Papers & Articles

Active Directory Role based Authorization is Ineffective

Business information is handled in a very torturous way in enterprises today with the result that critically important functions such as search across real-time business information cannot be made available securely to business; and there are more software applications than are truly needed fro elegant, simple enterprise software architecture. There is no excuse today for why business information cannot zip across the business to meet any need in real time, with utmost security, and absolute adherence to compliance regulations

The two main sources of the problem are:

• The confusion created by how ACL (Access Control Lists) are defined from an IT security viewpoint. It does not consider how business processes and departmental functions delegate authority and assign work. The ACL is issued from the central Active Directory or LDAP, or other enterprise identity management systems (See Section 1 on how this works); or disparate applications provide their own access controls lists based on how that particular application is configured for the business process it is intended. But these access lists are disconnected from the other applications used by business and poses great difficulty in separating out content related to a specific project or purpose.
• Application centricity of enterprise software and the infrastructure. IT tends to think of their inventory of applications, access to the content stored by the applications, application licenses and provisining them to people, managing the flow of information from these applications.

But knowledge workers (or white collar workers) come to work to work on defining a new study on a pharmaceutical drug under development; or defining the contract to an oil field service company at an oil well drill site; or whether the portfolio of assets in W. Africa should be cut back in lieu of safer assets in the Gulf of Mexico. None of them are thinking in terms of which document management system they need to go look for the last study done on portfolio breakouts by regions; or whose email folders to look through to find what commitments were made on the study parameters; or who to contact and which repositories to look for previous contract terms. But that is what they are being forced to do everyday – 24+ hours a month looking through emails and document repositories; 12+ hours a month organizing stuff. And, that is the simple stuff. Interaction costs are estimated at 75% in these enterprises (McKinsey).

A key step in simplifying how business information and its access is managed is to consider how security, compliance assurance, and search should work with proper checks and balances within a company. The first step is to recognize that in this context there are two types of stakeholders within the enterprise:

• The core business community that is chartered with promoting, and driving the business purpose forward. They create, publish, and consume information while they execute their work. Their standard for success is the financial and business success of their company
• The stewards for governance (typically IT, legal, CFO), who must make sure that the business activities comply with the policies and the applicable laws; and provide adequate defense against any potential security breach of the company’s IP, its facilities, and its ability to conduct its business. Their standard of success is that the company was provided an environment that was safe, secure, and consistent with its governance standards

Let us look at how the security, compliance, and search levy requirements on these two stakeholders:

• Security:
  • There is the perimeter security related to who, or which entity can enter the company’s information space; and internal security related to what kinds of things the entering people or entities are permitted to do once they are inside. The higher the barriers and stiffer the controls the better secure the company.
  • There is the information security related to the core business which the business community is creating, publishing, and consuming. The lesser the friction and lower the barriers the faster, better and more informed the business.

• Compliance and Compliance Assurance:
  • The business community must make and report their decisions and information with integrity and verifying that they meet compliance rules without prejudice. The lower the barriers for doing these, the better the effectiveness of the company and its business continuity.
  • The stewards for compliance and assurance must make sure that what the business reports is verifiable (auditable) and recorded. The more objective and precise this control, the higher the level of trust that the company will enjoy with its stockholders and regulatory agencies.

• Search, Discovery, and Access:
  • Business must be able to search or discover what they are allowed to access at any time, in real time, and in a convenient manner. The closer a company reaches this goal the faster, better and cheaper it reaches its business goals.
  • The stewards for security and compliance must be able to ensure that information can be classified, re-classified, and de-classified; and they are able to monitor, control and audit the flow and movements of information for assurance while allowing business to find information with speed and convenience and without breach of any business sensitivity or privacy. The less obtrusive this process, the better the company’s agility and success.

Consider some of the problems related to ACL (Access Control Lists), Applications, and the governance around authorization and accountability.

