Identity Governance Blog

How Role Mining Functionality Supports the NIST Role-Based Access Control Model

September 12, 2024

One of the most challenging problems in managing large networks is the complexity of user administration. Role-based access control (RBAC) reduces user access administration costs and is now the predominant model for advanced access control. The National Institute of Standards and Technology (NIST) model for RBAC was adopted as American National Standard 359-2004 by the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS).

When administrators specify access control lists for each user on the system individually, they make security more costly and prone to error. RBAC aligns security more closely with how an organization is structured. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and then assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier, less costly, and less prone to error.
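The relationships just described (users to roles, roles to privileges, role hierarchies, and mutually exclusive roles) can be made concrete in a few lines. The following Python is an added illustration, not part of the NIST standard text or any vendor's product; the finance role names and permissions are constructed for the example.

```python
from collections import defaultdict


class RBAC:
    # Core RBAC plus a role hierarchy and mutually exclusive roles (static SoD).
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> directly assigned permissions
        self.juniors = defaultdict(set)      # senior role -> junior roles it inherits
        self.user_roles = defaultdict(set)   # user -> explicitly assigned roles
        self.exclusive = []                  # mutually exclusive role pairs

    def add_inheritance(self, senior, junior):  # senior inherits junior's permissions
        self.juniors[senior].add(junior)

    def add_exclusive(self, role_a, role_b):  # no user may hold both, even via inheritance
        self.exclusive.append(frozenset((role_a, role_b)))

    def authorized_roles(self, role):
        # The role plus everything beneath it in the hierarchy (transitive).
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def assign_role(self, user, role):
        """Return False and assign nothing if the user would end up holding a
        mutually exclusive pair; inherited roles count toward the check."""
        held = set()
        for r in self.user_roles[user] | {role}:
            held |= self.authorized_roles(r)
        if any(pair <= held for pair in self.exclusive):
            return False
        self.user_roles[user].add(role)
        return True

    def permissions(self, user):
        # Effective permissions: union over assigned roles and their juniors.
        return {p for r in self.user_roles[user]
                for a in self.authorized_roles(r) for p in self.role_perms[a]}


def demo():
    # Constructed finance example: clerks create invoices, managers approve them.
    rbac = RBAC()
    rbac.role_perms["employee"].add("read:intranet")
    rbac.role_perms["ap_clerk"].add("create:invoice")
    rbac.role_perms["ap_manager"].add("approve:invoice")
    rbac.add_inheritance("ap_clerk", "employee")
    rbac.add_inheritance("ap_manager", "employee")
    rbac.add_exclusive("ap_clerk", "ap_manager")
    rbac.assign_role("alice", "ap_clerk")
    return rbac
```

With this in place, an attempt to also give alice the ap_manager role is refused, while her effective permissions still include the intranet access inherited from the employee role.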

In this post, we will explain the principal benefits of the NIST role-based access control model, list the challenges RBAC presents to access managers and explain how role mining in an Identity Governance and Administration (IGA) solution can help overcome them.


The Benefits of RBAC in Identity Governance

Simplifies user access rights management

Organizations can use RBAC to simplify assigning user access rights and reduce the associated costs. RBAC enables administrators to review access rights and ensure compliance with industry standards, as well as make it so new employees can be productive more quickly than before by having roles aligned with their job function. RBAC predefines which systems the new employee should have access to, based on their role in the organization.

Improves efficiency in critical business processes

Not only does RBAC harden the security posture enterprise-wide, but it also makes the business operate more efficiently by simplifying onboarding and off-boarding procedures and compliance. RBAC affords the organization more control and insight into who has access to what, and why, as well as unburdening administrators from responsibility for supporting these processes.

Streamlines permission management

Implementing RBAC allows managers to apply sets of roles for simple and consistent permission management across all systems and users in the organization. RBAC supports more efficient change management by automating user permission updates that reflect changes in users’ roles and responsibilities.

Increases access rights visibility

RBAC enables control of access rights at the enterprise level. Users can match permissions with roles, increase visibility (i.e., by documenting requests and approvals), and maintain full audit trails to prepare more easily for compliance reporting.

Supports more efficient user administration and audit preparation

Automated policy and role management simplifies processes for assigning privileges to individual users and provides real-time updates of user permissions according to changes as users progress through the identity lifecycle.

RBAC enables access managers to handle exceptions to the standard access management policies with a consistently high level of control. Users can audit process history to ensure robust administrative support for compliance reporting, which helps them prepare for security audits more easily.


The Challenges to Implementing the RBAC Model

Maintaining accuracy and consistency

Managing access rights for large numbers of users while retaining consistency across disjointed, siloed systems without automation and role insights is complex and labor-intensive.

Complying with a dynamic regulatory climate

Maintaining control of access rights for a diverse mix of users, IT systems, and organizational structures is difficult at baseline. Local and international regulations and legislation that continually change make the task even harder.

Providing sufficient visibility

Inefficient manual administration processes result in insufficient access rights updating and a lack of transparency. This makes enforcing business-level control of access rights in highly regulated organizations very difficult. Furthermore, focusing on each business unit separately often results in duplication of roles across business units, increasing the burden on the organization to maintain over time.


The Ongoing Challenge of Over-Permissioned Access

Unnecessary access and excessive permissions throughout the user identity lifecycle are a significant challenge for the C-suite in most organizations. According to Omada’s research report State of Identity Governance 2024, more than 76 percent of CIOs and CSO/CISOs report that they are “very concerned” that people in their organizations have over-permissioned access to data and applications.

Role mining gives organizations the insights they need to reduce the number of over-permissioned users and lower the risk of security breaches, accelerating the move toward least privilege.


What Is Role Mining?

Role mining functionality in a modern IGA platform helps identity managers improve access control by executing a process that discovers relationships between entitlements and a user’s job role. Role mining allows administrators to analyze how access to data and systems is mapped to users and determine whether users in the organization have access to the applications and systems required to carry out their roles. After analyzing this mapping data, they can modify permissions to support the principle of least privilege. Role mining is emerging as the most effective way to collect relevant data about which user permissions and entitlements are required to do specific jobs in an organization. When executed successfully, role mining supports RBAC in reducing complexity during the onboarding of new hires by assigning birthright access and entitlements by function, role, or role set and enabling them to be productive on day one.
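As an added illustration of the analysis this section describes (not Omada's engine or code), the following Python derives a candidate role per job function from a constructed user-entitlement extract and flags, for each user, the entitlements that fall outside that role. The support threshold and all user, job, and entitlement names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample extract: (user, job function, entitlements currently held).
ACCESS_EXTRACT = [
    ("u001", "ap_clerk", {"erp:invoice_create", "mail", "fileshare:finance"}),
    ("u002", "ap_clerk", {"erp:invoice_create", "mail", "fileshare:finance"}),
    ("u003", "ap_clerk", {"erp:invoice_create", "mail", "fileshare:finance",
                          "erp:invoice_approve"}),
    ("u004", "ap_clerk", {"erp:invoice_create", "mail", "fileshare:finance",
                          "hr:payroll_read"}),
    ("u005", "ap_manager", {"erp:invoice_approve", "mail", "fileshare:finance"}),
    ("u006", "ap_manager", {"erp:invoice_approve", "mail", "fileshare:finance",
                            "erp:invoice_create"}),
]


def mine_roles(extract, support=0.75):
    """Candidate role per job function: entitlements held by at least `support`
    of that function's users. A threshold below 1.0 tolerates outliers, so a
    single over-permissioned user does not pull their extras into the role."""
    by_job = defaultdict(list)
    for _, job, ents in extract:
        by_job[job].append(ents)
    roles = {}
    for job, holders in by_job.items():
        counts = Counter(e for ents in holders for e in ents)
        roles[job] = {e for e, n in counts.items() if n / len(holders) >= support}
    return roles


def find_deviations(extract, roles):
    """Per user: entitlements beyond the candidate role (least-privilege removal
    candidates) and role entitlements the user is missing (birthright gaps)."""
    report = {}
    for user, job, ents in extract:
        excess, missing = ents - roles[job], roles[job] - ents
        if excess or missing:
            report[user] = {"excess": excess, "missing": missing}
    return report


def analyze(extract=ACCESS_EXTRACT, support=0.75):
    """Run both steps; returns (candidate roles, per-user deviation report)."""
    roles = mine_roles(extract, support)
    return roles, find_deviations(extract, roles)
```

On the sample data, the three users holding an entitlement that none of their peers in the same function share (an approval right, payroll access, and an invoice-creation right respectively) are the ones surfaced for review; the mined roles themselves can then seed the birthright assignments described above.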


How Role Mining Improves Identity Lifecycle Management

When a new hire is onboarded, it is reasonable to expect that they will take on several different roles during their tenure in the organization. This is a challenge because, when employees change departments, they should retain access only to the systems they need for their new job function, while also gaining access to the different systems and data required for their newly assigned tasks so that they remain productive. Without automated role mining, administrators must manually handle these changes across the organization. This makes the role management process time-consuming, costly, and error-prone. Identity lifecycle management based on a user’s role ensures that employees are provisioned precisely with access to the proper resources such as the directory service, email, shared cloud drives, and application services.

Using role mining to gain role insights, an organization can see identity data in independent systems within the IT environment, and then use connectors to transfer data between each of those respective systems and the IGA solution.


How Role Mining Supports RBAC

Role mining supports RBAC by enabling administrators to optimize the management of existing users and establish birthright and core functional roles when onboarding new users. Role mining eliminates the need to rely on manual, people-driven processes to reduce the number of over-permissioned users and the incidents of credential theft and lateral movement that may eventually result in a costly and labor-intensive cybersecurity incident.

Using a modern IGA like Omada Identity Cloud with Role Insights effectively automates user role discovery and role optimization, reducing the manual work needed to create and update roles. Omada uses an intelligent engine to analyze users’ access needs and then suggests optimal roles. It is a data-driven approach that determines the right fit, increasing efficiency and maximizing user productivity from the beginning. This approach simplifies role discovery, lowers complexity, and heightens security. The result is a streamlined access management process that enables faster certifications and reviews as well as upfront assignments and continuous optimization of roles throughout the identity lifecycle.

To learn more about how Omada helps provide the role visibility necessary to support NIST Role-Based Access Control, contact us today!
