Bruce Schneier, the Chief Security Technology Officer of BT and a highly regarded security guru, engaged in a point/counter-point debate with Marcus Ranum in an article entitled Schneier-Ranum Face-Off: Is Perfect Access Control Possible?
The question regarding the efficacy of access controls is particularly relevant today, especially in light of the fact that excessive access rights were the top audit finding over the past two years. How can that be resolved? The general consensus among Identity Management (IdM) experts is that organizations should implement a role-based access control (RBAC) system to manage access rights. But as Schneier points out:
RBAC is very hard to implement correctly. Organizations generally don't even know who has what role. The employee doesn't know, the boss doesn't know -- and these days the employee might have more than one boss -- and senior management certainly doesn't know.

Ranum notes that part of the problem is that we're paying for decisions made over the past decade to make critical data easier and cheaper to access.
What both Schneier and Ranum agree on is that over-entitlement is the norm today, and these excessive access rights -- also called excessive entitlements -- represent a security and compliance exposure.
So where does that leave us? Based on what I've seen, I have to agree with Schneier's assessment:
In the end, a perfect access control system just isn't possible; organizations are simply too chaotic for it to work.

If RBAC systems are so hard to implement correctly, and even a correct implementation still leaves the organization with excessive access rights and their associated risks and vulnerabilities, what can be done? User activity monitoring in the form of an Identity and Access Assessment (IdAA) solution can complement RBAC identity management systems by providing feedback that uncovers excess entitlement, most visibly in the form of dormant (aka zombie) accounts: accounts that hold entitlements nobody has exercised in a long time. Therefore, even if RBAC is very hard to implement correctly, the organization can at least gain visibility into the vulnerabilities and compliance exposure associated with excessive access rights, and remove them.
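To make the IdAA feedback loop described above concrete, here is an added example (not code from the original post or from any vendor's product) that cross-references an entitlement inventory against authentication/activity logs. The inventory, the log lines, the 90-day dormancy threshold and the assessment date are all constructed for illustration; a real deployment would pull the inventory from the IdM system and the events from directory or application logs.

```python
"""Toy Identity and Access Assessment (IdAA) pass.

Cross-references who *holds* entitlements (RBAC inventory) with who actually
*uses* them (activity log) to surface two kinds of excess entitlement:
  1. dormant ("zombie") accounts: no activity within the dormancy window;
  2. granted-but-never-exercised entitlements on otherwise active accounts.
All data below is constructed sample data, not from any real system.
"""
from datetime import datetime, timedelta

# Constructed entitlement inventory: account -> set of granted entitlements.
ENTITLEMENTS = {
    "alice": {"finance-read", "finance-approve"},
    "bob": {"hr-read"},
    "carol": {"finance-read", "sysadmin"},
    "svc-backup": {"sysadmin"},
}

# Constructed activity log: "<ISO timestamp> <account> <entitlement exercised>".
ACTIVITY_LOG = """\
2024-03-01T09:12:00 alice finance-read
2024-03-02T10:05:00 alice finance-read
2024-01-10T08:00:00 carol finance-read
2023-09-15T07:30:00 svc-backup sysadmin
"""

# Assumed assessment date for the example (constructed).
ASSESSMENT_DATE = datetime(2024, 3, 15)


def parse_activity(log_text):
    """Parse log lines into (timestamp, account, entitlement) tuples."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, entitlement = line.split()
        events.append((datetime.fromisoformat(ts), account, entitlement))
    return events


def assess(entitlements, events, now, dormant_after=timedelta(days=90)):
    """Return (dormant_accounts, unused_entitlements).

    dormant_accounts: sorted accounts with no activity within `dormant_after`
    of `now`, including accounts that never appear in the log at all.
    unused_entitlements: account -> granted entitlements never seen in the
    log, reported only for non-dormant accounts (a dormant account's whole
    entitlement set is already flagged by the first list).
    """
    last_seen = {}
    used = {acct: set() for acct in entitlements}
    for ts, account, entitlement in events:
        if account not in entitlements:
            # Activity from an account missing from the inventory is itself a
            # finding, but is out of scope for this dormancy check.
            continue
        last_seen[account] = max(last_seen.get(account, ts), ts)
        used[account].add(entitlement)

    dormant = sorted(
        acct for acct in entitlements
        if acct not in last_seen or now - last_seen[acct] > dormant_after
    )
    unused = {
        acct: granted - used[acct]
        for acct, granted in entitlements.items()
        if acct not in dormant and granted - used[acct]
    }
    return dormant, unused


def run_example():
    """Run the assessment over the constructed data."""
    return assess(ENTITLEMENTS, parse_activity(ACTIVITY_LOG), ASSESSMENT_DATE)


if __name__ == "__main__":
    dormant, unused = run_example()
    print("Dormant accounts (candidates for disablement):", dormant)
    for acct, ents in sorted(unused.items()):
        print(f"{acct}: granted but never exercised: {sorted(ents)}")
```

The two output lists map onto the two remediation paths the post implies: dormant accounts go to the account owner for disablement or deletion, while never-exercised entitlements on active accounts go back to the role designer as evidence that the RBAC role is broader than the job actually requires.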