Many debates have been started about where to put the first layer of defense in cybersecurity. Do you start at the network layer? At the data layer? On the endpoint? Around the application? The reality is that cybersecurity isn’t an “either/or.” The only suitable solution for cybersecurity efficacy and resilience is to approach systems, humans, data, and software with a multi-layered strategy, ensuring that if an attacker manages to get past one control set, they must jump over another hurdle to get to the next. When attackers encounter too many obstacles, hopefully they give up and move on to easier targets — which aren’t you or your company.
What is role-based access control (RBAC)?
In all seriousness, though, one of the keys to maintaining a strong security posture is locking the proverbial front door. In other words, tighten up your access controls — to networks, hardware, software, and data. Role-based access control is one very common method of distributing and governing users’ access rights and permissions. As the name implies, RBAC is predicated on an individual user’s role and responsibilities. For instance, if a user is a finance executive, they likely need access to all finance-related technology and data. If a user is entry-level finance staff, their role probably doesn’t require access to highly sensitive documents such as the financials of a potential acquisition target. Further, a salesperson seldom needs access to finance software or to non-sales financial data, such as how much the company is paying its insurance provider or paper supplier.
Why RBAC is essential for SaaS
Segmenting systems and data with access controls, granted on an as-needed basis, addresses several key security and administrative challenges:
- Security: RBAC prevents unauthorized access to sensitive information and actions. By assigning permissions based on job roles, users only have access to what they need to perform their job responsibilities. This reduces the risk of accidental or malicious misuse of data and systems.
- Improved Efficiency: RBAC streamlines the process of granting and managing user access. This frees up IT resources to focus on other important tasks.
- Simplified Administration: Imagine managing permissions for hundreds or thousands of users individually. It would be a nightmare! RBAC groups users with similar job responsibilities into roles and assigns permissions to those roles. This simplifies adding, removing, or modifying user permissions as roles change within the organization.
- Reduced Risk of Errors: Assigning permissions directly to users is error-prone. With RBAC, you manage permissions at the role level, reducing the chance of accidentally granting someone inappropriate access.
- Compliance: Many regulations require organizations to implement data security measures. RBAC provides a documented and auditable way to track user access and permissions, which can help demonstrate compliance with regulations.
Additional roles for the OX platform
For these reasons, OX Security has added several new roles to the OX platform to help our customers easily onboard and manage new users. Each assigned role maps to different personas who will benefit from access to AppSec and security posture management data. The new roles are:
- Policy Manager: Has full visibility and management capabilities for applications, issues, policies, workflows, and connectors.
- Dev Manager/Security Champion: Can view applications and perform certain application-related actions; can view issues and perform all issue-related actions, including the ability to exclude issues and change severity.
- Developer: Can view issues and perform remediation/collaboration actions, such as opening a PR, creating a ticket, sending an alert to Slack, and more.
- Read Only: Has read-only access to all pages; cannot perform actions.
Scope
In addition to their role, each user is assigned a scope that determines which applications and issues they can access. Regardless of a user’s role designation, they can view data and perform actions only for applications within their scope and the issues related to those applications.
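To make the role-plus-scope rule concrete, here is an added example (not OX Security's code) that models the four roles listed above and the scope check: an action is allowed only when the user's role grants it and the application, or the application an issue belongs to, is inside the user's scope. The role names are taken from this post; the permission strings and sample users are assumed.

```python
# Added example (not OX Security's code): a role + scope authorization check
# modelled on the four roles and the scope rule described in this post.
# Role names come from the post; the permission strings are assumed.
from dataclasses import dataclass

# Assumed permission sets derived from each role's description above.
ROLE_PERMISSIONS = {
    "Policy Manager": {"view_app", "manage_app", "view_issue", "exclude_issue",
                       "change_severity", "remediate_issue", "manage_policy",
                       "manage_workflow", "manage_connector"},
    "Dev Manager/Security Champion": {"view_app", "manage_app", "view_issue",
                                      "exclude_issue", "change_severity",
                                      "remediate_issue"},
    "Developer": {"view_issue", "remediate_issue"},
    "Read Only": {"view_app", "view_issue"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    scope: frozenset  # names of the applications this user may access


@dataclass(frozen=True)
class Issue:
    issue_id: str
    application: str  # the application the issue was found in


def is_allowed(user: User, action: str, application: str) -> bool:
    """Deny by default: the role must grant the action AND the
    application must be inside the user's scope."""
    granted = ROLE_PERMISSIONS.get(user.role, set())  # unknown role -> nothing
    return action in granted and application in user.scope


def can_act_on_issue(user: User, action: str, issue: Issue) -> bool:
    """Issues inherit the scope of the application they belong to."""
    return is_allowed(user, action, issue.application)


def visible_issues(user: User, issues: list) -> list:
    """Issue IDs the user can see: view_issue permission plus an in-scope app."""
    return [i.issue_id for i in issues if can_act_on_issue(user, "view_issue", i)]
```

A Developer scoped to one application can remediate its issues but neither exclude them (role) nor touch another application's issues (scope); an unknown role name gets no permissions at all.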
You can read more about OX enhanced RBAC in the platform under our “What’s New” section, in the technical documentation on our website, or by watching this short video walk-through.