Sunday, January 14, 2007

Survey your access rights – Get ready for RBAC, Identity Auditing & SOX projects

A CSO and a CTO I worked with were curious to learn how serious the access rights problems in their systems were. Since they were not aware of any tool that would let them actually measure the severity and magnitude of the problem, they had to turn to external advisors, who could only tell them about previous experiences with systems like theirs.

If you are reading this article, you are probably wondering what best-practice steps to take before spending $100K on a small IdM or RBAC deployment (services only), or $2M and more on services…

My best practice on this issue is to survey your system, using your own data, and get an analysis of:
  • How many access rights in your business are wrong or outside business needs? (Industry standard is 40% of your total access rights.)
  • How many users are collectors (users that accumulate privileges)? (Industry standard is 10% of your total named users.)
  • How many resources / applications have suspected access?
  • What is the best approach for role engineering?
  • How long will it take my engineers to build roles and certify them? (The roles are discovered by a bottom-up algorithm, which takes 1-2 days.)
  • Can I quickly build and apply business policies?
  • and much more…

Keep in mind that this survey will take you out of the dark and into the light, since the analysis will be on YOUR DATA. The information will no longer be unfamiliar. You will be in CONTROL, able to ask the questions and understand the findings.

As a decision maker, you will be amazed to hear that your system can be surveyed in 5-10 days. Usually, 1-2 major systems will be surveyed and the rest will be left to the actual project.

The results will be presented as high-level pie charts for management, and as detailed reports and examples for the security managers.

For more information about best practices: http://csrc.nist.gov/rbac/RBAC-case-studies.html

Examples of a high-level presentation:
The left pie chart represents the user analysis, and shows how many users are considered collectors, how many have suspected access rights, how many are in the system but not in your HR file, etc.
The right pie chart does a similar analysis of your resources and applications.

An example of a Role Engineering Analysis report:

This report shows the access rights coverage achieved by different role engineering techniques. The roles are discovered by a bottom-up algorithm, which takes 1-2 days.
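To make the survey questions above concrete (orphan accounts not in the HR file, collectors, and the share of assignments a bottom-up role discovery can explain), here is an added example written for this page; it is not Eurekify's tool or any code from the original post. The entitlement extract and HR file are constructed sample data, the "collector" threshold (more than twice the median entitlement count) and the exact-match role mining are simple assumed heuristics, and entitlements that no candidate role explains are reported as the first place to look for suspected access.

```python
"""Added example: a minimal access-rights survey over a constructed entitlement
extract. Computes the figures the article lists (orphan accounts, collectors,
bottom-up role candidates and the share of assignments they explain)."""
from statistics import median

# Constructed sample data, not from the article: user -> set of entitlements,
# each written as "<application>:<privilege>".
ENTITLEMENTS = {
    "alice":   {"crm:read", "crm:write", "erp:read"},
    "bob":     {"crm:read", "crm:write", "erp:read"},
    "carol":   {"crm:read", "crm:write", "erp:read"},
    "dave":    {"hr:read", "hr:write"},
    "erin":    {"hr:read", "hr:write"},
    # frank has accumulated privileges from several jobs (a "collector")
    "frank":   {"crm:read", "crm:write", "erp:read", "hr:read", "hr:write",
                "erp:admin", "crm:admin", "fin:approve"},
    # an account that exists in the application but not in the HR extract
    "svc_old": {"erp:admin"},
}
# Constructed HR extract: the set of currently employed user IDs
HR_USERS = {"alice", "bob", "carol", "dave", "erin", "frank"}


def orphan_accounts(entitlements, hr_users):
    """Accounts present in the system but absent from the HR file."""
    return sorted(set(entitlements) - set(hr_users))


def collectors(entitlements, factor=2.0):
    """Assumed heuristic: users holding more than `factor` times the median
    number of entitlements are flagged as collectors."""
    counts = {u: len(e) for u, e in entitlements.items()}
    threshold = factor * median(counts.values())
    return sorted(u for u, c in counts.items() if c > threshold)


def mine_roles(entitlements, min_users=2):
    """Bottom-up role discovery (exact-match variant): an entitlement set shared
    verbatim by at least `min_users` users becomes a candidate role.
    Returns {role_name: frozenset of entitlements}, largest population first."""
    groups = {}
    for user, perms in entitlements.items():
        groups.setdefault(frozenset(perms), []).append(user)
    roles = {}
    for perms, users in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        if len(users) >= min_users:
            roles[f"role_{len(roles) + 1}"] = perms
    return roles


def role_coverage(entitlements, roles):
    """Assign every candidate role whose entitlements a user fully holds, then
    report the share of all (user, entitlement) assignments explained by roles
    and the residual direct assignments no role explains (suspected access)."""
    total = sum(len(p) for p in entitlements.values())
    covered = 0
    residual = {}
    for user, perms in entitlements.items():
        explained = set()
        for role_perms in roles.values():
            if role_perms <= perms:
                explained |= role_perms
        covered += len(explained)
        leftover = perms - explained
        if leftover:
            residual[user] = sorted(leftover)
    return {"coverage": covered / total if total else 0.0, "residual": residual}


def survey(entitlements=ENTITLEMENTS, hr_users=HR_USERS):
    """Management-level summary of the survey: the numbers behind the pie charts."""
    roles = mine_roles(entitlements)
    cov = role_coverage(entitlements, roles)
    return {
        "users": len(entitlements),
        "orphan_accounts": orphan_accounts(entitlements, hr_users),
        "collectors": collectors(entitlements),
        "roles": {name: sorted(p) for name, p in roles.items()},
        "role_coverage": round(cov["coverage"], 3),
        "residual_assignments": cov["residual"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(survey(), indent=2))
```

On the constructed data the two discovered roles explain 18 of the 22 assignments; the four leftovers (frank's admin and approval rights, and the orphaned service account's erp:admin) are exactly the entries a security manager would review first. Against a real extract the same three numbers (orphans, collectors, residual assignments) are what to put in front of management before committing a budget.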

For more information, questions or ideas, send me your comments.
Ilan Sharoni
isharoni@eurekify.com
http://www.eurekify.com/