Role-based Access Control: Access, security, info tracking

Controlling access to sensitive data is of utmost concern for the world’s most complex business and network environments. The amount of security-related data stored across a network is immense for many organizations, and relating all this data to the user’s account information in Active Directory can be tricky and time consuming.

Proper data security has three phases. Ensuring that access rights and accounts are created correctly when a new employee is onboarded is the first step. Ensuring those access rights remain accurate and up to date throughout each employee's tenure with the organization is the second step in the process.

The third, and most critical, step in this process is the revocation of access rights when individual employees leave the organization.

Having identified these phases, which cover some of the most critical aspects of defining roles and protecting them in a network environment, a more detailed examination of the solutions that achieve each of the three phases is required.


A simple but profoundly effective solution is role-based access control. Developing and using a role-based access control matrix in conjunction with an identity management solution means organizations are able to ensure that accounts for new employees are always created with the proper access rights. The first step is therefore to define the roles that employees should have in the organization. A role is usually a combination of department, location and job title. While establishing the data access rights, group memberships and application requirements for each role can be time consuming, the end result is a template that serves both for new employee creation and as an audit point in the future.

Access rights to data nearly always creep into multiple areas over an employee's tenure with an organization. Rights are assigned to an employee for special projects, while the employee is covering for a colleague on leave, or when the employee changes departments and responsibilities. The revocation of these special or historical rights occurs infrequently at best. Software solutions are available to analyze the rights of employees and make the information actionable.

Information audits

Don’t like audits? Better get used to them. They’re required to successfully manage information and access rights, though they are not as painful as financial audits. Once an audit of access rights is performed, it can be compared against the baseline template initially established for each employee role. Any deltas can then be sent to managers and system owners for verification or revocation of the rights.
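The role matrix and the audit described above, as an added example (not code from the article or from Tools4ever): a role is the tuple (department, location, title), the matrix maps each role to the entitlements it should carry, new accounts are provisioned from that template, and the audit compares each account's actual entitlements with the template to produce the deltas sent to managers. All role names, group names and user IDs are constructed sample values.

```python
"""Role-based access matrix plus access-rights audit (added example; constructed data)."""
from dataclasses import dataclass, field

# Baseline template: role (department, location, title) -> entitlements the role should hold.
# Constructed sample values; a real matrix is built with system owners and HR.
ROLE_MATRIX = {
    ("Sales", "Chicago", "Sales Rep"): {"grp-sales-all", "app-crm", "app-bi-readonly"},
    ("Sales", "Chicago", "Sales Manager"): {"grp-sales-all", "grp-sales-mgmt", "app-crm", "app-bi-readonly"},
    ("Finance", "Chicago", "Analyst"): {"grp-finance", "app-erp"},
}


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    location: str
    title: str
    # What the directory currently shows for the account (groups, application grants).
    entitlements: frozenset = field(default_factory=frozenset)


def role_of(emp):
    """The role key is the department/location/title combination from the article."""
    return (emp.department, emp.location, emp.title)


def baseline_for(emp):
    """Entitlements the employee's role entitles them to; an unknown role gets nothing."""
    return ROLE_MATRIX.get(role_of(emp), set())


def provision(emp):
    """New-hire template: an account holding exactly the role's baseline, nothing more."""
    return Employee(emp.user_id, emp.department, emp.location, emp.title,
                    frozenset(baseline_for(emp)))


def audit(employees):
    """Compare actual entitlements with the baseline and return the deltas per user.

    excess  = rights beyond the template (candidates for revocation review)
    missing = template rights the account lacks (provisioning gaps)
    Accounts that match their template exactly produce no finding.
    """
    findings = {}
    for emp in employees:
        baseline = baseline_for(emp)
        excess = set(emp.entitlements) - baseline
        missing = baseline - set(emp.entitlements)
        if excess or missing:
            findings[emp.user_id] = {"excess": sorted(excess), "missing": sorted(missing)}
    return findings


# Constructed sample: jdoe picked up finance access while covering for a colleague and kept it;
# asmith was promoted but never received the management group; bwong matches the template.
SAMPLE = [
    Employee("jdoe", "Sales", "Chicago", "Sales Rep",
             frozenset({"grp-sales-all", "app-crm", "app-bi-readonly", "grp-finance"})),
    Employee("asmith", "Sales", "Chicago", "Sales Manager",
             frozenset({"grp-sales-all", "app-crm", "app-bi-readonly"})),
    Employee("bwong", "Finance", "Chicago", "Analyst",
             frozenset({"grp-finance", "app-erp"})),
]

if __name__ == "__main__":
    for user, delta in audit(SAMPLE).items():
        print(user, delta)
```

The audit output is what goes to managers and system owners: the `excess` list is the creep the article describes, and the `missing` list catches accounts that drifted the other way. Because `provision` builds accounts from the same matrix the audit checks against, a freshly provisioned account always audits clean, which is the property that makes the matrix usable as both creation template and audit baseline.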

The next step in the data security process is one that is often overlooked or not performed in a timely fashion. The termination of access rights to the network, data and all applications, including cloud-based solutions, must be accomplished immediately upon an employee’s termination.

An example: a sales rep terminated at a large organization had his network access revoked immediately upon departure. The organization did not, however, have a process in place to disable access in a timely manner to a cloud-based business intelligence application. The terminated employee realized the account was still “live” and proceeded to download more than 10,000 records during the course of the next 30 days, at a cost to the company of more than $6,000.

Imagine the costs if 10, 20 or 30 terminated employees did this very same thing in a short period of time. It happens. The majority of breaches are inside jobs. Though this example may not paint the picture of a hacker breaking into a system, there was no need for the employee to break into anything. The organization simply left the side door wide open. No key required.

When putting a process in place to handle terminated employees, the most common scenario is a link to the HR system. When an employee is terminated, a synchronization process needs to be in place to handle the decommissioning of accounts in all internal and external systems.

Using web application programming interfaces (APIs) to automate the process saves time and money in the long run. Where that is not feasible, an email workflow process should be established so that system owners are notified to terminate the account, with positive confirmation required to establish that the work has been completed.
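The HR-driven decommissioning described in the two paragraphs above, as an added example (not code from the article or from Tools4ever): a termination record from the HR system fans out to every connected system; systems with an API are disabled immediately, systems without one get an email to the owner and stay "pending" until positive confirmation arrives, and a ledger makes it possible to report what is still open past an SLA. The connectors are simulated stand-ins, the system names, the owner address and the user ID are constructed, and the 24-hour threshold is an assumed policy value.

```python
"""HR-triggered account deprovisioning across internal and external systems (added example).
Connectors are simulated; real ones would call each system's API or mail gateway."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Termination:
    user_id: str
    effective: datetime  # from the HR system of record


class ApiConnector:
    """System reachable through an API: disable the account immediately."""
    def __init__(self, name):
        self.name = name
        self.disabled = set()

    def disable(self, user_id):
        self.disabled.add(user_id)   # simulated API call
        return True                  # done synchronously


class EmailWorkflowConnector:
    """System with no API: notify the owner and wait for their positive confirmation."""
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.outbox = []             # simulated mail queue: (recipient, subject)

    def disable(self, user_id):
        self.outbox.append((self.owner, f"Disable {user_id} in {self.name}; reply to confirm"))
        return False                 # not done until the owner confirms


class Deprovisioner:
    """Fans one HR termination out to every connected system and tracks completion."""
    def __init__(self, connectors):
        self.connectors = connectors
        self.ledger = {}             # (user_id, system name) -> "done" | "pending"

    def process(self, term):
        for c in self.connectors:
            done = c.disable(term.user_id)
            self.ledger[(term.user_id, c.name)] = "done" if done else "pending"
        return self.status(term.user_id)

    def confirm(self, user_id, system):
        """Positive feedback from a system owner closes an email-workflow item."""
        key = (user_id, system)
        if self.ledger.get(key) != "pending":
            raise ValueError(f"nothing pending for {key}")
        self.ledger[key] = "done"

    def status(self, user_id):
        return {sys: st for (u, sys), st in self.ledger.items() if u == user_id}

    def outstanding(self, user_id):
        """Systems where the account has not yet been confirmed disabled."""
        return sorted(sys for (u, sys), st in self.ledger.items()
                      if u == user_id and st == "pending")

    def overdue(self, term, now, max_hours=24):
        """Systems still pending longer than max_hours after the termination took effect;
        this is the report that would have caught the cloud BI account in the article."""
        if now - term.effective <= timedelta(hours=max_hours):
            return []
        return self.outstanding(term.user_id)


def run_sample():
    """Constructed scenario: one API-capable directory, one cloud app without an API."""
    ad = ApiConnector("active-directory")
    bi = EmailWorkflowConnector("cloud-bi", owner="bi-owner@example.com")  # constructed address
    term = Termination("jdoe", datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc))
    dp = Deprovisioner([ad, bi])
    dp.process(term)
    return dp, term, ad, bi


if __name__ == "__main__":
    dp, term, ad, bi = run_sample()
    print("outstanding:", dp.outstanding("jdoe"))
    print("overdue after 2 days:", dp.overdue(term, term.effective + timedelta(days=2)))
```

The `overdue` report is the control that matters: an email workflow without tracked confirmation is just a reminder, and the account in the article stayed live for 30 days precisely because nobody was checking what was still open. Running `overdue` on a schedule turns the email path into something auditable.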

Final thought

Organizations must implement the necessary security measures to ensure that access to data, groups and applications is right for an employee throughout their tenure. Equally critical is the revocation of all account access when they depart. Failure to meet these criteria can lead to theft of data and costly access to external applications.

Dean Wiech is managing director at Tools4ever US. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, role-based access control, password management, single sign on and access management solutions.
