Oct 26 2023

What Is Role-Based Access Control (RBAC) and What Does It Have to Do with Zero Trust?

Categorizing users by their current role, rather than by their name, can help universities ensure users are allowed to access only what they need.


Zero-trust network design is an old idea with a new name that is rapidly becoming a best practice for security practitioners. In higher education environments, zero trust has a long history: a mix of staff, faculty, students and administrators, all sitting side by side on the same network, has long pushed large campus networks toward a zero-trust architecture.

College and university network managers may not have called it zero trust, but old designs look more like zero trust than many corporate networks. That’s because higher ed network security usually assumes a broad threat model in which even those who are physically on campus, in offices, don’t get implicit trust. They must instead prove their identity to applications and often to the network itself, something that’s at the core of a zero-trust philosophy.

What Is Role-Based Access Control?

Role-based access control is a tool that network managers can use to make their zero-trust designs work well in a distributed campus environment. RBAC provides a layer of abstraction that greatly simplifies the management of large and complex security environments. Using RBAC can turn a nearly incomprehensible mishmash of network access, application control and data management rules into something that is not only manageable but also auditable. Auditability is a key requirement for higher education, where regulatory frameworks such as the Federal Information Security Management Act (FISMA), the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) impose significant compliance burdens on the institutions they cover.


Reviewing Zero Trust and Its Role in Higher Education Security

Let’s look at zero trust and RBAC to see how they can work together in college environments, starting with a quick review.

Zero trust is a network security and application design principle that stipulates that no entity has implicit trust. In the context of university networks, zero trust typically means that even if you’re coming from a particular wireless network, a particular building or a particular office, you don’t necessarily have any access beyond what any internet user would have. The network itself is completely untrusted, as are the devices attached to it.

To do anything useful on a zero-trust network, you must prove that you’re trustworthy. This usually starts with user authentication but can extend further to device authentication; proving the security posture of the device and meeting appropriate usage patterns may also be part of gaining trust. The focus here is on the access side of zero trust, even though a zero-trust design should also include server-to-server back end communications.

Naturally, there’s considerable variation, because zero trust is more a set of design principles than a specific architecture. For example, some schools might let unauthenticated and untrusted users access their wireless networks to get to the internet without authentication, but others may not.



Defining Role-Based Access Controls for Higher Education Institutions

Once someone starts to gain trust, however they do so, how do institutions use that trust in applying security policy?

The answer is that colleges and universities usually express policy as a set of access controls. For example, they might say that a specific user can connect to the finance application but can’t connect to the HR application.

That’s a fairly high-level statement, though, and how these access controls are enforced from campus to campus may be quite different. For example, the network might enforce certain controls that prevent the user from sending packets to an application they don’t have access to. A front-end device ahead of the application servers, such as a proxy firewall or SSL/TLS encryption accelerator, might do the enforcement. Or, the application itself might handle the access controls. Or, it could be some combination of all of these.

There’s no question that things can get complicated very quickly. This is especially true in heterogeneous environments, such as higher education networks, in which some applications might be firmly stuck in the past, some might be completely up to date, and the network and security infrastructure might be a mix of old and new. 

Role-based access control provides a way to simplify the potential chaos that comes from a campuswide zero-trust design. With RBAC, rather than granting access to specific users, access is granted to roles, and users are assigned roles. For example, in the case of the user who should be allowed access to finance data but not HR, RBAC might define a role called “Finance People” that carries access to the finance application. Assigning that role to specific users grants them access to the finance application but not the HR application, because access to HR is carried by a different role that those users have not been assigned.


Why Should Colleges and Universities Use RBAC?

RBAC makes security management possible because when a user moves on from a finance job to something else, managing the change in security profile just means reviewing the roles available to that user. Otherwise, you’d need to find every instance in which a user might be mentioned in an access control list in every network device, VPN server, firewall, application and database system.

This example is fairly basic, but with zero trust, the concept of a role within RBAC may extend in many directions. For example, it may not be sufficient to have the role “Finance People” to get to the finance application. Networks might also require a “Trusted Device” role, meaning that the device being used has been entered into the campus mobile device management or enterprise mobility management system.

In effect, zero trust requires that you have no access until you establish trust, and RBAC is used to define what access you have once you start to establish trust through authentication and other real-time checks.
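The three ideas above (permissions attached to roles rather than to users, a second condition such as a “Trusted Device” requirement layered on top, and a job change handled by swapping one role assignment instead of hunting through every ACL) can be shown in a small policy engine. The following is an added example written for this article, not code from any campus IAM product; the role names, application names and user assignments are constructed sample data, and the device-trust flag stands in for whatever an MDM/EMM lookup would return in a real deployment.

```python
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (application, action)

# Constructed sample policy: each role carries a set of permissions.
# Role and application names are illustrative assumptions.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "Finance People": {("finance-app", "read"), ("finance-app", "write")},
    "HR People": {("hr-app", "read"), ("hr-app", "write")},
    "Student": {("lms", "read")},
}

# Applications whose policy also requires the request to come from a device
# enrolled in campus MDM/EMM (the article's "Trusted Device" condition).
REQUIRES_TRUSTED_DEVICE: Set[str] = {"finance-app", "hr-app"}

# Constructed sample assignments: user -> roles. This is the only place a
# user's name appears; no ACL anywhere else mentions an individual.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"Finance People"},
    "bob": {"HR People"},
    "carol": {"Student"},
}


def user_permissions(assignments: Dict[str, Set[str]], user: str) -> Set[Permission]:
    """Effective permissions are the union of the user's roles' permissions."""
    perms: Set[Permission] = set()
    for role in assignments.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_permitted(assignments: Dict[str, Set[str]], user: str, app: str,
                 action: str, device_trusted: bool) -> Tuple[bool, str]:
    """Deny-by-default decision: device posture first, then role lookup.

    Returns (decision, reason) so the reason can be logged for audit.
    """
    if app in REQUIRES_TRUSTED_DEVICE and not device_trusted:
        return False, "denied: device not enrolled in MDM/EMM"
    for role in sorted(assignments.get(user, set())):
        if (app, action) in ROLE_PERMISSIONS.get(role, set()):
            return True, f"granted via role '{role}'"
    return False, "denied: no assigned role grants this permission"


def move_user(assignments: Dict[str, Set[str]], user: str,
              from_role: str, to_role: str) -> Dict[str, Set[str]]:
    """Job change: one role swap, no per-device or per-application ACL edits.

    Returns a new assignment table; the input is left unchanged.
    """
    updated = {u: set(r) for u, r in assignments.items()}
    roles = updated.setdefault(user, set())
    roles.discard(from_role)
    roles.add(to_role)
    return updated


def who_can(assignments: Dict[str, Set[str]], app: str, action: str) -> Set[str]:
    """Audit question an assessor will ask: who can do <action> on <app>?"""
    return {u for u in assignments if (app, action) in user_permissions(assignments, u)}


if __name__ == "__main__":
    print(is_permitted(ASSIGNMENTS, "alice", "finance-app", "read", True))
    print(is_permitted(ASSIGNMENTS, "alice", "finance-app", "read", False))
    after_move = move_user(ASSIGNMENTS, "alice", "Finance People", "HR People")
    print(is_permitted(after_move, "alice", "finance-app", "read", True))
    print(sorted(who_can(after_move, "hr-app", "read")))
```

Two design points are worth noting. The device check runs before the role lookup and returns its own reason, so a denied finance request from an unmanaged laptop is logged as a posture failure rather than a missing entitlement. And because `who_can` is derived from the same tables the decision uses, the audit answer can never drift from what the enforcement point actually does, which is the auditability the article is after.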

Managing role-based access controls is part of an identity and access management system. Whether that’s homegrown on campus or a commercial product, IAM tools bring user identities, authentication, roles and attributes — as well as some access control rules — into a single management system and API for applications and network devices.

Higher education network managers may never find a single one-size-fits-all solution to complicated campus security policies and application environments, but the state of the art has shifted dramatically over the past few years. IAM tools and RBAC, combined with strong design and modern application capabilities, make a zero-trust network architecture a solid base for improving security and simplifying identity management.
