The highly orchestrated symphony of grouping employees into well-defined roles with specific and granular access to enterprise apps/services is breaking down under the frenetic rock ‘n’ roll era of dynamic business. The instruments of creative destruction — digital transformation, cloud migrations, DevOps, and Agile methodologies — are powering the new sound. If security and risk (S&R) pros want to keep up with these changes, and make sure that access is as secure as possible in this new age, then they are going to have to turn it up to 11! (That’s a Spinal Tap reference, for the uninitiated.)
Keeping with the musical analogy, we can think of role-based access control (RBAC) as sheet music that can be made even more nuanced and complex with the addition of attribute-based access control. These work wonderfully when the employee roles and access needs are relatively static and clear-cut. However, if you try to apply this same approach when the conductor keeps changing keys and tempos on a whim, you get cacophony — which is great if John Cage is your jam but not so much if you prefer rhythm and harmony.
More instances are arising where employees need on-demand access to build new digital products, or to analyze customer data to make business decisions, or to quickly shift investment priorities. Access controls need to be able to improvise like jazz players or jam bands. New approaches such as just-in-time (JIT) access show real promise as a more fluid, real-time approach to managing access for dynamic parts of the business. The JIT approach is built around self-service access requests, automated workflow and approval processes, and time-bound access that is automatically revoked at the end of the allotted time period. More nuanced rules engines, anomaly detection, and machine-learning capabilities can provide additional value.
But let’s not get too far ahead of ourselves. RBAC will still need to be the “four on the floor” foundational drumbeat that holds the band together. HR systems and Active Directory (or other LDAP* directories) still need to be the systems of record. Plus, many apps/services will continue to be role-aligned and appropriate for more static access models. Yet for the ephemeral access that is increasingly being required, it’s better to add a JIT approach than to stick with the status quo of creating hundreds of new roles for these exceptions and then never revoking access.
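The JIT workflow described above (self-service request, approval step, time-bound grant, automatic revocation) layered on top of a static RBAC baseline, as an added example that is not part of the original post or of any Forrester research. The roles, users and permission names are constructed, and the policy duration cap and the separation-of-duties check on approval are assumptions about how such a policy would be configured.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed sample data: static RBAC roles remain the baseline system of record.
ROLE_PERMISSIONS = {"analyst": {"reports:read"}, "engineer": {"repo:read", "ci:run"}}
USER_ROLES = {"alice": {"analyst"}, "bob": {"engineer"}}

@dataclass
class JitGrant:
    user: str
    permission: str
    approved_by: str
    expires_at: datetime  # time-bound: the grant lapses here with no manual step

class JitAccessManager:
    def __init__(self, max_duration=timedelta(hours=4)):
        self.max_duration = max_duration  # assumed policy cap; a requester cannot exceed it
        self.pending = {}  # request id -> (user, permission, clamped duration)
        self.grants = []
        self.audit = []  # every step is recorded for later review
        self._next_id = 1

    def request(self, user, permission, duration):
        """Self-service request; the asked-for duration is clamped to policy."""
        req_id, self._next_id = self._next_id, self._next_id + 1
        self.pending[req_id] = (user, permission, min(duration, self.max_duration))
        self.audit.append(f"request {req_id}: {user} asked for {permission}")
        return req_id

    def approve(self, req_id, approver, now):
        """Approval step with a separation-of-duties check before anything is granted."""
        if approver == self.pending[req_id][0]:
            raise PermissionError("a requester cannot approve their own request")
        user, permission, duration = self.pending.pop(req_id)
        grant = JitGrant(user, permission, approver, now + duration)
        self.grants.append(grant)
        self.audit.append(f"approve {req_id}: {approver} granted until {grant.expires_at}")
        return grant

    def effective_permissions(self, user, now):
        """RBAC baseline plus only those JIT grants that have not yet expired."""
        perms = set().union(*(ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, set())))
        perms |= {g.permission for g in self.grants if g.user == user and g.expires_at > now}
        return perms

    def sweep_expired(self, now):
        """Automatic revocation: drop lapsed grants, log each one, return how many."""
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        self.audit.extend(f"revoke: {g.user} lost {g.permission} (expired)" for g in expired)
        return len(expired)
```

Note that an expired grant stops being effective the moment its expiry passes, even before the sweep runs, so revocation does not depend on a scheduler being on time.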
Forrester will be conducting in-depth research in the coming months to quantify the problem, address the pros and cons of overlaying an improvisational rock ‘n’ roll band on top of a symphony orchestra, and, lastly, to offer some advice on how S&R pros can plan effectively before implementing new approaches.
Please contact me if you would like to participate in the research — via questionnaires and/or 30-minute phone interviews.
* LDAP: Lightweight Directory Access Protocol