextual attributes to the rescue

Untangling RBAC might seem like an overwhelming task, considering the proliferation of roles and the tangled web of access grants. But there is a solution that can resolve this conundrum with ease.

Identity and access management solutions that add context, attributes, and policies to your access decisions can manage role explosion and give your IT team time to breathe.

Here, access is mapped carefully, and even new hires are automatically granted access on day one. Every access provisioning request comes with a set of data about the security of that access, produced by a risk engine. When a manager has to allow or deny access, the request arrives with context: the sensitivity of the data, user attributes such as location, the time of the request, and so on are all factors in the risk score assigned to the access. With all this information at hand, the manager can make an informed decision.

Not only does it provide live risk scores, but the manager can also attach a time frame to each grant, after which the access is no longer valid. They can also run access certification campaigns, which produce the full list of access grants in one go and make it easy to revoke the ones that are no longer needed.
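The contextual risk scoring, time-boxed grants and certification listing described above, as an added example (not the article's code or any particular IAM product): the sensitivity weights, trusted locations, business hours and decision thresholds are constructed sample policy values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed sample policy: sensitivity weights and contextual risk factors.
SENSITIVITY = {"public": 0, "internal": 10, "confidential": 30, "pii": 50}
TRUSTED_LOCATIONS = {"office-hq", "vpn"}

@dataclass
class AccessRequest:
    user: str
    resource: str
    sensitivity: str          # one of the SENSITIVITY keys
    location: str             # network/location the request originates from
    requested_at: datetime    # naive datetime, treated as UTC
    privileged: bool = False  # admin-level entitlement requested?

def risk_score(req: AccessRequest) -> int:
    """Score 0-100 from data sensitivity plus contextual attributes."""
    score = SENSITIVITY[req.sensitivity]
    if req.location not in TRUSTED_LOCATIONS:
        score += 25                        # unknown network raises risk
    if not 8 <= req.requested_at.hour < 18:
        score += 15                        # outside business hours
    if req.privileged:
        score += 20                        # privileged access is riskier
    return min(score, 100)

def decide(req: AccessRequest) -> str:
    """Low risk: auto-provision; medium: manager approval; high: deny."""
    s = risk_score(req)
    if s < 30:
        return "auto-approve"
    if s < 70:
        return "manager-approval"
    return "deny"

@dataclass
class Grant:
    user: str
    resource: str
    expires_at: datetime

def grant(req: AccessRequest, ttl: timedelta) -> Grant:
    """Time-box every grant so it lapses even without a manual revoke."""
    return Grant(req.user, req.resource, req.requested_at + ttl)

def certification_report(grants: list, now: datetime) -> dict:
    """Access certification: separate live grants from ones already expired."""
    live = [g for g in grants if g.expires_at > now]
    expired = [g for g in grants if g.expires_at <= now]
    return {"live": live, "expired": expired}
```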

Adding context to every access decision, combined with automated provisioning, is an efficient way to manage role explosion. Don't let access loopholes hamper your productivity or your security.
