By Rajat Bhargava Posted January 6, 2016
Guest Post by Mike Lemire
Every security practitioner in the corporate IT world knows: Role Based Access Control (RBAC) is absolutely fundamental to establishing information security. If someone disagrees with that statement, I’d like to hear their argument!
RBAC enables an organization to provision and restrict access to data and applications based on data sensitivity and job function. But new technologies have disrupted RBAC in a big way. If you don’t adapt, you’re not just operating inefficiently – you’re vulnerable to attack.
Below, I’ll explain how RBAC can excel in a cloud-first world.
A Quick RBAC Primer
Every job needs different data and applications. A salesperson requires access to completely different resources than the finance guy or the HR person.
Restricting access is just as important as granting it. Nobody should see the HR folder except HR – and HR should not have access to deploy code. There are exceptions. Sometimes a cross discipline team comes together in order to collaborate. Obviously, they’re going to need a common place to share data.
There are two fundamental requirements of role based access:
- a directory of your users
- groups which correlate to the roles in your company
Permissions to access data and applications are built on this foundation of groups and roles. Membership in these groups determine access to data and applications.
Directory services and RBAC are not only the cornerstone of security and compliance. They also make your organization more efficient. By providing access to applications and data to users based on their role automatically, RBAC allows employees to work more quickly.
RBAC’s Simple Beginnings
20 years ago, RBAC became a standard practice in much of the corporate IT landscape – enabled early on by good old-fashioned Novell’s directory services.
The model established then is still a great practice today:
- Logging into your workstation authenticates your identification against a directory.
- Your access to file shares, databases, and applications is authorized per the permissions which are based on groups in the directory.
- Group membership controls access to the file shares, databases and applications whether they are running right down the hall like in the old days or ‘in the cloud’ as they are today.
After Novell, Microsoft developed Active Directory and companies of all sizes standardized on Windows desktops and Windows AD domains. With AD, most IT shops had a directory and could leverage the directory to establish role based access. And with a VPN you could be on the corporate network while you were on the road, along with all the RBAC based security to corporate assets. You only logged in once (single sign on!) and things were pretty good from a security perspective.
But the world does not exist to make RBAC or security easy. When cloud and mobile took off, RBAC took an absolute beating.
RBAC’s Complex Future
In the mid-2000’s, Salesforce was one of the first outsourced cloud service providers. I remember spending a lot of time integrating Salesforce into our Active Directory and enabling SSO via SAML. We were running servers which were specifically tasked with interfacing between Salesforce and our corporate WAN. We had developers and sysadmins dedicated to configuring and running it.
We were outsourcing an important platform, our CRM, to the cloud, but we still had RBAC!
However, that sort of integration was not scalable. Over the next few years, corporate IT was disrupted as applications, databases, and tools moved from LAN and desktop based software to Internet-delivered cloud service providers. LAN based file shares were abandoned while cloud providers like Dropbox, Box or Google Drive were adopted – often without any IT involvement – and outside of any existing RBAC controls. To make matters worse, end users even began provisioning their own services outside the confines of IT and it’s RBAC framework.
Then there’s mobile. With the proliferation of device types and BYOD, how users authenticate to the corporate directory has been dramatically altered. In many cases, authentication is avoided altogether.
So, how do we establish basic role based access in the new world of cloud and mobile we find ourselves in?
A Cloud-First RBAC Solution
With everything else moving to the cloud, why not directory services? The beauty of the cloud is the same with directory services as it is with other applications: organizations save time and money by leveraging a service provider rather than building and running the platform in house.
With JumpCloud’s Directory as a Service (DaaS), any organization can easily deploy a corporate directory which can join to every workstation, laptop, and server. The location doesn’t matter, whether in the office, on the road, or in a data center. Just like Active Directory and LDAP, JumpCloud manages user accounts and computer accounts, provisioning access to systems based on roles by use of User Groups and Computer Groups.
By extending the JumpCloud directory to other platforms, RBAC can be extended to just about everything in your organization – including your multitude of cloud service providers. JumpCloud has been designed from the ground up to integrate with Google Apps, Radius, LDAP, and just about any other cloud service you can think of.
The JumpCloud directory can even be synced with identity and single sign on providers (Bitium, Okta, etc). These vendors enable single sign on to third-party SaaS platforms via SAML, which is fast becoming a standard for delegated authentication to 3rd party SaaS platforms. Since your users and groups are synced from JumpCloud to your identity provider, those same groups can be leveraged to provision access to third-party SaaS platforms automatically.
The New RBAC
Before the cloud and mobile took off, organizations deployed directory services and leveraged RBAC for security, compliance, and administrative ease.
Today, RBAC and directory services are as important as ever, but a lot has changed. Between BYOD, shadow IT, and the plethora of cloud apps and resources in use, IT departments establishing RBAC have their work cut out for them.
In a cloud-first world, JumpCloud provides a great foundation for building RBAC in modern forward thinking companies.
Mike Lemire is the Information Security Officer at Yesware, a leading provider of sales productivity tools. Previous to Yesware, Mike managed the Information Security and Compliance program at Pearson’s Higher Education division and has held technical and management positions at Acquia, MSCI, JPMorgan and Time,Inc. Mike earned his B.S. from New York Institute of Technology and has attended postgraduate education at Columbia and Boston University.