Network Security Security-Management
RE: Implementing segregation of duties in an account management process

Subject: RE: Implementing segregation of duties in an account management process
Date: Mon, 27 Jun 2005 13:28:54 +0300
Andrew,

I have recently started working on a similar project.

A very interesting paper related to this issue can be found at
http://www.gammassl.co.uk/topics/chinesewall.html

It provides a model and a methodology for how you can implement segregation
of duties.

As far as technology and security services are concerned, identity management
systems with RBAC seem like the only path.

Hope these help.

Regards,

Dimitrios G. Patsos
Ph.D (C), M.Sc. Information Security, CME
IT Security Consultant
===================
Email dpat@space.gr

-----Original Message-----
From: Andrew Steingruebl [mailto:asteingruebl@cccis.com] 
Sent: Thursday, June 23, 2005 6:49 PM
To: security-management@securityfocus.com
Subject: Implementing segregation of duties in an account management process

I'm working on a project to change how we implement our segregation of
duties from an account management perspective and I'm exploring two
different approaches.  I'm hoping folks have experience with both/either
that will help me determine which way to do.

I have a number of systems, processes, applications, etc. in which I
need to implement segregation of duties.  The account administration is
performed by platform and application administrators.

In designing a system of segregation of duties and access control I can
either:

 1. Specify what roles/rights/permissions every type of person/user
 should have within my environment.  Their manager would be responsible
 for making sure they are only granted the appropriate access.

 2. For a given system/application, specify who/what role should be
 given access to what feature.  Specify what access would compromise
 segregation of duties.  The individual system/application owner would
 be responsible for determining incompatibilities between certain
 permissions, and would be part of the account management process.


In approach #1 the advantages are that when a user changes their job
function, their manager is aware of all of their access, and can modify
it appropriately to maintain segregation of duties.   Each manager is
involved in all access control decisions for their employees.  This
results in tighter control over what each employee is allowed to access.

The disadvantages of approach #1 are that we need to be able to create a
mapping of all possible permissions onto all possible incompatibilities,
and also map all things that are not in conflict.  Each manager needs to
be aware of all potential conflicts, and is involved in all access
control decisions for their employees.  This could become a bottleneck.

In approach #2 the advantage is that each data/system owner is
responsible for granting/denying access to their environment.  They are
better positioned to know who should (not) have access to their data,
and what is incompatible.  

In approach #2 the disadvantage is that there is no central point of
control for what a user can access.  

What approaches have you taken for implementing access control policies?
Does each manager decide who should be allowed to access what, or does
this responsibility belong to the data owner?

Hybrid approaches are possible, and we can even use both approaches
simultaneously, but I'm also worried about efficiency.

Thoughts? 

-- 
Andy Steingruebl              | e-mail: asteingruebl@cccis.com
Information Security Architect| phone:  (312) 229-2409
Unix/Network/App Security     | fax:    (312) 527-0523
CCC Information Services      | post:   444 Merchandise Mart
                              |         Chicago, IL 60654-1005



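The two approaches in the question differ mainly in who declares which permissions are incompatible: a central policy (approach #1) or each system owner (approach #2). The following is an added illustration, not code from either poster, of how static separation-of-duty constraints from both sources can be evaluated by one checker in an RBAC model, which is roughly the hybrid the question mentions. All role, permission and constraint names are constructed for the example, and the checker assumes every constraint means "a user may hold at most one of these permissions".

```python
"""Toy RBAC model with static separation-of-duty (SoD) constraints.

Constructed example: constraints carry a scope that is either "central"
(declared once for the whole environment, approach #1) or the name of the
owning system or application (declared by its owner, approach #2). A grant is
checked against the union of both, so there is a single point of control
without requiring the central policy to enumerate every system's conflicts.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class SodConstraint:
    name: str             # label reported back when the constraint is violated
    scope: str            # "central" or the owning system/application
    exclusive: frozenset  # a user may hold at most ONE of these permissions


# Constructed role -> permission mapping (hypothetical names).
ROLE_PERMISSIONS = {
    "ap_clerk": {"ap.create_vendor"},
    "ap_manager": {"ap.approve_payment"},
    "treasury": {"ap.issue_payment"},
    "hr_admin": {"hr.create_employee"},
    "payroll_operator": {"payroll.run"},
    "account_admin": {"sys.admin_accounts"},
    "auditor": {"audit.review"},
}

# Constructed constraints: two declared centrally, one by the payroll owner.
CONSTRAINTS = [
    SodConstraint("payment-lifecycle", "central",
                  frozenset({"ap.create_vendor", "ap.approve_payment",
                             "ap.issue_payment"})),
    SodConstraint("admin-vs-audit", "central",
                  frozenset({"sys.admin_accounts", "audit.review"})),
    SodConstraint("hire-and-pay", "payroll",
                  frozenset({"hr.create_employee", "payroll.run"})),
]


def effective_permissions(roles):
    """Union of the permissions granted by a set of roles."""
    unknown = set(roles) - set(ROLE_PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))


def violations(permissions, constraints=CONSTRAINTS):
    """Return 'scope:name' for every constraint the permission set breaks."""
    return [f"{c.scope}:{c.name}" for c in constraints
            if len(permissions & c.exclusive) > 1]


def check_grant(current_roles, new_role, constraints=CONSTRAINTS):
    """Simulate adding new_role; an empty list means the grant is allowed.

    The scope in each reported violation tells the account-management
    process whether the central policy or a system owner blocked the grant.
    """
    proposed = effective_permissions(set(current_roles) | {new_role})
    return violations(proposed, constraints)


def roles_to_drop(current_roles, new_roles, constraints=CONSTRAINTS):
    """On a job change, which current roles must be removed before new_roles
    can be held? Each existing role is tested against the full new role set;
    that is exact because every constraint is pairwise ("at most one of").
    """
    new_perms = effective_permissions(new_roles)
    return {role for role in current_roles
            if role not in new_roles
            and violations(new_perms | ROLE_PERMISSIONS[role], constraints)}


def conflict_pairs(constraints=CONSTRAINTS):
    """Flatten the constraints into the pairwise incompatibility matrix that
    approach #1 would otherwise have to be written out by hand."""
    pairs = set()
    for c in constraints:
        pairs.update(frozenset(p) for p in combinations(sorted(c.exclusive), 2))
    return pairs


if __name__ == "__main__":
    print(check_grant({"ap_clerk"}, "ap_manager"))
    print(check_grant({"ap_clerk"}, "auditor"))
    print(roles_to_drop({"ap_clerk", "hr_admin"}, {"ap_manager"}))
    print(len(conflict_pairs()), "incompatible permission pairs")
```

The `roles_to_drop` function is the approach #1 advantage from the question made mechanical: when someone changes job function, the manager gets a concrete list of what must be revoked rather than having to remember every conflict. Keeping the conflict declarations next to the system that owns the data, while evaluating them centrally, is what keeps the manager from becoming the bottleneck the question worries about.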