Four Ways to Avoid Role Explosion in Data Access Control

Security practitioners are all too familiar with the concept of role explosion or role proliferation. Roles are intended to help scale security controls by avoiding traditional Access Control Lists (ACLs) which are incredibly cumbersome to maintain. However, the fine-grained access control that is needed today, particularly when it comes to data-centric security, puts security teams in a situation where they are now creating highly specialized roles to the point where there are as many (or more) roles than people to which to assign them. 

(Image credit: Requisite Institute)

Role explosion hurts organizations in many ways:

• Role explosion erodes the original value proposition of security scalability
• It creates “blind spots” because data security teams lose sight of which roles are to be used for what access, creating risk and exposure for the organization
• Creates access certification and compliance challenges
• Adds operational complexity to security teams
• Performance impact on run-time access decisions

What Creates Role Explosion

Roles were originally conceived to help codify business rules and controls like the following:

• Managers have access to sales data
• Finance employees have access to payroll data
• Marketing employees have read only access to customer data

In this scenario, we can contemplate that creating a handful of roles (Manager, Finance, Marketing) would give organizations the ability to implement the controls that they need. Unfortunately, business rules tend to get very complex very fast. A more realistic picture just from the first bullet above is more like:

• Sales reps have full access to their own sales pipeline data
• Sales Managers have full access to the sales data, but only for their team
• The VP of Sales has full access to all sales data
• Finance also has access to all sales data, but constrained to read-only

So now, in order to provide the requisite controls, we now start to go through Role Explosion by creating:

• Sales Rep - NYC
• Sales Rep - SFO
• Sales Rep - Chicago
• Sales Manager - East
• Sales Manager - West
• VP Sales
• Finance - ReadOnly

And on and on the list grows till older roles that are no longer needed still exist into perpetuity, while security organizations buckle under the pressure of adding and managing new roles to tackle new types of business rules. 

Three Patterns that Compound Role Explosion

What we’ve described above is only one pattern (data consumers accessing the information they need) of many that are prevalent across medium, large, and global organizations. Each one of these patterns creates a compounding effect making the Role Explosion challenge increasingly difficult (if not impossible) to manage. 

1. Data Consumers – This is the most familiar pattern for many of us. Employees in various operational and analytical functions need to consume data to accomplish their daily tasks, and data engineers want to quickly give them that access, so roles get created on the fly and begin to pile up. It’s one of the largest drivers for Role Explosion due to the multitudes of systems, job functions, seniority levels, and data types that end up getting “baked” into an ever-growing set of roles. 
   
   
2. Data Engineers – Each type of data store (Oracle, Redshift, Snowflake, etc.) has its own set of infrastructure and security controls that also use role-based models for controlling access. These are again overloaded with context-driven roles to create additional layers of role complexity.
   
   
3. Data Mesh / Data Fabric Architectures – As organizations move towards more sophisticated data architectures, data gets increasingly federated and fragmented. However, “downstream” Data Stewards typically face mandates to honor data governance requirements placed by “upstream” Data Owners. A common solution to this is the creation of highly layered and matrixed roles that further multiply the Role Explosion challenge.

Four Ways to Harness Roles for Data-Centric Security

While this can all sound incredibly challenging, there’s no need to throw the proverbial baby out with the bathwater. 

Here are four ways you can deploy roles effectively at your organizations to provide fine-grained data access control.

Attribute Based Access Control (ABAC)

The single biggest way you can combat role proliferation is by preventing user context from encroaching into your role design. Think of our first example where a simple use case for a Sales organization immediately became highly complex by incorporating user-centric attributes like location and title into the role definitions. 

Instead, define policies using a combination of roles AND user attributes. 

Classification and Tag-based Policies

The other dimension that drives the largest role explosions is by incorporating data-centric security levels into roles. Just as user-centric attributes like Title and Location have no business in good role design, the same applies to data-centric sensitivity and classification levels (think of categories and tags like “Credit Card”, “HIPAA”, “SSN”, “Confidential”, and other similar classification labels). 

Instead, work with classification tools like Collibra and Snowflake to auto-classify your data, and then leverage those tags in your fine-grained data access control policies. 

Entitlements

Many organizations in industries like Financial Services, Healthcare, and Data Services have extremely complex rules regarding how data can be accessed by various internal and external stakeholders. These rules are driven by relationships between the data provider, data consumer, and the subject of the data, and are owned and managed by businesses using workflows. They are highly dynamic and should not be baked into the role hierarchy. Instead, combine these rules into your access control decision making process:

• Wealth Managers can access customer data, but only for those customers with whom they have relationships
• Physicians and Nurses can see patient healthcare data only (not billing or financial data), but only for those patients where they’re noted as caregivers
• Data purchased by a business unit should only be accessible to people in that BU, and any PII has to be masked and anonymized

These relationships are modeled in other business systems in those organizations. Leverage that relationship data in your policies by defining Entitlements that are independent of roles, user attributes, and data classification / tags.  

Implement a Role Governance Program

Ultimately, roles are a reflection and extension of your operations, and your role definitions will need to evolve with your organization. To that end, implement a Role Governance program that assigns role ownership and accountability, and requires the role owner to periodically review and re-validate that a role is still needed and that the definition is still valid and aligned with your business. This is a terrific opportunity to spot overly-granted access, and roles that are no longer needed can then get pruned to stay in sync with your organization. 

Conclusion

Roles are a powerful security and governance construct, and can provide tremendous scale and leverage when deployed thoughtfully. The challenge lies in combining a purely Roles-Based Access Control (RBAC) approach with additional layers that can add contextual entitlements without drowning your security team in an unmanageable role quagmire. 

By applying the four best practices of Attributes, Classification, Entitlements, and Role Governance, you can fully harness the powerful benefits that roles offer without creating a Role Explosion at your organization.  

TrustLogix's Data Access Governance platform enables organizations to implement data-centric security for fine-grained access control using a combination of roles, user attributes, and entitlements. Contact us today to learn more.