At Standard Insurance, a diversified financial services company, we are modeling and analyzing role-based access control (RBAC) to uncover residual risks and develop mitigation strategies. We use TOGAF and ArchiMate as our core EA methodology, and are introducing elements of SABSA, which is focused on enterprise security architecture and service management. We will present views of RBAC based on TOGAF, ArchiMate and SABSA concepts and show how we use these three paradigms to justify and explain systematic, scalable and transparent access control.
Delivered at July 2011 Open Group Austin Conference
QCon London: Mastering long-running processes in modern architectures
Enterprise Security Modeling and Analysis with TOGAF®, ArchiMate® and SABSA
1. July 19, 2011 Modeling RBAC with SABSA, TOGAF and ArchiMateCreating a Foundation for Understanding and Action Iver Band, CISSP - Open Group Conference, Austin, Texas
2. About The Standard The RBAC standard Modeling motivations and objectives Framework analysis and comparison Modeling approach Diagrams that justify and explain RBAC Conclusion References Agenda July 17, 2011 2 Thanks to Kevin Graham, CISSP and enterprise security architect at The Standard, for his partnership in this work
3. Financial services company Founded in 1906 Our purpose: To help people achieve financial security so they can confidently pursue their dreams Expertise: Group Life & Disability Insurance Individual Disability Insurance Retirement Plans Individual Annuities Commercial Mortgages Headquarters in Portland, OR 3,100 Employees 3 The Standard July 17, 2011
8. Four standard and cumulative levels (1) Core, (2) Hierarchical, (3) Constrained, (4) Symmetric All levels support Restriction of user permissions to those acquired through roles Many-to-many user-role and role-permission assignment Review of user-role assignments Simultaneous user access to permissions of multiple roles Level 2 adds variants with differing hierarchy support Support for an arbitrary partial order (reflexive, transitive, anti-symmetric) Any restriction on the structure of the role hierarchy, for example: Tree or inverted tree, limited inheritance or activation, depth limits Level 3 adds separation of duty (SOD) support Level 4 adds permission-role review with performance comparable to user-role review 7 RBAC Concepts July 17, 2011
9. Business drivers Increase the efficiency, agility and transparency of access control Support strategic requirements for enterprise-wide and federated identity and access management IT drivers Increase RBAC understanding of both IT and key user personnel Derive greater value from existing identity management investments and justify further investment Support identity and access management for enterprise initiatives such as CRM and Contact Center Reduce administrative burden on IT by making access control comprehensible to the broader business community Demonstrate relevance of TOGAF and ArchiMate to security architecture 8 RBAC Modeling and Knowledge Transfer Motivations July 17, 2011
10. Desired State 9 Well-Designed RBAC Is Easy to Understand July 17, 2011 All-Too-Typical State Local roles aligned with system context Local roles aligned with business context
11. This effort is not fundamentally about technology It is about getting people to think differently about access control Change behavior immediately and measurably Systems and access administration requests and configurations Lay the groundwork for successful investments in identity and access management solutions It requires two types of communication to a range of business and IT stakeholders Justification:Demonstrate the need for systematic access control Explanation: Explain how RBAC works and how it satisfies the need 10 Modeling Objectives July 17, 2011
12. 11 How Can Our Chosen Frameworks Help? July 17, 2011
13. 12 TOGAF and SABSA Have Comparable Methods for our Purposes July 17, 2011 SABSA Lifecycle TOGAF ADM
19. Infrastructure ConsolidationBusiness Motivation Conceptual Business Application Logical Information Systems Technology Physical Technology Implementation and Migration Component Realization
20. Select cells from SABSA Matrix for RBAC justificationand explanation Strength:Comprehensive treatment of enterprise security architecture Select best fitting TOGAF catalogs, matrices and diagram types Strength: Comprehensive treatment of enterprise architecture (EA) Select best fitting ArchiMate diagram types Strength:General EA visual modeling language with broad coverage of TOGAF, particularly in the 2.0 draft specification Adapt viewpoints as necessary to express SABSA objectives Create catalogs and matrices Straightforward based on TOGAF 9 guidance This presentation will instead focus on diagrams Create ArchiMate diagrams based on selected TOGAF and ArchiMate viewpoints 14 Our Modeling Approach Leverages Strengths of Each Standard July 17, 2011
21. 15 The Top Two Rows of the SABSA Matrix Have Relevant Content July 17, 2011 Explain RBAC Justify RBAC
22. Each Selected SABSA Matrix Cell Corresponds to Multiple TOGAF and ArchiMate Viewpoints
23. 17 TOGAF Value Chain Diagram Justify RBAC Explain RBAC RBAC resulted in $6 billion in US economic benefits from 2002-2009, according to 2010 economic analysis commissioned by US NIST, from which this diagram was adapted
25. 19 Justify RBAC ArchiMate Actor Cooperation Diagram July 17, 2011
26. 20 Justify RBAC ArchiMate Landscape Map July 17, 2011 Enterprise CRM Application Mortgage Solution Plan Admin App Policy Admin App Hosted Advisor Work-bench Hosted Vertical Industry Solution Claims App A Document Mgmt System B Document Mgmt System A
31. TOGAF, ArchiMate and SABSA each provide broad and deep value for enterprise architects, regardless of their specialty Integrating these three paradigms today requires significant effort, since they cover much but not all of the same ground, often with similar but not strictly equivalent concepts Fortunately, there are Open Group efforts underway to integrate TOGAF and SABSA The TOGAF and ArchiMate content frameworks Architects can use RBAC to improve the effectiveness, scalability, transparency and agility of access control Architects can use SABSA, TOGAF and ArchiMate To model, portray and analyze planned or actual RBAC solutions As a rigorous foundation for a wide range of stakeholder communications 25 Conclusion July 17, 2011
32. The NIST Model for Role-Based Access Control: Towards a Unified Standard http://csrc.nist.gov/groups/SNS/rbac/documents/towards-std.pdf ANSI INCITS 359-2004 Information Technology Role-Based Access Control http://www.techstreet.com/standards/incits/359_2004?product_id=1151353 Sherwood Applied Business Security Architecture (SABSA) http://www.sabsa.org/publications.aspx Executive White Paper on Enterprise Security Architecture Enterprise Security Architecture: A Business-Driven Approach TOGAF 9 standard online http://pubs.opengroup.org/architecture/togaf9-doc/arch ArchiMate Version 1.0 standard online http://www.opengroup.org/archimate/index.htm Economic Benefits of Role-Based Access Control http://csrc.nist.gov/groups/SNS/rbac/documents/20101219_RBAC2_Final_Report.pdf Speaker contact:Iver.Band@standard.com 26 References July 17, 2011
Notes de l'éditeur
This is a rapid-fire presentation with lots of detail. You may not retain all of it the first time through. Afterwards, I encourage you to review the slides—email me for a copy with speaker notes–and speaker notes and email me with any questions. Note that the information in this presentation about The Standard’s systems and processes are simplified examples that may or may not reflect our current or future states.
