Hacking the Hacks

August 18, 2015 by Dean Wiech

Role-based access control (RBAC) can significantly increase the security of an organization’s network, especially against insiders. Companies are often hesitant to implement RBAC, though, fearing a lengthy, complex implementation and a negative effect on productivity. There are ways to implement RBAC in a timely manner so that it delivers the security benefit without reducing employee productivity.

There are many types of attacks on an organization’s network. Companies tend to focus on the most publicized type: unknown intruders from outside the network getting at the company’s sensitive data. Another type is a breach from inside the organization by the company’s own employees, and it happens more often than most organizations realize. An insider already has credentials and knows where the data is, so a breach from the inside is much easier to carry out, which is why organizations should take measures to mitigate it. A recent example was an ex-employee in New York who stole 30,000 credit records from his former employer over a two-year period after he left the company; the cost of his crime was estimated at more than $100 million.[1] According to one study, 59 percent of ex-employees admitted to stealing company data when leaving their jobs.[2]

Access Right Issues

While the larger, more publicized breaches make the news, smaller ones happen all the time. How do they happen? When an employee is onboarded, specific authorizations are assigned. In most cases the rights are copied from an employee in a similar job, the so-called template user. The new employee is then granted everything the template user has, including any extra rights that user accumulated over time and that the job does not actually require. Another common problem is that employees lend each other access. Say one employee is going on vacation but needs something completed while they are away; a colleague is given their credentials to finish the task, and that access is never revoked.

Additionally, the organization often does not know about these incorrect access rights, so it cannot easily correct them. Nobody has an overview of who holds which authorizations, and the question is rarely investigated or audited on a regular basis. The IT department knows, more or less, who has and needs which rights, but because of time constraints they only add rights and rarely revoke any. Because they cannot easily see who has access to sensitive applications, they often do not recognize a security risk in the network when one exists.

Finally, the most common security issue is that ex-employees’ accounts are never disabled. Often the organization simply does not remove access rights when an employee leaves, because a manager would have to go into each system and manually disable the user. This is a major security issue, especially when a disgruntled employee leaves the organization.

Role-based access control 

So how can this be mitigated so that an inside breach does not happen? Several identity and access management (IAM) solutions can help an organization understand the security problems it has, correct them, and make them less likely to recur. One of these is a role-based access control (RBAC) system.

RBAC assigns authorizations based on the job, role and location an employee fulfils in the organization. The organization draws up an authorization matrix that records in detail which systems and applications, and which rights within those applications, each role should have. When an employee is hired, he or she is entered into the HR system, and user provisioning, a function of the identity management system, automatically creates a network account for that employee. The identity management software reads the authorization matrix and knows exactly which authorizations the account must receive. RBAC ensures that employees are given the correct rights from the beginning and do not receive too many.

RBAC provides additional benefits. It keeps secure systems and applications that way by ensuring that employees do not accumulate rights they should not have during their employment. With an IAM solution it is possible to generate a report showing exactly who in the organization has access to each secure system and which changes have been made. If there are errors in these access rights, the organization can easily remove them.

Another way to monitor access rights is with an attestation or verification module. This module scans the network and applications on a schedule, or in real time, and compares the current access rights against the RBAC matrix, which holds the standard or accepted rights, verifying that everything on the company’s network is as it should be. If differences are found, the module alerts the responsible manager and system owner for review. If a difference is approved, an electronic signature should be recorded documenting the approval, ideally with an expiration date for the extra rights. If the rights are found to be unauthorized, a workflow can automatically remove them and send notification emails to all the parties involved.

To ensure that an employee’s access is revoked once they leave the organization, an automated account management solution helps. It propagates any change in a source system to all connected systems and applications. For example, when an employee leaves, a manager disables the employee’s record in the source system, for example PeopleSoft, and all of their accounts and access rights are revoked with one click.
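The three mechanisms described above (matrix-driven provisioning for a joiner, attestation against the matrix, and one-click revocation for a leaver) fit together as one lifecycle. The following is an added example that is not code from the article or from Tools4ever’s products; the role matrix, the employees and the connected-system stand-in are constructed for illustration, and the matrix key (department, title, location) follows the attributes the article names.

```python
"""Matrix-driven joiner / attest / leaver lifecycle.

Added example; this is not code from the article or from Tools4ever's
products. The role matrix, employees and account data are constructed.
"""
from dataclasses import dataclass, field

# Authorization matrix: (department, title, location) -> set of entitlements.
# "*" matches any value. A user gets the union of every matching row.
# Constructed sample data, not a real organization's matrix.
ROLE_MATRIX = {
    ("*", "*", "*"):             {"Mail:user"},                       # baseline for every employee
    ("Finance", "Analyst", "*"): {"ERP:ledger-read", "Share:finance-ro"},
    ("Finance", "Manager", "*"): {"ERP:ledger-read", "ERP:ledger-write", "Share:finance-rw"},
}


@dataclass
class Employee:
    user_id: str
    department: str
    title: str
    location: str
    status: str = "active"          # HR status: "active" or "terminated"


@dataclass
class AccountStore:
    """Stand-in for the connected systems (AD, ERP, file shares, mail)."""
    entitlements: dict = field(default_factory=dict)   # user_id -> set of grants
    disabled: set = field(default_factory=set)


def expected_entitlements(emp):
    """Rights the matrix prescribes for this employee's role and location."""
    granted = set()
    for (dept, title, loc), rights in ROLE_MATRIX.items():
        if dept in ("*", emp.department) and title in ("*", emp.title) and loc in ("*", emp.location):
            granted |= rights
    return granted


def provision(emp, store):
    """Joiner: the account gets exactly the matrix rights, nothing copied from a template user."""
    store.entitlements[emp.user_id] = expected_entitlements(emp)
    store.disabled.discard(emp.user_id)
    return store.entitlements[emp.user_id]


def attest(emp, store):
    """Compare actual rights with the matrix; excess rights go to the manager for review."""
    actual = store.entitlements.get(emp.user_id, set())
    expected = expected_entitlements(emp)
    return {"excess": sorted(actual - expected), "missing": sorted(expected - actual)}


def deprovision(emp, store):
    """Leaver: one status change in the source system revokes everything in every connected system."""
    revoked = store.entitlements.pop(emp.user_id, set())
    store.disabled.add(emp.user_id)
    return sorted(revoked)


def sync_from_hr(employees, store):
    """Drive the lifecycle from HR: deprovision leavers, provision new joiners, attest everyone else."""
    findings = {}
    for emp in employees:
        if emp.status == "terminated":
            deprovision(emp, store)
        elif emp.user_id not in store.entitlements:
            provision(emp, store)
        else:
            deviation = attest(emp, store)
            if deviation["excess"] or deviation["missing"]:
                findings[emp.user_id] = deviation
    return findings


if __name__ == "__main__":
    store = AccountStore()
    alice = Employee("alice", "Finance", "Manager", "NYC")
    bob = Employee("bob", "Finance", "Analyst", "NYC")
    provision(alice, store)
    # The template-user shortcut from the article: bob's account cloned from alice's.
    store.entitlements["bob"] = set(store.entitlements["alice"])
    print("bob deviations:", attest(bob, store))
    alice.status = "terminated"
    print("findings:", sync_from_hr([alice, bob], store))
    print("alice disabled:", "alice" in store.disabled, store.entitlements.get("alice"))
```

The sample run reproduces the template-user problem: bob was cloned from a manager, so attestation reports the two write rights he should not have and the read-only share he is missing, while the HR status change for alice removes every grant in one pass.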

Implementation of RBAC

Even so, many organizations are hesitant to implement RBAC. They worry about a lengthy, complex implementation and about a negative effect on productivity, since employees’ access rights will change. Completing an RBAC matrix can be a very complex process that takes some organizations up to a few years, and according to one study as many as 70 percent of attempted RBAC projects do not meet their goals.[3]

There are newer methodologies that shorten the process and provide a more immediate benefit. The organization can use the HR system as a data source, collecting the departments, titles and locations of all employees, essentially the organizational hierarchy, and use it to create a role for each unique combination that requires its own level of access. The next step is to collect the current rights from Active Directory: the security and distribution group memberships, and the data shares, associated with the employees in each role.

The next step is to normalize the data so that employees in similar roles have identical access. This is accomplished by combining the HR and AD data and distributing reports to the employees’ managers for review and correction. An RBAC application, coupled with an identity management system, should be able to apply the managers’ changes automatically. The process can then be repeated for other applications on the company network that contain sensitive information and for which accurate access rights are desirable.

The data also serves as a basis for periodic reviews. If an employee’s access rights have been modified from the norm, for example for a temporary project or assignment, an automated email can be sent to the manager for review and correction as needed. By following the steps above, it is conceivable to bring an RBAC matrix to near-completion in a matter of weeks instead of years.
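The bootstrapping procedure above (roles from HR attributes, group membership from AD, a normalization report for managers, and periodic re-review of approved exceptions) can be sketched in a few functions. This is an added example, not code from the article or from Tools4ever; the HR and AD exports are constructed, the majority threshold used to decide which groups belong to a role is an assumption that a real project would tune with the managers who review the output, and the expiry-dated exception list is an assumption about how an approved temporary deviation would be recorded.

```python
"""Bootstrapping an RBAC matrix from HR attributes and AD group membership.

Added example; not code from the article or from Tools4ever. The HR and AD
exports are constructed, and the majority threshold is an assumption a real
project would tune with the managers who review the result.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed HR export: user -> (department, title, location)
HR = {
    "alice": ("Finance", "Analyst", "NYC"),
    "bob":   ("Finance", "Analyst", "NYC"),
    "carol": ("Finance", "Analyst", "NYC"),
    "dave":  ("Finance", "Analyst", "NYC"),
    "erin":  ("Sales",   "Rep",     "NYC"),
    "frank": ("Sales",   "Rep",     "NYC"),
}

# Constructed AD export: user -> security groups, distribution lists and shares
AD = {
    "alice": {"G-Finance", "DL-Finance", "Share-Finance", "Share-Sales"},  # Share-Sales: leftover vacation cover
    "bob":   {"G-Finance", "DL-Finance", "Share-Finance"},
    "carol": {"G-Finance", "DL-Finance", "Share-Finance"},
    "dave":  {"G-Finance", "DL-Finance"},                                  # never got Share-Finance
    "erin":  {"G-Sales", "DL-Sales", "Share-Sales"},
    "frank": {"G-Sales", "DL-Sales", "Share-Sales", "G-Domain-Admins"},    # inherited from a template user
}


def roles_from_hr(hr):
    """One role per unique (department, title, location) tuple."""
    roles = defaultdict(list)
    for user, key in hr.items():
        roles[key].append(user)
    return dict(roles)


def mine_role_baseline(members, ad, threshold=0.5):
    """Groups held by more than `threshold` of the role's members form the baseline.
    The cut is crude for small roles (one odd member shifts it), which is why the
    managers confirm the baseline before it is enforced."""
    counts = Counter(g for u in members for g in ad.get(u, set()))
    return {g for g, c in counts.items() if c / len(members) > threshold}


def build_matrix(hr, ad, threshold=0.5):
    return {key: mine_role_baseline(members, ad, threshold)
            for key, members in roles_from_hr(hr).items()}


def review_report(hr, ad, matrix, exceptions=None, today=None):
    """Per-user deviations from the role baseline, the list a manager reviews.
    `exceptions` maps user -> {group: "YYYY-MM-DD" expiry} for approved temporary
    deviations; an unexpired one is suppressed, an expired one is reported again."""
    today = today or date.today().isoformat()
    exceptions = exceptions or {}
    report = {}
    for user, key in hr.items():
        actual, baseline = ad.get(user, set()), matrix[key]
        approved = exceptions.get(user, {})
        excess = sorted(g for g in actual - baseline if approved.get(g, "0000-00-00") < today)
        missing = sorted(baseline - actual)
        if excess or missing:
            report[user] = {"role": key, "excess": excess, "missing": missing}
    return report


if __name__ == "__main__":
    matrix = build_matrix(HR, AD)
    for role, groups in matrix.items():
        print(role, sorted(groups))
    # Constructed exception: alice's vacation-cover share approved until the end of September.
    exceptions = {"alice": {"Share-Sales": "2015-09-30"}}
    for user, finding in review_report(HR, AD, matrix, exceptions, today="2015-08-18").items():
        print(user, finding)
```

With the constructed data the Finance Analyst baseline is the three groups most analysts share, so the report flags alice’s leftover sales share, dave’s missing finance share and frank’s Domain Admins membership; once alice’s approved exception passes its expiry date, her deviation reappears on the next run.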

Ensuring Employees Stay Productive

The other issue organizations fear is productivity. Implementing RBAC may mean that employees have fewer access rights, as well as fewer administrative privileges on their machines. They will then need to ask permission to make changes, install downloads or access additional resources, which slows them down. One way to avoid this is to designate a team lead in each department who holds elevated rights: the department manager, or someone the manager designates. Instead of contacting IT each time an employee needs a change to their computer or additional access, they go to their immediate manager or the designated individual. The delegate’s elevated rights should themselves be recorded in the authorization matrix so that the same reviews cover them.

Although this reduces the productivity issue, for a larger corporation with bigger departments it can still be a burden. A more advanced method is a workflow management solution. Workflow management is a controlled, automated process with a defined sequence of tasks that replaces an otherwise manual process performed by multiple people, giving employee requests a streamlined and efficient path.

If an employee needs access to an application for a project, they go to a web portal and request whatever they need (applications, computer changes, mailboxes, distribution lists, etc.). The organization sets up a workflow so that each request passes through a predefined sequence of people who must approve it before the change is implemented. This makes access changes both easy and secure. It ensures a consistent process in which nothing is miscommunicated or lost along the way, and that the right people grant the permission, so the end user does not receive something, or gain access to a system, from which they are restricted.
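The request workflow described above comes down to a small state machine: a request type maps to an ordered chain of approver roles, each approval must come from the person who currently holds the next role in the chain, and only a fully approved request reaches provisioning. The following is an added example, not the article’s or any vendor’s workflow engine; the approval chains, the approver directory and the users in the sample run are constructed, and the rule that a requester may never approve their own request is an assumption added here as the usual separation-of-duties check.

```python
"""Access-request workflow with a predefined approval chain.

Added example; not the article's or any vendor's workflow engine. The
approval chains, approver directory and users in the sample run are
constructed.
"""
from dataclasses import dataclass, field

# Constructed: request type -> ordered approver roles that must sign off, in this sequence.
APPROVAL_CHAINS = {
    "distribution_list": ["line_manager"],
    "application":       ["line_manager", "application_owner"],
    "admin_rights":      ["line_manager", "application_owner", "security"],
}

# Constructed directory: (approver role, resource or "*") -> users holding that role.
APPROVERS = {
    ("line_manager", "*"):        {"mallory_mgr"},
    ("application_owner", "ERP"): {"owen_erp"},
    ("security", "*"):            {"sec_team"},
}


@dataclass
class AccessRequest:
    requester: str
    request_type: str
    resource: str
    approvals: list = field(default_factory=list)   # (approver, step) in the order recorded
    state: str = "pending"                          # pending -> approved -> fulfilled, or denied

    @property
    def next_step(self):
        chain = APPROVAL_CHAINS[self.request_type]
        return chain[len(self.approvals)] if len(self.approvals) < len(chain) else None


def can_approve(approver, step, resource):
    holders = APPROVERS.get((step, resource), set()) | APPROVERS.get((step, "*"), set())
    return approver in holders


def approve(req, approver):
    """Record one approval. Out-of-sequence approvers, unauthorized approvers and
    self-approval are rejected, so a request cannot skip a step in the chain."""
    if req.state != "pending":
        raise ValueError(f"request is already {req.state}")
    if approver == req.requester:
        raise PermissionError("a requester may not approve their own request")
    step = req.next_step
    if not can_approve(approver, step, req.resource):
        raise PermissionError(f"{approver} is not a {step} for {req.resource}")
    req.approvals.append((approver, step))
    if req.next_step is None:
        req.state = "approved"
    return req.state


def deny(req, approver):
    """The approver whose turn it is may deny; a denied request never reaches provisioning."""
    if req.state != "pending":
        raise ValueError(f"request is already {req.state}")
    if not can_approve(approver, req.next_step, req.resource):
        raise PermissionError(f"{approver} is not the current approver")
    req.state = "denied"
    return req.state


def fulfil(req, store):
    """Provisioning step: only a fully approved request changes the target system."""
    if req.state != "approved":
        raise PermissionError(f"cannot fulfil a request that is {req.state}")
    store.setdefault(req.requester, set()).add(f"{req.request_type}:{req.resource}")
    req.state = "fulfilled"
    return store[req.requester]


if __name__ == "__main__":
    store = {}
    req = AccessRequest("alice", "application", "ERP")
    print(approve(req, "mallory_mgr"))   # still pending: the application owner has not signed
    print(approve(req, "owen_erp"))      # approved
    print(fulfil(req, store), store)
```

Because `fulfil` refuses anything that is not in the approved state and `approve` refuses anyone who is not the holder of the next role, the only path to a grant in the target system runs through every approver in the chain, in order.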

RBAC in conjunction with workflow management can have a strong positive impact on an organization. The two solutions together keep the company’s network secure without hurting employee productivity.

Dean Wiech is managing director of Tools4ever, a global provider of identity and access management solutions.


[1] http://www.privacymatters.com/identity-theft-information/identity-theft-computer-hacking.aspx

[2] http://www.go-gulf.com/wp-content/uploads/2013/06/cyber-crime.jpg

[3] http://www.networkworld.com/article/2186904/infrastructure-management/expert-advice-on-implementing-role-based-access-control-rbac.html



Dean works with businesses, educational entities and municipalities, helping them identify solutions that make their operations more secure, efficient and easier to manage. He is responsible for Tools4ever’s US operations and has written dozens of articles about identity and access management, security, IT audits, strategy, cloud, BYOD and managing IT solutions for small businesses to enterprise systems.