E-RBAC Development - A Risk Based Security Architecture Approach
1. A Risk Based Security Architecture
Approach
By Femi Ashaye
Developing Enterprise
Role Based Access Control
2. Introduction
Business Operating Model
Business Roles RelationshipsPeopleInformation Flow
New Business Processes
Customer
Application
Manage Customer
Account
Manage Error
Transaction
Terminate
Customer
Manage
Credit
New Business Applications
CRM ERP BI SCM Legacy
Online
Service
Business driver to improve an organizations’ customer payment
experience through new business processes and technology.
3. Requirement and Challenge
Provide rapid and reliable access to business support users across the
disparate and new business applications (CRM, ERP, SCM; etc)
supporting the business processes.
IT challenges identified:
• Operational risk arising from new business processes and use of
supporting application
• Consideration for data privacy laws and regulatory requirements
typically SoX and PCI-DSS.
Proposed a security strategy for developing an Enterprise based RBAC
(Role Based Access Control), as part of security services, using a Risk
Based Security Architecture to address major part of the challenges.
4. Enterprise Role Based Access Control
• Regulates access to IT resources based on business functional
roles and control requirements.
Risk Based Approach
• Risk management process identifies, assess and prioritize risk
based on understanding of likelihood of events occurring and impact
to the business.
• Risk assessment provides initial understanding of type and level of
control requirements to address risk.
Enterprise Security Architecture
• Risk driven strategic approach to align business goals, objectives
and drivers with security requirements.
• Security Architecture proposed is SABSA.
• Based on Zachman Framework
• SABSA incorporates ISO27000s; ITIL; CoBIT etc. to drive strategy.
• Development process covered by SABSA Lifecycle: Strategy &
Concept > Design > Implement > Manage and Measure
Strategy Overview
5. Enterprise Role Based Access Control
Enterprise RBAC Model Relationship
User Role
Role
Hierarchy
Participates In
Executed by
Includes
Supportedby
M :N
M :N
1 : M
M:N
M:N
Performs
Ownedby
Assignedto
User/Role Constraint
(SoD; Hierarchy)
Organisation Business
Process
Job Function
(Task Level)
Permission
(Access
Operations On
Resources)
1 : M
6. Example IT risk management process (based on ISO 27005:2008)
including risk assessment.
Context Establishment
Risk Assessment
RiskCommunication
Risk Treatment Plan (inc
Acceptance)
MonitorRiskandImprove
RiskManagementProcess
Risk Based Approach
7. Data Privacy Laws
• PCI, HIPAA
• ISO 27001:2005
• ISO 27002:2005
• ISO 27005:2008
• ISO 27035:2011
• CobiT
• DPA, SoX..
Enterprise Security Architecture
Design
• Develop security
service and solution
based on risk output
Manage & Measure
• Review risk output from
solution against business
objectives and security
performance targets.
Strategy & Concept
• Establish Context
• Risk Assessment
• Derive Control Objective
Implement
• Implement and operate
security service and
solution
•Contextual
•Conceptual
•Logical
•Physical
•Component
•Operational
Output: Security
service is agreed
as part of risk
treatment plan.
Output:
Information relevant
to output of the
acceptable risk
against business
requirements is
captured
Output: Risk is prioritised after
evaluation of its impact to the
business goals and objectives
Output: Successful and failed output
from risk treatment plan is captured
SABSA lifecycle process
8. Business Drivers.
Select Business Attribute(s)
Define Business Attribute
Define Metric Type
Define Measurement Approach
Define Security Performance Target
Assess Risks and Define Control Objective
Define Security Strategies
Design Security Services
Implement Security Controls, Processes and Systems
Collect, Report & Evaluate Metrics
SABSA Delivery
Strategy and
Concept
Design
Implement
Manage & Measure
9. Security strategy for developing Enterprise RBAC
SABSA Layer SABSA Approach SABSA Lifecycle Enterprise RBAC Development
Contextual Business Strategy Strategy and
Concept
Business Drivers (e.g. PCI-DSS
Requirement 7.1); Business Role;
Business Processes; Risk
Assessment; Business Attributes
Conceptual Security Strategy Strategy and
Concept
Control Objectives (e.g. ensure
data-integrity); Business Attributes
Profile
Logical Security Service Design Security Policies; SoD process; AuthZ
Service; Functional Role Mapping
Physical Security Mechanism Design Identity and Access Management process
and mechanism.