 

• Identification is an enterprise or department wide security control process to set up and verify the credentials, biometrics and other data of an individual which together form a unique identity for authentication of this individual when this individual present him/herself to either the network, or other access control points of the company. An Identity may contain one or more levels, zones, or purpose(s) of entry which limits the authorized access to the enterprise’s facilities and properties. It is to an enterprise’ security control what a passport would be to the Department of State or the Foreign Office that issues it to its citizens. PointCross takes a more comprehensive view that this identity can be created for people who interact with the “enterprise” thereby including people other than employees such as visitors, contractors, regulators, customers or vendors. The analog would be an “identity card” issued by a country to an individual who is not its citizen

• Authentication is a security control verification process for the identity, and credentials, issued by the Identification process as presented by an individual at the entry point of the enterprise network, or security control point for the specific purpose of entering such a secure environment. It is to an enterprise what the immigration control at the border is for a country. The authentication process also confirms the indicated purpose of the entry and both the individual and the security regime accept that there may be checks and barriers in place to prevent the individual from straying beyond the indicated purpose

 

• Authorization – Typically this is defined as the security control process that allows access to specific categories of information or to carry out defined tasks.
  
  This definition is troubling because it is implicitly used to cover a privilege that is controlled by two different parts of the enterprise driven by two separate set of business objectives. Again, let us first look at the analogy which has uncanny relevance. Just as the immigration officer allows entry to people based on their status – citizens, visitors with a business visa, or a tourist visa – which are clearly stamped on the passport (identity); so too it is possible for the security control of an enterprise to allow entry into the networks or physical facilities based on their “Authorization” (their visa).  The requirement is that people conduct themselves in accordance with their visa or citizenship status. But, the immigration officer has no realistic ability to control on a business visitor over which commercial building or business premises this individual can enter once in the country. If they try to enter a secure defense facility, the security at that facility will stop this visitor because they are not authorized to enter. If they go the IBM office, the IBM security will verify their identity and decide if they are authorized to enter IBM based on IBM’s need to see this business visitor. On the other hand, if they go to a local restaurant they do not need to show their “papers” and they get free entry to transact business. Immigration just doesn’t figure in all of this.
  
  Therefore, we now see two important nuances – the entry to actual facilities within the country is actually decided (a) by the local security control systems of the actual facility being visited, or the federated security control system of a branch of the government; (b) the basis for entry (into IBM in this case) is not determined by the visa or the fact that the individual is in the country legally – it is determined by the need of the business to see that visitor.
  
  Now, consider the enterprise side of this analog. The authorization defined by security control is really not sufficient to determine if a specific facility can be entered or an application accessed. Business must decide if this access should be granted. To streamline this process, departments and business functions in most enterprises will grant licenses or access to their applications by creating sufficient granularity to the authorization levels by breaking down the title and positions down with sufficient granularity – regions, business functions, pay grade or pecking order.
  
  Enterprises are not concerned with applications as much as they are with applications that have their own data stores. This is because it is the data that is sensitive and subject to security and scrutiny. So, Microsoft Office and other applications are generally distributed to people based on their general need to access that class of applications – like access to the restaurants. However ERP data bases, document repositories, management reports and data warehouses are subject to a high level of security, scrutiny and control. But these access privileges are determined by the business people based on a delegation of authority. A project manager might need her key staff to have access to certain classes of information. An engineer may need certain technical staff to have access to technical data and information on that project as well as similar projects.
  
  Complicating matters is the fact that these local access privileges must be repeated for multiple data stores and their applications. A project manager may need to give access to all the document and spreadsheets in a document management system, and then ensure that some of these people are also given access to the drafting systems, or the databases that contain experimental or analytical results.
  
  Next – people come in and out of projects and as they do they need to be disallowed access to what they used to have and be given access to the new content they now need access. So there is a transience issue to be dealt with. Business person are used to doing these kinds of assignments through their delegation of authority. Without it, people will have too much or too little access to the information stores.
  
