
Has complexity and the Cloud killed Role Based Access Control finally?

Claude Mandy
Sep 5, 2019 · 6 min read

Opinions expressed are solely my own and do not express the views or opinions of my employer

Remember when computers were simple — like really simple? I don’t, but my dad used to tell me stories of how in them days, he’d a’ been glad to have a laptop, all he had were mechanical calculators and the painstaking task of punching IBM punch cards.

“But you try and tell the young people today that… and they won’t believe ya’.” Monty Python, Four Yorkshiremen

Back then, access control was also simple — whoever had physical access, could essentially do whatever they liked, but only one person at a time could do anything useful, as punch cards were entered sequentially. Essentially that person only had one function — punch card operator.

It’s all CRUD anyway

Everyone has a role

The use of roles to indicate authorization allowed users to be allocated to different groups with specific access rights based on their needs. Typically this involved creating a comprehensive set of standard roles based on job descriptions and functions within an organization and assigning users to those roles.

“Is it a boy or a girl?,” asks the new mother…To which the obstetrician answers: “I think it’s a bit early to start imposing roles on it, don’t you?” Monty Python, the Meaning of Life

This is actually quite challenging to get right, as you want to a) reduce the number of roles assigned to each user (note that this is intended to be a many-to-many relationship), b) ensure the roles effectively enforce segregation of duties (SoD), and c) still maintain the principle of least privilege. It becomes increasingly hard to maintain because organizations change all the time. As a result, most roles are seldom updated promptly, if at all, and where they are, the temptation is always to simply add a little more to the existing roles rather than redesign them completely.

“It’s only a wafer-thin mint, sir…” Monty Python, the Meaning of Life

If you do get the roles right, then RBAC is pretty easy to implement, particularly for developers as they only need to determine the user’s role when authorizing access. As a result, RBAC has been the goal for many organizations for over 15 years.

Unfortunately, in that time the number of applications and the amount of data have continued to grow exponentially, and the need to protect data, micro-services, and APIs has evolved, particularly with the increasing use of the cloud. On the other hand, the default quota on the number of IAM roles within AWS is 1000 per account. This exponential growth in complexity, the externally imposed limit on roles, and the inevitable change within every organization have made the number of roles, and the tradeoffs required to control the seemingly infinite number of privileges across an organization, unmanageable.

So, is RBAC dead?

These types of fine-grained access control requirements (i.e. based on more than someone’s role membership(s)) are simply too complex for RBAC and as a result many have argued that RBAC is indeed dead.

‘E’s not pinin’! ‘E’s passed on! He has ceased to be! ‘E’s expired and gone to meet ‘is maker! Monty Python, Dead Parrot

It is firstly worthwhile to remember that most technologies never truly die — they tend to simply end up as legacy, because implementing and maintaining a newer approach may be more costly than keeping the current one.

But as the single framework for managing access across an entire organization, RBAC is clearly dead! It just isn’t scalable or manageable enough on its own to be used successfully in a modern organization.

I believe there is still a role (pun intended) for roles — particularly where accounts can be grouped into mutually exclusive and easily understandable roles, and where those roles can be used to cleanly enforce segregation of duties and least privilege policies. As a result, I anticipate that RBAC will neither disappear completely nor end up as part of a legacy technology stack, but will steadily become just one of many user, activity, resource and data attributes used to control access.

Attributes are already there

The use of multiple pre-existing and up-to-date attributes (particularly whether an action has been performed before, and when it was last performed) allows fine-grained authorization decisions to be made on the individual privilege, rather than solely on the access level granted by a role. This significantly reduces the risk of assigning users to over-privileged roles when they only need to perform a single task. The externalized authorization and policy engine required to make this effective also allows the access model to be changed more dynamically when needed, without fundamentally redesigning the roles and applications.
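As an added illustration (not code from the original post), the following Python sketches the layered decision described above and the role-design concerns raised earlier: a plain role check, a segregation-of-duties check over the user's whole role set, and attribute conditions such as who created the resource and how recently the privilege was last used. The role names, permissions, SoD pairs and the 90-day dormancy threshold are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample role model (the RBAC layer): roles grant coarse permissions.
ROLES = {
    "payments_clerk": {"payment:create", "payment:read"},
    "payments_approver": {"payment:approve", "payment:read"},
    "auditor": {"payment:read"},
}

# Constructed role pairs one identity must never hold at once (segregation of duties).
SOD_CONFLICTS = {frozenset({"payments_clerk", "payments_approver"})}


@dataclass
class Request:
    user: str
    roles: Set[str]
    action: str
    resource_owner: str                 # who created the resource being acted on
    days_since_last_use: Optional[int]  # None = user has never performed this action


def sod_violations(roles: Set[str]):
    """Return the SoD pairs that a single user's role set violates."""
    return {pair for pair in SOD_CONFLICTS if pair <= set(roles)}


def rbac_allows(roles: Set[str], action: str) -> bool:
    """Plain RBAC: any assigned role carrying the permission is enough."""
    return any(action in ROLES.get(r, set()) for r in roles)


def authorize(req: Request, dormant_after_days: int = 90) -> str:
    """Externalized policy decision: role checks first, then attribute conditions."""
    if sod_violations(req.roles):
        return "deny: conflicting roles"
    if not rbac_allows(req.roles, req.action):
        return "deny: role lacks permission"
    # Attribute check: nobody approves a payment they created themselves.
    if req.action == "payment:approve" and req.resource_owner == req.user:
        return "deny: self-approval"
    # Attribute check: a privilege never or not recently exercised is treated
    # as dormant and requires step-up rather than a silent allow.
    if req.days_since_last_use is None or req.days_since_last_use > dormant_after_days:
        return "step-up: dormant privilege"
    return "allow"
```

The same role set passes the RBAC check in every case; only the attribute layer separates routine approvals from self-approvals and dormant privileges.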

Is it that simple?

Nothing about identity and access management is ever simple, but what the evolution of access control over time teaches us is that things change.

As a result, my view is that the best access model is one which can be kept updated easily and changes dynamically as more information becomes available, particularly information about previous actions.

Regardless of how you adapt your access controls going forward, hopefully this post has at least convinced you to look at your implementation of RBAC and its roles. Hidden away in those roles is undoubtedly one role or machine account with enough excess privilege to bring your company to its knees.

Check in again soon for another blog post specifically focused on overprivileged machine accounts particularly in the cloud.

Twenty 20 hindsight

Views expressed here are my own & not of my employer
