Role-Based Access Control (RBAC) Approach for Defense-in-Depth • Peter Leight and Richard Hammer • August 2006

Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

Role-Based Access Control (RBAC) Approach for Defense-in-Depth

• What is Role-Based Access Control (RBAC)?

• What are the advantages to implementing RBAC?

• What are the challenges to implementing RBAC?

• How can RBAC be used as a framework for defense in Depth?

• How will the RBAC implementation standard help?

Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

What is RBAC?

• Role-Based Access Control • Permission to perform an operation on an object is assigned to roles, not to users • Users are assigned to roles • Roles are assigned permissions • Users acquire their permissions based on the roles they are assigned Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

RBAC is Many-to-Many

• Users may be assigned many roles • Roles may have many users assigned to them • Roles may be assigned to many other roles • Roles may be assigned many permissions • Permissions may be assigned to many roles • Permissions may be granted to perform many different types of operations on an object Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

RBAC Flow Diagram

Re ad /W rit e Financial Data nly ad /O Re Role: Team Leader Role: Finance Department be em M be M em Role: Engineer Team Leader Joe Mary Jim Me mb er Project Data Role: Engineer Sam M Jill Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

What are the Advantages of RBAC?

• Once implemented RBAC simplifies system administration • Strong support for separation of duties • Good auditing support • Considered best practice by many Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

RBAC Simplifies System Administration

• When a user changes positions – Her roles are changed to reflect her new position – Her replacement is assigned her old roles – No need to remove user’s old access on each object • If roles are well defined, the system administrator only needs to add a user to their assigned roles and the user has access to all the resources they require to complete their job Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

Separation of Duties

• Manages conflict of interest policy • Reduces chances of fraud • Spreads critical duties across roles and in turn users • RBAC has built-in support for: – Static Separation of duties (SSD) – Dynamic Separation of duties (DSD) Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

RBAC Improves Auditing

• User, role, and permission reviews are built into RBAC • Much easier to determine if an object should be accessed from a role instead of a person – Should Jane access the payroll object? ???

– Should the hotdog vendors role access the payroll object? NO !

Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

Challenges Implementing RBAC

• Policy must be clearly defined or RBAC breaks down completely – Roles must be created that reflect business needs – Permissions for roles to access objects must be determined – Membership is each role must be determined • Up-front work requires a lot of time and effort • RBAC standards have not resulted in compatible vendor implementations Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

RBAC as a DiD Framework

• Extend the concept of a user to include: – Computers or networks – Agents (ex. Web front end accessing a database) • Permission is approval to access or perform some action on an object • Objects extended to include: – Data, databases or information container – Computers, networks or network resources – Programs or applications Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

RBAC for Network Design

• Use RBAC as the access mechanism for your entire network infrastructure – Routers – Firewalls – VPNs – VLANS – Servers • Granular access controls can ensure all parameters are correct before access is granted – Joe might have access to financial data, but not from the wireless VLAN (Sensitive finance data should only be accessible from the office VLAN) – Sally might have access to all external Internet sites, but only from her assigned IP address (HR determines lewd content of website but not from out in the cubicles) Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

Server Access Control

• RBAC allows granular access control to server resources based on roles • Servers can use RBAC to control access – Documents or document containers – Resources (Printers, CDs, USB Ports, etc.) – Applications (Database, WWW, FTP, etc.) • Applications can restrict what data or reports a role can access Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

RBAC Standards

• Proposed NIST Standard for Role-Based Access Control (2001) – Users, roles, permissions, operations, objects – Core and Hierarchical RBAC – Separation of duties – Administrative functions, supportive System functions, review functions • ANSI/INCITS 359 - 2004 • Draft NIST Role Based Access Control Implementation Standard - 2006 Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

How the Standard Will Help

• It will give vendors a common model and language • Will supply functional requirements that vendors must implement to become RBAC compliant • Will help consumers choose products • Will help products become interoperable Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

Conclusion

• RBAC is a great defense in depth model • RBAC requires policy to be clearly defined before implementation • RBAC does reduce system administration duties once implemented • RBAC improves auditing and facilitates separation of duties • An implementation standard is required before RBAC can fully realize its potential as a approach to defense-in-depth Security Leadership Essentials – Defense-in-Depth – © 2006 SANS