Role Based Access Control Flashcards

1
Q

What is RBAC

A
  • It is a method for controlling access based on roles assigned to users, and it is most commonly used within organisations.
  • Organisations decide which role each user gets, and each role carries its own set of privileges.
2
Q

What is a role

A

Roles are a collection of pre-defined privileges or permissions bound to a resource.
It follows that a user's assigned role determines the permissions that the individual is granted.

3
Q

RBAC Benefits

A
  • Improving operational efficiency
  • Enhancing Compliance
  • Giving Administrators Increased Visibility
  • Reducing costs
  • Decreasing Risk of breaches and data leaks
4
Q

Applying RBAC steps

A

1 Understanding business needs
2 Planning the scope of implementation
3 Defining roles
4 Implementation

5
Q

RBAC Issues

A
  • Role Explosion
  • Security risk tolerance
  • Scalability and Dynamism
  • Expensive and difficult implementation
6
Q

RBAC alternatives

A
  • Access control list
  • Attribute based access control
7
Q

Understanding business needs

A
  • A comprehensive analysis should be conducted to examine job functions.
  • Regulatory or audit requirements should be considered, and the current security posture of the organisation assessed.
8
Q

Planning the scope of implementation

A
  • The requirements should be identified and the implementation planned to align with organisational needs.
  • Scope should be narrowed to focus on systems or applications that store sensitive data.
9
Q

Defining roles

A
  • Roles are defined once the needs analysis has been performed and it is understood how individuals perform their tasks.
10
Q

Implementation

A
  • Rolling out the RBAC within systems.
  • Best done in stages to avoid disruption to business.
11
Q

Access control list (ACL)

A
  • It is a table listing the permissions attached to computing resources.
  • It tells the OS which users can access an object.
12
Q

RBAC vs ACL

A

RBAC is more effective on a large organisational level, but ACL is better at an individual level and for low-level data.

13
Q

Attribute Based Access Control (ABAC)

A
  • It evaluates a set of rules and policies to manage access rights based on specific attributes.
  • It applies Boolean logic to grant or deny access to users based on a complex evaluation of the user's attributes.
14
Q

RBAC vs ABAC

A
  • RBAC relies on pre-defined roles; ABAC is more dynamic and uses regulation-based access control.
  • ABAC executes a more complex search and requires more power and time, so it is only used when RBAC is insufficient.
    e.g. RBAC gives access to all managers, but an ABAC policy will only grant access to managers in the financial department.
15
Q

Role Explosion

A
  • This occurs when the distinctions between roles become too detailed.
  • It is difficult and costly to manage, as new roles require more monitoring.
  • This creates further issues: a user ends up with too many roles assigned to them.
16
Q

Security risk tolerance

A
  • RBAC is not ideal if your organisation is susceptible to security risks.
  • Once RBAC is deployed, it is difficult to react to changing security risks.
17
Q

Scalability and Dynamism

A
  • When RBAC is first deployed, it is arguably known which roles need to be defined and which users they should be assigned to.
  • Issues occur as organisations grow and more people join.
  • It may require a redesign to get back on track.
18
Q

Expensive and difficult implementation

A
  • If an organisation does not have RBAC and decides to implement it, it requires duplication of the servers and infrastructure that support RBAC. This is a very complex and therefore costly process.
  • Migrating users involves a variety of difficulties and challenges, which can result in security holes, unplanned downtime and data loss.