ModelingRBACFinal

8/3/2019 ModelingRBACFinal

1/27

Modeling RBAC with SABSA, TOGAF and ArchiMate: Creating a Foundation for Understanding and Action

Iver Band, CISSP - Open Group Conference, Austin, Texas

July 19, 2011

2010 Standard Insurance Company

2/27

Agenda

About The Standard
The RBAC standard
Modeling motivations and objectives
Framework analysis and comparison
Modeling approach
Diagrams that justify and explain RBAC
Conclusion
References

Thanks to Kevin Graham, CISSP and enterprise security architect at The Standard, for his partnership in this work

May 1, 2012

3/27

The Standard

Financial services company, founded in 1906
Our purpose: to help people achieve financial security so they can confidently pursue their dreams
Expertise: Group Life & Disability Insurance, Individual Disability Insurance, Retirement Plans, Individual Annuities, Commercial Mortgages
Headquarters in Portland, OR
3,100 employees

4/27

IT at The Standard

People: several hundred
Facilities: Portland: primary data center and nearly all staff; New Jersey: disaster recovery site
Hardware: IBM System z (mainframe), RISC, industry standard (x86)
Virtualization: VMware, System z LPARs, SAN, NAS, Citrix
Network: nationwide, redundant, multi-carrier; connects all offices and key partners
Applications: 650, spanning CICS, batch, JEE and .NET architectures
Data Stores: flat file, VSAM, Oracle and SQL Server
End User Computing: Microsoft Office (including SharePoint), SAS, etc.

5/27

Typical Access Control Challenges

[Diagram: separately administered access control points: Active Directory, SharePoint, Oracle, UNIX, SQL Server, Portal, LAN Share]

Fragmented identities, systems and processes
Insufficient understanding of identity and access management best practices
Inadequate visibility of access control mechanisms, changes and outcomes

6/27

What is Role-Based Access Control (RBAC)?

A widely implemented mechanism for protecting system resources, standardized by ANSI INCITS 359-2004
Relies on user authentication, which in turn relies on identity management
Defines and applies relationships between
  Users: often human, but can also be systems
  Roles: job functions defined for an organization
  Permissions: organizational consent to perform specific operations on protected objects
Ensures that each user can execute only those operations authorized through roles that are both assigned to that user and activated for that user's session
Common alternatives include
  Mandatory Access Control (MAC): administrators manage permissions based on the classification and category of each object and user
  Discretionary Access Control (DAC): users manage permissions for the objects they own

7/27

RBAC Concepts

Four standard and cumulative levels
  (1) Core, (2) Hierarchical, (3) Constrained, (4) Symmetric
All levels support
  Restriction of user permissions to those acquired through roles
  Many-to-many user-role and role-permission assignment
  Review of user-role assignments
  Simultaneous user access to permissions of multiple roles
Level 2 adds role hierarchies, in two variants with differing hierarchy support
  a. General: support for an arbitrary partial order (reflexive, transitive, anti-symmetric)
  b. Limited: any restriction on the structure of the role hierarchy, for example a tree or inverted tree, limited inheritance or activation, depth limits
Level 3 adds separation of duty (SOD) support, static (checked on assignment) and dynamic (checked on session activation)
Level 4 adds permission-role review with performance comparable to user-role review
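The definitions on the previous slide and the four cumulative levels above, as an added worked example that is not part of the original presentation: a small Python RBAC engine in the INCITS 359-2004 vocabulary (users, roles, permissions, sessions, role hierarchy as a partial order, static and dynamic separation of duty, and permission-role review). The class, role, user and permission names are hypothetical, constructed here for illustration.

```python
# Added example: a toy RBAC engine in the ANSI INCITS 359-2004 vocabulary; all names are made up.
from collections import defaultdict

class RbacViolation(Exception):
    """An assignment or activation that the policy refuses."""

class Rbac:
    def __init__(self):
        self.ua = defaultdict(set)        # user -> directly assigned roles
        self.pa = defaultdict(set)        # role -> {(operation, object)}
        self.inherits = defaultdict(set)  # senior role -> junior roles it directly inherits from
        self.ssd = []                     # static SoD: (roles, n) no user may hold n of them
        self.dsd = []                     # dynamic SoD: (roles, n) no session may activate n of them
        self.sessions = {}                # session id -> (user, set of activated roles)

    # Level 2: the hierarchy is a partial order (reflexive/transitive via this closure, anti-symmetric because cycles are refused)
    def juniors(self, role):
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.inherits[r])
        return seen

    def add_inheritance(self, senior, junior):
        if senior in self.juniors(junior):
            raise RbacViolation(f"{senior} -> {junior} would form a cycle")
        self.inherits[senior].add(junior)

    def authorized_roles(self, user):     # assigned roles plus everything inherited through them
        return set().union(*(self.juniors(r) for r in self.ua[user]))

    def assigned_users(self, role):       # user-role review, required at every level
        return {u for u in self.ua if role in self.authorized_roles(u)}

    # Level 3: static SoD is checked over the *authorized* roles, so a senior role cannot
    # smuggle in a conflicting junior role; dynamic SoD is checked when a session activates a role.
    def add_ssd(self, roles, n=2):
        self.ssd.append((frozenset(roles), n))
        for user in list(self.ua):
            self._check_ssd(self.authorized_roles(user))

    def _check_ssd(self, roles):
        for rs, n in self.ssd:
            if len(roles & rs) >= n:
                raise RbacViolation(f"static SoD: {n} or more of {sorted(rs)} held together")

    def assign_user(self, user, role):
        self._check_ssd(self.authorized_roles(user) | self.juniors(role))
        self.ua[user].add(role)

    def add_dsd(self, roles, n=2):
        self.dsd.append((frozenset(roles), n))

    def create_session(self, sid, user):
        self.sessions[sid] = (user, set())

    def activate_role(self, sid, role):
        user, active = self.sessions[sid]
        if role not in self.authorized_roles(user):
            raise RbacViolation(f"{user} is not authorized for {role}")
        for rs, n in self.dsd:
            if len((active | {role}) & rs) >= n:
                raise RbacViolation(f"dynamic SoD: session would activate {n} of {sorted(rs)}")
        active.add(role)

    # Level 1, the core check: only roles activated in this session count, not every authorized role
    def check_access(self, sid, operation, obj):
        _, active = self.sessions[sid]
        return any((operation, obj) in self.pa[r] for a in active for r in self.juniors(a))

    # Level 4, symmetric RBAC: permission-role review, the mirror image of assigned_users
    def roles_with_permission(self, operation, obj):
        direct = {r for r, ps in self.pa.items() if (operation, obj) in ps}
        known = set(self.pa) | set(self.inherits) | {j for js in self.inherits.values() for j in js}
        return {r for r in known if self.juniors(r) & direct}

def violates(action, *args):              # True if the policy refuses the action
    try:
        action(*args)
    except RbacViolation:
        return True
    return False

def build_claims_demo():                  # constructed sample policy for a claims department
    rbac = Rbac()
    rbac.pa.update({"employee": {("read", "handbook")}, "claims_clerk": {("read", "claim")},
                    "claims_adjuster": {("update", "claim")}, "claims_approver": {("approve", "claim")},
                    "auditor": {("read", "audit_log")}})
    for senior, junior in [("claims_clerk", "employee"), ("claims_adjuster", "claims_clerk"),
                           ("claims_approver", "claims_clerk")]:
        rbac.add_inheritance(senior, junior)
    rbac.add_ssd({"claims_adjuster", "claims_approver"})  # nobody may both adjust and approve a claim
    rbac.add_dsd({"claims_clerk", "auditor"})             # may hold both, never in the same session
    for user, role in [("alice", "claims_adjuster"), ("bob", "claims_approver"),
                       ("carol", "claims_clerk"), ("carol", "auditor")]:
        rbac.assign_user(user, role)
    return rbac
```

With the sample policy, alice is authorized for claims_adjuster, claims_clerk and employee through inheritance, but her session grants nothing until she activates a role; assigning her claims_approver as well is refused by the static constraint, and carol can hold claims_clerk and auditor but cannot activate both in one session. The review functions run in both directions (users of a role, roles holding a permission), which is the difference between level 1 and level 4 in the slide's terms.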

8/27

RBAC Modeling and Knowledge Transfer: Motivations

Business drivers
  Increase the efficiency, agility and transparency of access control
  Support strategic requirements for enterprise-wide and federated identity and access management
IT drivers
  Increase RBAC understanding of both IT and key user personnel
  Derive greater value from existing identity management investments and justify further investment
  Support identity and access management for enterprise initiatives such as CRM and Contact Center
  Reduce administrative burden on IT by making access control comprehensible to the broader business community
  Demonstrate relevance of TOGAF and ArchiMate to security architecture

9/27

Well-Designed RBAC Is Easy to Understand

[Diagram contrasting two states]
All-Too-Typical State: local roles aligned with system context
Desired State: local roles aligned with business context

10/27

Modeling Objectives

This effort is not fundamentally about technology
It is about getting people to think differently about access control
  Change behavior immediately and measurably: systems and access administration requests and configurations
  Lay the groundwork for successful investments in identity and access management solutions
It requires two types of communication to a range of business and IT stakeholders
  Justification: demonstrate the need for systematic access control
  Explanation: explain how RBAC works and how it satisfies the need

11/27

How Can Our Chosen Frameworks Help?

                                                 SABSA    TOGAF     ArchiMate
Architecture Development Method                  Yes      Yes       No
Content Framework                                Yes      Yes       Yes
Explicit Entity-Relationship Metamodel           No       Yes       Yes
Explicit Definitions for Individual Viewpoints   No       Somewhat  Yes
Visual Modeling Language                         No       No        Yes

SABSA: Sherwood Applied Business Security Architecture. TOGAF: The Open Group Architecture Framework.

12/27

TOGAF and SABSA Have Comparable Methods for our Purposes

[Diagram: the TOGAF ADM phases shown beside the SABSA Lifecycle]

13/27

Contextual and Conceptual Architecture are Organized Differently in Each Paradigm

[Diagram comparing the layering of the three frameworks]
ArchiMate 2.0 Draft, Core and Extensions: Business, Application, Technology; Motivation; Implementation and Migration
SABSA Model for Security Architecture: Contextual, Conceptual, Logical, Physical, Component, Service Mgmt
TOGAF Version 9 Full Content Metamodel: Business (Principles, Vision, Requirements), Information Systems, Technology, Realization; Extensions: Motivation, Governance, Process, Data, Services, Infrastructure Consolidation

14/27

Our Modeling Approach Leverages Strengths of Each Standard

Select cells from the SABSA Matrix for RBAC justification and explanation
  Strength: comprehensive treatment of enterprise security architecture
Select best fitting TOGAF catalogs, matrices and diagram types
  Strength: comprehensive treatment of enterprise architecture (EA)
Select best fitting ArchiMate diagram types
  Strength: general EA visual modeling language with broad coverage of TOGAF, particularly in the 2.0 draft specification
Adapt viewpoints as necessary to express SABSA objectives
Create catalogs and matrices
  Straightforward based on TOGAF 9 guidance
  This presentation will instead focus on diagrams
Create ArchiMate diagrams based on selected TOGAF and ArchiMate viewpoints

15/27

The Top Two Rows of the SABSA Matrix Have Relevant Content

[Diagram: SABSA Matrix, Contextual and Conceptual rows, with selected cells marked "Justify RBAC" or "Explain RBAC"]

16/27

Each Selected SABSA Matrix Cell Corresponds to Multiple TOGAF and ArchiMate Viewpoints

SABSA Matrix location (Layer/Aspect, Title: Selected Cell Content), followed by the relevant TOGAF catalogs (C), matrices (M) and diagrams (D) and ArchiMate diagrams. Rows are grouped where the slide shares one set of viewpoints across several cells.

Context/Assets, Business Decisions: Goals & Objectives
Context/Motivation, Business Risk: Opportunities & Threats
Concept/Motivation, Risk Mgmt Objectives: Enablement & Control Objectives
  TOGAF: C: Driver/Goal/Objective, Contract/Measure; M: Stakeholder Map; D: Goal/Objective/Service
  ArchiMate: Stakeholder, Goal Refinement, Goal Contribution, Principles, Motivation

Context/People, Business Governance: Organizational Structure & the Extended Enterprise
Concept/People, Roles & Responsibilities: Owners, Custodians & Users; Service Providers & Customers
  TOGAF: C: Organization/Actor, Bus. Service/Function; M: Bus. Interaction, Actor/Role; D: Value Chain, Organizational Decomposition, Bus. Footprint
  ArchiMate: Organization, Actor Co-operation, Bus. Function, Bus. Process, Bus. Process Co-operation

Concept/Location, Domain Framework: Security Domain Concepts & Framework
  TOGAF: C: Role, Location; D: Solution Concept
  ArchiMate: Introductory, Layered, Product, Application Behavior, Landscape Map

17/27

TOGAF Value Chain Diagram
Purpose: Justify RBAC / Explain RBAC

[Diagram: value chain adapted from the NIST-commissioned economic analysis]
RBAC resulted in $6 billion in US economic benefits from 2002-2009, according to the 2010 economic analysis commissioned by US NIST, from which this diagram was adapted

18/27

ArchiMate Motivation Diagram
Purpose: Justify RBAC

[Diagram not reproduced in the extracted text]

19/27

ArchiMate Actor Cooperation Diagram
Purpose: Justify RBAC

[Diagram not reproduced in the extracted text]

20/27

ArchiMate Landscape Map
Purpose: Justify RBAC

[Landscape map: applications plotted against lines of business and business functions; the cell placement is not recoverable from the extracted text]
Lines of Business: Group Insurance, Retirement Plans, Individual Insurance, Wealth Management, Mortgage Brokerage
Business Functions: Broker Collaboration, Sales CRM, Service CRM, Policy/Plan/Account Administration, Claims/Payment/Withdrawal Processing, Document Processing
Applications: Enterprise CRM Application, Mortgage Solution, Policy Admin App, Plan Admin App, Hosted Advisor Workbench, Document Mgmt System A, Document Mgmt System B, Claims App A, Hosted Vertical Industry Solution (some cells marked Not Applicable)

21/27

TOGAF Solution Concept Diagram
Purpose: Explain RBAC

[Diagram not reproduced in the extracted text]

22/27

ArchiMate Product Diagram
Purpose: Explain RBAC / Justify RBAC

[Diagram not reproduced in the extracted text]

23/27

Review: RBAC Levels
Purpose: Explain RBAC

Level            Role Structure   Hierarchy Support   Role Constraints       Role Symmetry
1. Core          Flat             N/A                 None                   No
2. Hierarchical  Hierarchy        General, Limited    None                   No
3. Constrained   Hierarchy        General, Limited    Separation of Duties   No
4. Symmetric     Hierarchy        General, Limited    Separation of Duties   Yes

24/27

ArchiMate Application Behavior View
Purpose: Explain RBAC

[Diagram not reproduced in the extracted text]

25/27

Conclusion

TOGAF, ArchiMate and SABSA each provide broad and deep value for enterprise architects, regardless of their specialty
Integrating these three paradigms today requires significant effort, since they cover much but not all of the same ground, often with similar but not strictly equivalent concepts
Fortunately, there are Open Group efforts underway to integrate
  TOGAF and SABSA
  The TOGAF and ArchiMate content frameworks
Architects can use RBAC to improve the effectiveness, scalability, transparency and agility of access control
Architects can use SABSA, TOGAF and ArchiMate
  To model, portray and analyze planned or actual RBAC solutions
  As a rigorous foundation for a wide range of stakeholder communications

26/27

References

The NIST Model for Role-Based Access Control: Towards a Unified Standard
  http://csrc.nist.gov/groups/SNS/rbac/documents/towards-std.pdf
ANSI INCITS 359-2004, Information Technology - Role-Based Access Control
  http://www.techstreet.com/standards/incits/359_2004?product_id=1151353
Sherwood Applied Business Security Architecture (SABSA)
  http://www.sabsa.org/publications.aspx
  Executive White Paper on Enterprise Security Architecture
  Enterprise Security Architecture: A Business-Driven Approach
TOGAF 9 standard online
  http://pubs.opengroup.org/architecture/togaf9-doc/arch
ArchiMate Version 1.0 standard online
  http://www.opengroup.org/archimate/index.htm
Economic Benefits of Role-Based Access Control
  http://csrc.nist.gov/groups/SNS/rbac/documents/20101219_RBAC2_Final_Report.pdf

Speaker contact: [email protected]