Emerging Trends in IAM – Part 2: Using the Sunlit Approach to Simplify RBAC

The shift to a hybrid workforce, and the IAM challenges that followed, have led many organizations to begin (or reimagine) their journey toward a mature identity program. As mentioned in our previous post, Emerging Trends in IAM: Simplified Engineering, Protiviti has observed several new trends in the IAM space. This series evaluates the key trends organizations will focus on over the next few years. This post highlights how organizations can use the Sunlit Approach to simplify role-based access control.

A fully evolved role-based access control (RBAC) program is often the dream scenario for IT security professionals. Provisioning and de-provisioning user access through curated roles that are automatically aligned to, and change with, a user’s job function is widely seen as the promised land for managing user access. However, as many security professionals have discovered, that dream can quickly turn into a nightmare if the scope of role creation balloons past a manageable level. Too many roles get created, users face more choices than they can handle, and approvers stop scrutinizing requests for roles whose contents nobody can explain, which is exactly how over-provisioning creeps back in.

In this scenario, the volume of service desk tickets does not fall and role maintenance overhead grows exponentially. Too many RBAC projects have suffered this fate. A different approach to deploying RBAC can help; at Protiviti, we refer to it as the Sunlit Approach.

What is the Sunlit Approach?

Every ocean’s water column has five main zones: the Sunlit Zone, the Twilight Zone, the Midnight Zone, the Abyssal Zone and the Hadal Zone. The Sunlit Zone is the upper layer of the water column and the only zone that receives direct sunlight, which penetrates to a depth of about 200 meters (656 feet). As a result, around 90 percent of all marine life lives in this zone, and it is where most of the ocean’s bountiful resources are found.

The Sunlit Approach to RBAC follows the same principle. Instead of drilling down and creating a role for every potential scenario across the environment, we suggest organizations create roles that cover 80 to 90 percent of user access. This limits the scope of role creation to a level that keeps the project moving while still delivering a large return on investment. The remaining 10 to 20 percent, which is typically the privileged or unusual access, stays on an explicit request-and-approval path rather than being folded into a common role; pushing rare entitlements into a broad role is where over-provisioning would begin.

Using the Sunlit Approach to make RBAC more manageable

In practice, this shifts the question posed to individual application owners. Instead of asking “What are all the different job roles within your application?”, security professionals should ask “What access is most used within your application?” This makes RBAC far more manageable and pairs well with newer IGA capabilities such as AI-assisted role mining, which can quickly surface candidate roles that match what end users actually hold. A candidate role should still be reviewed by the application owner before it is published: peer-group statistics will happily include an entitlement that most users hold only because it was over-provisioned in the first place.

This process can be accelerated further with specialized tools that work with a company’s existing architecture. These tools analyze common access, detect new access, identify nested access and more. Some promising tools we are seeing enter the market include Veza, SailPoint Access Modeling and Brainwave GRC.
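The question “What access is most used within your application?” can be answered mechanically from an entitlement export, and doing so shows the trade-off the Sunlit cut-off controls. The following is an added example, not Protiviti’s code and not the logic of any tool named above. The user rows, the department attribute and the entitlement names are constructed sample data; the 80 percent threshold, the coverage metric and the over-provisioning check are my assumptions about how a practitioner would apply the approach.

```python
"""Role mining with a coverage cut-off (the 'Sunlit' threshold).

Added example, not vendor or Protiviti code. Input rows are
(user, group, entitlement) as they would come from an application's
access export joined to an HR attribute such as department.
"""
from collections import defaultdict

# Constructed sample data: two departments, two outliers
# (carol holds admin_config, grace holds a finance entitlement).
ASSIGNMENTS = [
    ("alice", "finance", "gl_read"), ("alice", "finance", "ap_post"),
    ("alice", "finance", "report_export"),
    ("bob", "finance", "gl_read"), ("bob", "finance", "ap_post"),
    ("bob", "finance", "report_export"),
    ("carol", "finance", "gl_read"), ("carol", "finance", "ap_post"),
    ("carol", "finance", "admin_config"),
    ("dave", "finance", "gl_read"), ("dave", "finance", "report_export"),
    ("heidi", "finance", "gl_read"), ("heidi", "finance", "ap_post"),
    ("heidi", "finance", "report_export"),
    ("erin", "sales", "crm_read"), ("erin", "sales", "quote_create"),
    ("frank", "sales", "crm_read"), ("frank", "sales", "quote_create"),
    ("grace", "sales", "crm_read"), ("grace", "sales", "quote_create"),
    ("grace", "sales", "gl_read"),
]


def mine_roles(assignments, min_share=0.8):
    """Return {group: frozenset(entitlements)}.

    An entitlement joins the group's candidate role when at least
    min_share of the group's users already hold it (assumed cut-off).
    """
    users_by_group = defaultdict(set)
    holders = defaultdict(set)          # (group, entitlement) -> users
    for user, group, ent in assignments:
        users_by_group[group].add(user)
        holders[(group, ent)].add(user)

    roles = {}
    for group, users in users_by_group.items():
        roles[group] = frozenset(
            ent for (g, ent), hs in holders.items()
            if g == group and len(hs) / len(users) >= min_share
        )
    return roles


def evaluate(assignments, roles):
    """Measure how well candidate roles explain today's access.

    coverage:         share of existing assignments the roles grant
    residual:         assignments still needing a request/exception path
    over_provisioned: (user, entitlement) pairs a role would add that the
                      user does not hold today (new standing access)
    """
    existing = {(u, e) for u, _, e in assignments}
    group_of = {u: g for u, g, _ in assignments}
    covered = [row for row in assignments if row[2] in roles.get(row[1], ())]
    residual = [row for row in assignments if row[2] not in roles.get(row[1], ())]
    over = sorted(
        (u, e) for u, g in group_of.items()
        for e in roles.get(g, ()) if (u, e) not in existing
    )
    return {
        "coverage": len(covered) / len(assignments),
        "residual": residual,
        "over_provisioned": over,
    }


if __name__ == "__main__":
    for share in (0.8, 0.9):
        roles = mine_roles(ASSIGNMENTS, share)
        report = evaluate(ASSIGNMENTS, roles)
        print(f"threshold {share:.0%}: coverage {report['coverage']:.1%}")
        for group, ents in sorted(roles.items()):
            print(f"  role {group}: {sorted(ents)}")
        print(f"  residual (request path): {report['residual']}")
        print(f"  would newly grant: {report['over_provisioned']}")
```

Lowering the threshold raises coverage, but every entitlement admitted below 100 percent becomes a new grant for the users who did not have it; the `over_provisioned` list is what the application owner should review before the role goes live. Everything in `residual` is the 10 to 20 percent that keeps its own approval path.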

Adopting the Sunlit Approach does not completely remove the need for role creation by IAM professionals. It does, however, get organizations most of the way there, providing an early return on investment and a simpler, user-friendly catalog that covers the majority of access needs.

Read the other blogs in this series: Emerging Trends in IAM Part 1: Simplified Engineering, Emerging Trends in IAM Part 3: Machine Identity Management and Emerging Trends in IAM Part 4: Going Passwordless with the FIDO Use Case.

Read the results of our new Global IT Executive Survey: The Innovation vs. Technical Debt Tug of War.

To learn more about our cybersecurity solutions, contact us.

Pierce Chakraborty

Director
Security and Privacy

Jeffrey McDonald

Senior Manager
Security and Privacy
