Why RBAC is obsolete

Hannah Young
December 19, 2022
3 min read

Image by Wallarm Inc.

Modern-day identity governance suffers from numerous concerns, but the main problem at the core of them all is increasing complexity. From numerous IAM (identity and access management) profiles to countless cloud resources to intricate policies governing said profiles and resources, the shift to the cloud has introduced a layer of complications never seen before. RBAC (role-based access control) is a traditional security measure that bounds a user’s access by their ‘role’ in an organization; however, cloud resources are often more dynamic and unpredictable than the traditional resources they’ve replaced. As technology advances and creates more complex planes of access (such as SaaS applications, the cloud, and internal tools), we must also look toward more complex solutions. RBAC lacks sophistication and flexibility, failing to address the access needs of the modern company.

Modern companies are using an ever-increasing number of SaaS applications, and allocating access based on once-discrete roles becomes exponentially complicated with every new application. With just the SaaS that an average company is aware of, there are over one hundred apps in use every day — not even considering the unknown number of apps used without explicit IT approval or knowledge (also known as “Shadow IT”). Each app represents a new site of authorization, roles, and permissions, making it increasingly difficult for predefined roles to stay relevant as your company’s resources innovate.

Moreover, in dynamic cloud environments, identity needs often change quickly and unexpectedly. For example, an employee might need access to certain resources one day but not the next. With RBAC systems, giving users access to these changing resources can be tricky — it can require manually reassigning all relevant permissions for each user every time there’s a change in their identity status. This creates additional work (and therefore increases labor costs), and the manual process is both time-consuming and error-prone.

There are also internal tools and companies’ end products. From dashboards to the final products companies sell, permissions are everywhere. Especially in fast-paced work environments, new roles, access, and users may need to be added quickly, and in many cases it’s not feasible to update RBAC permissions in time to match this pace. Additionally, RBAC’s rigid structure becomes harder to apply as the organization grows, as its user count rises, and as its end product becomes more complex or intricate. Once products go to market and roles extend past employee users to encompass customers and investors as well, these challenges are exacerbated.
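To make the maintenance problem concrete, here is an added example (not from the original post or Crosswire’s product) that models per-app roles, the direct grants an admin makes for a one-day need, and an audit that flags access the role model no longer explains. App, role, and user names are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample (assumed app and role names, not from the post): each SaaS
# app is its own site of authorization, so a role is a bundle of per-app grants.
ROLE_PERMS = {
    "engineer": {"github:write", "aws:dev-read", "jira:edit"},
    "analyst": {"warehouse:read", "bi:view"},
    "finance": {"billing:read", "billing:approve"},
}

@dataclass
class User:
    name: str
    roles: set[str]
    # Grants made directly in an app, outside any role, for a short-term need.
    # The value is the date the admin *intended* to revoke it; nothing enforces it.
    direct: dict[str, date] = field(default_factory=dict)

def role_perms(user: User) -> set[str]:
    return set().union(*(ROLE_PERMS[r] for r in user.roles))

def effective_perms(user: User) -> set[str]:
    """What the user can actually do: the apps honour every grant on record."""
    return role_perms(user) | set(user.direct)

def audit_drift(users: list[User], today: date) -> list[tuple[str, str, str]]:
    """Flag access the role model no longer explains:
    'overdue'  - direct grant past its intended revocation date, still live;
    'off-role' - direct grant within its window, but derivable from no role."""
    findings = []
    for u in users:
        for perm, until in u.direct.items():
            if perm in role_perms(u):
                continue  # redundant with a role, so the model still explains it
            findings.append((u.name, perm, "overdue" if until < today else "off-role"))
    return findings

def role_coverage(users: list[User]) -> float:
    """Fraction of users whose real access is exactly their role bundle."""
    return sum(effective_perms(u) == role_perms(u) for u in users) / max(len(users), 1)

def demo() -> tuple[list[tuple[str, str, str]], float]:
    today = date(2022, 12, 19)
    alice, bob, carol = User("alice", {"engineer"}), User("bob", {"analyst"}), User("carol", {"finance"})
    bob.direct["billing:read"] = date(2022, 12, 1)       # one-day audit need; never revoked
    alice.direct["warehouse:read"] = date(2022, 12, 31)  # live, but outside any role
    return audit_drift([alice, bob, carol], today), role_coverage([alice, bob, carol])
```

Running `demo()` shows the two kinds of drift the post describes: a temporary grant whose revocation was missed, and live access that no role accounts for, with only one of three users still matching their role bundle.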

These three planes of identity — SaaS, the cloud, and internal tools — combine to render RBAC insufficient. Where roles could once be clearly defined and mapped to one another, modern companies face a tangled mess of permissions and access that is impossible to manage. We visualize this as many crossing wires constantly shifting through the contemporary corporate environment. Thus, it’s fitting to call a modern solution to this permissions problem Crosswire: users are automatically granted the correct permissions without overcomplicating management systems with outdated roles. For further guidance on securing your organization, reach out to us! You can stay up to date with, or join, Crosswire here.
