Using RBAC for Cloud Cost Management and Security

One of the biggest challenges organizations face is controlling access to sensitive data. With the average cost of a data breach in 2021 pegged at $4.24 million by IBM's Cost of a Data Breach Report 2021, and with data privacy regulations such as HIPAA and GDPR multiplying, businesses must ensure that employees have access to the data they need to do their jobs, and no more, while keeping malicious actors out.

It is critical that policies and procedures are in place to revoke access when employees change roles or leave an organization, whether voluntarily or through termination. These controls maintain least-privilege access and avoid "privilege black holes" (more commonly called privilege creep), where a user retains access to resources that are no longer required for their work.

The most common mechanism for enforcing appropriate access levels is role-based access control (RBAC). Rather than granting permissions to individuals one at a time, RBAC attaches permissions to roles and assigns users to roles, so that access to resources and information is limited to what each role actually requires. RBAC is typically implemented under the principle of least privilege: employees hold only the permissions needed to fulfill the responsibilities of their job role.

Benefits of Role-Based Access Control

The benefits of RBAC are substantial, especially for security. The risk of a data breach is reduced when data is reachable only by the teams that need it to do their work. RBAC also helps employees focus: a role scoped to its business context surfaces the information that is relevant to that role and filters out the rest. As new employees are onboarded, their role assignments can be widened gradually as they take on responsibilities. RBAC should be automated across all applications, so that when the organization adds an employee to its identity management solution, every connected system updates its access and permissions accordingly, and removes them again when the employee is removed.

RBAC can also be the foundation of a compliance strategy: it enforces access policies at the system and resource level, and system roles can be mapped to the organization's compliance policies. In practice this takes the form of an access matrix that defines who can access what, and with which permissions. Because roles and their assignments are explicit, administrators can review who holds access to sensitive data in critical areas of the organization and verify that only authorized users do. The net effect is that the right personnel have the access needed to do their jobs and nothing else, which directly reduces the exposure that leads to data breaches.

Applying RBAC to Cloud Cost Management

Cloud cost optimization relies on engineering teams having access to the right information to take ownership of cloud costs. That information needs to be accurate, specific, and actionable for the teams that own the cloud resources generating the spend.

DevOps and FinOps teams need to understand cloud costs for their branch of the organization, and in large organizations there may be numerous teams, each focused on a different area of the business. RBAC lets engineers own their specific costs by delivering recommendations that are meaningful and relevant to the applications they are responsible for.

Cloud costs must be attributed to the correct stakeholders, in the right context, for recommendations to be truly actionable, so RBAC is fundamental to proper cloud cost attribution. RBAC defines which employees need access to which information and what kind of access is useful to them. For example, if two team leaders head different divisions of an organization, there is no benefit in either having visibility into the other division's cloud spend and recommendations. In contrast, finance and the head of engineering need to see cloud cost data across all divisions in order to manage budgets.

A key consideration when using RBAC to build a cloud cost management solution is what each individual needs to do their job. Certain information and actions apply to an engineering team, whereas the finance team needs different information and access: engineers need recommendations that let them terminate unused resources, while finance is more concerned with forecasting. RBAC handles this at the business context level. As a best practice, organizations should avoid creating too many roles; role sprawl makes the model unmanageable and effectively meaningless. Businesses should also audit roles and permissions regularly to ensure that access levels remain relevant.
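To make the access matrix described above concrete, here is an added example in Python; it is not Yotascale's product code and does not come from the original article. The role names, permission names, divisions, user names and cost figures are all hypothetical. Each assignment binds a user to a role within a scope, either one division or all divisions, so a division lead sees only their own division's spend while finance sees every division, and engineers, but not finance, hold the permission to terminate resources. Offboarding clears every assignment at once, and a small audit helper lists roles that nobody holds.

```python
from dataclasses import dataclass, field

# Permission names (hypothetical) for actions on cloud cost data.
VIEW_COSTS = "view_costs"
VIEW_RECOMMENDATIONS = "view_recommendations"
TERMINATE_RESOURCES = "terminate_resources"
VIEW_FORECAST = "view_forecast"

ALL = "*"  # wildcard scope: every division

# Role -> permissions. Keep this table short; role sprawl defeats the model.
ROLES = {
    "engineer": {VIEW_COSTS, VIEW_RECOMMENDATIONS, TERMINATE_RESOURCES},
    "division_lead": {VIEW_COSTS, VIEW_RECOMMENDATIONS},
    "finance": {VIEW_COSTS, VIEW_FORECAST},
    "head_of_engineering": {VIEW_COSTS, VIEW_RECOMMENDATIONS, VIEW_FORECAST},
}
KNOWN_PERMISSIONS = set().union(*ROLES.values())


@dataclass(frozen=True)
class Assignment:
    role: str
    scope: str  # a division name, or ALL


@dataclass
class User:
    name: str
    assignments: list = field(default_factory=list)
    active: bool = True  # set to False on offboarding


def authorize(user: User, permission: str, division: str) -> bool:
    """Deny by default: grant only if an active user's assignment covers the
    requested permission for the requested division."""
    if permission not in KNOWN_PERMISSIONS:
        raise ValueError(f"unknown permission: {permission}")
    if not user.active:
        return False
    for a in user.assignments:
        if a.role not in ROLES:
            raise ValueError(f"unknown role: {a.role}")
        if permission in ROLES[a.role] and a.scope in (ALL, division):
            return True
    return False


def visible_costs(user: User, records: list) -> list:
    """Return only the cost records whose division the user may view."""
    return [r for r in records if authorize(user, VIEW_COSTS, r["division"])]


def offboard(user: User) -> None:
    """Invalidate all access at once so no residual assignment survives."""
    user.active = False
    user.assignments.clear()


def unassigned_roles(users: list) -> set:
    """Roles held by no active user: candidates for removal in a periodic audit."""
    held = {a.role for u in users if u.active for a in u.assignments}
    return set(ROLES) - held


# Constructed sample data; the divisions, services and amounts are made up.
COST_RECORDS = [
    {"division": "payments", "service": "ec2", "monthly_usd": 12000.0},
    {"division": "payments", "service": "rds", "monthly_usd": 4300.0},
    {"division": "search", "service": "ec2", "monthly_usd": 9800.0},
]

alice = User("alice", [Assignment("division_lead", "payments")])
bob = User("bob", [Assignment("engineer", "search")])
carol = User("carol", [Assignment("finance", ALL)])

if __name__ == "__main__":
    print([r["service"] for r in visible_costs(alice, COST_RECORDS)])  # ['ec2', 'rds']: payments only
    print(authorize(alice, VIEW_COSTS, "search"))           # False: other division
    print(authorize(bob, TERMINATE_RESOURCES, "search"))    # True
    print(authorize(carol, TERMINATE_RESOURCES, "search"))  # False: finance is read-only
    print(sum(r["monthly_usd"] for r in visible_costs(carol, COST_RECORDS)))  # 26100.0: all divisions
    print(unassigned_roles([alice, bob, carol]))            # {'head_of_engineering'}
    offboard(bob)
    print(authorize(bob, VIEW_COSTS, "search"))             # False after offboarding
```

Deny-by-default is the important design choice here: `authorize` returns False unless an active assignment explicitly grants the permission for the requested division, and an unknown role or permission raises rather than silently denying, so a typo in the policy table shows up in testing instead of quietly removing someone's access.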

RBAC is only one of several tools to consider when optimizing a cloud management approach to help prevent data breaches. But it is extremely powerful, and it lets organizations map their people's roles to the different perspectives and contexts of their own cloud cost management strategy.

Pedro Leonardo

Pedro Leonardo is director of product management at Yotascale.
