Role Up-Role Up

At 3 separate meetings this week I have been posed the same questions, “who looks after this roles stuff when its deployed and you guys leave site?” Its a really good question, after all its not just role management (normally part of the IAM team) we are talking about, but also identity compliance (normally part of the audit team).

Its possibly best to work out where this technology and the responsibilities best sit. In my opinion it should be firmly within the Identity Management Team/Practice. Most of the larger organisations now have fully esatblished teams that are dealing with the challenges of IAM, roles are a logical extension to their remit. Additionally the IAM teams are already interfacing with the whole business not just the IT folks and that’s particularly relevant with roles and identity compliance.

So great we can firmly place the person within the IAM team reporting to head of practise, but what about a person profile? The person will be a strange and unique mix of skills, they must understand IAM, not necessarily on a technical level but all the concepts and challenges, they must be fully aware of security concepts, someone CISSP or of that ilk. The individual must have a sound business mind and be capable of interfacing with the business on all levels. They must have a very good understanding around compliance, in finance be SOX aware, in health be HIPPA aware, etc, etc. Technical ability of the person is very subjective, a grounding and high level appreciation would be sufficient as my perception is this person would direct the technicalities of things and employ a hands on technical resource to facilitate the data crunching side.

The right calibre of person is out there, they might not have all the skills as the technology is relatively new, but an individual with the right aptitude and attitude will easily adapt to the challenges of the roles animal.

Dr. Horst Walther has written about the rigidity of roles “Roles are the Organisation“. It’s an interesting piece and one that I do not totally agree on, He writes:

“If you run a company merely ad hoc and a role model is considered as an unnecessarily rigid structure imposed on top of a fluid ecosystem that reinvents itself at every very moment-O.K, in this case forget about role models”.

In my opinion all organisations have their own ecosystems, they appear to be and indeed are organic dynamic entities, in today’s highly competitive commercial environments they have to be. So as Dr. Walther writes, if we apply a rigid role structure to an organisation it can start to become restrictive and could be potentially damaging to the organisation.

At Vaau we have taken a much more flexible pragmatic approach that enables an organisation to continue to be fluid whilst at the same time offers the ability to adopt a hybrid ad-hoc approach to role management with a role model that works and is manageable. Using Pareto law(80/20) and proven experience you bank on 80% of roles within an organisation to be pretty much static and may only need re-visiting as and when applications are introduced or retired or post some kind of re-org, that is to say entitlements, permissions, resource allocation(terminology) for that role will not change.

The issue becomes more profound for that 20% of roles that will be constantly moving targets, Vaau offer the ability for dynamic roles and further to that have the ability to add context restraints to a role based on a certain time period for example. This approach enables entitlements to be granted or removed from a user on an ad-hoc basis without massive time lags and more importantly without breaking anything.

The natural assumption is that dynamic roles disrupt the entire automation process and as such would create huge compliance issues for most constraints for global competition. To negate this very issue Vaau have developed a process called summarisation. It sounds complex but it is very logical and extremely well thought out.

As and when users are given additional entitlements or have entitlements revoked, this information is captured in the RBACx Identity Warehouse, when the time comes for attestation the information in the Identity Warehouse is compared against that within the role management module, attesters are then presented with the role that the user has sufficient entitlements to qualify for a role the attester is presented with a breakdown of entitlements, without role association.

This approach allows for dynamic ecosystems within organisations and also ensures full compliance via summarisation by certifying “who has access to what” and capturing “who says they can have access”.

Regardless of the dynamics of an organisation, a good solid role management tool should be considered a business enabler rather than a restrictive disabler.