InsuranceLife, Accidental Death and Dismemberment, Disability, Dental, Vision and AnnuitiesRetirement plansPublic and private-sectorDefined benefit (pension) and defined contributionVisit www.standard.com
In both diagrams, the Manager business role aggregates a number of system-specific roles. In the All-Too-Typical state, these relationships may seem arbitrary, but in the Desired State the relationships are clear. ArchiMate concepts and relationships are in italics.All-Too-Typical StateBusiness roles are not always defined consistently across organizationsBusiness roles have varying relationships with system rolesIndividual initiative is required to enforce many routine role transitionsBusiness-driven access control rule changes often require significant investigation and manual workDesired StateBusiness roles are clearly defined in a companywide context System roles clearly correspond to business rolesBusiness role changes trigger timely and accurate system role changesAuthorized administrators can alter access control policies quickly, efficiently, reliably and verifiably.
For our purposes, a visual modeling language for enterprise architecture allows the creation of unambiguous diagrams that fulfill the requirements of our chosen paradigms. Only ArchiMate includes such a language, for which we will demonstrate its applicability to expressing selected TOGAF and SABSA deliverables.SABSA contains just development procedures, verbal descriptions of relevant content and examples, but not explicit viewpoint definitionsTOGAF contains verbal descriptions of catalogs, matrices and diagramsArchiMate contains both verbal descriptions of diagrams and explicit meta-diagrams and examples
The SABSA Matrix has six rows, and only the top two are shown here.
This presentation includes examples of diagrams listed in boldface.
RBAC resulted in $6 billion in US economic benefits from 2002-2009, according to 2010 economic analysis commissioned by US NIST, from which this diagram was adaptedThe RBAC value chain is a series of processesthat each have a number of rolesassigned to them. The “Theory and Standards Development” process is associated with four goals. The final “Incorporation and Usage…” process is associated with three kinds of value identified in the NIST-sponsored analysis.
Here we use the ArchiMate 2.0 draft Motivation Extension to illustrate stakeholders and their concerns, along with assessments and requirements related to those concerns. Nesting of symbols is used here to show aggregation. ArchiMate concepts and relationships are in italics.
Nested organizations modeled as business actors are assigned to collaborations with each other and with external roles, This justifies RBAC by illustrating the complexity and criticality of shared activities across organizations.Nesting of symbols is used here to show composition. ArchiMate concepts and relationships are in italics.
This diagram shows how a number of lines of business use a variety of applications for different business functions. It contains example data only.
The RBAC System Support application functions are associated with the Session Creation event, which triggers an Access Check event. These events are a part of a longer sequence that begins with an access request and ends, assuming the request is allowed, with authorized access. The session is associated with an Active Role Set data object. Each user business actor aggregates an active role set for each session in progress, and is associated with all of the events. The Administrator business actor is assigned to the “Manage User, Role and Permission Relationships" business function. The RBAC Administration application function is used by “Manage User…”, and data flows from RBAC Administration to RBAC System Support. ArchiMate concepts and relationships are in italics.
RBAC for Target Applications is a product that aggregates a number of business services and application services, is associated with a number of infrastructure services, and delivers value in the form of security, scalability, agility and transparency. Each type of service is aggregated by a group. ArchiMate concepts and relationships are in italics.
Both the RBAC Administration and RBAC Systems Support application functions aggregate a number of more specialized applicationfunctions, which in turn access a number of data objects. The Session data object aggregates a number of roles and an authenticated user identity, and also contains (composition relationship) the Active Role Set. Two of the application functions at the top of the diagram share a constraint, and the Manage Role Hierarchy application function is associated with a requirement.The application functions, requirement, constraint and objects that are not required by all RBAC levels have numbers in parentheses to indicate where they are required.ArchiMate concepts and relationships are in italics.
The presenter has delivered this material to TheStandard’s information security director, who requested additional sessions with his staff.