Why am I so invested in Role Based Access Control?
The journey from Manually Creating Excel Spreadsheets of Role Candidates to simple visualizations took years in the practice.
A former colleague of ours recently asked why we've gone so deep into Role-Based Access Control. The short answer is that it works and it's the fastest and cheapest way to enhance security and reduce the costs of an IAM operation. To understand how we arrived at this answer, we have to go through our career paths in IAM. Nick's piece will be coming up shortly but we'll be starting with a couple pieces by me (John).
I came to IAM through a fellow student in my master's program. I was new to the concept, having spent the previous several years writing software to point lasers at missiles in the defense industry. My strong suits were software development, requirements gathering and talking to customers, the rest I had to learn on the fly. I spent three years at a client working with their IAM team to onboard applications and configure their certifications. During that time, I got to witness the pain that comes with overburdened certifications and excessive access requests. I watched an IAM Director go through the five stages of grief when coming to grips with the scope of access certification rubberstamping and I also witnessed a director-level consultant declare the role mining tools in the industry-leading IAM solution "useless" after fiddling with them for a few weeks.
With that IAM experience, I was surprised to find myself assigned to an RBAC project that had been sold to a different and valued long-term client without a plan, only a deadline. That I would find myself in such a position is probably less surprising to a person who is more familiar with consultancies than I was at the time. Larger consultancies send who they have available and expect them to figure it out. If that consultant is lucky, they might be able to draw on the larger knowledge of an organization that's relevant to the problem at hand. Unfortunately, it seemed to me at the time that the larger body of knowledge was that RBAC was "useless". How my bosses managed to sell the project with that attitude is beyond me. I searched the body of knowledge available at the time and found that the general attitude towards Role-Based Access Control was either negative, from users and clients, or positive, from consultancies, in that it could drag on profitably for them for years.
To anyone who questions that last sentence, I point you to this quote from an IAM training that a colleague of mine and I recently took:
"On average, implementing an RBAC solution may involve 20 to 30 people, and may take 3 to 5 years in large (20,000+ people) enterprises."
I didn't have years. I had months, four of them to be specific.










