E-RBAC Development - A Risk Based Security Architecture Approach


Published on

Deploying Enterprise based RBAC across disparate business applications using SABSA to define and support strategy for development.

Published in: Technology, Business

E-RBAC Development - A Risk Based Security Architecture Approach

  1. 1. A Risk Based Security Architecture Approach By Femi Ashaye Developing Enterprise Role Based Access Control
  2. 2. Introduction Business Operating Model Business Roles RelationshipsPeopleInformation Flow New Business Processes Customer Application Manage Customer Account Manage Error Transaction Terminate Customer Manage Credit New Business Applications CRM ERP BI SCM Legacy Online Service  Business driver to improve an organizations’ customer payment experience through new business processes and technology.
  3. 3. Requirement and Challenge  Provide rapid and reliable access to business support users across the disparate and new business applications (CRM, ERP, SCM; etc) supporting the business processes.  IT challenges identified: • Operational risk arising from new business processes and use of supporting application • Consideration for data privacy laws and regulatory requirements typically SoX and PCI-DSS.  Proposed a security strategy for developing an Enterprise based RBAC (Role Based Access Control), as part of security services, using a Risk Based Security Architecture to address major part of the challenges.
  4. 4.  Enterprise Role Based Access Control • Regulates access to IT resources based on business functional roles and control requirements.  Risk Based Approach • Risk management process identifies, assess and prioritize risk based on understanding of likelihood of events occurring and impact to the business. • Risk assessment provides initial understanding of type and level of control requirements to address risk.  Enterprise Security Architecture • Risk driven strategic approach to align business goals, objectives and drivers with security requirements. • Security Architecture proposed is SABSA. • Based on Zachman Framework • SABSA incorporates ISO27000s; ITIL; CoBIT etc. to drive strategy. • Development process covered by SABSA Lifecycle: Strategy & Concept > Design > Implement > Manage and Measure Strategy Overview
  5. 5. Enterprise Role Based Access Control  Enterprise RBAC Model Relationship User Role Role Hierarchy Participates In Executed by Includes Supportedby M :N M :N 1 : M M:N M:N Performs Ownedby Assignedto User/Role Constraint (SoD; Hierarchy) Organisation Business Process Job Function (Task Level) Permission (Access Operations On Resources) 1 : M
  6. 6.  Example IT risk management process (based on ISO 27005:2008) including risk assessment. Context Establishment Risk Assessment RiskCommunication Risk Treatment Plan (inc Acceptance) MonitorRiskandImprove RiskManagementProcess Risk Based Approach
  7. 7. Data Privacy Laws • PCI, HIPAA • ISO 27001:2005 • ISO 27002:2005 • ISO 27005:2008 • ISO 27035:2011 • CobiT • DPA, SoX.. Enterprise Security Architecture Design • Develop security service and solution based on risk output Manage & Measure • Review risk output from solution against business objectives and security performance targets. Strategy & Concept • Establish Context • Risk Assessment • Derive Control Objective Implement • Implement and operate security service and solution •Contextual •Conceptual •Logical •Physical •Component •Operational Output: Security service is agreed as part of risk treatment plan. Output: Information relevant to output of the acceptable risk against business requirements is captured Output: Risk is prioritised after evaluation of its impact to the business goals and objectives Output: Successful and failed output from risk treatment plan is captured  SABSA lifecycle process
  8. 8. Business Drivers. Select Business Attribute(s) Define Business Attribute Define Metric Type Define Measurement Approach Define Security Performance Target Assess Risks and Define Control Objective Define Security Strategies Design Security Services Implement Security Controls, Processes and Systems Collect, Report & Evaluate Metrics SABSA Delivery Strategy and Concept Design Implement Manage & Measure
  9. 9.  Security strategy for developing Enterprise RBAC SABSA Layer SABSA Approach SABSA Lifecycle Enterprise RBAC Development Contextual Business Strategy Strategy and Concept Business Drivers (e.g. PCI-DSS Requirement 7.1); Business Role; Business Processes; Risk Assessment; Business Attributes Conceptual Security Strategy Strategy and Concept Control Objectives (e.g. ensure data-integrity); Business Attributes Profile Logical Security Service Design Security Policies; SoD process; AuthZ Service; Functional Role Mapping Physical Security Mechanism Design Identity and Access Management process and mechanism. Component Security Products & Tools Design Application RBAC System; Operational Security Service Management Design User and Access Management Support Enterprise RBAC Strategy  Implement covers enterprise to application role mapping and permission implementation.  Manage and Measure covers RBAC effectiveness against control objectives and compliance requirement.
