
ORBAC for Simplified and Secure Identity Management

The foundation of your zero-trust strategy


How can you secure the access of an employee who works remotely, on an unmanaged device, to your internal resources? When remote employees reach applications hosted inside the company network, the perimeter controls of that network (firewall, VPN) are no longer sufficient. And how can you, at the same time, secure application access for a group of employees whose rights have suddenly changed because of a major change in context? How does the ORBAC model help?

These employees need to receive their new rights and access to applications and resources quickly, and they must not keep their old access. Both the grant and the revocation have to happen within a very short time frame, because the situation demands a high level of responsiveness.

The main IAM challenge: granting access to the right person at the right time.

Effective management of identities and digital rights covers a wide range of use cases while maintaining strict security. The key challenge is ensuring that the right person has the right access at the right time. Nothing more, nothing less.

It is one of the two major challenges of IAM (Identity & Access Management): granting the right access to the right person at the right time (Identity Management), by managing the lifecycle of identities and their rights; and handling authentication (Access Management), by verifying the user's identity when they present themselves at the access portal, using credentials, multi-factor mechanisms such as biometrics, or a federation mechanism.

Gartner positions IAM as the new perimeter of security. This perimeter must now be managed at a logical level: at the level of the “people” and the “applications” they use, in a much more detailed and granular way, both in space and time. Identity and access management is thus the first link in the zero trust security chain. Before individuals access your network, which has become much more open with remote work and the rise of the cloud, and even before they authenticate, you take control of what the user can access. This allows you to respond calmly in case of exceptional events: you modify access rights in an organized and rigorous way because you have a complete grasp of the perimeter to which the affected users have access.

This is the strength of an IAM software product or cloud service that allows you to:

  • Track the rights granted as well as the origin of these rights. In other words, you track who granted a user access to a particular application. There is no room for uncertainty.
  • Define the rights in great detail. You define user groups flexibly, taking into account roles, context, contracts, etc. You use the multiple filters that suit your needs, set the access rules, and apply (provision) the granted rights in the applications.

Thus, a head of department has access to their department’s applications and not those related to another department. In a given application, the user can access resources within their designated scope: for example, a sales representative may have access to deals in the region assigned to them, but not in other regions.

This is possible because advanced IAM solutions allow you to define each user’s roles, structure, and context, and determine access rights based on authorization rules. This is what we will explore next.

The OrBAC model: simplified and secure identity management

  • Roles definition

Let’s take the role of a nurse as an example. Assume that all nurses have access to a software system for daily patient visit tracking. Nurses retain this same right when they move from the cardiology department to the emergency department: their role does not change, regardless of the department they work in. This method of assigning rights is based on the RBAC (Role-Based Access Control) model.

  • Definition of Organization Based Access Control (ORBAC)

In an ORBAC (Organization-Based Access Control) model, the organization’s structure is defined and plays a key role in determining access rights.

For example, an administrator can easily account for the fact that a cardiology nurse at Hospital 1 does not necessarily have the same access rights as a cardiology nurse at Hospital 2, even though both hospitals are part of the same hospital group.

The administrator can also consider that a cardiology nurse holds a nursing role but also has specific access to cardiology applications. Thus, when the nurse moves to oncology, she retains the rights tied to her nursing role (such as access to the application for tracking daily patient visits), loses her rights related to her original department (access to cardiology applications), and gains rights related to the new structure (access to oncology applications).

The strength of an ORBAC-based solution is that the administrator does not need to define two separate roles: one for oncology nurse and one for cardiology nurse, as would be required with an IAM solution based solely on the RBAC (Role-Based Access Control) model. In ORBAC, the administrator defines the role of nurse and attaches the access rights for cardiology applications to the cardiology department. These cardiology applications are then accessible to everyone in the cardiology department.

This high level of efficiency allows administrators to easily assign rights. When opening a new department or service, the administrator can rigorously distribute rights without having to create a large number of roles, which can be error-prone.

  • Context definition

The concept of context enables rights to be adjusted according to the circumstances.

For example, when a hospital switches to emergency mode or a community enters a heightened security situation (such as a terrorist threat), access rights are adjusted to the context and may differ from the usual ones. Because the adjustment is itself part of the model rather than an ad hoc change, rights continue to be managed rigorously.

  • Definition of Authorization Rules

Once the previous steps are completed, the administrator assigns each identity a role, a structure and an organization, together with the authorization rules. The rights are then calculated and an access model is generated. For example, a person may be a “general” nurse at Hospital 1 and a general nurse at Hospital 2 within the same hospital group.
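As an added example (not code from the original page or from cyberelements), the following toy script shows how the four steps above combine into a computed right set: rights tied to the role are kept anywhere in the group, rights tied to a (hospital, department) structure are inherited by everyone assigned there, and context rules transform the result. It also computes the keep/revoke/provision delta when a nurse is transferred, which is the quick revocation the introduction asks for. Every hospital, department, application name and context rule is constructed for the illustration and is not part of any real deployment.

```python
# Toy OrBAC-style rights calculation. Added example, not code from the
# original page or from cyberelements. Every hospital, department, application
# and context rule below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    app: str
    action: str


@dataclass(frozen=True)
class Identity:
    name: str
    role: str
    hospital: str    # organization within the hospital group
    department: str  # structure inside that hospital


P = Permission

# Rights tied to a role: held wherever in the group the person works.
ROLE_RIGHTS = {
    "nurse": frozenset({P("daily-visits", "read"), P("daily-visits", "write")}),
    "physician": frozenset({P("daily-visits", "read"), P("prescriptions", "write")}),
}

# Rights tied to a structure: attached once to (hospital, department) and
# inherited by everyone assigned there. The same department may carry
# different rights in two hospitals of the same group.
STRUCTURE_RIGHTS = {
    ("hospital-1", "cardiology"): frozenset({P("cardio-ecg", "read")}),
    ("hospital-1", "oncology"): frozenset({P("onco-protocols", "read")}),
    ("hospital-2", "cardiology"): frozenset({P("cardio-ecg", "read"), P("cardio-ecg", "write")}),
}


def _grant_er_board(rights):
    """Emergency mode: nurses of the hospital may read the ER triage board."""
    return rights | {P("er-triage", "read")}


def _read_only(rights):
    """Heightened-security mode: all write actions are suspended."""
    return frozenset(p for p in rights if p.action == "read")


# (context, hospital or None for the whole group, role or None for every role,
#  transformation applied to the computed right set)
CONTEXT_RULES = [
    ("emergency", "hospital-1", "nurse", _grant_er_board),
    ("heightened-security", None, None, _read_only),
]


def compute_rights(identity, context="normal"):
    """Role rights + structure rights, then context adjustments, in that order."""
    rights = ROLE_RIGHTS.get(identity.role, frozenset())
    rights |= STRUCTURE_RIGHTS.get((identity.hospital, identity.department), frozenset())
    for ctx, hospital, role, transform in CONTEXT_RULES:
        if ctx != context:
            continue
        if hospital is not None and hospital != identity.hospital:
            continue
        if role is not None and role != identity.role:
            continue
        rights = frozenset(transform(rights))
    return rights


def rights_delta(before, after):
    """Split a change into (keep, revoke, provision) for the target applications."""
    return before & after, before - after, after - before


def transfer(identity, hospital, department):
    """Move an identity to another structure; the role itself is unchanged."""
    return Identity(identity.name, identity.role, hospital, department)


if __name__ == "__main__":
    alice = Identity("alice", "nurse", "hospital-1", "cardiology")
    before = compute_rights(alice)
    after = compute_rights(transfer(alice, "hospital-1", "oncology"))
    kept, revoked, provisioned = rights_delta(before, after)
    print("keep:", sorted((p.app, p.action) for p in kept))
    print("revoke:", sorted((p.app, p.action) for p in revoked))
    print("provision:", sorted((p.app, p.action) for p in provisioned))
    print("emergency:", sorted((p.app, p.action) for p in compute_rights(alice, "emergency")))
```

Note that no "cardiology nurse" or "oncology nurse" role exists anywhere in the tables: the transfer only changes the structure assignment, and the delta returned by `rights_delta` is exactly what a provisioning connector would push to the applications (revoke `cardio-ecg`, grant `onco-protocols`, leave `daily-visits` alone). Context rules are applied after the base computation and scoped by hospital and role, so an emergency declared at Hospital 1 does not leak rights to Hospital 2.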

IAM products based on the OrBAC model, such as cyberelements, enable highly agile management of rights and authorizations, allowing you to significantly enhance the security of your information system, all while providing a transparent experience for the end user who also benefits from improved access.