Blog   |   Security   |   August 17, 2021

The ABCs of RBAC: Understanding Role-Based Access Control

Role-based access control, or RBAC, may seem like techno jargon, but it is crucial for maintaining security at a highly granular level. Instead of assigning permissions to individual users, access is granted by job function and organization. This makes transitions easier and helps avoid potential breaches.

One of the keys to improving cloud security in your organization is to understand how to assign permissions. Let’s explore the basics of role-based access control, plus some considerations that enterprises, service providers, and Software-as-a-Service (SaaS) vendors need to take into account when developing security policies.


User-Level Access vs. Role-Based Access Control

Historically, prior to the use of RBAC, users were assigned access to resources on an individual basis. This was known as user-level access.

For example, Jane is a System Administrator for a data center. She would have access to nearly everything. Suppose Jane studies programming and transitions to become a Software Developer at the same firm. Unless someone remembers to change her access, she would still have access to resources that a developer should not.

However, if the organization assigns access based on roles, the moment Jane switches roles, her access would be updated as well, without relying on a human to catch the change.

This is similar to access to a physical building. If someone switches from working in Sales to joining the Marketing department, which is in a different building, their key fob should work in the new building and not the old one.

Now imagine doing this at scale, with hundreds or even thousands of employees. The chance of making a mistake and letting the wrong permissions stand increases significantly.


Other Applications of Role-Based Access Control

Effective role-based access control operates on the principle of least privilege, meaning that users only receive access to what they need to perform essential functions. In the cloud, especially, this becomes crucial for administrators building secure IAM policies.
Yet role-based access control extends further than enterprise IT situations. Service providers and SaaS vendors need to pay attention to how they manage permissions. Here are just a couple examples of role-based access control in action:


Role-Based Access for Service Providers

If you are a Managed Service Provider (MSP) that maintains cloud accounts for multiple clients, then RBAC becomes even more important. As an MSP, you need to give your customers the flexibility they need when using cloud services to stay ahead of competitors.

Suppose you have both Coca-Cola and Pepsi as customers. You absolutely have to ensure that neither company could gain access to the other’s confidential resources. And you also need to make sure that your own employees don’t have access to content they shouldn’t have, such as Coke’s secret formula! Highly granular role-based access is the key to making this work.


API Access for SaaS Vendors

It’s human nature to focus on what we can see. In computing, that literally translates to the user interface. It’s easy to test and verify what resources we have access to via an application console. But these days, many SaaS applications have an API, or Application Programming Interface. This is a back-end that allows programmers to write their own code that leverages the functionality of the SaaS provider, without logging in to the portal.

Imagine if the SaaS vendor allowed unrestricted access via their API, without RBAC. Anyone with the login credentials to the API could gain access to any and all content and functionality in the SaaS application. This is like leaving the back door to a bank wide open. Yet many SaaS vendors do this, either out of ignorance or because they don’t have security in their DNA.


RBAC: An Essential Step in Security-First Thinking

Adopting a role-based access control approach in the cloud can make it easier to add, delete, or modify users and monitor who receives access to which resources. This, in turn, ensures the security and compliance of IT infrastructure, whether in the cloud or elsewhere, conforms to a security-first mindset.

Permissions should be the priority for enterprises, services providers, and SaaS vendors. By addressing access permissions early on via a role-based access control methodology, organizations can scale to handle large use cases without worrying about vulnerabilities due to human error. 


Understanding Your Cloud Security Responsibilities

Role-based access control is just one area of cloud security that falls under your jurisdiction. But there’s more to cloud security than RBAC and APIs. The two leading cloud providers, Amazon Web Services (AWS) and Microsoft Azure, ensure the physical security of the cloud. But it’s the customer’s responsibility to close the data security loop. This is known as the shared responsibility model. Discover how next-generation automated cloud monitoring and security management tools like CloudCheckr can close the shared responsibility security gap. 


Learn more about CloudCheckr CMx

Todd Bernhard headshot
About the Author

Todd Bernhard has been with CloudCheckr handling Product Marketing and Technical Evangelism roles since 2017. He holds multiple certifications including AWS Solutions Architect Associate, Microsoft Azure Fundamentals, Google Cloud Associate Engineer and FinOps Certified Practitioner. Prior to joining CloudCheckr, Mr. Bernhard was an award-winning, bestselling mobile app developer and entrepreneur and previously worked for Sun Microsystems, as an Evangelist, Sales and Technical Trainer and Product Marketing Manager for Sun’s high-end data center servers.