Access and identity management does not start or finish with setting up permissions in a domain. The more employees a company has, the more confusing the picture becomes. But it doesn't have to be that way; everything can be sorted out. At SimplySec we have been cutting Gordian knots for almost 20 years, but instead of a sword we use more refined tools. One of them is role-mining.
You probably know what role-mining is, but for the record: role-mining is the process of analysing the permissions of individual users and of whole groups of users. Its purpose is to find what those users have in common so that a shared set of permissions (a role) can be defined for them, for example for people in the same department or in the same position.
This brings order to system access and prevents people who change position or workplace from accumulating permissions they no longer need.
Role-mining in three approaches
What does the process look like? Three main approaches are used:
- The first, top-down, approach: roles are formulated from scratch, based on the duties and skills required of a single user or position.
- The second, bottom-up, approach: as the name suggests, it starts from the permissions that have already been assigned to users. We approach the problem from the low level, and with each cycle we uncover more shared traits, until the result is a description of a role based on the duties of a single position or organisational unit. Along the way we can also define more general groups, for example department-level roles.
- The third, by-example, approach: we pick, say, one department and, with the support of its managers, build a permissions model for it. Next we look for a similar element or group of users elsewhere in the company's structure and replicate the model in that department.
At SimplySec we mostly combine the first and the second approach. Why? Experience has shown that this mixed approach gets us to the planned result faster.
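To make the bottom-up approach concrete, here is an added worked example in Python; it is not SimplySec's tool or code, and the users, departments and entitlements in it are constructed. It takes existing assignments, mines a company-wide base role and one role per department (entitlements held by at least a share of the members, rather than a strict intersection that one intern could break), and then lists per user what the mined roles do not explain, which is exactly the "collected permissions" a review has to look at.

```python
from collections import Counter

# Constructed sample data (hypothetical users, departments and entitlements).
# In a real engagement this is built system by system from exports of the
# actual assignments; here it is embedded so the example runs offline.
USERS = {
    "anna":   {"dept": "finance", "perms": {"mail", "vpn", "erp.read", "erp.post_invoice"}},
    "bartek": {"dept": "finance", "perms": {"mail", "vpn", "erp.read", "erp.post_invoice",
                                            "erp.approve_payment"}},
    # celina transferred from HR to finance and kept an HR entitlement
    "celina": {"dept": "finance", "perms": {"mail", "vpn", "erp.read", "erp.post_invoice",
                                            "hr.read_salaries"}},
    "dawid":  {"dept": "hr",      "perms": {"mail", "vpn", "hr.read_salaries", "hr.edit_contracts"}},
    "ewa":    {"dept": "hr",      "perms": {"mail", "vpn", "hr.read_salaries", "hr.edit_contracts"}},
    "filip":  {"dept": "hr",      "perms": {"mail", "vpn", "hr.read_salaries", "hr.edit_contracts"}},
    # gosia is a new hire whose access was only partly provisioned
    "gosia":  {"dept": "hr",      "perms": {"mail", "vpn", "hr.read_salaries"}},
}


def common_perms(perm_sets, min_share):
    """Entitlements present in at least `min_share` of the given permission sets.

    A plain intersection lets a single intern or stale account erase a role,
    so a share threshold is used instead of requiring 100 % agreement.
    """
    perm_sets = list(perm_sets)
    if not perm_sets:
        return set()
    counts = Counter(p for perms in perm_sets for p in perms)
    needed = min_share * len(perm_sets)
    return {p for p, n in counts.items() if n >= needed}


def mine_roles(users=USERS, min_share=0.75):
    """Bottom-up role mining in two passes.

    Pass 1 finds the company-wide base role (what nearly everyone has).
    Pass 2 finds, per department, what its members share on top of the base.
    Returns (base_role, {department: department_role}).
    """
    base_role = common_perms((u["perms"] for u in users.values()), min_share)
    dept_roles = {}
    for dept in sorted({u["dept"] for u in users.values()}):
        members = (u["perms"] for u in users.values() if u["dept"] == dept)
        dept_roles[dept] = common_perms(members, min_share) - base_role
    return base_role, dept_roles


def review(users=USERS, min_share=0.75):
    """Per-user deviations from the mined roles.

    'extra' is what a user holds beyond base + department role: leftovers from a
    previous position, one-off grants, or real individual needs that should be
    documented as an exception or split into a sub-role.  'missing' is what the
    role predicts but the user lacks (under-provisioning, or intentional).
    Only users with a deviation are returned.
    """
    base_role, dept_roles = mine_roles(users, min_share)
    findings = {}
    for name, u in users.items():
        expected = base_role | dept_roles[u["dept"]]
        extra, missing = u["perms"] - expected, expected - u["perms"]
        if extra or missing:
            findings[name] = {"extra": extra, "missing": missing}
    return findings


def coverage(users=USERS, min_share=0.75):
    """Fraction of current assignments that the mined roles explain (0..1).

    Role mining is iterative: adjust `min_share`, split departments into
    sub-roles, re-run, and stop when coverage is high and the review list short.
    """
    base_role, dept_roles = mine_roles(users, min_share)
    total = sum(len(u["perms"]) for u in users.values())
    explained = sum(len(u["perms"] & (base_role | dept_roles[u["dept"]]))
                    for u in users.values())
    return round(explained / total, 2)


if __name__ == "__main__":
    base, depts = mine_roles()
    print("base role:", sorted(base))
    for dept, perms in depts.items():
        print(f"{dept} role:", sorted(perms))
    for name, f in review().items():
        print(f"{name}: extra={sorted(f['extra'])} missing={sorted(f['missing'])}")
    print("coverage:", coverage())
```

On this data the mined roles explain about 93 % of assignments and the review list has three names: bartek's payment approval (probably a legitimate manager sub-role), celina's HR entitlement (the classic leftover from a previous position) and gosia's missing contract access (under-provisioning). The threshold is the caveat to watch: lowering `min_share` to 0.5 raises coverage but pulls `hr.read_salaries` into the company-wide base role, because five of seven users happen to hold it, so the creep would be baked into the standard instead of removed. That is why the bottom-up result is checked against top-down knowledge of the positions before it becomes a role.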
Role-mining. What do we need besides good intentions?
Good-quality data to analyse. If the process is to be done well and produce results, some groundwork is needed: system by system, user by user, permission by permission. That may sound grim, but we use a dedicated tool for it.
To answer a question that may come up: no, Excel is not the remedy. High-standard role-mining needs current information, and a spreadsheet is out of date the moment it is exported. Excel is a tool of the past, perhaps the not-so-distant past, but still. Organizations, especially large ones, are living organisms in which changes happen all the time.
This dedicated tool allows:
- to show the actual state of access at a given moment
- to perform a precise review of authorizations and accesses
- to make corrections
This lets you move smoothly from the analysis stage to the segregation stage, creating models and patterns, and on to the allocation of access.
Apart from a tool, an experienced partner is needed. SimplySec is an experienced team of specialists who have been dealing with this issue for almost 20 years. Interestingly, to carry out an effective operation we don't need any prior reconnaissance of the organization: we learn its specifics through communication during the project and from the results of the analyses. Our experience also lets us choose the tools and practices best suited to a given case. As mentioned earlier, we are flexible.
What will a role-mining finally give you?
Order in permissions, authorizations and access, and with it a higher level of security. The internal standards worked out at the end of the process give you more control going forward. It is no secret that permissions should be reviewed regularly, ideally every six months. Some groups of data, and the access to them, warrant more frequent reviews, for example personal data subject to the GDPR (RODO). In general, though, it is worth writing a twice-yearly review into the company's internal procedures.
Do you want to clean out the Augean stables of access?
Turn to SimplySec. We are at your disposal; all you need to do is contact us. We offer our experience, commitment and a professional level of service. We are open to new challenges, and the more ambitious they are, the better!
We hope to hear from you soon!