Role-Based Access Control (RBAC) Approach for Defense-in-Depth • August 2006

Role-Based Access Control (RBAC) Approach for Defense-in-Depth
• Peter Leight and Richard Hammer
• August 2006
Security Leadership Essentials – Defense-in-Depth – © 2006 SANS
Role-Based Access Control (RBAC) Approach for Defense-in-Depth
• What is Role-Based Access Control (RBAC)?
• What are the advantages to implementing RBAC?
• What are the challenges to implementing RBAC?
• How can RBAC be used as a framework for defense-in-depth?
• How will the RBAC implementation standard help?
What is RBAC?
• Role-Based Access Control
• Permission to perform an operation on an object is assigned to roles, not to users
• Users are assigned to roles
• Roles are assigned permissions
• Users acquire their permissions based on the roles they are assigned
RBAC is Many-to-Many
• Users may be assigned many roles
• Roles may have many users assigned to them
• Roles may be assigned to many other roles
• Roles may be assigned many permissions
• Permissions may be assigned to many roles
• Permissions may be granted to perform many different types of operations on an object
RBAC Flow Diagram
[Figure: RBAC flow diagram. Users shown: Mary, Joe, Sam, Jim, Jill. Roles shown: Engineer, Engineer Team Leader, Team Leader, Finance Department. Objects shown: Financial Data, Project Data. Users are connected to roles by "Member" edges, and roles are connected to objects by permission edges labelled Read, Read Only and Read/Write.]
What are the Advantages of RBAC?
• Once implemented, RBAC simplifies system administration
• Strong support for separation of duties
• Good auditing support
• Considered best practice by many
RBAC Simplifies System Administration
• When a user changes positions
– Her roles are changed to reflect her new position
– Her replacement is assigned her old roles
– No need to remove the user’s old access on each object
• If roles are well defined, the system administrator only needs to add a user to their assigned roles and the user has access to all the resources they require to complete their job
Separation of Duties
• Manages conflict of interest policy
• Reduces chances of fraud
• Spreads critical duties across roles and in turn users
• RBAC has built-in support for:
– Static Separation of Duties (SSD)
– Dynamic Separation of Duties (DSD)
RBAC Improves Auditing
• User, role, and permission reviews are built into RBAC
• Much easier to determine if an object should be accessed from a role instead of a person
– Should Jane access the payroll object? ???
– Should the hotdog vendors role access the payroll object? NO!
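The model of the preceding slides, users assigned to roles, roles assigned permissions on objects, roles assigned to other roles, the SSD and DSD constraints, and the role-level and user-level reviews the auditing slide describes, as an added Python example. This is not code from the SANS deck; the user, role and object names follow the flow diagram, while the Auditor and Project Reviewer roles and the SSD/DSD pairs are assumptions added for illustration.

```python
"""Added example (not from the SANS deck): a minimal RBAC engine with
users -> roles -> permissions, role-to-role inheritance, SSD/DSD constraints
and the review functions an auditor needs."""
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.user_roles = defaultdict(set)  # user -> roles assigned to that user
        self.role_perms = defaultdict(set)  # role -> {(operation, object)}
        self.inherits = defaultdict(set)    # senior role -> junior roles whose permissions it inherits
        self.ssd = set()                    # {frozenset({r1, r2})}: a user may never hold both
        self.dsd = set()                    # {frozenset({r1, r2})}: a session may never activate both

    def grant(self, role, operation, obj):
        self.role_perms[role].add((operation, obj))

    def inherit(self, senior, junior):
        self.inherits[senior].add(junior)

    def add_ssd(self, r1, r2):
        self.ssd.add(frozenset((r1, r2)))

    def add_dsd(self, r1, r2):
        self.dsd.add(frozenset((r1, r2)))

    def assign(self, user, role):
        """Static separation of duties is enforced at assignment time."""
        for held in self.user_roles[user]:
            if frozenset((held, role)) in self.ssd:
                raise ValueError(f"SSD violation: {user} cannot hold both {held!r} and {role!r}")
        self.user_roles[user].add(role)

    def effective_roles(self, roles):
        """Expand a role set with every junior role it inherits from, transitively."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.inherits[role])
        return seen

    def permissions(self, roles):
        return {p for r in self.effective_roles(roles) for p in self.role_perms[r]}

    def check(self, user, operation, obj, active=None):
        """Access decision. `active` is the set of roles activated in this session
        (dynamic separation of duties applies there); None activates all assigned roles."""
        roles = self.user_roles[user] if active is None else set(active) & self.user_roles[user]
        if active is not None:
            for pair in self.dsd:
                if pair <= roles:
                    raise ValueError(f"DSD violation: session activates both of {sorted(pair)}")
        return (operation, obj) in self.permissions(roles)

    def roles_with_access(self, operation, obj):
        """Permission review: roles able to perform `operation` on `obj`, directly or by inheritance."""
        known = set(self.role_perms) | set(self.inherits) | {r for rs in self.user_roles.values() for r in rs}
        return {r for r in known if (operation, obj) in self.permissions({r})}

    def users_with_access(self, operation, obj):
        """User review: users who could perform `operation` on `obj` with all their roles active."""
        return {u for u in list(self.user_roles) if self.check(u, operation, obj)}


def build_example():
    """Constructed policy mirroring the deck's diagram. Users, roles and objects use the
    deck's names; the Auditor / Project Reviewer roles and the SSD/DSD pairs are assumptions."""
    rbac = RBAC()
    rbac.grant("Engineer", "read", "Project Data")
    rbac.grant("Team Leader", "write", "Project Data")
    rbac.grant("Finance Department", "read", "Financial Data")
    rbac.grant("Finance Department", "write", "Financial Data")
    rbac.inherit("Engineer Team Leader", "Engineer")  # the senior role inherits the junior's permissions
    rbac.inherit("Engineer Team Leader", "Team Leader")
    rbac.add_ssd("Finance Department", "Auditor")     # assumption: nobody may hold both
    rbac.add_dsd("Engineer", "Project Reviewer")      # assumption: never active in the same session
    rbac.assign("Mary", "Engineer")
    rbac.assign("Joe", "Engineer Team Leader")
    rbac.assign("Sam", "Finance Department")
    rbac.assign("Jim", "Engineer")
    rbac.assign("Jim", "Project Reviewer")
    rbac.assign("Jill", "Team Leader")
    return rbac


if __name__ == "__main__":
    rbac = build_example()
    print("Joe write Project Data:", rbac.check("Joe", "write", "Project Data"))      # True, via inheritance
    print("Mary read Financial Data:", rbac.check("Mary", "read", "Financial Data"))  # False
    print("Roles that read Financial Data:", rbac.roles_with_access("read", "Financial Data"))
```

The auditing question on the slide is answered by `roles_with_access`: reviewing which roles can reach an object is a short list, whereas reviewing every person individually is not. `assign` refuses an SSD-conflicting role up front, and `check` refuses a session that activates a DSD pair, so both constraints are enforced by the engine rather than by procedure.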
Challenges Implementing RBAC
• Policy must be clearly defined or RBAC breaks down completely
– Roles must be created that reflect business needs
– Permissions for roles to access objects must be determined
– Membership in each role must be determined
• Up-front work requires a lot of time and effort
• RBAC standards have not resulted in compatible vendor implementations
RBAC as a DiD Framework
• Extend the concept of a user to include:
– Computers or networks
– Agents (e.g. a Web front end accessing a database)
• Permission is approval to access or perform some action on an object
• Objects extended to include:
– Data, databases or information containers
– Computers, networks or network resources
– Programs or applications
RBAC for Network Design
• Use RBAC as the access mechanism for your entire network infrastructure
– Routers
– Firewalls
– VPNs
– VLANs
– Servers
• Granular access controls can ensure all parameters are correct before access is granted
– Joe might have access to financial data, but not from the wireless VLAN (sensitive finance data should only be accessible from the office VLAN)
– Sally might have access to all external Internet sites, but only from her assigned IP address (HR may need to review websites for lewd content, but not from out in the cubicles)
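The Joe and Sally cases above, as an added Python example (not code from the SANS deck): the request's source network becomes one of the parameters that must be satisfied before access is granted, and the condition lives on the permission rather than on the user. The VLAN address blocks, Sally's address, the "HR Content Reviewer" and "Staff" roles and the audit line format are all assumptions made for illustration.

```python
"""Added example (not from the SANS deck): an RBAC decision whose permissions
carry a network condition, so Joe reaches financial data only from the office
VLAN and Sally reaches external sites only from her assigned address.
All zones, addresses, roles and objects are constructed."""
import ipaddress

# Constructed network zones (VLAN name -> address block).
ZONES = {
    "office_vlan": ipaddress.ip_network("10.10.0.0/24"),
    "wireless_vlan": ipaddress.ip_network("10.20.0.0/24"),
}


def from_zone(zone):
    """Condition: the request must originate inside the named zone."""
    return lambda ctx: ctx["source"] in ZONES[zone]


def from_address(addr):
    """Condition: the request must originate from exactly this address."""
    fixed = ipaddress.ip_address(addr)
    return lambda ctx: ctx["source"] == fixed


def anywhere(ctx):
    """Condition that accepts any source."""
    return True


# Role -> list of (operation, object, condition). The condition is the extra
# parameter the slide refers to; it belongs to the permission, not to the user.
ROLE_PERMS = {
    "Finance Department": [("read", "Financial Data", from_zone("office_vlan"))],
    "HR Content Reviewer": [("browse", "External Internet", from_address("10.10.0.77"))],
    "Staff": [("browse", "Approved Internet", anywhere)],
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "Joe": {"Finance Department", "Staff"},
    "Sally": {"HR Content Reviewer", "Staff"},
}

AUDIT_LOG = []  # one line per decision, recording which role (if any) granted access


def decide(user, operation, obj, source_ip):
    """Return (allowed, granting_role). Access is granted only if some role of the
    user holds a matching permission whose network condition the request satisfies."""
    ctx = {"source": ipaddress.ip_address(source_ip)}
    for role in sorted(USER_ROLES.get(user, ())):
        for op, target, condition in ROLE_PERMS.get(role, ()):
            if op == operation and target == obj and condition(ctx):
                AUDIT_LOG.append(f"ALLOW user={user} role={role} op={operation} obj={obj!r} src={source_ip}")
                return True, role
    AUDIT_LOG.append(f"DENY user={user} op={operation} obj={obj!r} src={source_ip}")
    return False, None


if __name__ == "__main__":
    print(decide("Joe", "read", "Financial Data", "10.10.0.5"))         # (True, 'Finance Department')
    print(decide("Joe", "read", "Financial Data", "10.20.0.5"))         # (False, None): wireless VLAN
    print(decide("Sally", "browse", "External Internet", "10.10.0.78"))  # (False, None): not her address
    print("\n".join(AUDIT_LOG))
```

Because the network condition is part of the permission, the same policy can be pushed to a firewall or VLAN ACL and to the server: both enforce the same role-based statement, which is the point of using RBAC as the common model across the infrastructure list above.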
Server Access Control
• RBAC allows granular access control to server resources based on roles
• Servers can use RBAC to control access to
– Documents or document containers
– Resources (printers, CDs, USB ports, etc.)
– Applications (database, WWW, FTP, etc.)
• Applications can restrict what data or reports a role can access
RBAC Standards
• Proposed NIST Standard for Role-Based Access Control (2001)
– Users, roles, permissions, operations, objects
– Core and Hierarchical RBAC
– Separation of duties
– Administrative functions, supportive system functions, review functions
• ANSI/INCITS 359-2004
• Draft NIST Role Based Access Control Implementation Standard (2006)
How the Standard Will Help
• It will give vendors a common model and language
• Will supply functional requirements that vendors must implement to become RBAC compliant
• Will help consumers choose products
• Will help products become interoperable
Conclusion
• RBAC is a great defense-in-depth model
• RBAC requires policy to be clearly defined before implementation
• RBAC does reduce system administration duties once implemented
• RBAC improves auditing and facilitates separation of duties
• An implementation standard is required before RBAC can fully realize its potential as an approach to defense-in-depth