  10. 10. Business Process Business Process Activities Jobs Control ObjectivesAssessed Risk Business Drivers Functional Roles (Application resource permission) Business Process Activity Tasks supported by Application Business drivers supported by any one of identified high level business processes. Specific departmental jobs (Business roles) created as part of organisation structure to support business process activities. Risk assessed against business process to obtain likelihood of threat and impact to business Functional roles created to carry out specific activity tasks/permissions based on business process and control objectives. Control objectives obtained to address Risk. Enterprise RBAC Development
  11. 11. Enterprise RBAC Development (cont’d…) Transaction To Payment Manage Error Transactions Ensure all our customers transactions are correctly processed (Integrity-Assured) Transaction Analyst • Manage Disputed Transactions (Role X) • Perform Dispute Resolution (Role Y) Action to resolve error transaction is unauthorised leading to potential fraud • Open Error Transactions screen • Search for relevant transaction • Submit transaction for Validation • Reinstate Transaction • Write Off Transaction  An enterprise RBAC developed through interplay between control objectives and business drivers, using risks analyzed against existing business processes. Employee validating the transaction cannot authorise changes to the same transaction.
  12. 12. Ensure all our customers transactional information are correctly processed in the system. Integrity-Assured Integrity of information should be protected to provide assurance it has not suffered unauthorised modification. Hard Metric – Reporting of all incidents of compromise. Number of incidents per period, severity and type of compromise. Measure the number of incidents per period and classify each incident by type and severity. Set targets for risk appetite. Max # of allowable modification (=0); Set reporting & analysis of incidents by type and severity. Greenfield Exercise. Risks to assets is identified. Integrity based control objectives derived from business attributes and risk. Define access controls against control objectives to protect against unauthorised modification of information Test and execute the security services and access controls to enforce integrity assurance requirements. Monitor control effectiveness based on targets. Number of actual modification; Reporting time for, & analysis of, incidents. Enterprise RBAC Delivery Strategy and Concept Design Implement Manage & Measure Assess existing security state against control objectives. Measure security state against risk appetite and desired state.
  13. 13. Conclusion Business Operating Model Business Roles RelationshipsPeopleInformation Flow New Business Processes Customer Application Manage Error Transaction Terminate Customer Manage Credit Manage Customer Account New Business Applications CRM ERP BI SCM Legacy Online Service Risk Assessment Functional Roles Test Role Audit Role Control Objectives Audit Access RBAC Development and Management Risk Assessment Functional Roles Test Role Audit Role Control Objectives Audit Access
  14. 14.  Business able to determine acceptable risk treatment plan to treat RBAC control objectives (constraints) like Separation of Duty conflicts based on business risk level and business impact.  Business process change or improvement enabled through risk assessment exercise.  Build team able to quickly deploy application capability to manage control requirements or compensating controls as alternative.  Quick and correct on boarding of business users into appropriate application groups for business readiness.  Service user access determined using similar strategy through alignment with Service Design.  Real-time risk analysis and security performance target measurement through security event monitoring supported by: • IDAM deployed for controlling role and user life cycle management. • Ability to capture role and user access related events enables feedback for risk assessment and incident report and analysis. Conclusion (cont’d...)
  15. 15.  Risk Driven Security Architecture for Enterprise RBAC: • Strengthen risk posture of the organisation in relation to data access and compliance requirements. • Traceability of RBAC requirements to address business goals, objectives and drivers through risk assessment, risk treatment plan and risk improvement. Thank You. Conclusion (cont’d...)