By Mark Carroll, Income Research + Management:
Access Appropriate to Role (AAtR) and Role-based Access Control (RBAC) restrict network access based on a person’s role within an organization and have become one of the main methods for advanced access control. The “roles” in AAtR and RBAC refer to the levels of access that employees have to the network. In this article, Mark Carroll presents a scenario that breaks down the rationale of these hot-button IT security topics.
With their family growing, it was time for Sandy and Kelly to exit the condo and buy a new house; not just any house, but the suburban home where they will raise their current child and the additional (US average of 2.3) siblings for years to come. So, they found their future domicile, a moderately new property, and purchased it. They will be moving in next week, bringing family and belongings from their prior abode.
As you would expect, they have a laundry list of tasks that need to be completed, from calling the utility providers to coordinating with their new town. Kelly handed the laundry list to Kelly’s father, Jack, an astute and experienced homeowner, who immediately asked, “What about the locks?”
Kelly and Sandy gave each other a dazed look since they had not even thought about changing the locks. Sandy’s first response was that this was unnecessary since the previous owner had turned over all the house keys at the lawyer’s office. The added expense of changing all the locks was a financial burden, in Sandy’s opinion. After a brief ‘caucus of enlightenment’ with Jack, the prudent decision was made to change locks.
Jack stressed the point that there was no way of confirming that ‘all’ the keys made during the previous tenants’ tenure were turned in. Some keys may have been lost or the previous owner may have given keys to family, friends, cleaning services, etc. and either did not chase them down for the house sale or just plain forgot who got them in the past. Further, the cleaning services, friends, etc. may have made copies of their own just to make access a bit easier or to prevent being shut out once an employee left (and inadvertently kept the house key).
A real faux pas up front, but problem solved, thought Sandy and Kelly. Just bring in ACME locksmiths and replace/rekey the locks so only the new key works. Straightforward and simple, the way they liked it.
A call was placed to ACME and Blair, a veteran locksmith, showed up that afternoon. In less than one minute, Sandy gave Blair the requirements to have the locks rekeyed and, so Sandy thought, put that simple solution in motion.
What Sandy heard from Blair’s mouth was “not so fast, Sandy. You are the customer and I can do exactly what you say, but the solution may not be that simple. There are some other considerations.”
Surprised and a bit annoyed (“just get it done”), but now more receptive and open-minded, especially after the near-miss of not planning to rekey the house at all, Sandy asked Blair for that additional insight.
Blair proceeded to explain that rekeying the locks with identical keys puts the entire house at the same level of security and provides all parties the same level of access; just a single layer of defense against intrusion.
The questions Blair asked both Sandy and Kelly were basic and straightforward, yet not at all what either Sandy or Kelly was expecting:
- Do you expect to have a landscaper or gardener (who will need access to the garage, basement, or both, but not the entire house)?
- Does that landscaper or gardener need access to the back yard shed?
- Does the house have a personal office that you would need to secure from the rest of the house?
- Does the house have a business office that needs to be secured separately?
- Will the in-law apartment in the basement be separately keyed?
- Are there internal areas within the in-law apartment (e.g., office) that need to be secured separately?
- Does the garage side door need a unique key?
- Do the two garage doors need separate keys (for in-law use)?
- What about the hollow door between the in-law apartment and the garage? Is a new, solid door needed? Is a new lock needed? Should that lock be keyed the same as the in-law apartment?
- What locks are or will be on the pool house in the back yard and do they need a separate key for the pool service company?
- Will you still need a master or skeleton key that opens everything?
- Will you augment some of your handsets (doorknob locks) with deadbolts and will they require the same or different keys from those handsets?
- And on and on…
… and then, as they say, light dawned. Kelly said to Sandy, “We need to rethink this a bit”.
Blair explained to Sandy and Kelly that they should give everyone (gardener, in-laws, pool cleaner, etc.) everything that person needs in terms of access for their role, but nothing more than what is needed. If access is not provided at the level needed, then Sandy and Kelly are inconvenienced repeatedly to allow that access. Conversely, if too much access is provided then there is the risk of too much accessibility by too many people, the reason for changing the locks in the first place.
Sandy agreed but was concerned and a bit annoyed by all of the restrictions and hurdles raised “just to live in the house.” There had to be other options with more focus on utility rather than restriction.
“Blair is right. The universal access we were considering, where one key opens up everything, is definitely not the right answer. Still, I don’t want to carry around a full 4-inch key ring with an individual and distinct key for every lock on the property and spend 10 minutes in the dark trying to find the right key, just to get into the house.”
Blair brought forward other, less traditional options that went beyond carrying keys for every lock in the house. One such option was a transponder solution, but both Kelly and Sandy rejected that outright (“As it is, we carry badges to get into the workplace; not doing it to get into our own home”).
Blair then went in a completely different direction. Rather than focus on something you have (keys, transponder, etc.), why not leverage something you know, like a code for a cypher lock? A specific lock could be opened by either a physical key or the keying in of a specific code. Further, multiple locks, all keyed differently, could be opened with one specific code if desired. The garage, pool house, shed et al. could each be accessed by unique keys but all with a single access code. The code could be used to supplement the physical key or in lieu of a physical key.
Further, the access code could be changed in the event a single code was no longer the right solution (e.g., gave the neighbors the access code that is specific to the shed so they can borrow tools while we are away) or a code was compromised. The code can be changed at any time and does not present the duplication risk of a more traditional key. Good option, thought Sandy, and useful, especially for raising and lowering garage doors.
Blair went on to raise a further option, beyond something you have (e.g., key) and something you know (e.g., cypher lock code), into something you ARE. Blair raised the possibility of a biometric solution (fingerprint, iris scan, palm scan, typing cadence, etc.). Not something you would put on a tool shed, but possibly something of value for a business office, gun rack or even the individual guns themselves.
Sandy and Kelly did not perceive a need for this but clearly Blair had demonstrated tremendous knowledge and insight. They listened to Blair describe this option and tucked that knowledge away for possible future use.
As Blair walked around the property, he investigated each and every door and in one case found a house key hidden in a fake rock at the back door. “If for no other reason, finding this is why locks need to be changed,” said Blair. Kelly and Sandy definitely got it.
As XYZ company’s Finance Manager, Kelly started thinking about the number of people who have access to Finance applications and the level of that access.
Who has the keys and what could these keys open?
What about Larry who left the firm, or Mary who is still with the firm but now works in Marketing? Have their “keys” been taken away in the form of the application User ID? Why does all of Finance, from the intern to the CFO, have the same level of access? Why is there only one login for that application when I know 6 folks use the application regularly, and so must be passing “keys” around in the form of login credentials? That post-it on Tom’s desk has login information, like that fake rock key in the back yard, only worse.
As LMN’s Security Manager, Sandy started thinking about employee badges. Everyone needs a badge to open the front door, but everyone’s badge also opens the doors for the records room, check printing station, data center, HVAC room, etc. Why is there only a single, all-inclusive level of access for all employees? If Tracy, in our shipping department, asked for a key to our data center or the code for the cypher lock, we would say “No”, yet Tracy’s badge opens the data center door. Admittedly, the universal ‘skeleton’ key is easier to manage, but it puts the firm at real risk.
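As an added illustration (not part of Mark Carroll’s article), the following Python models Kelly’s and Sandy’s office questions as role-based access: people hold roles, roles hold only the “locks” (doors, applications) that role needs, and leaving the firm or changing departments takes keys away rather than letting them accumulate. The people, roles and locks are constructed for the example, and the universal-badge model is included for contrast.

```python
from collections import defaultdict

# Constructed example: each role is the set of "locks" (doors, applications)
# that the role legitimately needs, and nothing more.
ROLE_LOCKS = {
    "finance":    {"front_door", "finance_app"},
    "marketing":  {"front_door", "marketing_app"},
    "shipping":   {"front_door", "loading_dock"},
    "datacenter": {"front_door", "data_center"},
}

class RoleBasedAccess:
    """Minimal RBAC: people hold roles, roles hold locks, every check goes through roles."""

    def __init__(self, role_locks):
        self.role_locks = role_locks
        self.roles_of = defaultdict(set)  # person -> roles currently held

    def assign(self, person, role):
        if role not in self.role_locks:
            raise KeyError(f"unknown role: {role}")
        self.roles_of[person].add(role)

    def revoke(self, person, role=None):
        """Drop one role, or every role when role is None (the 'Larry left the firm' case)."""
        if role is None:
            self.roles_of.pop(person, None)
        else:
            self.roles_of[person].discard(role)

    def can_open(self, person, lock):
        return any(lock in self.role_locks[r] for r in self.roles_of.get(person, ()))

    def key_holders(self, lock):
        """Answer 'who has the keys and what could these keys open?' for one lock."""
        return {p for p in self.roles_of if self.can_open(p, lock)}

def firm_scenario():
    ac = RoleBasedAccess(ROLE_LOCKS)
    for person, role in [("Kelly", "finance"), ("Larry", "finance"), ("Mary", "finance"),
                         ("Tracy", "shipping"), ("Pat", "datacenter")]:
        ac.assign(person, role)
    ac.revoke("Larry")             # Larry left the firm: every key comes back
    ac.revoke("Mary", "finance")   # Mary moved to Marketing: swap roles, do not add
    ac.assign("Mary", "marketing")
    return ac

def universal_badge_scenario():
    """The 'one badge opens everything' model Sandy noticed at LMN, for contrast."""
    every_lock = set().union(*ROLE_LOCKS.values())
    ac = RoleBasedAccess({"employee": every_lock})
    for person in ("Kelly", "Tracy", "Pat"):
        ac.assign(person, "employee")
    return ac
```

With role-based keys, `key_holders("data_center")` names only the data center role holder, while the universal badge model answers with every employee in the building.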
About the Author: Mark Carroll has over 35 years of experience in Business Continuity, Risk Management, and Information Technology in a variety of diverse environments and disciplines at levels that have ranged from technician to senior executive. Currently, he is the Business Risk Officer for Income Research + Management (IR+M), a fixed income Investment Adviser firm in Boston. In this capacity he has responsibility for overall operational risk involving areas such as Business Continuity, IT Security, Vendor Risk, Records Management Risk, etc.
Previously he held senior Risk and Business Continuity positions with Fidelity; Procter&Gamble/Gillette, and BIOGEN. He also served as worldwide head of IT Audit for Gillette, with responsibility for operational and IT audits globally. He is founder and serves as adjunct faculty for the graduate degree program in Business Continuity at Boston University and has been a guest lecturer at a number of colleges and firms including MIT and Clark universities.