  Trying to tie this business oriented delegation of authority to the peripheral security control oriented “visa type” of authorization is practically impossible. Company’s today compromise or they try to merge the two authorizations into a single provisioning system which does not work in practice.
  
  So, we are making the case that the IT security related Authorization (the visa) should be treated differently than the business mission related access privilege assigned to specific data stores. Authorization in the context of peripheral security and entry into the secure environment should be limited to the level of control that is possible for the authenticated entity to assert on systems. For example depending on the classification of the entity, that person or a entity may be permitted to be an administrator or have a root account on certain servers; or be able to conduct spot audits or challenges related to security. Back to the analogy, the citizen who re-enters his country at the border, is able to assert certain rights such as the ability to enter an election booth to vote, while another returning citizen who is a law enforcement officer may have the right to stop someone on the street and question them if there was a reasonable concern for public safety. But neither of them can enter the IBM building or get access to a document within it unless that company chooses to give it to either of them or if a court order is sought and produced.  So, Authorization does not mean that the perimeter security control can bestow access to information – particularly, real-time work-in-process. 
  
  This is the point of debate with the definition that is commonly used in industry today
  
  Once information is archived, its sensitivity to everyday real-time business may no longer be an issue, but it has residual value in terms of knowledge, or in compliance with a retention policy, it is certainly possible to re-classify or de-classify the information into very general levels that can be correlated to the Authorization levels. The information is like the restaurants to the people who enter a country – the regular diners where anyone can go, the exclusive ones that need a reservation, or the special clubs that only accept members.
  
  We propose to limit “Authorization” to mean a security control process that further describes the level of authority and span of control over the use of enterprise systems only, that may be bestowed on an Authenticated Entity.
  
  Enter the concept of “Roles” and why it is the equivalent to Authorization but which is controlled from a day to day business information viewpoint.

• Roles - Roles are relatively low level business titles related to a functional organization, or a project or process activity. Roles fulfill the definition for a “security control process that allows access to specific categories of information or to carry out defined tasks” – as in a project, process, deal, or function.
  
  Remember, Roles are not people, but they are linked to people who will fulfill the responsibilities bestowed on them when assigned to these roles. Attempting to assign people directly to access privileges is unnecessarily complex and difficult to maintain. Roles have the additional benefit that they can be defined once and then matured through re-use as multiple projects go through the same processes.
  
  Roles can be maintained as a hierarchical structure – the organization structure or the “OBS”, Organization Breakdown Structure.  While the assignment of roles do not have any correlation to the Authorization, it is possible that individual systems that have access to the Authorization list for an Entity can use that data in deciding specific role assignments.

 

• Accountability is another security control process that records the linkage between an action and the identity of the individual or role that invoked the action, thus providing an evidence trail for audit or compliance assurance purposes.
  
  In the business context there is another shade of meaning which cannot be discounted. Accountability from a legal and corporate governance point of view also rests at the head of an escalating chain of command. In business processes people occupying a “Role” are accountable for their decisions during their tenancy. From a corporate governance stand point the head of any chain of command is accountable for the business – even though an audit might uncover accountability at a lower level in the chain. Therefore an individual occupying the role of Program Manager is accountable for the program, and therefore is at the highest level of escalation for that program.
  
  This indicates that the stewards for security and compliance must be able to query the key roles which are accountable to business, as well all roles which have their own access privileges.

• Audit is a security control process and a compliance assurance process that can examine data records and their linkage to roles, people, change history, and business decisions and communications around them for the purpose of building a historical retrospective of decisions and events. Audits can be for assurance of compliance, discovery and evidence in litigation.

Prescription

UBIS™ – Unified Business Information Systems and Services is architected to provide this kind of appropriate access control over business information while supporting the vital requirements of Security, Compliance, and Search for both the Corporate IT organization as well as the Business Departments. It works in close inter-operability with legacy applications and platforms. See UBIS™