Can a stolen password get you the keys to the entire kingdom? Well, it turns out that 81% of data breaches in 2017 used stolen or weak passwords to get onto the network.
We need to be better than that in 2018. We need to go back over our permissions standards and implement Role Based Access Control (RBAC) to keep users within their assigned seats on the network.
What is Role Based Access Control (RBAC)?
Role Based Access Control (RBAC) is a network security paradigm where the network grants users permissions based on their role in the company. It’s dead simple: the Finance department donesn’t get to look at HR data and vice versa.
Each user on the network has an assigned role, and each role has a set of access permissions to resources across the organization. For example, our Finance humans have access to the CRM based on their use cases, access to email, and access to the Finance share on the network. And that could be it.
When implemented correctly, an RBAC implementation will be transparent to the users. Role assignment happens behind the scenes, and each user has access to the applications and data that they need to do their job.
Why Implement RBAC?
Implementing Role-Based Access Control helps maximize operational efficiency, protects your data from being leaked or stolen, reduces admin and IT support work, and makes it easier to meet audit requirements.
Users should have access to the data they need to do their job – granting access to data they don’t need is a security liability, increasing the risk of that data getting leaked, stolen, corrupted, or compromised. Hackers love to access a single account and move laterally around the network looking for the sellable data. If you have a good RBAC implemented, the hackers will get stonewalled as soon as they try to get outside the bubble of their hacked user’s role.
Sure it’s bad that someone’s account got hacked, but it could be so much worse if that user has access to all of the sensitive data. Even if the affected user is in HR and has access to personally identifiable information (PII)o, the hacker won’t be able to easily move to the Finance team’s or Executive team’s data.
RBAC also reduces IT and administrative load across the organization and increases the productivity of the users. While this seems counterintuitive, if you think about it for a second, it makes sense. IT doesn’t have to manage personalized permissions for every user, and it’s easier for the right users to get to the right data.
Managing new users or guest users can be time consuming and difficult, but if you have RBAC that defines these roles before a user joins the network, it’s a fire and forget situation. Guests and new users join the network, and their access is pre-defined.
Lastly, implementing RBAC is proven to save lots of dollars for your company. RTI published a report in 2010, “The Economic Impact of Role-Based Access Control” that indicates there is a substantial return on investment in an RBAC system. For a hypothetical financial services firm of 10,000 employees, RTI estimates that RBAC will save IT $24,000 in labor, and employee downtime will save the company $300,000 per year. Automating the user access process will save you even more than that in IT labor reduction alone. That’s big-time-get-you-a-raise money.
At the end of the implementation, your network will be vastly more secure than it was, and your data will be much safer from theft. And you get the other benefits of increased productivity for your users and IT staff. It’s a no-brainer if you ask us.
RBAC: 3 Steps to Implement
What’s the best way to implement Role-Based Access Controls? Consider the following steps to get started:
- Define the resources and services you provide to your users (i.e., email, CRM, file shares, CMS, etc.)
- Create a library of roles: Match job descriptions to resources from #1 that each function needs to complete their job
- Assign users to defined roles.
The good news is that you can automate this process: Varonis DatAdvantage provides data about who actively uses the file shares on a regular basis, and who doesn’t. While assigning file permissions to roles, you will also designate a data owner for the shares. This data owner is responsible for access to their data in the long term, and can easily approve or deny access requests from the Varonis DataPrivilege interface. Varonis also provides modeling capabilities as you are assigning roles, so that you can see what happens if you revoke access to a folder from this role, before committing.
Once the implementation is done, it’s imperative to keep the system clean. No user should be assigned privileges outside of their role on a permanent basis. DataPrivilege allows for temporary access to file shares on a per request basis, which doesn’t break the first rule. It will be necessary, however, to have a change process in place to adjust roles as needed.
And of course, you want to have regular auditing and monitoring on all of these critical resources. You need to know if a user is trying to access data outside of their assigned seat, or if a permission gets added to a user outside of their role.
There are several methods bad actors will use to break through your security. A good monitoring and data security analytics platform will enforce the rules set in your RBAC, provide your security team alerts and details to discourage hacking attempts and prevent data breaches before they get off the ground.