e-RBAC development - a risk based security architecture approach
DESCRIPTION
Deploying Enterprise based RBAC across disparate business applications using SABSA to define and support strategy for development.
TRANSCRIPT
A Risk Based Security Architecture
Approach
By Femi Ashaye
Developing Enterprise Role Based Access Control
Introduction
Retail Business Organisational Structure
Business Roles; Relationships; People; Information Flow
New Business Processes
Customer Application
Manage Customer Account
Manage Error Transaction
Terminate Customer
Manage Credit
New Business Applications
CRM; ERP; BI; SCM; Legacy; Online Service
Business driver: to improve an organisation's customer payment
experience through new business processes and technology.
Requirement and Challenge
Provide rapid and reliable access for business support users across the
disparate and new business applications (CRM, ERP, SCM, etc.)
supporting the business processes.
IT challenges identified:
• Operational risk arising from new business processes and the use of
the supporting applications
• Consideration of data privacy laws and regulatory requirements,
typically SOX and PCI-DSS.
Proposed a security strategy for developing an Enterprise based RBAC
(Role Based Access Control), as part of the security services, using a Risk
Based Security Architecture to address the major part of these challenges.
Enterprise Role Based Access Control
• Regulates access to IT resources based on business functional roles and control requirements.
Risk Based Approach
• The risk management process identifies, assesses and prioritises risk based on an understanding of the likelihood of events occurring and their impact on the business.
• Risk assessment provides an initial understanding of the type and level of control requirements needed to address the risk.
Enterprise Security Architecture
• A risk driven strategic approach to align business goals, objectives and drivers with security requirements.
• The Security Architecture proposed is SABSA.
• Based on the Zachman Framework.
• SABSA incorporates the ISO 27000 series, ITIL, COBIT etc. to drive strategy.
• The development process is covered by the SABSA Lifecycle: Strategy & Concept > Design > Implement > Manage and Measure.
Strategy Overview
Enterprise Role Based Access Control
Enterprise RBAC Model Relationship
[Diagram: Enterprise RBAC Model Relationship]
Entities: User; Role; Role Hierarchy; User/Role Constraint (SoD; Hierarchy); Organisation; Business Process; Business Function (Task); Permission (Access Operations On Resources)
Relationship labels: Assigned to; Participates In; Owned by; Performs; Includes; Executed by; Supported by
Cardinalities shown: M:N and 1:M
Example IT risk management process (based on ISO 27005:2008), including risk assessment.
[Diagram: Context Establishment > Risk Assessment > Risk Treatment Plan (inc Acceptance); Risk Communication and Monitor Risk and Improve Risk Management Process are shown alongside the main flow.]
Risk Based Approach
Data Privacy Laws
• PCI, HIPAA
• ISO 27001:2005
• ISO 27002:2005
• ISO 27005:2008
• ISO 27035:2011
• CobiT
• DPA, SOX
Enterprise Security Architecture
SABSA lifecycle process (across the SABSA layers: Contextual; Conceptual; Logical; Physical; Component; Operational)
Strategy & Concept
• Establish Context
• Risk Assessment
• Derive Control Objective
Design
• Develop security service and solution based on risk output
Implement
• Implement and operate security service and solution
Manage & Measure
• Review risk output from solution against business objectives and security performance targets.
Outputs shown in the diagram:
• Information relevant to the output of the acceptable risk against business requirements is captured
• Risk is prioritised after evaluation of its impact to the business goals and objectives
• Security service is agreed as part of the risk treatment plan
• Successful and failed output from the risk treatment plan is captured
SABSA Delivery (Strategy and Concept > Design > Implement > Manage & Measure), starting from the Business Drivers:
• Select Business Attribute(s)
• Define Business Attribute
• Define Metric Type
• Define Measurement Approach
• Define Security Performance Target
• Assess Risks and Define Control Objective
• Define Security Strategies
• Design Security Services
• Implement Security Controls, Processes and Systems
• Collect, Report & Evaluate Metrics
Security strategy for developing Enterprise RBAC
SABSA Layer | SABSA Approach | SABSA Lifecycle | Enterprise RBAC Development
Contextual | Business Strategy | Strategy and Concept | Business Drivers (e.g. PCI-DSS Requirement 7.1); Business Role; Business Processes; Risk Assessment; Business Attributes
Conceptual | Security Strategy | Strategy and Concept | Control Objectives (e.g. SoD); Business Attributes Profile
Logical | Security Service | Design | Security Policies; Authorisation Service; Functional Role Mapping
Physical | Security Mechanism | Design | Identity and Access Management process and mechanism
Component | Security Products & Tools | Design | Application RBAC System
Operational | Security Service Management | Design | User and Access Management Support
Enterprise RBAC Strategy
Implement covers enterprise to application role mapping and permission implementation.
Manage and Measure covers RBAC effectiveness against control objectives and compliance requirements.
[Diagram: Business Drivers > Business Process > Business Process Activities > Jobs; Assessed Risk > Control Objectives; Functional Roles (Application resource permission); Business Process Activity Tasks supported by Application]
• Business drivers are supported by any one of the identified high level business processes.
• Specific departmental jobs (Business roles) are created as part of the organisation structure to support business process activities.
• Risk is assessed against the business process to obtain the likelihood of threat and the impact to the business.
• Control objectives are obtained from the assessed risk.
• Functional roles are created to carry out specific activity tasks/permissions based on the business process and control (i.e. RBAC) objectives.
Enterprise RBAC Development
Enterprise RBAC Development (cont’d…)
Business Process: Transaction To Payment
Business Process Activity: Manage Error Transactions
Business Attribute: Ensure all our customers' transactions are correctly processed (Integrity-Assured)
Job (Business Role): Transaction Analyst
Functional Roles:
• Manage Disputed Transactions (Role X)
• Perform Dispute Resolution (Role Y)
Assessed Risk: Action to resolve an error transaction is unauthorised, leading to potential fraud
Activity Tasks:
• Open Error Transactions screen
• Search for relevant transaction
• Submit transaction for Validation
• Reinstate Transaction
• Write Off Transaction
Control Objective (SoD): The employee validating the transaction cannot authorise changes to the same transaction.
An enterprise RBAC is developed through the interplay between control objectives and
business drivers, using risks analysed against existing business processes.
Business Driver: Protect against deliberate, accidental or negligent corruption of personal information that is processed by the systems.
Business Attribute: Integrity-Assured
Attribute Definition: Integrity of information should be protected to provide assurance that it has not suffered unauthorised modification.
Metric Type: Hard Metric – Reporting of all incidents of compromise. Number of incidents per period, severity and type of compromise.
Measurement Approach: Measure the number of incidents per period and classify each incident by type and severity.
Security Performance Target: Set targets for risk appetite. Max # of allowable modifications (=0); set reporting & analysis of incidents by type and severity.
Enterprise RBAC Delivery
Strategy and Concept: Greenfield exercise. Risks to assets are identified. Integrity based control objectives are derived from business attributes and risk.
Design: Define access controls against control objectives to protect against unauthorised modification of information.
Implement: Test and execute the security services and access controls to enforce integrity assurance requirements.
Manage & Measure: Monitor control effectiveness based on targets. Number of actual modifications; reporting time for, & analysis of, incidents.
Assess the existing security state against control objectives. Measure the security state against risk appetite and desired state.
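The worked "Manage Error Transactions" example above (Role X and Role Y under the Transaction Analyst job, the five activity tasks, the SoD control objective that the validator cannot authorise changes to the same transaction, and the Integrity-Assured hard metric with a target of zero unauthorised modifications) and the Enterprise RBAC Model Relationship from the Strategy Overview, carried through as an added Python example. This is not code from the presentation or from SABSA: the task-to-permission mapping, the split of tasks between Role X and Role Y, the user names and the "detect-only" mode used to show a compensating-control deployment are all assumptions made for illustration.

```python
"""Added example, not code from the presentation: a minimal enterprise RBAC
model for the deck's "Manage Error Transactions" activity, with a dynamic
separation-of-duty (SoD) constraint and the Integrity-Assured hard metric
(unauthorised modifications per period, by type and severity, target = 0).
Role, task and permission contents below are assumptions for illustration."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Business function (task) -> permissions, i.e. (resource, operation) pairs.
# The five tasks come from the deck; the permission mapping is assumed.
TASK_PERMISSIONS = {
    "Open Error Transactions screen": {("error_txn", "read")},
    "Search for relevant transaction": {("error_txn", "read")},
    "Submit transaction for Validation": {("error_txn", "validate")},
    "Reinstate Transaction": {("error_txn", "reinstate")},
    "Write Off Transaction": {("error_txn", "write_off")},
}

# Functional roles (Role X / Role Y in the deck) -> tasks they execute (M:N).
# Which tasks belong to which role is an assumption.
ROLE_TASKS = {
    "Role X": {"Open Error Transactions screen", "Search for relevant transaction",
               "Submit transaction for Validation"},
    "Role Y": {"Open Error Transactions screen", "Search for relevant transaction",
               "Reinstate Transaction", "Write Off Transaction"},
}

# Business role -> functional roles (role hierarchy) and user -> business roles (M:N).
BUSINESS_ROLES = {"Transaction Analyst": {"Role X", "Role Y"}}
USER_ROLES = {"alice": {"Transaction Analyst"}, "bob": {"Transaction Analyst"},
              "carol": set()}  # constructed users; carol has no assignment

# Operations that authorise a change to a transaction (SoD-relevant).
AUTHORISING_OPS = {"reinstate", "write_off"}


def permissions_for(user: str) -> set[tuple[str, str]]:
    """Resolve user -> business roles -> functional roles -> tasks -> permissions."""
    perms: set[tuple[str, str]] = set()
    for business_role in USER_ROLES.get(user, set()):
        for functional_role in BUSINESS_ROLES.get(business_role, set()):
            for task in ROLE_TASKS.get(functional_role, set()):
                perms |= TASK_PERMISSIONS[task]
    return perms


@dataclass
class ErrorTransactionAuthoriser:
    """Authorisation service enforcing the control objective: the employee who
    validated a transaction cannot authorise changes to the same transaction.
    enforce=False models a detect-only (compensating control) deployment."""
    enforce: bool = True
    validated_by: dict[str, str] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def request(self, user: str, op: str, txn_id: str) -> bool:
        allowed, event_type, severity = True, "permitted", "info"
        if ("error_txn", op) not in permissions_for(user):
            allowed, event_type, severity = False, "no_permission", "medium"
        elif op in AUTHORISING_OPS and self.validated_by.get(txn_id) == user:
            # SoD conflict: the same person validated and now authorises the change.
            event_type, severity = "sod_conflict", "high"
            allowed = not self.enforce
        elif op == "validate":
            self.validated_by[txn_id] = user
        self.audit_log.append({"user": user, "op": op, "txn": txn_id,
                               "allowed": allowed, "type": event_type,
                               "severity": severity})
        return allowed


def integrity_metric(auth: ErrorTransactionAuthoriser, target_max: int = 0) -> dict:
    """Hard metric from the deck: count unauthorised modifications that actually
    happened (SoD conflicts allowed through), by type and severity, and compare
    against the risk-appetite target (maximum allowed = 0)."""
    events = [e for e in auth.audit_log if e["type"] != "permitted"]
    actual = [e for e in events if e["allowed"]]
    return {
        "attempts_by_type": dict(Counter(e["type"] for e in events)),
        "attempts_by_severity": dict(Counter(e["severity"] for e in events)),
        "actual_unauthorised_modifications": len(actual),
        "within_target": len(actual) <= target_max,
    }


def run_scenario(enforce: bool) -> dict:
    """Constructed scenario: alice validates TXN-1 and then tries to write it off;
    bob (a different analyst) writes it off instead; carol holds no role at all."""
    auth = ErrorTransactionAuthoriser(enforce=enforce)
    auth.request("alice", "validate", "TXN-1")
    auth.request("alice", "write_off", "TXN-1")   # SoD conflict
    auth.request("bob", "write_off", "TXN-1")     # different person: allowed
    auth.request("carol", "reinstate", "TXN-1")   # no role: denied
    return integrity_metric(auth)


if __name__ == "__main__":
    print("enforced   :", run_scenario(enforce=True))
    print("detect-only:", run_scenario(enforce=False))
```

With enforcement on, the SoD attempt and the no-role attempt both appear in the attempt counts but the actual-modification count stays at 0, so the performance target is met; in detect-only mode the same sequence produces one actual unauthorised modification and the target is breached, which is the signal the Manage & Measure phase is meant to pick up from event monitoring.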
Conclusion
Retail Business Organisational Structure
Business Roles; Relationships; People; Information Flow
New Business Processes
Customer Application
Manage Error Transaction
Terminate Customer
Manage Credit
Manage Customer Account
New Business Applications
CRM; ERP; BI; SCM; Legacy; Online Service
RBAC Development and Management
Risk Assessment; Functional Roles; Test Role; Audit Role; Control Objectives; Audit Access
The business is able to determine an acceptable risk treatment plan for RBAC
control objectives (constraints), such as Separation of Duty conflicts, based on
business risk level and business impact.
Business process change or improvement is enabled through the risk
assessment exercise.
The build team is able to quickly deploy application capability to manage control
requirements, or compensating controls as an alternative.
Quick and correct onboarding of business users into the appropriate
application groups for business readiness.
Service user access is determined using a similar strategy through alignment
with Service Design.
Real-time risk analysis and security performance target measurement
through security event monitoring, supported by:
• IDAM deployed for controlling role and user life cycle management.
• The ability to capture role and user access related events, which enables
feedback for risk assessment and incident reporting and analysis.
Conclusion (cont’d...)
Risk Driven Security Architecture for Enterprise RBAC:
• Strengthens the risk posture of the organisation in relation to data
access and compliance requirements.
• Provides traceability of RBAC requirements to business goals,
objectives and drivers through risk assessment, the risk treatment
plan and risk improvement.
Thank You.