Tuesday, January 26, 2010

Security Models

I had an interesting conversation this week with an architect at my organization. We were discussing the security model of an existing app that his group was looking at modifying. He was having a difficult time understanding why our organization uses an RBAC (Role-Based Access Control) model.

The architect came from a military background before starting at our organization. In the military, access to information is governed by how sensitive it is: each piece of data carries a classification level (unclassified, restricted, confidential, secret, or top secret), and a person may see it only if cleared to that level or above. This is a mandatory access control model: the labels are fixed by policy, not chosen by whoever owns the data.

As our conversation progressed, it became clear to me that the architect was trying to apply this classification model to how our organization conceptually separates data. Since we work at a large insurance company, anything with private health information could be one category, anything with sensitive personal data (like a date of birth or social security number) could be another category, and then people could be "cleared" for one or both categories, right?

One of the significant differences that he hadn't yet realized was that, unlike a military outfit, our organization pays insurance claims. A classification model answers the question "how sensitive is this data, and who is cleared to see it?" It does not answer "which combinations of actions must no single person be allowed to perform?" So we adopted a role-based model to enforce a separation of duty between the claim-creators and the claim-payers, because if you can create a claim and then pay it, you have all the ingredients you need to bake a fraud-filled cake. We do use a military-style data classification model for certain types of business (for example, employee health data is sequestered away from the general population, as is data related to federal/government employees), but the role model is where the real work gets done.

We assign each type of employee to a conceptual role. Claim processors (the folks that pay claims) are all placed in one role that gives them all of the access they need on the various applications they use, and that access only permits paying claims. Our underwriters are given a separate role that only permits them to submit claims. Because there is a hard rule that an associate can hold only one role at a time, nobody can both submit and pay a claim. In RBAC terms this one-role rule is a static separation-of-duty constraint: the two roles are mutually exclusive, and the check happens when roles are assigned rather than at the moment a claim is paid.
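As an added example (my own toy code, not from the original post), here are the two models side by side in Python: a classification lattice check in which a clearance must dominate a data label in both level and category, and an RBAC policy in which the submitter and processor roles are declared mutually exclusive so an assignment that would give one person both is refused. The level list follows the post; the role names, permission strings, user names and the PHI/PII categories are assumptions, and the exclusive-role rule generalizes the post's one-role-per-associate rule to pairs of conflicting roles.

```python
"""Two access-control models as a runnable toy (constructed example).

Part 1: a multilevel classification (lattice) model. A subject may read an
object only if its clearance dominates the object's label (no read up), and
write only if the object's label dominates the clearance (no write down).
Part 2: role-based access control where conflicting roles are declared
mutually exclusive, so no one can hold both (static separation of duty).
Role names, permissions, categories and users are assumptions.
"""
from enum import IntEnum


class Level(IntEnum):
    """Ordered sensitivity levels (the list used in the post)."""
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


class Label:
    """A level plus a set of need-to-know categories, e.g. {"PHI", "PII"}."""

    def __init__(self, level, categories=()):
        self.level = Level(level)
        self.categories = frozenset(categories)

    def dominates(self, other):
        # Higher-or-equal level AND a superset of the other label's categories.
        return self.level >= other.level and self.categories >= other.categories


def mac_can_read(clearance, data):
    """Simple security property: no read up."""
    return clearance.dominates(data)


def mac_can_write(clearance, data):
    """*-property: no write down (a SECRET subject must not write into an
    UNCLASSIFIED object, where it could leak what it has read)."""
    return data.dominates(clearance)


class Rbac:
    """Minimal RBAC with static separation of duty (mutually exclusive roles)."""

    def __init__(self):
        self.role_perms = {}    # role -> set of permission strings
        self.user_roles = {}    # user -> set of roles held
        self.exclusive = set()  # frozenset({role_a, role_b}) pairs

    def add_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def add_exclusive(self, role_a, role_b):
        """Declare that no user may hold both roles at once."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        """Grant a role, refusing it if it conflicts with a role already held."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for existing in held:
            if frozenset((existing, role)) in self.exclusive:
                raise ValueError(
                    f"{user} already holds {existing!r}, which excludes {role!r}")
        held.add(role)

    def can(self, user, perm):
        """Permission check: any held role that grants the permission suffices."""
        return any(perm in self.role_perms[r]
                   for r in self.user_roles.get(user, ()))


def build_claims_policy():
    """Constructed policy mirroring the post: submitters create claims,
    processors pay them, and nobody may be both."""
    policy = Rbac()
    policy.add_role("claim_submitter", {"claim:create", "claim:read"})
    policy.add_role("claim_processor", {"claim:pay", "claim:read"})
    policy.add_exclusive("claim_submitter", "claim_processor")
    return policy


def try_assign(policy, user, role):
    """Return True if the assignment was accepted, False if SoD blocked it."""
    try:
        policy.assign(user, role)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    phi_record = Label(Level.CONFIDENTIAL, {"PHI"})
    analyst = Label(Level.SECRET, {"PII"})
    # Level is high enough, but the PHI category is missing: denied.
    print("analyst reads PHI record:", mac_can_read(analyst, phi_record))

    policy = build_claims_policy()
    try_assign(policy, "alice", "claim_submitter")
    print("alice can create:", policy.can("alice", "claim:create"))
    print("alice can pay:", policy.can("alice", "claim:pay"))
    print("alice also made processor:", try_assign(policy, "alice", "claim_processor"))
```

The point of the second half is where the check lives: the fraud case is blocked at role assignment time, so no application that pays claims ever has to know who submitted them.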

This implementation of Role-Based Access Control (RBAC) has several benefits, especially in a large organization such as ours; separation of duty is simply one of them. I will go into more detail on how it works in upcoming posts. For today, I just wanted to briefly share these two differing perspectives.

How does your organization classify data?

References:
Military data classifications
RBAC
