RE: Implementing segregation of duties in an account management process

Subject: RE: Implementing segregation of duties in an account management process
Date: Tue, 28 Jun 2005 17:24:21 +0530
It is true that Identity management solutions will help in the
"implementation" part.

Coming to defining the roles and responsibilities --- 

I feel the central IT team or IT-Security team is best placed to identify
roles which would prevail across applications and identify the access
privileges and segregations relevant for these. This will serve as
guidelines for the entire organisation. As an example, what are the roles
involved and how to achieve segregation of roles in activities like
"creating a new application user" or in "monitoring security logs" can be
defined centrally. Certain application-specific activities might be
difficult to capture centrally.

The individual application owners should use these guidelines and apply them
in their own environments. The responsibility for implementing the
segregation of roles should be with individual application owners. This will
ensure that implementations are meaningful and app-owners are more
accountable.


-----Original Message-----
From: Dimitrios Patsos [mailto:dpat@space.gr] 
Sent: Monday, June 27, 2005 3:59 PM
To: 'Andrew Steingruebl'; security-management@securityfocus.com
Subject: RE: Implementing segregation of duties in an account management
process

Andrew,

I have recently started working on a similar project.

A very interesting paper related to this issue can be found at
http://www.gammassl.co.uk/topics/chinesewall.html 

It provides a model and a methodology about how you can implement
segregation of duties.

As far as technology and security services are concerned, identity
management systems with RBAC seem like the only path.

Hope these help.

Regards,

Dimitrios G. Patsos
Ph.D (C), M.Sc. Information Security, CME IT Security Consultant
=================== Email dpat@space.gr
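The Brewer-Nash ("Chinese Wall") model that the linked paper describes, worked through as an added example that is not part of the message above or of the paper itself. Datasets are grouped into conflict-of-interest classes; once a subject has read unsanitized data from one dataset in a class, the other datasets in that class are behind the wall. The company, dataset and subject names are constructed sample data, and the write rule is checked against the datasets the subject has actually read, which is the usual way the paper's *-property is implemented.

```python
"""Brewer-Nash ("Chinese Wall") access control as a runnable example.

Objects belong to a company dataset; datasets are grouped into
conflict-of-interest (COI) classes. Once a subject has read from one
dataset in a class, every other dataset in that class is behind the wall.
Subject and object names below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obj:
    name: str
    dataset: str              # company dataset the object belongs to
    coi_class: str            # conflict-of-interest class of that dataset
    sanitized: bool = False   # sanitized (public) information is exempt


@dataclass
class ChineseWall:
    # subject -> set of (dataset, coi_class) pairs the subject has read
    # unsanitized information from; this history is what builds the wall
    history: dict = field(default_factory=dict)

    def _seen(self, subject):
        return self.history.get(subject, set())

    def can_read(self, subject: str, obj: Obj) -> bool:
        """Simple security rule: obj is readable if it is sanitized, or lies
        in a dataset the subject has already read, or lies in a COI class
        the subject has not touched at all."""
        if obj.sanitized:
            return True
        return all(
            coi != obj.coi_class or ds == obj.dataset
            for ds, coi in self._seen(subject)
        )

    def read(self, subject: str, obj: Obj) -> bool:
        """Perform a read and record it; returns False if the wall blocks it."""
        if not self.can_read(subject, obj):
            return False
        if not obj.sanitized:
            self.history.setdefault(subject, set()).add((obj.dataset, obj.coi_class))
        return True

    def can_write(self, subject: str, obj: Obj) -> bool:
        """*-property: a write is allowed only if the read rule allows it and
        the subject has read unsanitized data from no other dataset, so that
        nothing can be copied from one side of the wall to the other."""
        if not self.can_read(subject, obj):
            return False
        return all(ds == obj.dataset for ds, _ in self._seen(subject))


def demo():
    """Walk one analyst through the rules; returns the observed decisions."""
    wall = ChineseWall()
    bank_a = Obj("bankA-ledger", "bankA", "banks")
    bank_b = Obj("bankB-ledger", "bankB", "banks")
    bank_b_pub = Obj("bankB-annual-report", "bankB", "banks", sanitized=True)
    oil_x = Obj("oilX-drilling-plan", "oilX", "oil")
    return {
        "read_bankA": wall.read("alice", bank_a),               # first bank: allowed
        "read_bankB": wall.read("alice", bank_b),               # competitor: blocked
        "read_bankB_public": wall.read("alice", bank_b_pub),    # sanitized: allowed
        "write_bankA": wall.can_write("alice", bank_a),         # only bankA read so far
        "read_oilX": wall.read("alice", oil_x),                 # other COI class: allowed
        "write_bankA_after_oil": wall.can_write("alice", bank_a),  # now blocked
    }


if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step:24s} {'ALLOW' if allowed else 'DENY'}")
```

The point the last two steps make is that the model is history-based: the wall is not fixed at assignment time but grows with what a person has already seen, which is why an identity-management system enforcing it needs an access log it can consult, not just a role table.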

-----Original Message-----
From: Andrew Steingruebl [mailto:asteingruebl@cccis.com]
Sent: Thursday, June 23, 2005 6:49 PM
To: security-management@securityfocus.com
Subject: Implementing segregation of duties in an account management process

I'm working on a project to change how we implement our segregation of
duties from an account management perspective and I'm exploring two
different approaches. I'm hoping folks have experience with both/either
that will help me determine which way to go.

I have a number of systems, processes, applications, etc. in which I need to
implement segregation of duties.  The account administration is performed by
platform and application administrators.

In designing a system of segregation of duties and access control I can
either:

 1. Specify what roles/rights/permissions every type of person/user should
have within my environment. Their manager would be responsible for making
sure they are only granted the appropriate access.

 2. For a given system/application, specify who/what role should be given
access to what feature. Specify what access would compromise segregation
of duties. The individual system/application owner would be responsible
for determining incompatibilities between certain permissions, and would be
part of the account management process.


In approach #1 the advantages are that when a user changes their job
function, their manager is aware of all of their access, and can modify
it appropriately to maintain segregation of duties. Each manager is
involved in all access control decisions for their employees. This results
in tighter control over what each employee is allowed to access.

The disadvantages of approach #1 are that we need to be able to create a
mapping of all possible permissions onto all possible incompatibilities, and
also map all things that are not in conflict. Each manager needs to be
aware of all potential conflicts, and is involved in all access control
decisions for their employees. This could become a bottleneck.

In approach #2 the advantage is that each data/system owner is responsible
for granting/denying access to their environment.  They are better
positioned to know who should (not) have access to their data, and what is
incompatible.  

In approach #2 the disadvantage is that there is no central point of control
for what a user can access.  

What approaches have you taken for implementing access control policies?
Does each manager decide who should be allowed to access what, or does this
responsibility belong to the data owner?

Hybrid approaches are possible, and we can even use both approaches
simultaneously, but I'm also worried about efficiency.

Thoughts? 

-- 
Andy Steingruebl              | e-mail: asteingruebl@cccis.com
Information Security Architect| phone:  (312) 229-2409
Unix/Network/App Security     | fax:    (312) 527-0523
CCC Information Services      | post:   444 Merchandise Mart
                              |         Chicago, IL 60654-1005
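The two approaches in the question above, and the reply at the top of the thread that suggests central role guidelines with application owners implementing them, expressed as static segregation-of-duties checks. This is an added example, not code from anyone in the thread; every role, permission and rule in it is constructed sample data, and permission names use a "system:action" convention so that a per-application check can filter on its own system.

```python
"""Static segregation-of-duties (SoD) checks for the two approaches in the
thread. Roles, permissions and rules are constructed sample data; permission
names are "system:action" so per-application checks can filter on them.

Approach #1: a central catalogue maps every role to its permissions and a
central rule set lists incompatible permission pairs; the check covers
everything a person holds, across systems.
Approach #2: each application owner maintains the incompatibilities for
that application only, and the check runs per application.
The hybrid runs both and refuses a grant that trips either.
"""

# Central catalogue (approach #1): role -> permissions it implies.
ROLE_PERMISSIONS = {
    "ap-clerk":    {"erp:vendor.create", "erp:invoice.enter"},
    "ap-approver": {"erp:invoice.approve"},
    "treasury":    {"bank:payment.release"},
    "erp-admin":   {"erp:user.create", "erp:role.assign"},
    "sec-analyst": {"siem:log.read"},
    "siem-admin":  {"siem:log.delete"},
}

# Central SoD rules: no one person may hold both halves of a pair.
# The second rule spans two systems, which only a central view can see.
CENTRAL_RULES = {
    frozenset({"erp:vendor.create", "erp:invoice.approve"}),
    frozenset({"erp:invoice.approve", "bank:payment.release"}),
    frozenset({"erp:user.create", "erp:role.assign"}),
}

# Per-application rules (approach #2), owned by each application's owner.
APP_RULES = {
    "erp":  {frozenset({"erp:invoice.enter", "erp:invoice.approve"})},
    "siem": {frozenset({"siem:log.read", "siem:log.delete"})},
}


def permissions_for(roles):
    """Flatten a person's roles into the permissions they imply."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def system_of(permission):
    """The system prefix of a "system:action" permission name."""
    return permission.split(":", 1)[0]


def violations(perms, rules):
    """Every rule whose permissions are all present in perms."""
    return {rule for rule in rules if rule <= perms}


def check_central(roles):
    """Approach #1: one check over everything the person holds."""
    return violations(permissions_for(roles), CENTRAL_RULES)


def check_app(app, roles):
    """Approach #2: the owner of `app` sees only that app's permissions."""
    perms = {p for p in permissions_for(roles) if system_of(p) == app}
    return violations(perms, APP_RULES.get(app, set()))


def check_hybrid(roles):
    """Union of the central check and every affected application's check."""
    found = set(check_central(roles))
    for app in {system_of(p) for p in permissions_for(roles)}:
        found |= check_app(app, roles)
    return found


def can_add_role(current_roles, new_role):
    """Grant-time gate: refuse the grant if the combination trips a rule."""
    return not check_hybrid(set(current_roles) | {new_role})


def toxic_roles():
    """Roles that violate a rule on their own, before anyone is assigned."""
    return {role for role in ROLE_PERMISSIONS if check_hybrid({role})}


if __name__ == "__main__":
    print("clerk+approver (central):", check_central({"ap-clerk", "ap-approver"}))
    print("approver+treasury (erp owner):", check_app("erp", {"ap-approver", "treasury"}))
    print("approver+treasury (central):", check_central({"ap-approver", "treasury"}))
    print("toxic roles:", toxic_roles())
```

The "ap-approver" plus "treasury" case is the one worth running: neither application owner can see the conflict because each only holds permissions from their own system, which is the "no central point of control" disadvantage of approach #2 in concrete form, while the central rule catches it. The toxic_roles check is the cheap pre-flight for approach #1: a role that already bundles an incompatible pair will fail every person it is assigned to, so it is better caught when the catalogue is built than at each grant.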