This is the 12th blog in a series about security and how security is about how you think.
I came home one afternoon and walked into my house (my well-secured house). It was like walking into a meat freezer. How could this have happened? Did someone change the thermostat?
Yes, the thermostat had been changed. I hadn’t locked the thermostat, so anyone could change one of my critical house controls. I really need to lock down who can change this control and implement an easy way of knowing who is allowed to change the thermostat and who actually did. The first step is to define a permission (the word ‘privilege’ is also used) within my thermostat so that I can grant it to the people whom I let change the thermostat. I’ll call it CHANGETHERMOSTAT. I’m going to give it to myself, as the administrator of the house, and to no one else. But how do I let others administer my house? I need to create a ROLE that contains all of the permissions/privileges an administrator has; then I can make others ADMINISTRATORs by assigning them that role. There may be other roles in the household with other permissions: FAMILYMEMBER, RENTER, and maybe even PET. Each of these roles is a collection of what its holders can do around the house, from UNLOADINGDISHWASHER to PAYINGMORTGAGE to SLEEPINGONFLOOR. Some people refer to a role as a “hat that they wear” (as in, I’m wearing my ARCHITECT hat right now).
This organization is crucial to keeping the right permissions assigned to the right people. Adding and deleting permissions on each person individually is possible, but as the number of people grows it becomes very hard to manage (a very manual process) and almost impossible to verify that each person has only the permissions they need to do their job and NOTHING MORE. That is the heart of it (the principle of least privilege): nobody should hold “extra” privileges that let them do things they really shouldn’t.
Think about a bank and the roles that exist within the bank. There may be TELLERs, MANAGERs, VICEPRESIDENTs, and AUDITORs. Each one contains specific permissions to do their job.
But are these roles exclusive? Can someone hold more than one role at a time (like TELLER and MANAGER)? Yes. In that case, the individual holds all of the permissions of both roles simultaneously. Local bank policy may not allow that to happen, though. It may require that an individual who holds several roles activate only the one they are using at that moment, so that there is no conflict of interest (this is called separation of duties). For example, a TELLER can take more than $10,000 out of the safe only with a MANAGER’s approval, and that control is meaningless if the same person, wearing both hats, approves their own withdrawal.
Computer systems also have privileges and roles. There are DATABASEADMINs, SECURITYADMINs, SYSTEMADMINs, USERs, and other roles. Each of these roles contains the permissions (privileges) that a person placed in that role can exercise on the system. Ideally no single role holds every privilege on the system; splitting them across roles provides checks and balances, because no one person can act without another noticing.
Another important companion to roles is logging. Each device needs to generate a log record when an operation is attempted, noting success or failure (and a failure could be that you don’t have the right privilege to perform the operation). For example, when I look back in my thermostat’s event log, I see that someone in the role of TEENAGER (real identity hidden from my blog) set the thermostat to 65 degrees at 4:01:02 pm and MIKE set it back to automatic mode at 5:36:44 pm. Once I implemented role-based access, I see another event log entry that TEENAGER tried to do it again the next day at 3:55:11 pm and was denied (since the role of TEENAGER doesn’t have the CHANGETHERMOSTAT privilege).
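Here is the whole idea above in working code: permissions grouped into roles, roles assigned to people, a policy that forbids holding two conflicting roles, a check that a single role does not carry every privilege, dual control on the bank’s large withdrawal, and an audit record written on every check whether it is allowed or denied. This is an added example written for this post, not code from the post, the thermostat or any bank. The role and permission names (CHANGETHERMOSTAT, TEENAGER, MIKE, TELLER, MANAGER) come from the post; the Rbac class, the principal names alice/bob/carol, the $10,000 threshold rule and the TELLER/AUDITOR exclusivity policy are assumptions made for the illustration.

```python
# Added example (not code from the post or from any real thermostat or bank
# product): a minimal role-based access model with an audit log. Role and
# permission names come from the post; the Rbac class, the dual-control
# withdrawal rule and the "exclusive roles" policy are assumptions.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class AuditEvent:
    when: datetime
    principal: str
    role: Optional[str]   # role that granted the permission; None when denied
    permission: str
    allowed: bool


class Rbac:
    def __init__(self) -> None:
        self.roles: dict[str, set[str]] = {}        # role -> permissions it carries
        self.holders: dict[str, set[str]] = {}      # principal -> roles held
        self.exclusive: set[frozenset] = set()      # role pairs nobody may hold together
        self.log: list[AuditEvent] = []

    def define_role(self, role: str, *permissions: str) -> None:
        self.roles[role] = set(permissions)

    def declare_exclusive(self, a: str, b: str) -> None:
        """Static separation of duties: a principal may hold a or b, never both."""
        self.exclusive.add(frozenset((a, b)))

    def assign(self, principal: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role}")
        held = self.holders.setdefault(principal, set())
        for other in held:
            if frozenset((role, other)) in self.exclusive:
                raise ValueError(f"{principal}: {role} conflicts with {other}")
        held.add(role)

    def permissions_of(self, principal: str) -> set[str]:
        """Holding two roles grants the union of both permission sets."""
        return set().union(*(self.roles[r] for r in self.holders.get(principal, ())))

    def check(self, principal: str, permission: str, when: Optional[datetime] = None) -> bool:
        """Authorize one operation and always write an audit record, allowed or denied."""
        granting = next((r for r in sorted(self.holders.get(principal, ()))
                         if permission in self.roles[r]), None)
        self.log.append(AuditEvent(when or datetime.now(), principal, granting,
                                   permission, granting is not None))
        return granting is not None

    def roles_with_every_permission(self) -> list[str]:
        """Roles that alone grant everything; empty means the checks and balances hold."""
        everything = set().union(*self.roles.values())
        return [r for r, perms in self.roles.items() if perms == everything]


def household() -> Rbac:
    """The post's house: MIKE administers it, the TEENAGER cannot touch the thermostat."""
    h = Rbac()
    h.define_role("ADMINISTRATOR", "CHANGETHERMOSTAT", "PAYINGMORTGAGE", "UNLOADINGDISHWASHER")
    h.define_role("FAMILYMEMBER", "UNLOADINGDISHWASHER")
    h.define_role("TEENAGER", "UNLOADINGDISHWASHER")
    h.define_role("PET", "SLEEPINGONFLOOR")
    h.assign("MIKE", "ADMINISTRATOR")
    h.assign("teen", "TEENAGER")   # real identity hidden, as in the post
    return h


LARGE_WITHDRAWAL = 10_000   # assumed threshold, from the post's bank example


def bank() -> Rbac:
    """Constructed bank staff: alice is a TELLER, bob a MANAGER, carol wears both hats."""
    b = Rbac()
    b.define_role("TELLER", "WITHDRAWCASH")
    b.define_role("MANAGER", "WITHDRAWCASH", "APPROVELARGEWITHDRAWAL")
    b.define_role("AUDITOR", "READLEDGER")
    b.declare_exclusive("TELLER", "AUDITOR")   # assumed local policy
    b.assign("alice", "TELLER")
    b.assign("bob", "MANAGER")
    b.assign("carol", "TELLER")
    b.assign("carol", "MANAGER")
    return b


def withdraw(b: Rbac, requester: str, amount: int, approver: Optional[str] = None) -> bool:
    """Dual control: above the threshold a *different* principal must hold the approval right."""
    if not b.check(requester, "WITHDRAWCASH"):
        return False
    if amount <= LARGE_WITHDRAWAL:
        return True
    if approver is None or approver == requester:
        return False
    return b.check(approver, "APPROVELARGEWITHDRAWAL")
```

Calling `household().check("teen", "CHANGETHERMOSTAT")` returns False and leaves an AuditEvent with `role=None` and `allowed=False`, which is exactly the denial entry the thermostat log shows; the same call for MIKE is allowed and records ADMINISTRATOR as the granting role. In the bank, carol legitimately holds both TELLER and MANAGER, so `permissions_of("carol")` is the union of both, but `withdraw(b, "carol", 15_000, approver="carol")` is still refused because the approver must be a different person. Trying to make alice an AUDITOR raises ValueError, and `roles_with_every_permission()` on either model returns an empty list, which is the check you would run whenever a role definition changes.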
The concept of role-based access is another way of thinking about security. The job of security here is to define privileges within the computer datacenter and give each person the right privileges to do their job and nothing more. Grouping the privileges into roles and assigning roles to people is easier than assigning each person each privilege: it brings less management overhead and easier validation that each person has only the privileges that they need. Thinking about access security this way makes it easier to think about the overall security of our environment (whether a home, a bank, or a computer datacenter).