The world of data has become steadily less secure as company after company experiences intrusions into its IT systems and theft of intellectual property. Sometimes those thefts include sensitive information about customers: their names, credit card information, and even Social Security numbers. Those are the breaches that make the news. But far more frequent, and less publicized, are the attacks that abscond with information that is more valuable to the company and more likely to lead to financial problems.
Information such as customer lists, project documents, marketing plans, and personnel files is of little use to the general hacker community. It is, however, a prime target for competitors or even disgruntled employees who want to create chaos or profit by selling corporate intelligence. Segmenting access privileges to company information according to employees' roles, otherwise known as role-based access control (RBAC), lets administrators efficiently grant access to information appropriate to an employee's job function. Conversely, employees are restricted from accessing data unnecessary to their work.
There are several reasons to implement role-based security beyond basic security concerns, including separation of duties, compliance with legal regulations, and preparation for disaster recovery. But possibly the most important for IT is the ease with which RBAC allows access to be assigned. Rather than assessing each new employee's need for access based on the wishes of their manager, specific role types are established and applied to staff members.
Assigning predefined profiles to employees gives new hires immediate access to the computing facilities they need while keeping them away from what they don't. The actual assignments can be made by staff who themselves have restricted permissions. For example, an HR staff member can be granted permission to assign access based on a new hire's employment profile even though that HR staffer has a lower level of access than the person they are assigning. Safeguards within the system can alert IT to assignments beyond predefined levels so that their appropriateness can be verified before they take effect. These functions should be built into the RBAC system as a second-level check, invoked only when certain higher levels of access are being assigned.
When special circumstances require additional access to specific information, those permissions can be added to the existing role's profile definition. The change can be applied to a single individual only, or propagated to all employees assigned to that role. Similarly, access can be removed from specific roles, affecting either an individual or the entire role population.
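The two preceding paragraphs describe a concrete mechanism: roles carry permission sets, a low-privilege assigner can hand out roles, assignments of sensitive roles are held for IT review before they take effect, and permission changes can be scoped to one person or to a whole role. The following is an added example illustrating that mechanism in Python; it is not code from the article or from any product it describes, and every role name, permission string, user name, sensitivity level and review threshold is a constructed assumption for illustration.

```python
# Added example (not the article's own code): a toy RBAC service demonstrating
# delegated role assignment with an IT review gate for sensitive roles, and
# permission changes applied to one individual or to a whole role. All role
# names, permission strings and user names are constructed for illustration.

ROLE_PERMISSIONS = {
    "employee": {"read:handbook"},
    "hr":       {"read:handbook", "read:personnel", "assign:roles"},
    "engineer": {"read:handbook", "read:project_docs"},
    "finance":  {"read:handbook", "read:ledger", "read:customer_list"},
    "it_admin": {"read:handbook", "assign:roles", "review:assignments"},
}
# Sensitivity level per role (constructed); assignments at or above the threshold
# are parked for IT review before they take effect (the "second-level check").
SENSITIVITY = {"employee": 1, "hr": 2, "engineer": 2, "finance": 3, "it_admin": 4}
REVIEW_THRESHOLD = 3


class RBAC:
    def __init__(self):
        self.role_perms = {r: set(p) for r, p in ROLE_PERMISSIONS.items()}
        self.user_roles = {}    # user -> roles held
        self.user_extra = {}    # user -> permissions granted to this person only
        self.user_denied = {}   # user -> permissions removed from this person only
        self.pending = []       # (assigner, user, role) awaiting IT review

    def seed(self, user, role):
        # Bootstrap assignment made directly by IT at setup time (no review gate).
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, user):
        """Effective rights: role permissions, plus personal grants, minus personal revocations."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms[role]
        perms |= self.user_extra.get(user, set())
        return perms - self.user_denied.get(user, set())

    def can(self, user, perm):
        return perm in self.permissions(user)

    def assign_role(self, assigner, user, role):
        """Assigner needs only 'assign:roles' and may hand out roles with more access
        than its own; sensitive roles are held until IT approves them."""
        if not self.can(assigner, "assign:roles"):
            raise PermissionError(f"{assigner} may not assign roles")
        if SENSITIVITY[role] >= REVIEW_THRESHOLD:
            self.pending.append((assigner, user, role))
            return "pending_review"
        self.user_roles.setdefault(user, set()).add(role)
        return "assigned"

    def review(self, reviewer, approve):
        """IT decides the oldest pending assignment; it takes effect only if approved."""
        if not self.can(reviewer, "review:assignments"):
            raise PermissionError(f"{reviewer} may not review assignments")
        assigner, user, role = self.pending.pop(0)
        if approve:
            self.user_roles.setdefault(user, set()).add(role)
        return approve

    def grant(self, role, perm, only_user=None):
        """Add a permission for one member of the role, or for every member."""
        if only_user is None:
            self.role_perms[role].add(perm)
            return
        if role not in self.user_roles.get(only_user, ()):
            raise ValueError(f"{only_user} does not hold role {role!r}")
        self.user_denied.get(only_user, set()).discard(perm)
        self.user_extra.setdefault(only_user, set()).add(perm)

    def revoke(self, role, perm, only_user=None):
        """Remove a permission from one member of the role, or from every member."""
        if only_user is None:
            self.role_perms[role].discard(perm)
            return
        if role not in self.user_roles.get(only_user, ()):
            raise ValueError(f"{only_user} does not hold role {role!r}")
        self.user_extra.get(only_user, set()).discard(perm)
        self.user_denied.setdefault(only_user, set()).add(perm)


def demo():
    """Walk through the article's scenarios and return what was observed."""
    rbac = RBAC()
    rbac.seed("ida", "it_admin")     # IT administrator
    rbac.seed("hank", "hr")          # HR staffer who onboards new hires
    out = {}
    # Low-sensitivity role: takes effect immediately.
    out["eng_assign"] = rbac.assign_role("hank", "erin", "engineer")
    out["erin_docs"] = rbac.can("erin", "read:project_docs")
    # Finance has more access than HR; HR may still assign it, but only after IT review.
    out["fin_assign"] = rbac.assign_role("hank", "fred", "finance")
    out["fred_before"] = rbac.can("fred", "read:ledger")
    rbac.review("ida", approve=True)
    out["fred_after"] = rbac.can("fred", "read:ledger")
    # Exception for one person versus a change propagated to the whole role.
    rbac.seed("evan", "engineer")
    rbac.grant("engineer", "read:customer_list", only_user="erin")
    rbac.grant("engineer", "read:build_logs")
    out["erin_customers"] = rbac.can("erin", "read:customer_list")
    out["evan_customers"] = rbac.can("evan", "read:customer_list")
    out["evan_build"] = rbac.can("evan", "read:build_logs")
    return out
```

The review queue is the "safeguard" the article describes: the assignment is recorded but has no effect on `permissions()` until a holder of `review:assignments` approves it, so an HR staffer can onboard a finance hire without ever holding finance access themselves. Individual exceptions are stored separately from the role definition, which keeps a one-off grant from silently widening access for everyone in the role.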
Every company needs varying levels of security based on the sensitivity of its information and on which users need to access it. IT's best tool for keeping information in the right hands and out of the wrong ones is a role-based access control system.
Scott Koegler is a technology journalist with 20 years’ experience writing about business, computing and technology topics. He publishes the supply chain journal http://ec-bp.com. He was CIO for 3 mid-sized companies for a total of 15 years and that experience has provided an important perspective for his journalistic contributions. His work with developers, marketing, business processes, and C-level executives has allowed him to focus on the intersection of business and technology.