Role Based Access Control (RBAC) is defined as “Access control based on user roles (i.e., a collection of access authorizations that a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals” (NIST SP 800-53 Rev. 5). It is a foundational piece in the Zero Trust security model enabling the principle of least-privileged access. It is also one of CISA’s targeted cyber intrusion and detection mitigation strategies.
We will review why RBAC is important and should be a foundational part of your critical infrastructure security controls.
Why Role-Based Access Control (RBAC)
These control policies define user and identity permissions associated with the operational compute environment. They are closely aligned with the processes and functions an employee performs while using a technology device, application or operating system. A highly mature role-based access implementation grants just the right level of access to perform the job or function at just the right time.
This minimizes the organization’s attack surface, because identities and user accounts are not granted privileges they do not need. It also reduces the number of elevated privileges that adversaries, whether inside or outside the organization, could exploit.
As investigations of several recent large compromises and attacks have shown, initial entry into the organization began with credentials obtained or harvested through phishing. Those compromised credentials were then used to gain access and elevate privileges.
This is where RBAC provides an excellent form of risk reduction. If an organization defines roles that limit privileges to only the duties assigned and limits the number of personnel with escalated privileges, then the capabilities available to compromise an environment are limited. If you couple least-privilege RBAC with network segmentation, then both the capabilities of an attacker holding compromised credentials and the impact of the intrusion on your organization are significantly reduced.
Enforcing Role-Based Access Control
CISA’s Targeted Cyber Intrusion and Detection Mitigation Strategies includes RBAC as a necessary tool to mitigate cyber intrusions because its design inherently limits the capabilities of an intruder who gains access to a user’s account.
Further, with a cybersecurity platform like ConsoleWorks, your users are monitored and their attributes are verified through contextual information. Location and device, among other attributes, are checked every time a user attempts to enter the network. Additionally, ConsoleWorks provides risk-based conditional access based on personnel performance and attributes.
Because their session is monitored in real time, not only is their access limited to their role type, but if they begin making inputs that do not align with their stated role, their access can be terminated or flagged to a supervisor. ConsoleWorks can also inhibit certain commands from even being entered by users in the first place.
Role-Based Access Control Examples
Leveraging the strengths of RBAC, you can see in each role-based access control example below how user access is granularly managed, to the point of access being fluidly granted or revoked based on business needs.
- A contractor can be granted access for the date and time of his arrival on the site, to the exact devices and assets he will touch, for the duration of time that he will need to access them. Once he has completed his job, his access is revoked.
- A technician only sees his industrial device on the network and can only make changes related to the scope of his work to that specific device he is permitted access to.
- An employee servicing tickets is permitted access to a device to accomplish the task related to the ticket. After the ticket is serviced, the employee’s access to said endpoint is then revoked.
- The individual with permissions to perform specific functions has no visibility, knowledge, or access to the credentials used to establish the remote connection.
Each of these role-based access control examples demonstrates how RBAC is used to protect your business while also fluidly enabling your workforce to achieve their jobs. ConsoleWorks can make user permission changes dynamically through its integration capabilities with your identity management solutions such as Active Directory.
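The scoped, time-bound grants in the examples above can be expressed as a small authorization check. This is an added illustration, not ConsoleWorks code: the role names, device names, account ids and the one-day contractor window are constructed assumptions, and role inheritance follows the NIST SP 800-53 wording quoted at the top of the post.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical role hierarchy: a role inherits its parents' permissions.
ROLE_PARENTS = {"viewer": [], "field_technician": ["viewer"], "ticket_engineer": ["viewer"]}
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "field_technician": {"configure"},
    "ticket_engineer": {"configure", "restart"},
}


@dataclass
class Assignment:
    """A role granted to one account, for a set of devices, inside a time window."""
    account: str
    role: str
    devices: frozenset
    starts: datetime
    ends: datetime
    revoked: bool = False


def effective_permissions(role: str) -> set:
    """Permissions of a role plus everything inherited through the hierarchy."""
    perms = set(ROLE_PERMISSIONS.get(role, set()))
    for parent in ROLE_PARENTS.get(role, []):
        perms |= effective_permissions(parent)
    return perms


def is_allowed(assignments, account: str, device: str, action: str, now: datetime) -> bool:
    """Deny by default; allow only through an unrevoked, in-window assignment
    whose role carries the requested action for that exact device."""
    for a in assignments:
        if a.account != account or a.revoked or device not in a.devices:
            continue
        if a.starts <= now < a.ends and action in effective_permissions(a.role):
            return True
    return False


def revoke(assignments, account: str, role: str = None) -> None:
    """Revoke an account's assignments once the job or ticket is complete."""
    for a in assignments:
        if a.account == account and (role is None or a.role == role):
            a.revoked = True


def sample_time(hour: int, minute: int = 0) -> datetime:
    """Clock time on the constructed sample day (2024-03-04)."""
    return datetime(2024, 3, 4, hour, minute)


# Constructed sample: a contractor on site for one working day, scoped to one PLC.
ASSIGNMENTS = [
    Assignment("contractor-42", "field_technician", frozenset({"PLC-7"}), sample_time(8), sample_time(17)),
]
```

Access to a device outside the assignment, to an action outside the role, or outside the window is denied, and revoking the assignment closes the door without deleting the account.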
Increasing Your Security with a Cybersecurity Platform
RBAC is an essential piece of your cybersecurity. As we’ve discussed in our previous posts reviewing CISA’s recommendations, ConsoleWorks is a cybersecurity platform that reinforces, enables and goes beyond CISA’s own strategies and recommendations.
It solves your RBAC needs by providing very granular definitions of permissions, profiles and security access controls per user and per device and/or console. Add to this the monitoring, alerting, and forensics capabilities and you can have full detective control of your environment’s personnel and their associated user accounts.
RBAC is just one of the many elements ConsoleWorks provides. It is a robust, feature-rich solution that can reduce the time you spend on identity management through built-in automations, so you can focus on what is important for your business.
You can talk to us here about your specific business needs and see how ConsoleWorks helps you.