Monday, September 24, 2007

A primer on roles

Network World's Security: Identity Management Newsletter, 09/24/07

By Dave Kearns

Last time, we discussed roles and I promised some more about that subject. In particular, it's the whole definition of roles – what are they, what are they useful for – that I wanted to talk about. So here it is.

Roles are an administrative tool.

Roles allow identity and security administrators to grant privileges (or entitlements) using a layer of abstraction that allows for easier management. By using roles to administer rights, we can cut down significantly on the number of transactions needed to initially assign those rights as well as to maintain, modify and remove them.

Let’s say that Jane Doe is a technical writer for the Jupiter, Thor and Zeus Technology Co. She works in Building 7 of its Palo Alto campus. Even before her first day of work, she could be assigned the following roles:

Employee – all badged employees of Jupiter, Thor and Zeus
Marketing – all marketing dept. employees
TechWriter – all technical writers in marketing
PaloAlto – all employees (badged and contract) at the Palo Alto campus
Bldg7PA – all employees (badged and contract) who work in Bldg 7

This should be enough to get her access to buildings, rooms, parking lots, networks, servers, applications, benefits, and much more with a minimum of effort on the part of the identity and security administrators of the company. Some of these privileges may need to be augmented for her particular case, but only minimally. In fact, a lot of this could be self-provisioned by Jane the first time she accesses the network – which could be during an orientation session even before she begins work.

This works because almost everything Jane has rights to, on the network and within the physical plant of the enterprise alike, is not a result of who she is personally (although that may have played a part in her being offered the job in the first place). It’s almost entirely a result of the role(s) she fills. It isn’t “Jane Doe” who needs access to PageMaker, but a technical writer. It isn’t “Jane Doe” who needs access to the printer with the asset tag “JTZ54$127”, but the Bldg 7 employees on the third floor east wing. And it isn’t “Jane Doe” who is allowed to park in lot No. 5 of the Palo Alto campus, but badged employees of grade C2 or below.

Now, as I said last issue, the NIST (the National Institute of Standards and Technology) documents about roles do seem to spend a lot of time talking about separation of duties (a subject dear to the heart of government regulators, but also of importance to chief security officers). While we certainly wouldn’t want someone whose role is “payroll clerk” to also hold the role of “check approver,” there is no way to simply look at the names of roles and determine whether there should be separation. A thorough examination of the actual privileges is needed, and rules defining which privileges cannot be held together must also be instituted and enforced automatically. Someone who can create a check for payment (whether in the role of payroll clerk, accounting clerk, or administrative assistant) cannot also be allowed to approve the payment. Roles might help, but shouldn’t be relied on for this important security operation.
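The two points above, Jane's entitlements flowing from her roles rather than from her identity, and separation of duties enforced on the privileges a role actually grants rather than on its name, as an added example that is not part of the column. The role-to-privilege table, the privilege names and the conflicting pair are constructed for illustration.

```python
# Added example (not from the column): a small role-based model for the roles
# named in the text, plus a separation-of-duties (SoD) check that inspects the
# privileges each role grants rather than the role's name.

# Role -> privileges it grants (constructed; the column only names the roles).
ROLE_PRIVILEGES = {
    "Employee":   {"badge:building-access", "benefits:enroll"},
    "Marketing":  {"app:pagemaker"},
    "TechWriter": {"app:pagemaker", "share:techdocs"},
    "PaloAlto":   {"net:campus-wifi", "parking:lot5"},
    "Bldg7PA":    {"printer:JTZ54$127"},
    # Finance roles for the SoD point: different names, overlapping privileges.
    "PayrollClerk":    {"check:create", "payroll:view"},
    "AccountingClerk": {"check:create", "ledger:post"},
    "AdminAssistant":  {"check:create", "calendar:manage"},
    "CheckApprover":   {"check:approve"},
}

# Privilege pairs that must never be held by one person (constructed).
SOD_CONFLICTS = [
    ("check:create", "check:approve"),
]

def effective_privileges(roles):
    """Union of the privileges granted by every role a user holds."""
    privs = set()
    for role in roles:
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs

def sod_violations(roles):
    """Return the conflicting privilege pairs that a role set would combine.

    The check works from privileges, not role names, so an "AdminAssistant"
    role that quietly grants check:create is caught just like "PayrollClerk".
    """
    privs = effective_privileges(roles)
    return [(a, b) for a, b in SOD_CONFLICTS if a in privs and b in privs]

def can_assign(current_roles, new_role):
    """Gate a role grant: refuse it when the resulting set violates SoD."""
    return not sod_violations(set(current_roles) | {new_role})

if __name__ == "__main__":
    jane = ["Employee", "Marketing", "TechWriter", "PaloAlto", "Bldg7PA"]
    print(sorted(effective_privileges(jane)))
    print(sod_violations(["PayrollClerk", "CheckApprover"]))
    print(can_assign(["AccountingClerk"], "CheckApprover"))
```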

Upcoming events:

* Oct. 22: OASIS Identity and Trusted Infrastructure Workshop, Barcelona, Spain.
* Oct. 22-25: Catalyst Europe, Barcelona, Spain.
* Nov. 5–6: Defrag, Denver, Colo.

Check the upcoming events calendar at the Identity Management Journal and let me know of any I’ve overlooked.


Contact the author:

Dave Kearns is the editor of IdM, the Journal of Identity Management, as well as a consultant to both vendors and users of IdM technologies. He's written a number of books including the (sadly) now out of print "Complete Guide to eDirectory." His other musings can be found at the Virtual Quill, an Internet publisher which provides content services to network vendors: books, manuals, white papers, lectures and seminars, marketing, technical marketing and support documents. Virtual Quill provides "words to sell by..." Find out more by e-mail. Comments to this newsletter can be e-mailed to Dave here.
Network World, Inc., 118 Turnpike Road, Southborough, MA 01772

Copyright Network World, Inc., 2007