Download the Role & Access Discovery Workbook
Fine-grained access control systems determine a user’s access rights—to infrastructure, data, or resources, for example—once past initial authentication. Unlike coarse-grained access control (CGAC), which relies on a single factor, such as role, to grant access, FGAC relies on multiple factors. For example, it may consider policies (policy-based access control, or PBAC), attributes (attribute-based access control, or RBAC), or a user’s behavior in a certain context (behavior-based access control, or BBAC).
StrongDM manages and audits access to infrastructure.
- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
It’s a nightmare scenario. You work in a regulated market, like financial services or healthcare. There’s a breach. You know the question is coming, but can you confidently answer it?
“Who at the company could have seen those social security numbers?” What about its follow-up question: “Who actually did see that number?” In other words, who theoretically had access to that information, but also, who actually accessed it?
Often, employees will have access they may not need for their job (over provisioning), and risk is increased because your breach surface just got that much bigger. But that’s the nightmare scenario.
What about the day-to-day activities? The ones where someone in marketing requests access to a production customer database—do you know if that person really needs access to it?
A critical part of embracing zero trust and implementing privileged access management (PAM) is ensuring that each employee’s access to technical tools is as close as possible to what’s needed for their specific role. But creating unique roles for every individual can be expensive, time-consuming, and difficult to do.
For example, data scientists may need access to sensitive data, but because of the complexity associated with access management, many companies simply provide that access to the entire engineering department—even though 80% of the department doesn’t need that access. Suddenly, you have audit and security issues as well, especially if you ever have to determine how an infrastructure breach occurred.
The good news is that there’s a way to avoid the pitfalls of providing too much or too little access—and it all starts with role and access discovery.
Why Access Management Is Hard
Imagine you’re building a house, but instead of having a floor plan or starting with the foundation, you just build it as you go, adding room after room. Over time, you’ll likely end up with a nice house, but not necessarily a functional home (real life example: the Winchester Mystery House in San Jose).
Access can fall into the same trap. Over time, your organization will add new people, new teams, new roles, and new systems. And before you know it, you have no source of truth for who has access to which systems, much less who needs access to them. This inevitably leads to over- and under-provisioning, not to mention that it's now extremely difficult to audit what is happening in each system.
It usually takes a major financial event, like an initial public offering, or a compliance event, such as achieving SOC 2 compliance, to drive these types of projects. But for any team that doesn’t have those compelling events, you’ll likely be forced to deal with the accumulated frustration of multiple teams who just want the access they need.
Enter Role & Access Discovery
To put it simply, if you start without a plan for infrastructure access, you're going to regret it—and yet, many companies are inclined to skip this step. The result is a hodgepodge of access across multiple roles and systems that becomes impossible to manage. Organizations need to shift their mindsets and behavior to proactively think about who needs access to what, document it, and standardize it. That’s where Role and Access Discovery comes in.
Role and access discovery is a collaborative process that defines:
- The structure of the company
- The structure of the teams
- Which roles need access to which systems
- How long is that access needed
The task of role and access discovery and planning often gets assigned to technical staff, like the IT team or infrastructure team. And as discussed above, organizations that don’t take the time to think about their end goals or plan access upfront may end up haphazardly providing too little or too much access to individual employees.
It's critical for those planning access to consider the duration for which access is necessary based on the role an individual plays within the organization.
Standing privileges offer users the ability to access resources from any location at any time without time limitations or additional approvals needed for privileged actions. This level of convenience, though appealing, can pose significant security risks. If these credentials fall into the wrong hands, the potential for harm is considerable. Administrator credentials in particular often grant broad access across many systems and may include the power to modify user permissions extensively.
In contrast, Just-in-Time (JIT) Access presents a more secure alternative. It allows for the provisioning of temporary or single-use access rights that expire once their purpose is fulfilled. This method drastically minimizes the risks associated with standing privileges by ensuring access is granted only when necessary, and without exposing actual credentials to users.
💡Make it easy: Just-in-Time Access works best when it is easy for the end user to request and receive access. It should also be auditing to map the end to end chain of events, who is requesting access, why they are requesting it, and for how long. Play the video below to see how easy StrongDM makes Just-in-Time access and try it for yourself.
Adopting automated JIT access mechanisms provides a balanced solution, mitigating the risks of privilege misuse while avoiding operational impediments. This approach not only enhances security by reducing the organization's exposure to potential threats but also streamlines processes for administrators and minimizes inconvenience for all users.
Starting the Access Conversation
Getting a clear picture of how resources are actually utilized can enhance your security posture and streamline Just-in-Time (JIT) workflows, especially for resources that aren't used all that often.
Even if you have a list of names of employees and systems, tracking and controlling access needs to be granular. That means collaborating across teams—IT, DevOps, HR, Security—to determine how roles should be categorized and how access should be managed for each role.
Document all internal audits of role-based access. And repeat this plan at a consistent cadence, at least every year, if not quarterly or more, based on your needs.
To get the most out of your analysis, consider incorporating these crucial steps:
- Audit who has access to what resources and why.
- Review utilization of users, resources, and access grants.
- Identify vulnerable resources by reviewing standing access grants.
- View access requests and temporary access grants across your entire infrastructure.
💡Make it easy: Understand the secutity risk profile of all standing access grants. Make decisons on how should continue to have access, and where access can be revoked without introducing friction. Try it for yourself.
By closely examining who has access to various resources and when, you'll be able to make decisions based on solid evidence. This approach allows you to tailor access rights perfectly, ensuring team members have the access they need, precisely when they need it.
Getting Started
Curious about how to get started? We have a few resources to help you down the path:
- Download the Role & Access Discovery Workbook - an interactive tool that will help drive the process forward
- Check out our webinar series on Getting Started with Access Management. The first session is focused on Role and Access Discovery—you can register here.
About the Author
💙 this post?
Then get all that StrongDM goodness, right in your inbox.
You May Also Like
If credentials fall into the wrong hands, intruders may enter a network and launch a disastrous attack. In fact, 46% of cybersecurity incidents involve authentication credentials, according to the Verizon 2022 Data Breach Investigations Report. Organizations have two general ways to determine someone’s access rights once past initial authentication: Coarse-grained access control (CGAC), which relies on a single factor, and fine-grained access control (FGAC), which relies on multiple factors. Traditionally, CGAC has been the easier option, while FGAC offers superior security at the cost of more complex implementation.
In this article, we will look at three important types of access control in security. You’ll learn about the different types of access control, how they work, and their pros and cons. By the end of this article, you’ll understand what type of access control will work best for your organization and meet your security needs.
Learn how Remote Identities helps you leverage SSH and k8s capabilities to capitalize on infrastructure workflow investments you’ve already made.
With the release of tighter integrations with Okta and Azure AD (or any SCIM-based directory service for that matter), you now have the ability to manage just-in-time, least-privilege access to your critical infrastructure right from your preferred identity provider (IdP), dramatically reducing the time needed to approve requests and grant access.