At Standard Insurance, a diversified financial services company, we are modeling and analyzing role-based access control (RBAC) to uncover residual risks and develop mitigation strategies. We use TOGAF and ArchiMate as our core EA methodology, and are introducing elements of SABSA, which is focused on enterprise security architecture and service management. We will present views of RBAC based on TOGAF, ArchiMate and SABSA concepts and show how we use these three paradigms to justify and explain systematic, scalable and transparent access control. Delivered at July 2011 Open Group Austin Conference

1. July 19, 2011 Modeling RBAC with SABSA, TOGAF and ArchiMateCreating a Foundation for Understanding and Action Iver Band, CISSP - Open Group Conference, Austin, Texas

2. About The Standard The RBAC standard Modeling motivations and objectives Framework analysis and comparison Modeling approach Diagrams that justify and explain RBAC Conclusion References Agenda July 17, 2011 2 Thanks to Kevin Graham, CISSP and enterprise security architect at The Standard, for his partnership in this work

3. Financial services company Founded in 1906 Our purpose: To help people achieve financial security so they can confidently pursue their dreams Expertise: Group Life & Disability Insurance Individual Disability Insurance Retirement Plans Individual Annuities Commercial Mortgages Headquarters in Portland, OR 3,100 Employees 3 The Standard July 17, 2011

4. 4 IT at The Standard July 17, 2011

6. Insufficient understanding of identity and access management best practices

8. Four standard and cumulative levels (1) Core, (2) Hierarchical, (3) Constrained, (4) Symmetric All levels support Restriction of user permissions to those acquired through roles Many-to-many user-role and role-permission assignment Review of user-role assignments Simultaneous user access to permissions of multiple roles Level 2 adds variants with differing hierarchy support Support for an arbitrary partial order (reflexive, transitive, anti-symmetric) Any restriction on the structure of the role hierarchy, for example: Tree or inverted tree, limited inheritance or activation, depth limits Level 3 adds separation of duty (SOD) support Level 4 adds permission-role review with performance comparable to user-role review 7 RBAC Concepts July 17, 2011

9. Business drivers Increase the efficiency, agility and transparency of access control Support strategic requirements for enterprise-wide and federated identity and access management IT drivers Increase RBAC understanding of both IT and key user personnel Derive greater value from existing identity management investments and justify further investment Support identity and access management for enterprise initiatives such as CRM and Contact Center Reduce administrative burden on IT by making access control comprehensible to the broader business community Demonstrate relevance of TOGAF and ArchiMate to security architecture 8 RBAC Modeling and Knowledge Transfer Motivations July 17, 2011

10. Desired State 9 Well-Designed RBAC Is Easy to Understand July 17, 2011 All-Too-Typical State Local roles aligned with system context Local roles aligned with business context

11. This effort is not fundamentally about technology It is about getting people to think differently about access control Change behavior immediately and measurably Systems and access administration requests and configurations Lay the groundwork for successful investments in identity and access management solutions It requires two types of communication to a range of business and IT stakeholders Justification:Demonstrate the need for systematic access control Explanation: Explain how RBAC works and how it satisfies the need 10 Modeling Objectives July 17, 2011

12. 11 How Can Our Chosen Frameworks Help? July 17, 2011

13. 12 TOGAF and SABSA Have Comparable Methods for our Purposes July 17, 2011 SABSA Lifecycle TOGAF ADM

15. Governance

16. Process

17. Data

18. Services

19. Infrastructure ConsolidationBusiness Motivation Conceptual Business Application Logical Information Systems Technology Physical Technology Implementation and Migration Component Realization

20. Select cells from SABSA Matrix for RBAC justificationand explanation Strength:Comprehensive treatment of enterprise security architecture Select best fitting TOGAF catalogs, matrices and diagram types Strength: Comprehensive treatment of enterprise architecture (EA) Select best fitting ArchiMate diagram types Strength:General EA visual modeling language with broad coverage of TOGAF, particularly in the 2.0 draft specification Adapt viewpoints as necessary to express SABSA objectives Create catalogs and matrices Straightforward based on TOGAF 9 guidance This presentation will instead focus on diagrams Create ArchiMate diagrams based on selected TOGAF and ArchiMate viewpoints 14 Our Modeling Approach Leverages Strengths of Each Standard July 17, 2011

21. 15 The Top Two Rows of the SABSA Matrix Have Relevant Content July 17, 2011 Explain RBAC Justify RBAC

22. Each Selected SABSA Matrix Cell Corresponds to Multiple TOGAF and ArchiMate Viewpoints

23. 17 TOGAF Value Chain Diagram Justify RBAC Explain RBAC RBAC resulted in $6 billion in US economic benefits from 2002-2009, according to 2010 economic analysis commissioned by US NIST, from which this diagram was adapted

24. 18 Justify RBAC ArchiMate Motivation Diagram July 17, 2011

25. 19 Justify RBAC ArchiMate Actor Cooperation Diagram July 17, 2011

26. 20 Justify RBAC ArchiMate Landscape Map July 17, 2011 Enterprise CRM Application Mortgage Solution Plan Admin App Policy Admin App Hosted Advisor Work-bench Hosted Vertical Industry Solution Claims App A Document Mgmt System B Document Mgmt System A

27. 21 TOGAF Solution Concept Diagram July 17, 2011 Explain RBAC

28. 22 ArchiMate Product Diagram July 17, 2011 Justify RBAC Explain RBAC

29. 23 Review: RBAC Levels July 17, 2011

30. 24 Explain RBAC ArchiMate Application Behavior View July 17, 2011

31. TOGAF, ArchiMate and SABSA each provide broad and deep value for enterprise architects, regardless of their specialty Integrating these three paradigms today requires significant effort, since they cover much but not all of the same ground, often with similar but not strictly equivalent concepts Fortunately, there are Open Group efforts underway to integrate TOGAF and SABSA The TOGAF and ArchiMate content frameworks Architects can use RBAC to improve the effectiveness, scalability, transparency and agility of access control Architects can use SABSA, TOGAF and ArchiMate To model, portray and analyze planned or actual RBAC solutions As a rigorous foundation for a wide range of stakeholder communications 25 Conclusion July 17, 2011

32. The NIST Model for Role-Based Access Control: Towards a Unified Standard http://csrc.nist.gov/groups/SNS/rbac/documents/towards-std.pdf ANSI INCITS 359-2004 Information Technology Role-Based Access Control http://www.techstreet.com/standards/incits/359_2004?product_id=1151353 Sherwood Applied Business Security Architecture (SABSA) http://www.sabsa.org/publications.aspx Executive White Paper on Enterprise Security Architecture Enterprise Security Architecture: A Business-Driven Approach TOGAF 9 standard online http://pubs.opengroup.org/architecture/togaf9-doc/arch ArchiMate Version 1.0 standard online http://www.opengroup.org/archimate/index.htm Economic Benefits of Role-Based Access Control http://csrc.nist.gov/groups/SNS/rbac/documents/20101219_RBAC2_Final_Report.pdf Speaker contact:Iver.Band@standard.com 26 References July 17, 2011