Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2021/11/01/solving-the-access-goldilocks-problem-rbac-for-insightappsec-is-here/
We’re all familiar with the story of Goldilocks and the Three Bears. Goldilocks starts a new job as a security specialist on the security team at Three Bears’ Porridge, Inc. and is given access to their application security platform.
At first, the access she’s given is far too broad. It causes problems, and she has access to more data than she needs to do her job. By the end of the day, it’s impacted the entire system. The next day, she’s given too little access, preventing her from fully completing her tasks and creating more work for Hansel, Gretel, and the rest of the security team. Finally, after several rounds of granting and restricting permissions, they eventually land on an access level that’s just right.
Does this famous yarn hit a little too close to home?
Getting access control just right
Providing the right access levels to different teams and individual team members is a critical component of managing any security program, but it can be time-consuming, cumbersome, and rife with constant back-and-forth.
That’s why we’re excited to announce a new feature standard for InsightAppSec called Role-Based Access Control (RBAC). Our RBAC system gives you the flexibility to provide the right levels of access to the InsightAppSec platform needed for each role on your security team. By identifying users through groups, you can grant access and permissions quickly and easily, reducing back-and-forth setting up access that may have caused your team more than one porridge hangover.
The InsightAppSec RBAC feature works under a simple premise: scalability. RBAC allows you to create groups with bespoke levels of access based on what they need to actually do their jobs. The role a user is given will govern what they can see in the product in terms of features — for example, can they see the scan configs or vulnerabilities areas? — but their data access will define if they can actually see any data within those areas.
It doesn’t matter if you have a department of 10 or 20 — everyone assigned to designated groups will have the right access parameters to successfully carry out their tasks. Those parameters are easily updated to roll with changes as needed, and they’re fully customizable. With a few clicks, RBAC lets you set the access levels your entire security team needs to operate.
Go for the Goldilocks zone
So, why is this so important? Well, on day one, Goldilocks had far too much access and nearly brought the operation to a screeching halt. Having too many team members with unneeded access invites risk, and cleaning up that mess can be time-consuming and difficult. Similarly, day 2 wasn’t much better. Goldilocks didn’t have the permissions she needed and couldn’t contribute to the team (through no fault of her own). That meant the slack needed to be picked up somewhere, putting stress on the entire team and slowing the operation down.
If Three Bears’ Porridge, Inc. had the new RBAC, Goldilocks and the other members of her team or in her group would have had the permissions they needed from day 1, saving time, headaches, and money.
But the conveniences go further than that. InsightAppSec’s RBAC feature allows you to better partner with the dev team, providing them direct access to their application vulnerability details and context. That means less back-and-forth, less time lost, and a system that will scale with your business.
The RBAC feature allows you to do more than create custom roles. You can control access to applications in bulk with just a few clicks — and with our prebuilt roles, you can use the feature right out of the proverbial box (and customize from there).
This is one of the many features we’ve been working on this year to make your life at work just a little bit safer, more streamlined, and efficient. Current InsightAppSec customers will see that they may already have access to RBAC, and it will be rolled out for other parts of the Insight platform in the coming months. If you’d like to learn more, check out this handy video:
As for Goldilocks, she’s been promoted to security administrator and is dreaming of becoming a CISO. And they lived happily ever after.