role based security solutions from OSM

Role based security for the multi-tier IT infrastructure of today's enterprise

Scope

This page discusses the need for role based security to be an integral part of an enterprise's user management facilities. Role based security includes password synchronization as a pragmatic alternative to single sign on for controlling access to one or more enterprise business applications in a large, multi-user, multi-role IT service supported by a Unix and Windows infrastructure.

The problem addressed by role based security

The proportion of the workforce whose role gives them security clearance to access business critical software continues to increase, as does the number of applications to which access is similarly role based.

In the past, a user may have required access to only one application residing on a single system. Now, his/her role may require registration on several servers of different operating system types, various databases and multiple business applications. Registering each user with each facility is needed to control access and to prevent unauthorized access.

The problem is made worse by staff changing role within the organization, which demands the modification of existing access rights and the creation of new ones. Add factors such as the global distribution of systems, the disabling (closing) of accounts for those leaving the organization and the everyday issues of forgotten passwords, temporary staff, new applications and new systems, and the problem is evident.

Applications consist of several layers - for example an ERP package may require use of a UNIX database server, Windows application servers, an ORACLE database and the ERP package itself. The service is operational only when every layer is available to users and functioning correctly. A fault in any layer results in service unavailability.
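The joiner/mover/leaver problem described above can be reduced to a reconciliation: compare what a user is registered for on every tier against what their current roles require, and grant or revoke the difference. The example below is added here and is not OSM's code; the role names, system tiers and entitlement names are constructed to mirror the layered ERP service the page uses as its illustration.

```python
# Constructed sample: the entitlements each role needs on each tier of the
# layered ERP service (Unix database host, Windows application servers,
# the Oracle database and the ERP package itself). Names are hypothetical.
ROLE_ENTITLEMENTS = {
    "erp-clerk": {"erp": {"erp_user"}, "oracle": {"erp_read"}},
    "erp-admin": {"erp": {"erp_admin"}, "oracle": {"erp_dba"},
                  "unix-db": {"oracle_os"}, "windows-app": {"app_operator"}},
    "unix-admin": {"unix-db": {"root"}},
}


def required_access(roles):
    """Union of the entitlements implied by a user's current roles."""
    required = {}
    for role in roles:
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role: {role}")
        for system, entitlements in ROLE_ENTITLEMENTS[role].items():
            required.setdefault(system, set()).update(entitlements)
    return required


def reconcile(current, roles):
    """Return (grant, revoke): the per-system changes needed so that the
    registrations in `current` match exactly what `roles` require.

    current: {system: set(entitlements)} as registered on each tier today.
    A leaver is simply roles == [], which revokes every registration, so
    no orphaned account survives on any tier.
    """
    target = required_access(roles)
    grant, revoke = {}, {}
    for system in set(current) | set(target):
        have = current.get(system, set())
        need = target.get(system, set())
        if need - have:
            grant[system] = need - have
        if have - need:
            revoke[system] = have - need
    return grant, revoke


if __name__ == "__main__":
    # A mover: registered as an ERP administrator, now only an ERP clerk.
    registered = {"erp": {"erp_admin"}, "oracle": {"erp_dba"},
                  "unix-db": {"oracle_os"}, "windows-app": {"app_operator"}}
    print(reconcile(registered, ["erp-clerk"]))
    print(reconcile(registered, []))  # a leaver: everything is revoked
```

Running the reconciliation on a schedule, and alerting on any entitlement present on a tier that no role requires, turns the page's list of everyday problems (role changes, leavers, new systems) into one repeatable check.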

Security considerations

So, the problem remains of preventing registered users from reaching facilities to which they have no right, and of preventing any logins by non-registered users including those from outside the enterprise.

Most security problems are caused by staff rather than those outside the organization, so this must be addressed first. The ideal solution is a single package which supports the administration of both the user population and their security profiles at the same time.

From time to time, operating systems and applications will enforce password changes; passwords may also be forgotten. On each of these occasions, users must remember many different passwords and associated login-names. This need usually results in the use of a note with all the login names and passwords written on it, a security risk in itself, or in a call to the help desk to get forgotten passwords reset.

It would be much better if each user could maintain a single password for use across all the facilities to which she/he needs a login. Role based security supports password synchronization, which is a "must have" for the modern, complex environment, and is the pragmatic alternative to the ideal of a single sign on (single sign-on, single signon) mechanism.

In addition to the large community of application users, the smaller class of privileged users (commonly system administrators) presents its own problems, for which role based security can be the solution. These users frequently have unrestricted access to resources and data and, more problematic still, their activities are neither monitored nor recorded for possible auditing. OSM supplies software products which close this gap. See www.cosduty.com.


(c) Copyright 2004 www.cosuser.com