Component Security Products & Tools Design Application RBAC System;
Operational Security Service
Management
Design User and Access Management Support
Enterprise RBAC Strategy
Implement covers enterprise to application role mapping and permission
implementation.
Manage and Measure covers RBAC effectiveness against control objectives
and compliance requirement.
10. Business Process
Business Process
Activities
Jobs
Control ObjectivesAssessed Risk
Business Drivers
Functional
Roles
(Application
resource
permission)
Business Process
Activity Tasks
supported by
Application
Business drivers supported by any one of identified high level business processes.
Specific departmental jobs (Business roles)
created as part of organisation structure to
support business process activities.
Risk assessed against
business process to obtain
likelihood of threat and
impact to business
Functional roles created to carry out specific
activity tasks/permissions based on business
process and control objectives.
Control objectives obtained
to address Risk.
Enterprise RBAC Development
11. Enterprise RBAC Development (cont’d…)
Transaction To Payment
Manage Error
Transactions
Ensure all our customers transactions are
correctly processed (Integrity-Assured)
Transaction Analyst
• Manage Disputed
Transactions
(Role X)
• Perform Dispute
Resolution
(Role Y)
Action to resolve error
transaction is unauthorised
leading to potential fraud
• Open Error
Transactions screen
• Search for relevant
transaction
• Submit transaction
for Validation
• Reinstate
Transaction
• Write Off Transaction
An enterprise RBAC developed through interplay between control objectives and
business drivers, using risks analyzed against existing business processes.
Employee validating the
transaction cannot authorise
changes to the same
transaction.
12. Ensure all our customers transactional information are correctly processed in the system.
Integrity-Assured
Integrity of information should be protected to provide assurance it has not suffered unauthorised modification.
Hard Metric – Reporting of all incidents of compromise. Number of incidents per period, severity and type of compromise.
Measure the number of incidents per period and classify each incident by type and severity.
Set targets for risk appetite. Max # of allowable modification (=0); Set reporting & analysis of incidents by type and severity.
Greenfield Exercise. Risks to assets is identified. Integrity based control objectives derived from business attributes and risk.
Define access controls against control objectives to protect against unauthorised modification of information
Test and execute the security services and access controls to enforce integrity assurance requirements.
Monitor control effectiveness based on targets. Number of actual modification; Reporting time for, & analysis of, incidents.
Enterprise RBAC Delivery
Strategy and
Concept
Design
Implement
Manage & Measure
Assess existing security state against control objectives. Measure security state against risk appetite and desired state.
13. Conclusion
Business Operating Model
Business Roles RelationshipsPeopleInformation Flow
New Business Processes
Customer
Application
Manage Error
Transaction
Terminate
Customer
Manage
Credit
Manage Customer
Account
New Business Applications
CRM ERP BI SCM Legacy
Online
Service
Risk Assessment
Functional
Roles
Test
Role
Audit
Role
Control
Objectives
Audit
Access
RBAC Development and Management
Risk Assessment
Functional
Roles
Test
Role
Audit
Role
Control
Objectives
Audit
Access
14. Business able to determine acceptable risk treatment plan to treat RBAC
control objectives (constraints) like Separation of Duty conflicts based on
business risk level and business impact.
Business process change or improvement enabled through risk
assessment exercise.
Build team able to quickly deploy application capability to manage control
requirements or compensating controls as alternative.
Quick and correct on boarding of business users into appropriate
application groups for business readiness.
Service user access determined using similar strategy through alignment
with Service Design.
Real-time risk analysis and security performance target measurement
through security event monitoring supported by:
• IDAM deployed for controlling role and user life cycle management.
• Ability to capture role and user access related events enables
feedback for risk assessment and incident report and analysis.
Conclusion (cont’d...)
15. Risk Driven Security Architecture for Enterprise RBAC:
• Strengthen risk posture of the organisation in relation to data
access and compliance requirements.
• Traceability of RBAC requirements to address business goals,
objectives and drivers through risk assessment, risk treatment
plan and risk improvement.
Thank You.
Conclusion (cont’d...)