Why RBAC is obsolete

Image by Wallarm Inc.

Modern-day identity governance suffers from numerous concerns, but the main problem at the core of them all is increasing complexity. From numerous IAM (identity and access management) profiles to countless cloud resources to intricate policies governing said profiles and resources, the shift to the cloud has introduced a layer of complications never seen before. RBAC (role-based access control) is a traditional security measure that bounds a user’s access by their ‘role’ in an organization; however, cloud resources are often more dynamic and unpredictable than the traditional resources they’ve replaced. As technology advances and creates more complex planes of access (such as SaaS applications, the cloud, and internal tools), we must also look toward more complex solutions. RBAC lacks sophistication and flexibility, failing to address the access needs of the modern company.

Modern companies are using an ever-increasing number of SaaS applications, and allocating access based on once-discrete roles becomes exponentially complicated with every new application. With just the SaaS that an average company is aware of, there are over one hundred apps in use every day — not even considering the unknown number of apps used without explicit IT approval or knowledge (also known as “Shadow IT”). Each app represents a new site of authorization, roles, and permissions, making it increasingly difficult for predefined roles to stay relevant as your company’s resources innovate.

Moreover, in dynamic cloud environments, identity needs often change quickly and unexpectedly. For example, an employee might need access to certain resources one day but not the next. With RBAC systems, giving users access to these changing resources can be tricky — it can require manually reassigning all relevant permissions for each user every time there’s a change in their identity status. In addition to creating additional work (and therefore increasing labor costs), this can become time-consuming and error-prone.

There are also internal tools and companies’ end products. With everything from dashboards to the final products companies sell, permissions are everywhere. Especially in fast-paced work environments, new roles, access, and users may need to be added quickly, and in many cases, it’s not feasible to update RBAC permissions in time to match this pace. Additionally, the rigid structure of RBAC makes it a more challenging method the larger the organization is, the more users they have, and the more complex or intricate the end product is. Once products go to market and roles extend past employee users to encompass customers and investors as well, these challenges are exacerbated.

These three planes of identity — SaaS, the cloud, and internal tools — combine to render RBAC insufficient. Where roles were once able to be clearly defined and mapped between each other, modern companies face a tangled mess of permissions and access that are impossible to manage. We visualize this as many crossing wires constantly shifting through the contemporary corporate environment. Thus, it’s fitting to call a modern solution to this permissions problem, Crosswire, where users can be automatically granted the correct permissions without overcomplicating management systems with outdated roles. For further guidance on securing your organization, reach out to us! You can stay up to date with / join Crosswire here.